
The Liability Question: Who Owns the Outcome When an Agent Acts?

When an agent commits a transaction the principal would not have authorized, the question of who is liable does not have a settled answer. A practical framework for assigning liability across the principal, the agent provider, the marketplace, and the counterparty.

Teleperson Team · April 2026 · 8 min read

A consumer's agent negotiates a new wireless plan on the consumer's behalf. The plan it accepts is more expensive than the consumer would have approved if asked directly. The brand on the other side acted in good faith and has a signed receipt. The consumer wants to unwind the transaction. Who bears the loss?

This question, variants of which will be asked thousands of times per day in the early years of agentic commerce, does not have a settled answer in current law. The frameworks that govern human-to-human contracts assume parties capable of intent; the frameworks that govern automated systems assume the human principal had explicit, narrow authorization to delegate; the frameworks that govern marketplaces assume the platform is a passive intermediary, not a party that materially shapes the outcome. None of these frameworks maps cleanly onto a transaction where an autonomous agent exercised judgment within a delegated scope and produced a result the principal disputes.

This paper proposes a four-party allocation framework (principal, agent provider, marketplace operator, counterparty) and the legal and contractual mechanisms each party can use to manage its share of the risk. The framework is not a prediction of how courts will rule. It is a starting point for the design conversations that operators, regulators, and counsel are going to need to have over the next several years to make agentic commerce insurable, contestable, and trustworthy.

The four parties to an agentic transaction

Every agentic transaction has four parties whose actions and authorizations contribute to the outcome.

The principal. The human or institution on whose behalf the agent acts. The principal grants the agent authority, defines the scope of that authority, and benefits from (or is bound by) the agent's actions within that scope.

The agent provider. The company that built and operates the agent: the consumer's advocate-agent vendor or the brand's customer-service-agent vendor. The agent provider is responsible for the agent's behavior staying within its declared capabilities, for honoring the principal's authorization scope, and for the technical reliability of the agent's reasoning and execution.

The marketplace operator. The neutral layer where the two agents transact. The marketplace operator defines the protocol, accepts the identity claims, mediates disputes, and produces the signed receipt that documents the transaction. The marketplace is not a passive intermediary in the way classic e-commerce platforms claim to be; its rules materially shape what transactions are possible.

The counterparty. The party on the other side of the transaction, typically the brand whose agent accepted the consumer's offer, or the consumer whose agent accepted the brand's. The counterparty is entitled to rely on the receipt as evidence of agreement and on the marketplace's protocol as the rules of engagement.

Most current liability discussions collapse these four parties into two (the consumer and the platform) and try to assign loss between them. This is structurally inadequate because the four-party transaction has four distinct loci of fault, four distinct insurance frameworks that could attach, and four distinct sets of incentives that need to be aligned for the system to function.

The four loci of fault

When an agentic transaction produces a disputed outcome, the fault almost always lies in one of four places.

Principal scope error. The principal authorized a scope of action that was too broad, too vague, or too technical for the principal to have meaningfully understood. The agent acted within the authorized scope, but the principal did not actually intend the outcome the scope made possible. This is the most common failure mode and the hardest to assign liability for, because the principal did consent, just not in a way that produced informed agreement.

Agent execution error. The agent acted outside the authorized scope, misinterpreted the principal's instructions, or executed an action that a reasonable agent would not have executed under the circumstances. This is closest to a traditional product-liability framing: the agent provider built and operated the agent, and the agent malfunctioned.

Marketplace protocol error. The marketplace's protocol allowed a transaction that should not have been allowable: for example, by failing to require a confirmation step that would have caught the error, by accepting an identity claim that turned out to be fraudulent, or by mediating the transaction under rules that were ambiguous about what was being agreed to.

Counterparty bad faith. The counterparty exploited an ambiguity, a known limitation in the principal's agent, or a structural imbalance in information to extract value the principal would not have agreed to give if the principal had been transacting directly. This is the agentic-commerce equivalent of dark-pattern litigation in the human-to-human web.

In practice, most disputed transactions involve some combination of these: a principal whose scope was too broad, an agent whose execution was technically within scope but substantively unwise, a marketplace whose protocol did not require confirmation, and a counterparty who knew or should have known the agent was acting beyond what the principal would have approved. The framework's value is not in always producing a single liable party; it is in producing a structured discussion of which parties bear which share, on which evidence.

The mechanisms each party can use to manage risk

Each of the four parties has mechanisms available to manage its share of the liability exposure.

Principals can manage scope. The principal's primary tool is the scope of authorization granted to the agent. A scope that is broad enough to be useful and narrow enough to be safe is hard to specify, but the design of the scope-granting interface is decisive. Principals who grant unlimited scopes will and should bear more of the loss when the unlimited scope produces an unwanted outcome; principals who specified narrow, well-understood scopes will and should be protected when the agent stays within them.

The agent provider's product design largely determines how meaningful the principal's scope choices are. Confusing or maximalist scope-granting interfaces shift more risk to the principal in a way that is unfair if the principal could not realistically have made an informed choice. Clear, defaults-narrow scope interfaces shift the risk back to the agent provider, which is appropriate.

Agent providers can manage capability declarations and confirmation behavior. The agent provider's primary tools are the declared capabilities of the agent (what the agent will and will not do, regardless of what the principal authorizes) and the confirmation-request behavior (when the agent will check back with the principal before acting). Capability declarations function like the disclaimers in a financial-services product: they define the scope of the relationship and what the provider warrants. Confirmation behavior is the operational mechanism by which the provider gives the principal the chance to catch errors before they bind.

Agent providers that ship agents with broad capabilities and minimal confirmation behavior are taking on more risk than providers that ship narrower agents with more confirmation. The market will eventually reflect this risk in pricing and contract terms, but for now the provider that under-designs the confirmation interface is exposing itself to liability the contract probably does not cover.

Marketplace operators can manage protocol design and dispute mechanisms. The marketplace's primary tools are the protocol rules (what transactions can happen, what evidence is required, what confirmations are required for what classes of transactions) and the dispute resolution mechanism (how disputes are heard, what remedies are available, what the appeal process is).

A marketplace whose protocol allows high-value transactions without confirmation requirements bears more of the risk when those transactions produce disputes. A marketplace with a clear dispute mechanism that produces predictable outcomes is taking less risk than one with an opaque or arbitrary process. The signed receipt is the marketplace's most important risk-management asset: it transforms each transaction into evidence that can be inspected, contested, and adjudicated.

Counterparties can manage their own diligence. The counterparty's tools are the diligence it does on the agent identity it is transacting with, the marketplace it operates within, and the structure of the offer it makes. A counterparty that transacts with an agent whose authorization scope is obviously inadequate to the transaction the counterparty is offering is on weaker ground than a counterparty that confirms the agent has authority before proceeding. The counterparty's standard of care will likely be raised over time as the technology matures and what counts as obvious changes.

What the law has to figure out

The framework above is descriptive of how the parties can manage risk operationally. The legal frameworks that will translate this into enforceable allocations are still in early development. Several specific questions need to be resolved.

Whose intent counts in contract formation? Traditional contract law requires a meeting of the minds. When the agent forms the contract, does the principal's intent at the time of authorization satisfy this requirement, or does each transaction need a fresh manifestation of intent? The Uniform Electronic Transactions Act and the U.N. Convention on the Use of Electronic Communications in International Contracts both contemplate electronic agents, but neither was drafted with autonomous, multi-agent systems in mind. Courts will likely find that the principal's broad authorization is sufficient for routine transactions and require fresh confirmation for transactions that exceed certain thresholds, but the thresholds and the standards are unsettled.

What are the agent provider's warranties? The agent provider sells a product (the agent) and a service (its operation). What does the provider warrant about the agent's behavior, and to whom? Privity-of-contract issues arise when the counterparty (who never agreed to the provider's terms) relies on the agent's behavior. Product-liability issues arise when the agent's malfunction produces foreseeable harm. The shape of these warranties will be defined by the first major appellate decisions, which we expect to emerge in 2027–2028 as the first agentic-transaction disputes work through the courts.

What is the marketplace's standard of care? Marketplaces are increasingly held to higher standards than passive intermediaries: see the evolution of platform liability under the DSA, the SHOP SAFE Act discussions, and the case law on Section 230's scope. The marketplace operator in agentic commerce is structurally less passive than a classic e-commerce platform because its protocol shapes what transactions are possible. We expect courts to apply something closer to the standard applied to financial-clearing platforms than to the standard applied to social-media platforms: a higher standard of care, with affirmative obligations around dispute resolution, identity verification, and protocol transparency.

What insurance products attach? Insurance markets price risk; the existence of insurance for a class of risk is itself an indicator of how that risk is allocated. We expect three insurance products to emerge: principal-side insurance (the consumer's coverage for agent malfeasance, similar to identity-theft insurance), provider-side insurance (the agent provider's professional-liability coverage), and marketplace-operator coverage (similar to the surety bonds that financial-clearing operators carry). The pricing of each will reveal the market's view of where the risk actually sits.

A recommended posture for operators

Operators building in this category should plan for the liability allocation to land before it is settled. Specifically:

Build for evidence from day one. Every transaction should produce a signed receipt that documents what was authorized, what was negotiated, what was agreed, and on what evidence. This evidentiary record is what makes disputes contestable on the merits rather than through the relative bargaining power of the parties.

Design confirmation interfaces seriously. The interface that asks the principal "do you want to proceed?" is the single most important risk-management mechanism in the system. Underbuilding this interface to maximize automation throughput will produce outsized litigation exposure later.

Document scope-granting carefully. The principal's authorization should be narrow by default, broad only on explicit request, and re-confirmable on a regular cadence. The defaults are not a design afterthought; they are the substantive content of the agent provider's risk position.

Plan for the first major dispute. The first agentic-commerce dispute that produces a meaningful appellate ruling will set patterns for the next decade. Operators should expect to be involved in such disputes (as parties or amici), and should be staffed and budgeted for them. The cost of being on the wrong side of the first ruling is far higher than the cost of being on the right side of an industry effort to shape how the law develops.
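
The first three recommendations above (evidence, confirmation, narrow-by-default scope) can be read as one gate in front of every agent action; the sketch below is an added illustration, not Teleperson's implementation or any marketplace's protocol. The `Scope` fields, decision strings, receipt layout and amounts are all assumptions made for the example, and the HMAC tag stands in for the asymmetric signature a real receipt would need so that parties without the key can verify it.

```python
import hashlib, hmac, json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Scope:                      # hypothetical authorization record
    categories: frozenset         # what the principal delegated
    max_cents: int                # hard ceiling; the agent refuses above it
    granted_at: datetime
    confirm_above_cents: int = 0  # narrow default: every spend is confirmed
    reconfirm_every: timedelta = timedelta(days=30)

def decide(scope, category, cents, now, confirmed=False):
    """Return 'allow', 'confirm_required' or a 'deny:<reason>' string."""
    if now - scope.granted_at > scope.reconfirm_every:
        return "deny:scope_stale"          # re-confirmation cadence lapsed
    if category not in scope.categories:
        return "deny:out_of_scope"
    if cents > scope.max_cents:
        return "deny:over_limit"           # confirmation cannot lift the ceiling
    if cents > scope.confirm_above_cents and not confirmed:
        return "confirm_required"          # check back with the principal
    return "allow"

def _canonical(body):
    # Stable byte encoding so issuer and verifier tag identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_receipt(scope, category, cents, now, confirmed, key):
    """Record what was authorized, what was agreed and the decision, then tag it."""
    body = {
        "scope": {"categories": sorted(scope.categories),
                  "max_cents": scope.max_cents,
                  "confirm_above_cents": scope.confirm_above_cents,
                  "granted_at": scope.granted_at.isoformat()},
        "agreed": {"category": category, "cents": cents},
        "principal_confirmed": confirmed,
        "decision": decide(scope, category, cents, now, confirmed),
        "issued_at": now.isoformat(),
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_receipt(receipt, key):
    expected = hmac.new(key, _canonical(receipt["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["tag"])

# Constructed sample: the wireless-plan scenario, with made-up amounts.
NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)
SCOPE = Scope(frozenset({"wireless_plan"}), 8000, NOW - timedelta(days=3), 6000)
```

Because the receipt embeds the scope as granted alongside the agreed terms and the confirmation flag, a later dispute can be argued from the record itself: whether the action was in scope, whether confirmation was required, and whether it was obtained.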

Closing

The liability question in agentic commerce is structurally harder than in any prior generation of commerce because it involves four parties, four loci of fault, and a transaction that is autonomous in a way that conventional commerce never was. The frameworks that will resolve it are not yet built. The first decade of the category will be partially defined by the cases, regulations, and contractual norms that emerge to fill the gap.

The operators that get this right will build the discipline early (clear scope-granting, serious confirmation interfaces, verifiable receipts, transparent dispute mechanisms, well-priced insurance) and will treat liability as a design constraint rather than a regulatory afterthought. The operators that defer it will face crisis-mode litigation when the first major dispute lands, and will spend the next several years explaining to investors, regulators, and counterparties why their architecture cannot be defended.

We are designing for the high-discipline path. The framework above is not advice; it is the operational posture we are building under. The right time to design for liability is before the first dispute, not after.