AESP lets AI agents transact at machine speed on crypto rails while preventing them from gaining unilateral control over funds by combining deterministic policy checks, tiered human review, cryptographic dual-signing and escrow, context-isolated privacy, and a hardened crypto substrate; the protocol is released as an open-source TypeScript SDK with a formal evaluation plan but lacks field validation.
As AI agents increasingly perform economic tasks on behalf of humans, a fundamental tension arises between agent autonomy and human control over financial assets. We present the Agent Economic Sovereignty Protocol (AESP), a layered protocol in which agents transact autonomously at machine speed on crypto-native infrastructure while remaining cryptographically bound to human-defined governance boundaries. AESP enforces the invariant that agents are economically capable but never economically sovereign through five mechanisms: (1) a deterministic eight-check policy engine with tiered escalation; (2) human-in-the-loop review with automatic, explicit, and biometric tiers; (3) EIP-712 dual-signed commitments with escrow; (4) HKDF-based context-isolated privacy with batched consolidation; and (5) an ACE-GF-based cryptographic substrate. We formalize two testable hypotheses on security coverage and latency overhead, and specify a complete evaluation methodology with baselines and ablation design. The protocol is implemented as an open-source TypeScript SDK (208 tests, ten modules) with interoperability via MCP and A2A.
Summary
Main Finding
AESP (Agent Economic Sovereignty Protocol) specifies and implements a layered protocol that lets AI agents transact autonomously on crypto-native rails while cryptographically binding them to human-defined governance. It enforces the invariant “agents are economically capable but never economically sovereign” via five coordinated mechanisms (deterministic eight-check policy gate, tiered human-in-the-loop review, EIP‑712 dual-signed commitments with escrow, HKDF context-isolated ephemeral addresses, and an ACE‑GF cryptographic substrate). The paper supplies a formal specification, an open‑source TypeScript SDK + Rust/WASM crypto module, and a falsifiable evaluation plan (two hypotheses: H1 on security coverage, H2 on latency).
Key Points
- Core design invariant: enable machine-speed agent action but keep ultimate economic authority with the human principal (Digital Sovereign Entity, DSE).
- Five enforcement mechanisms:
- Policy-gated execution: deterministic sequence of eight checks per transaction (per-transaction limit, time window, address allowlist, chain allowlist, method allowlist, first-payment review, minimum balance, budget limits).
- Human-in-the-loop escalation: three approval tiers (auto, explicit review, biometric confirmation) with review queue and priority/expiration semantics.
- Cryptographic commitments: EIP‑712 typed-data dual-signatures between counterparties; optional on-chain escrow to prevent unilateral change or repudiation.
- Privacy-by-derivation: HKDF-based context-separated ephemeral addresses (REV32) per transaction to reduce on-chain linkability; consolidation performed with Fisher‑Yates shuffling and ±30% timing jitter.
- ACE‑GF crypto substrate: Rust implementation with WASM/FFI bindings providing multi-curve signing (Ed25519, secp256k1, ML‑DSA‑44), Argon2id→HKDF derivation, authenticated encryption, and context-isolated address creation.
- Threat model and assumptions:
- Adversaries: A1 compromised agent runtime, A2 malicious counterparty, A3 passive on‑chain observer.
- Critical deployment assumption DA1: mandatory policy mediation—signing API must be reachable only through the PolicyEngine/SDK; if DA1 is violated the main guarantees break.
- Key isolation and zeroization are assumed within the cryptographic module; modifying binaries or host compromises defeat guarantees.
- Implementation and artifacts:
- Open-source repository and TypeScript SDK + Rust/WASM module.
- Test coverage: 208 tests across ten modules (identity, policy, negotiation, commitments, review, MCP tools, A2A cards, crypto primitives, privacy).
- Interoperability: exposes operations as MCP tools and A2A agent cards.
- Evaluation plan:
- Two explicit, falsifiable hypotheses:
- H1 (Security): eight‑check gate blocks most unauthorized transactions while keeping false positives in single-digit %; escalation cost measured separately as review load.
- H2 (Efficiency): end-to-end latency overhead (policy eval + signing + HKDF) is on the order of a few hundred milliseconds per transaction and does not materially reduce transaction completion vs an unconstrained baseline.
- Experimental design: four baselines of increasing restrictiveness, per-check ablation studies, unlinkability security game, latency and false positive measurements, and operational metrics for escalations.
- Two explicit, falsifiable hypotheses:
Data & Methods
- Formal specification:
- Definitions for agent identity (derived from master mnemonic via ACE‑GF; id(Ai)=SHA‑256(pk(Ai))), policy evaluation algorithm, negotiation FSM, commitment lifecycle (7 states), and review escalation flows.
- Cryptography and derivation:
- Use of EIP‑712 typed data for commitments; SHA‑256 hashes for commitment digests.
- HKDF domain separation with context labels (agent ID, direction, sequence, tx ID) for ephemeral address derivation; Argon2id used as preimage work factor before HKDF where applicable.
- ACE‑GF provides signing (Ed25519, secp256k1, X25519), AES‑GCM, Argon2id→HKDF flows, context-isolated REV32 addresses, and optional ML‑DSA‑44 (post‑quantum).
- Implementation:
- TypeScript SDK wraps policy engine, ReviewManager, CommitmentBuilder, MCP/A2A bridges; the cryptographic core is Rust compiled to WASM (and native FFI).
- Runtime isolation patterns: WASM in a dedicated Web Worker (or worker_threads/subprocess in Node) exposing only high-level operations; raw mnemonic passed once at init and never returned.
- Testing and evaluation methodology:
- 208 unit/integration tests across modules.
