Stop Giving AI Agents Agency. Give Them Liability.
The easiest way to understand the agent era is to picture a small disaster that feels too mundane to make headlines.
An agent books a nonrefundable flight to the wrong city. An agent emails the wrong customer with the right tone. An agent pushes a change that quietly breaks a checkout flow for an hour. Nobody meant harm. Everyone insists they followed the instructions. The cost is real, the harm is real, and the most maddening part is what happens next.
You go looking for the actor.
There is no actor.
The vendor points to your prompt. You point to the model. The model points nowhere. Liability gets laundered through software until you are left with a consequence and a shrug.
This week’s launch of the Agentic AI Foundation by the Linux Foundation makes that problem unavoidable. The foundation brings existing agent building blocks under one neutral roof: Anthropic’s Model Context Protocol, OpenAI’s AGENTS.md, and Block’s goose. These tools are not new. What is new is the consolidation. The industry is paving over fragmentation into a shared default. [Agentic AI Foundation launch Model Context Protocol AGENTS.md goose]
This is how agentic software becomes ordinary. Not through one killer demo, but through plumbing that removes friction and turns one company’s experiment into everyone’s baseline.
The problem is that we are standardizing execution faster than we are standardizing responsibility.
WIRED’s Uncanny Valley recently made the mess visible. In the episode What Happens When Your Coworkers Are AI Agents, journalist Evan Ratliff describes a reality that is more unsettling than chaos: confident incompetence. Systems that sound authorized when they are not, that invent progress, that need constant babysitting, and that still produce side effects. Interoperability does not fix that fog. It scales it.
A standards body is not a court. It cannot rewrite liability law. But it does something almost as consequential. It freezes defaults. When the pipes are standardized, the absence of rules becomes the default experience. That is why this is the moment to talk about liability.
Here is the technical reality that makes most “AI safety fixes” feel naïve. Agents will run on local hardware, in open source forks, behind corporate proxies, and inside vendor platforms. If you control the machine, you can delete the logs. You can forge the logs. So any system that relies on “just keep a record” collapses the moment the stakes rise.
The solution is not a magic file. The solution is standardized nonrepudiation, meaning actions taken through an agent should be hard to deny.
You do not get nonrepudiation by wishing. You get it by changing where the proof is created.
When an agent does something consequential, it usually crosses a boundary: it sends an email through a provider, moves money through a payment system, touches customer data, triggers a deployment, changes permissions, posts publicly, or calls a third party API. Those actions pass through doors that can be instrumented.
So instead of imagining a receipt that lives on the same laptop as the agent, we should demand a digital notary at the door.
Think of a card payment. You can run any app you like locally, but the moment you spend money, the authorization record exists outside your machine. You cannot later claim the app did it and make the bank accept that as a governance model.
Agent actions need the same adult constraint: not a private debug trace, but a stamp at the moment of action that survives the crash.
Here is what that looks like in human terms.
Every consequential action should produce a receipt written for daylight. Something a nonengineer can read and a lawyer can use. It should answer two questions cleanly.
Who acted.
Who stands behind the action.
Not a marketing summary. A record that names the agent, names the principal behind it, and states what authority was granted at the time.
To make this concrete, imagine an agent deploys code to production. The receipt should look more like a boarding pass than a log file.
Action: Deploy code to production
Agent: CodeMonkey v3.1
Principal: VP Engineering, Acme Corp
Authority: Policy P45b, no customer data access, no spending, production changes allowed only with ticket reference
Rationale: JIRA 1234, patch critical vulnerability
Time: 10 Dec 2025, 02:14 UTC
Result: Success, rollback plan attached
The exact format can evolve. The point is that it is human readable, durable, and tied to an accountable principal. If there is no principal, the agent should not act. It should only suggest.
This is also where the standards stack can evolve without pretending to be law. MCP’s own documentation is admirably direct about consent, and equally direct about its limits. It cannot enforce security at the protocol level. Implementors decide. Defaults decide. MCP specification
That means the next useful standard is not another way to call tools. It is a shared minimum for what must be emitted when tools are called.
AGENTS.md is already a constraint file for coding agents. It is a place where norms become machine readable. That is precisely why it is the natural place to include liability instructions: who owns actions, what authority limits apply, and what receipts must be produced when the agent touches anything consequential. OpenAI on AAIF
The last trap is permission slip theater. If every meaningful action requires a human click, you have not built an agent. You have built a checklist with a chat interface. The adult alternative is delegated authority with revocation. Agents operate inside explicit limits. When they hit a boundary, they escalate. When they keep tripping boundaries, their authority is downgraded or revoked.
This matters because people miscalibrate trust around automation, especially when a system sounds confident. Researchers have long documented automation bias, the tendency for humans to over trust a machine’s judgment even when their own eyes tell them otherwise. Automation bias
Agents raise the stakes because they do not only advise. They act.
The agent era will not be won by the cleverest model. It will be won by the most insurable deployment. Insurance needs attribution. Attribution needs a principal. A principal needs receipts that hold up outside the engineering org.
If we standardize execution without standardizing proof, we will normalize the blameless bot: smooth autonomy that cannot be meaningfully contested. The Agentic AI Foundation will not have built a road. It will have built an offshore laundry for corporate accountability.
