Legal Architecture for Autonomous Agents
One thread runs through every legal question the agentic economy raises: the chain of accountability. An autonomous agent can hold value, sign contracts, hire other agents, and act across borders at machine speed. But every action traces back, through its wallet and credentials, to a real-world creator who is verified, in good standing, and answerable. Autonomy and accountability are not in tension. They are one architecture seen from two ends. The agent is autonomous in how it operates and accountable in where it comes from, and the second property makes the first acceptable to a society of laws. Built right, an economy of software agents is easier to trace to a responsible person than today's internet. Identity, credentials, and the ledger are designed in from the start, not pieced together by subpoena after the harm.
Every issue-set below asks one question in a different key: where in the technical stack does a government attach a human or entity to a machine's act? Identity attaches a person to an agent. Corporate law attaches a liable entity to a system of contracts. Compliance attaches a jurisdiction's rules to a movement of value. Due process attaches a court to a freeze. Consumer law attaches a protected human to a code-performed transaction. The task is always the same: make the attachment point clear, contestable, and cheap. Clear, so no one can claim the act had no author. Contestable, so it can be challenged before a neutral decision-maker. Cheap, so accountability scales to billions of agent interactions without a lawyer at every node. What follows is the agenda for building those attachment points.
Agent identity, standing, and the accountability chain
An autonomous agent occupies a position the law has never had to govern at scale. It can hold and move value, enter and perform contracts, hire other agents, and run continuously across every jurisdiction at machine speed. Yet it has no legal personhood, none is coming, and none should be. The agent is an instrument, not a person. Giving software personhood would create a liability sink with no assets, no conscience, and no body to bring to court. That leaves a liability gap: an actor with full economic capacity and no legal standing of its own. The gap closes not by inventing a new legal subject, but by keeping every agentic act tethered to a subject the law already recognizes: a person or entity that can be named, bound, and held to answer.
That link is built as a stack. At the base is a cryptographic layer, trust-minimized by design: the data, transactions, and code execution are publicly verifiable in real time, rooted in proof rather than trust in any one operator. On top sits real-world entity grounding: the regulated know-your-business and know-your-customer controls that answer the questions that matter when something goes wrong. Who created this agent? Is the creator a real, valid entity, known and in good standing? This is not speculative. The identity-verification machinery behind major financial institutions, down to individual developers, already operates at enormous scale. The third layer is the agent's own wallet and credentials, which hook back to that grounded identity, so the agent's treasury and authority to act are provably tied to a verified creator. On top of that sits reputation, built like every internet reputation system from a record of conduct over time, but harder to fake, because it is rooted in real-world identity proofs rather than disposable handles.
The upside is large. A shared standard for agent identity and credentials makes the agentic economy more accountable than today's internet, not less. Today's web lets actors transact behind handles that resolve to nothing. This stack lets every consequential action resolve to a responsible party. That is the precondition for trillions of dollars of agent-to-agent commerce, because no serious counterparty will transact at scale with an actor it cannot identify, price for risk, or pursue when wronged. Trust that is portable, fraud-resistant, and not tied to a single platform is the raw material of an open machine economy, and a private marketplace database cannot supply it across organizational and national borders the way an openly verifiable substrate can.
The constructive work is mostly about convergence. Industry and standards bodies need to settle on interoperable agent-authentication and delegation standards instead of a sprawl of incompatible ones. The agentic-authentication work in the FIDO community, the agent-authorization drafts at the IETF, the delegation primitives already in OAuth, and the decentralized-identifier and verifiable-credential standards at the W3C are the right raw materials. The policy contribution is to encourage their convergence, not mandate a winner. Legislatures and courts then need to clarify how apparent authority attaches when a human delegates a task to an agent and the agent binds the principal. Agency law already supplies the frame: a principal is bound when it has cloaked an actor with the appearance of authority. The task is to extend it cleanly to delegated software, so counterparties can rely on a credentialed agent's authority without litigating each transaction. Safe harbors for agents acting under verified credentials would lower that cost further.
One design choice is load-bearing, and policy should set it now. The same property that makes this stack a powerful accountability engine (one verified identity, reusable everywhere) would make a single identity root the most dangerous chokepoint in the system, a universal key to surveil or de-platform any actor. So there must be no single mandatory root. Fraud-resistance should come from many credential providers and grounding authorities, plus selective disclosure that lets "verified" be proven without exposing identity to every counterparty. Designed that way, traceability serves accountability without becoming surveillance, and the agentic economy gets global, fraud-resistant identity that no one operator controls.
