---
title: Who Does the Agent Answer To?
author: Hilal Agil
date: 2026-06-16
source: https://hilalagil.com/essays/who-does-the-agent-answer-to/
topics: Artificial Intelligence, Agentic Commerce, AI Governance, AI Safety
---

# Who Does the Agent Answer To?

Sometime this spring, without much ceremony, the world finished wiring money to machines.

In March, Stripe took its Tempo blockchain to mainnet with a protocol built specifically for machine-initiated payments, and Mastercard spent $1.8 billion acquiring stablecoin infrastructure to serve the same future. Visa's agentic commerce program now counts its partners in the hundreds and predicts ordinary consumers will be delegating purchases to agents by the holiday season. Whatever your view of the timeline, the direction is settled: AI agents are becoming economic actors — holding balances, executing transactions, entering agreements.

The rails came first. Everything that makes an economic actor accountable is being retrofitted afterward. I think that ordering is backwards, and this year has already produced the evidence.

## The accountability gap, in three documents

Three things happened in the first half of this year that belong in the same frame, though they came from a courtroom, a statehouse, and a payments company.

On March 4, one of the world's largest insurers filed suit against OpenAI in federal court — an early entry in what will become a defining genre: litigation over what happens when an AI system, acting on someone's behalf, causes loss. On January 1, a California law took effect that bars what might be called the "the AI did it" defense — the idea that harm caused by an autonomous system attaches to no one. And in April, a regulated financial institution published the first "Know Your Agent" framework — an attempt to do for AI agents what Know Your Customer did for banking: establish who you're actually dealing with.

A lawsuit, a statute, a compliance framework. Three different institutions independently discovering the same missing layer: agents can act, but nothing reliably establishes who an agent is, whose authority it carries, and where responsibility lands when it goes wrong.

## Liability needs someone to attach to

Every functioning economy runs on a quiet assumption: an actor is a durable thing. A person persists. A company persists. Courts, contracts, credit, insurance — all of it depends on identity that holds still long enough for responsibility to attach.

Agents, as currently built, fail this test in a new way. An agent is a temporary arrangement — a model version, a context window, a set of instructions — that can be spun up in thousands of copies, modified mid-task, and gone by morning. When one of those arrangements moves money or signs up for obligations, the old questions arrive with nowhere to land. Which copy acted? Under whose instruction? Was it the deployer's configuration, the model builder's training, or the user's prompt that made the difference? The California statute can insist that someone is liable; it cannot conjure the records that show who.

The honest answer is that today, mostly, nobody knows — because the infrastructure that would know was never built. Identity for agents isn't a login. It's a verifiable, persistent record: this agent, operating under this authority, within these limits, with this history. Not a policy document describing good intentions — a property of the system, checkable at the moment of the transaction, the way a signature is checked, enforceable the way a spending limit is enforced.

## Capability first, accountability later — again

I've written about [the infrastructure gap in autonomous AI](/essays/the-infrastructure-gap-in-autonomous-ai/) — the pattern where we extend AI's ability to act faster than we extend the systems that make action governable. Agent commerce is that pattern at its purest. The capability (an agent that spends) took roughly two years to become products. The accountability (an agent that can be identified, bounded, and answered for) is still mostly aspiration, arriving through lawsuits — which is to say, through the failure mode.

This is the problem I've been circling from different directions for years: enforceable identity and governance standards for AI, memory and authority that persist across systems rather than evaporating between sessions, rules that are properties of infrastructure rather than promises in documentation. It's work I began under Praecise and Rivier and have now brought together under [Ipnops](/about), because I've come to believe these aren't separate products. Reaching the world's data safely and acting in the world accountably are the same problem: both need rules that travel with the actor.

None of this is an argument against agents. I want the agent economy to work — it's one of the genuinely large economic openings of the decade, for people and small businesses most of all, and it will not survive its first serious wave of fraud and unattributable losses if accountability stays bolted on. Trust is not a feature you add later. It's the load-bearing wall.

An economy of actors nobody can identify, answering to nobody in particular, is not a market. It's a crowd. The difference between the two has always been accountability — and we still get to choose which one we're building.

There's a second question stacked behind this one: agents ultimately answer to whoever controls the intelligence they run on. Who that is, and what happens when they change the terms, is a story that's beginning to tell itself — and it deserves its own essay.
