In March 2026, Binance launched its first batch of seven AI Agent Skills — allowing autonomous AI agents to gain market insights, execute orders, and apply security risk controls on behalf of users within the Binance ecosystem. In the same month, AWS announced that AI agents could hold on-chain wallets funded with USDC on Base, enabling agent-to-agent payment flows without human intermediation. a16z, in its late-2025 predictions, named “Know Your Agent” (KYA) as one of the most urgent unsolved identity problems in the technology industry — a cryptographic identity layer designed to link AI agents to their owners, define their operational constraints, and establish legal liability chains.
The KYA framework does not yet exist in any standardised form. The identity problem a16z named as urgent has not been solved. And the deployment of AI agents with on-chain wallets, trade execution capability, and protocol interaction authority is accelerating regardless.
This creates a governance gap that is specific to Web3 in a way it is not to traditional finance. When a bank’s algorithmic trading system makes an error, the liability chain is clear: the bank is a legal entity with regulatory obligations, auditable systems, and a defined accountability structure. When an AI agent operating on behalf of an anonymous wallet address executes a trade that triggers a cascading liquidation, or when an agent-to-agent payment flow moves funds in a pattern that triggers AML flags, the accountability chain is genuinely ambiguous in ways the current legal and governance frameworks are not equipped to handle.
What AI Agents Are Actually Doing in Web3 Right Now
The category “AI agent in Web3” covers a broad spectrum of deployment sophistication, and the risk and governance implications differ substantially across that spectrum. It is worth being precise about what exists in 2026 before evaluating what governance frameworks are needed.
At the most basic level, AI agents in Web3 are being used for portfolio management and yield optimisation — reading on-chain data, identifying yield opportunities across protocols, and executing rebalancing transactions autonomously. This is the Binance AI Agent Skills use case: a defined task, bounded operational scope, a human-set mandate, and execution authority limited to the user’s own funds in a specific environment. The agent has delegated authority from an identifiable principal and operates within a defined platform governance structure.
More complex deployments involve agents operating across multiple protocols and chains — bridging assets, interacting with DEX liquidity pools, participating in governance votes on behalf of delegating token holders. At this level, the agent’s actions have downstream effects on other participants in the same protocols. An agent that moves significant liquidity in a thin market, or that votes a large governance position in ways that affect protocol parameters, is not just managing its principal’s assets — it is acting as a market participant affecting others.
At the frontier of current deployment, agent-to-agent payment flows — the AWS/USDC model — involve AI agents transacting with other AI agents for services, compute, or data, with no human in the transaction loop. The payer agent and the payee agent may both be operating on behalf of human principals, but the transaction itself occurs autonomously between two non-human entities. The settlement is on-chain and final. There is no dispute resolution mechanism, no recourse process, and no identity verification of either party to the transaction.
The Three Governance Problems That Have Not Been Solved
The governance gap is not one problem. It is at least three distinct problems that interact in ways that make each harder to solve in isolation.
Identity and accountability. A human who holds a wallet address can, in principle, be linked to that address through KYC processes — either at the exchange where they first acquired the funds or through chain analysis. An AI agent that holds a wallet address has no identity in this sense. It is a programme running on a server, operating under instructions from a principal who may themselves be pseudonymous, with no inherent connection to any legal entity. a16z’s KYA framework proposes cryptographic identity anchoring — linking agent identity to a human or organisational principal through a verifiable credential — but this requires adoption by agent developers, deployment platforms, and verification infrastructure that does not yet exist at scale.
Without KYA or an equivalent, the accountability chain for agent actions is: find the wallet, trace the agent software, identify the developer or deployer, establish the principal relationship, determine whether a legal entity is responsible. At each step, the chain can break — the agent may be open source with no identifiable operator, the principal may be another agent, the deployment may be on decentralised compute infrastructure that leaves no identifiable operator trail. This is not a hypothetical attack surface. It is the current operational reality for anonymous agent deployments.
Liability for downstream harm. When a human trader makes an error — a fat-finger trade, a market manipulation attempt, a liquidity squeeze — liability attribution follows relatively established paths under securities and market manipulation law. When an AI agent makes an equivalent error, the liability question is genuinely unsettled. Is the agent’s principal liable? Is the agent software developer? Is the platform that provided the agent’s execution infrastructure? Multiple legal frameworks — securities law, tort law, contract law — may apply inconsistently, and no jurisdiction has yet established definitive precedent for AI agent liability in financial markets.
Secure Multi-Party Computation, which several agent infrastructure providers are developing as a security control, addresses one aspect of this problem — it prevents a compromised agent from draining funds by requiring multiple-party authorisation for withdrawals above certain thresholds. But MPC addresses the security risk, not the liability question. If an agent executes a valid transaction that nonetheless causes financial harm to a counterparty — through predatory trading behaviour, front-running, or governance manipulation — MPC does not help. The harm happened through legitimate technical channels.