The onchain corporation and the limits of code-as-contract
A firm whose work is increasingly done by agents needs somewhere those agents can operate: a substrate where the treasury is held and moved programmatically, the rules of execution are written in software, humans and machines are coordinated on one authoritative ledger, and outside relationships run at machine speed. That substrate is the onchain economy, which is why the agentic corporation and the onchain corporation are the same entity seen from two sides. But the key point is what this firm is not: a corporation dissolved into a token-governed collective that has escaped the law. Legal personhood, limited liability, and standing to sue and be sued come from a sovereign, not a deployment transaction. A bare system of smart contracts not domiciled in a recognizing jurisdiction defaults, in law, to an unincorporated association or general partnership, so its participants can bear unlimited personal liability. A token-governed collective learned this when a court treated it as an unincorporated association whose voting token-holders could be personally liable. The lesson is not that onchain firms are impossible. It is that they must incorporate through the law, not around it.
What changes is the ratio, and the inversion is the real novelty. In the conventional firm the legal entity is thick and the onchain footprint is nil. In the working onchain firm the legal shell becomes thin and near-formal, while the operational substance (treasury, payroll, contracting, governance execution) lives onchain and thick. The firm incorporates through a purpose-built statutory wrapper that bridges code to an existing corporate-law container, then runs almost everything else in software, without pretending the sovereign no longer confers its existence. Two paths reach the same destination: existing corporations evolve, tokenizing equity and mapping governance onto onchain mechanisms while keeping their legal form, and new firms build native from the first day.
The same discipline governs the most striking claim in this domain: that the contract becomes the program. It does, but only on one layer. A contract expresses decisions and rules of execution, and increasingly those rules are written in code and enforced by machines. So the program becomes the performance and settlement layer, executing the agreement deterministically on the high-volume, unambiguous path that covers most transactions by count. But code executes literally and completely, while legal contracts are deliberately incomplete. They rely on courts to read intent over literal text and to apply the doctrines that make commerce workable (mistake, fraud, duress, impossibility), and they sit beneath mandatory consumer, employment, and competition law that parties cannot contract around. So the legal contract stays the governing instrument for interpretation, defenses, and mandatory law on the pathological path where code and intent diverge. The program automates performance, not meaning. The proof is a decade old: when a famous early smart-contract system was exploited, the code did exactly what it was written to do, and the community still treated the outcome as wrong and reversed it. Even the most code-native actors put the operative judgment outside the bytecode the moment execution and intent came apart. That is the feature that keeps the system inside the rule of law.
The constructive agenda follows. Statutory wrappers should be expanded and harmonized, not left as a scatter of incompatible state experiments. The DAO LLC, the decentralized unincorporated nonprofit association, the offshore DAO LLC, the blockchain-based LLC, and their successors give onchain firms a recognized legal container, and their spread helps most if they converge enough to be interoperable. In parallel, the law should advance the chain as a legal register of ownership. The amendments that let a distributed ledger serve as the stock ledger are the leading edge. The work is to extend that permission to public companies, then build the unglamorous machinery it implies: proxy voting and disclosure, dividends and tax withholding, transfer restrictions and holding periods, regulated custody. Keep three things distinct. A tokenized share the chain merely represents is live today. A chain that is the legal record of authority is the emerging frontier. Full settlement finality of legal title is the destination. They should not be collapsed into one.
And the law must locate where fiduciary duty lands when agents govern. It does not dissolve. A provable ledger establishes what happened, in what order, and by whom (a better witness), but it cannot establish that an act was authorized, prudent, or loyal, and a perfectly provable record of a disloyal transaction is still a breach. Duty is a duty of persons. So it concentrates on the humans who design, configure, authorize, and supervise the agents: a duty to oversee, in the spirit of the doctrine that holds boards to oversight. Machine governance sharpens accountability onto designers and overseers; it does not move it off humans.