- Security evaluation includes an unlinkability game against an on-chain observer to quantify address correlation risk and ablation studies removing each policy check to measure its marginal security contribution and escalation load.
- Performance evaluation measures per-transaction latencies for policy evaluation, signing, and HKDF derivation against an unconstrained baseline.
- Datasets: no user datasets are published; the paper specifies synthetic/controlled experiments and measurement frameworks rather than deployed field data.
Implications for AI Economics
- Practical delegation with human economic sovereignty: AESP provides a concrete mechanism to let agents act at machine speed while limiting unilateral economic power, addressing a central barrier to delegating real economic tasks (payments, subscriptions, escrow).
- Risk reduction and market effects:
- Lowers counterparty risk from agent misconduct by enforcing policy gates and requiring dual-signed commitments—this can reduce risk premia and increase adoption of agent-mediated commerce.
- Privacy measures reduce on-chain linkability without complex ZK/mixing primitives, improving fungibility and reducing surveillance costs for delegated flows.
- Operational trade-offs:
- Security vs. friction: deterministic policy checks and escalation reduce attack surface but can create false positives and human review load; the paper formalizes measuring that burden and aims for single-digit % false positives.
- Latency and throughput: targeted overheads (hundreds of ms per tx) keep agent workflows responsive; however, cumulative effects and scaling of human review in high-volume scenarios remain operational considerations.
- Ecosystem and composability:
- Settlement-layer agnostic design enables use across DeFi, custodial vaults, and permissioned ledgers, helping agents interact in existing financial rails.
- Interoperability via MCP and A2A fosters integration with existing agent frameworks and tooling, enabling a broader agent economy under human control.
- Limitations and adoption risks:
- Guarantees hinge on DA1 (host enforcement of mandatory policy mediation) and secure cryptographic module deployments; if these are not enforced, agents can bypass controls.
- Side-channel and consolidation-pattern leakage: HKDF-derived addresses reduce direct linking, but consolidation behaviors can still leak information unless carefully randomized and operationalized.
- Usability and human factors: biometric escalation and progressive validation can create friction; UX design and escalation policies will determine practical adoption.
- Strategic implications:
- By curbing agent sovereignty while preserving automation, AESP can broaden institutional and retail willingness to delegate financial tasks to agents, enabling new agent-mediated markets (agent marketplaces, delegated subscription managers, automated escrow services) while maintaining human accountability.
- The protocol also frames clear empirical questions (H1, H2) whose validation will determine practical adoption—particularly the balance of false positives, reviewer burden, and end-to-end latency in real deployments.
Summary judgment: AESP is a concrete, implemented proposal that translates conceptual AI delegation requirements into an actionable protocol stack combining deterministic policy gates, human escalation, cryptographic commitments, and derivation-based privacy. Its practical value to AI economics depends on secure host enforcement of policy mediation, empirical validation of the claimed low false-positive and latency costs, and operational UX for human review at scale.
Assessment
Claims (11)
| Claim | Direction | Outcome | Confidence & Evidence | Details |
|---|---|---|---|---|
| The Agent Economic Sovereignty Protocol (AESP) is a layered protocol that lets agents transact autonomously at machine speed on crypto-native infrastructure while remaining cryptographically bound to human-defined governance boundaries. Governance And Regulation | positive | agent transaction autonomy (throughput/latency) and cryptographic binding to governance boundaries |
Reading fidelity
medium
Study strength
low
|
not reported
|
| AESP enforces the invariant that agents are economically capable but never economically sovereign. Governance And Regulation | positive | degree of agent economic capability versus agent economic sovereignty (policy/authorization constraints) |
Reading fidelity
medium
Study strength
low
|
not reported
|
| AESP includes a deterministic eight-check policy engine with tiered escalation. Governance And Regulation | positive | policy checks applied per transaction (count = eight) and escalation tiering behavior |
Reading fidelity
high
Study strength
low
|
eight checks
|
| AESP provides human-in-the-loop review with automatic, explicit, and biometric tiers. Governance And Regulation | positive | presence and functioning of human-review pathways (automatic/explicit/biometric) for transactions |
Reading fidelity
high
Study strength
low
|
not reported
|
| AESP uses EIP-712 dual-signed commitments with escrow to bind agent actions to human consent. Governance And Regulation | positive | use of EIP-712 dual signatures and escrow status for commitments |
Reading fidelity
high
Study strength
low
|
not reported
|
| AESP employs HKDF-based context-isolated privacy with batched consolidation. Governance And Regulation | positive | context isolation achieved via HKDF and effects of batched consolidation on privacy and throughput |
Reading fidelity
high
Study strength
low
|
not reported
|
| AESP is built on an ACE-GF-based cryptographic substrate. Governance And Regulation | positive | cryptographic primitives/substrate used (ACE-GF) |
Reading fidelity
high
Study strength
low
|
not reported
|
| The paper formalizes two testable hypotheses on security coverage and latency overhead. Governance And Regulation | null_result | security coverage and latency overhead (hypothesized measures) |
Reading fidelity
high
Study strength
low
|
two hypotheses (security coverage; latency overhead)
|
| A complete evaluation methodology is specified, including baselines and an ablation design. Research Productivity | null_result | evaluation methodology completeness (presence of baselines and ablation plan) |
Reading fidelity
high
Study strength
low
|
not reported
|
| AESP is implemented as an open-source TypeScript SDK with 208 tests and ten modules. Other | positive | SDK test count (208) and module count (10) |
Reading fidelity
high
Study strength
low
|
not reported
|
| The SDK provides interoperability via MCP and A2A. Other | positive | interoperability support for MCP and A2A protocols |
Reading fidelity
medium
Study strength
low
|
not reported
|