AML and sanctions compliance. On-chain transaction monitoring for AML purposes works by analysing address behaviour patterns, clustering related addresses, and flagging flows that match known illicit activity profiles. When transactions flow between two AI agents — neither of which has a KYC identity attached — the monitoring challenge changes character. The agent’s transaction behaviour is determined by its programming and its principal’s instructions. If the principal uses an AI agent to layer transactions in ways that would trigger AML flags if conducted by a human, does the automated nature of the execution provide any legal cover? The answer should be no, but the enforcement infrastructure for demonstrating agent-based layering as a deliberate AML evasion strategy is immature.
What the Accountability Gap Means for Web3 Operators
For Web3 operators — protocol teams, DAO governance participants, DeFi infrastructure providers — the AI agent governance gap creates specific operational risks that are different from the abstract governance questions above.
First, protocol governance is increasingly affected by delegated AI agent voting. If large governance token holders delegate voting authority to AI agents, and those agents vote in coordinated ways that affect protocol parameters, the governance system is no longer governed by human participants making considered decisions — it is governed by algorithmic decision-making at the behest of whoever controls the largest delegated positions. This is not inherently illegitimate, but it is different from the governance model most protocols were designed for, and it creates attack surfaces around agent instruction manipulation that have not been fully evaluated.
Second, liquidity provision and market-making roles that human operators previously held are increasingly being automated through AI agents. When a significant market event — a depeg, a smart contract exploit, a major price movement — triggers agent responses simultaneously across multiple protocols, the correlation risk of automated reactions is higher than the correlation risk of human reactions. Humans are slow and inconsistent; agents executing the same strategy are fast and consistent, which means their correlated responses to the same trigger can amplify rather than absorb market stress.
Third, for operators evaluating partnerships or integrations with projects that use AI agent infrastructure, the counterparty diligence question extends to the agent layer. Evaluating a project’s governance, treasury management, and operational capability now requires asking: what AI agents does this project use? What are the agent’s operational constraints? Who is the principal behind the agent? What safeguards prevent agent action from exceeding authorised scope? These questions are not yet standard in Web3 due diligence frameworks, but they should be.
What Responsible Agent Deployment Looks Like
The governance gap is not an argument against AI agent deployment in Web3. It is an argument for deployment with specific governance structures in place — structures that most current deployments lack.
Responsible agent deployment, at minimum, requires a defined and documented principal-agent relationship — a human or legal entity that accepts accountability for the agent’s actions. It requires bounded operational scope — the agent should not be able to take actions that exceed its documented mandate. It requires auditability — the agent’s decision log should be retrievable and interpretable by the principal and, if required, by regulators. And it requires a recourse mechanism — some path by which a counterparty who believes they have been harmed by agent action can pursue remedy.
None of these requirements are technically impossible. Several are already implemented by the more careful agent infrastructure providers. What they require is deliberate design choice — a principal who cares about governance as a value, not just as a compliance checkbox. The operating standards that characterise professional Web3 operations apply to agent deployment as clearly as to any other operational domain: the organisations that invest in accountability infrastructure before they need it are the ones that survive the events that reveal which operators have it and which do not.
The KYA framework, when standardised, will provide a technical foundation for identity anchoring that makes the accountability chain recoverable. Until then, the governance gap is a feature of the landscape that every serious Web3 operator needs to understand — both for their own agent deployments and for evaluating the agent infrastructure of the projects and counterparties they work with.
FAQ
What is an AI agent in Web3? An autonomous software programme that can read on-chain data, execute transactions, interact with smart contracts, and make decisions without real-time human intervention. In 2026, deployments range from portfolio management tools within exchange platforms to fully autonomous agent-to-agent payment systems with their own on-chain wallets.
What is the KYA — Know Your Agent — framework? A proposed cryptographic identity standard, named by a16z as an urgent priority in late 2025, designed to link AI agents to their human or organisational principals through verifiable credentials. It would establish identity, operational constraints, and liability chains for agents acting in financial markets. No standardised version exists yet.
What is the liability risk when an AI agent causes financial harm? Currently unsettled across all major jurisdictions. Potential liability chains include the agent’s principal, the agent software developer, and the platform providing execution infrastructure. No definitive legal precedent exists for AI agent financial liability in decentralised markets.
What should Web3 operators ask about AI agents in due diligence? Which agents does the counterparty operate or depend on? What is the documented principal-agent relationship? What are the agent’s operational constraints? What prevents agents from exceeding their authorised scope? Is there an audit log of agent decisions? What recourse exists if agent action causes harm?
Does MPC solve the AI agent governance problem? Partially. Secure Multi-Party Computation addresses the security risk of a compromised agent draining funds by requiring multi-party authorisation for withdrawals. It does not address the liability, identity, or AML questions that arise from legitimate agent transactions conducted outside authorised intent.
Sources
- Cryptonium — Sovereign AI Entities: Decentralised Agents, Wallets, and Governance
- Cobo — AI Agent Skills in Crypto: How AI Agents Are Transforming Web3
- SAHM Capital — Blockchain, AI, and Web3 Convergence: The 2026 Digital Economy
- KuCoin — Will AI Agents Take Over DeFi? Predictions for 2026–2030
- Grant Thornton — Crypto compliance in 2026: AML and sanctions enforcement