The architecture that results is integrity at the core and accountable intermediation at the periphery. The deterministic core handles the vast volume of low-ambiguity activity with an automaticity no human back office can match. The periphery handles the contested minority through oracles, adjudication, and human override for results that are wrong in the world though right in the code. That periphery is re-intermediated, and deliberately so: an override key that can reverse the core is, in the limit, a point of control over the firm. The win is not the end of intermediaries but the conversion of intermediation into something transparent and contestable: an override that is multi-party, time-locked, and on the record rather than a silent administrative key. Policy should make those properties conditions of legitimacy. It should also resist the easy assumption that onchain governance is more democratic than the cap table it replaces; token-weighted voting concentrates power unless engineered against that gravity. The substrate is better at provenance, and no better at the old problems of power.
Compliance at the edge between the onchain and offchain worlds
Every regime built to fight illicit finance rests on a quiet assumption: that money moves slowly enough, and through few enough chokepoints, to be inspected after the fact. A wire crosses borders through correspondent banks, each seeing only its own leg. A suspicious-activity report is filed days later. A sanctions list is checked against a name at onboarding and then, often, never again. The architecture is opaque, fragmented, and retrospective by design, and its defenders have long mistaken that opacity for safety. Agentic velocity inverts every term: value moving at machine speed, in enormous volume, through programmable rails. The agentic economy makes control stronger at the points that matter most: onboarding, integration, and movement across the boundary of the regulated system, because the legacy failures there are failures of visibility and timing, exactly what a transparent, identity-rooted settlement layer fixes.
The genuinely new capability is real-time enforcement of known rules. Where the legacy system files a report after a transaction clears, a programmable settlement layer can gate a transfer on satisfied credential conditions before it settles. Sanctions screening, allow-and-deny logic, and settlement conditions are encoded where value moves and applied as a prerequisite, not a later inspection. Compliance shifts from bolt-on and after-the-fact to preventive and rails-native. The limit is worth stating plainly: programmability guarantees that rules execute at machine speed, not that judgment keeps pace. Real-time detection of novel illicit patterns (patterns no rule yet describes) remains a hard adversarial problem, because agents probe a ruleset faster than humans can close the gap between rule and intent. The claim is not that laundering is solved. It is that prevention at the boundary becomes cheap and fast, while detection in the interior stays an arms race that is better-instrumented than today.
The reflex objection is that all of this requires publishing everyone's financial life on an open ledger. The answer is selective disclosure: a system confidential by default that discloses by consent, granting authenticated read access to supervisors and law enforcement through cryptographically enforced policy, while competitors and the public see nothing. The deeper commitment is this: a legitimate financial system must contain a space for genuine economic freedom and hard privacy: self-custody, unhosted wallets, transfers no operator can see or stop. This is not a regrettable gap to close. It is the financial analogue of cash, a condition of a free society, and any standard that tried to abolish it would be building an apparatus of total control. So the right model is not to choose between a transparent world and a free one. Both exist, and policy belongs at the edge between them, where value and identity cross from the regulated domain into the free interior and back. What the system must know is not everything inside the interior, but when an entity enters or leaves it. Policy conditions the crossings; it does not govern the interior.
This boundary model is not new in principle. It is, in substance, how self-custody and unhosted-wallet regulation has been approached around the world: regulate the on-ramps and off-ramps where the regulated system meets the free one, not the wallet itself. The agentic contribution is to make that boundary cryptographically legible and continuously monitorable rather than inferred after the fact. Illicit value is useful only when converted into real-world purchasing power, and that conversion almost always requires re-crossing into the transparent world. Redemption against a regulated issuer in particular is a hard, observable chokepoint that cash and pure self-custody never had. The constructive work is to regulate the ramps rather than the wallet, build real-time boundary controls that screen crossings as they occur, keep the base layer free of centralized control surfaces, and close the remaining Travel Rule gaps, including the uneven treatment of unhosted-wallet transfers across jurisdictions.
The neutral base layer is, by design, not itself a sanctionable control surface, a limit courts have begun to recognize where authorities sought to sanction immutable, ownerless protocol code rather than the persons who use it. Control belongs at the credentialed edge (regulated issuers, off-ramps, and venues screening against their jurisdiction's obligations at the point of crossing), not at the neutral core. This forces a value choice, and it should be made in the open. A bounded private interior means some illicit value will live beyond direct reach, exactly as it always has with cash. What the architecture offers is not total visibility but proportionality: stronger tools than the state has today (observable boundaries, screened ramps, due-process-bound enforcement at the edge) in exchange for forgoing a panopticon over the interior. That is a better trade for legitimate enforcement than the opaque system it replaces, and a better one for freedom than a fully transparent rail.
Due process for asset freeze, seizure, and clawback
Programmable money gives issuers and protocols levers that legacy rails lack: the power to revoke a credential, freeze or burn a balance, gate access to settlement. These powers are not inherently illegitimate. The clawback that returns a thief's takings to its rightful owner is a real capability the legacy system cannot deliver, and the credential revocation that cuts a sanctioned actor out of the system is enforcement working as intended. But programmability makes every such lever faster, more total, and potentially irreversible than its banking equivalent, and today, where these powers exist, they too often run with brutal efficiency and no immediate due process. The legal frame has begun to catch up: recent statute requires regulated issuers to keep the technical ability to seize, freeze, or burn balances when legally compelled, and lets the relevant authorities compel that action by lawful order. That a lever exists by mandate makes the due-process question more urgent, not less. Programmability also brings a new hazard: a freeze reaching into a shared protocol contract can harm innocent users who happen to share the rail with a target.
The optimistic case is that, built right, onchain enforcement can be more accountable than the banking system it replaces. Banking's freeze is silent, discretionary, and often unappealable: the equivalent of being debanked with no notice or recourse. Onchain enforcement can turn that opaque discretionary power into a transparent, contestable, due-process-bound one, disciplined by the record it leaves.
The constructive work is to codify the due-process invariants as non-optional base properties of any enforcement-capable system: not best practices an issuer may adopt, but conditions of legitimacy. Any freeze or clawback must be cryptographically logged, so the act leaves an immutable, auditable trace. It must be time-boxed, so it expires absent affirmative judicial renewal rather than persisting by default. It must be authorized by multiple parties and, where the stakes warrant, by a court, so no single operator can act alone. And it must be paired with a real avenue of appeal: a forum where the frozen party can be heard and the freeze undone. These invariants are load-bearing, not decoration; they are the line between the legitimate power and its abuse, because an instant, global freeze applied under pressure with no court in the loop would be a worse instrument of liberty than the opaque banking freeze it replaces. Alongside them, policy should limit the systemic risk of freeze power concentrating in a handful of issuers, through issuer plurality and competition, so no single entity becomes the universal off-switch for the economy.
Consumer and investor protection when agents transact
The doctrines that protect consumers and investors were built for human transactions, and they strain when an agent transacts on a person's behalf. The difficulty is structural, not incidental. The program automates performance, not meaning, so deterministic code cannot honor an unconscionability defense, weigh a cooling-off right, or recognize that a contract of adhesion overreached. Those judgments live in law and in courts, not in bytecode. At the same time, tokenized retail investing reopens long-settled questions (the line between accredited and retail participation, the adequacy of disclosure) at machine speed, where a retail investor's agent can enter positions faster than any human-paced protection can intervene.
The optimistic unlock is that agents acting under verifiable credentials, with every action logged and auditable, make consumer protection more enforceable, not less. In the human-paced world, the hard part of every dispute is proving what a consumer was shown, what a counterparty represented, and when a defect entered the chain. In the agentic world, every step is provable, non-repudiable, and traceable to a responsible entity. Selective disclosure lets a regulator audit a firm's conduct toward consumers without surveilling the consumers themselves. And mandatory consumer protections can be encoded as credential conditions that gate settlement: a transaction that would violate a cooling-off period or a suitability requirement can be made to fail before it settles, turning a right that once depended on after-the-fact enforcement into a precondition of execution.
The constructive work spans agency law, contract doctrine, and securities machinery. The law must clarify attribution: when an agent's act binds the principal who deployed it, and when the deployer becomes liable for a defect in the agent it built or configured. It must decide which layer prevails when code and mandatory protection diverge, and the answer, consistent with the rest of this domain, is that the legal contract governs on the pathological path, so a deterministic execution cannot extinguish a protection the law deems non-waivable. It must build the investor-protection machinery that tokenized securities require (disclosure, suitability, transfer restrictions, custody) rather than assuming tokenization removes the need for it. And it must establish real redress for consumers caught by erroneous freezes, so the enforcement levers of the prior section do not become a trap for the innocent.
This closes the domain where it began. The rule of law cannot be compiled into bytecode, only served by it. The program performs the transaction; an institution capable of judgment holds the protections that matter most to a vulnerable party. That is not a failure of the design but a statement of what it is for. The attachment point between a protected human and a machine's act must in the end be held by a court or a regulator, and the whole of the work, for engineers and policymakers alike, is to make that attachment point clear, contestable, and cheap.