The Commonplace
Home Papers Evidence Explore Trends Syntheses Digests About 🎲 Workforce Futures
← Papers
Direction, evidence grade, and study type are AI-generated labels (gpt-5-mini), not human-verified. Syntheses are LLM-written. "Tensions" are machine-detected candidates, not confirmed contradictions. A research-acceleration tool, not peer review. How this is built →

AESP lets AI agents transact at machine speed on crypto rails while preventing them from gaining unilateral control over funds by combining deterministic policy checks, tiered human review, cryptographic dual-signing and escrow, context-isolated privacy, and a hardened crypto substrate; the protocol is released as an open-source TypeScript SDK with a formal evaluation plan but lacks field validation.

AESP: A Human-Sovereign Economic Protocol for AI Agents with Privacy-Preserving Settlement
Jian Wang · Fetched March 15, 2026
semantic_scholar descriptive low evidence 7/10 relevance Full text usable extracted full text Source PDF
AESP is a layered crypto-native protocol and open-source SDK that enables autonomous AI agent transactions while cryptographically and procedurally ensuring agents cannot unilaterally obtain economic sovereignty over human assets.

As AI agents increasingly perform economic tasks on behalf of humans, a fundamental tension arises between agent autonomy and human control over financial assets. We present the Agent Economic Sovereignty Protocol (AESP), a layered protocol in which agents transact autonomously at machine speed on crypto-native infrastructure while remaining cryptographically bound to human-defined governance boundaries. AESP enforces the invariant that agents are economically capable but never economically sovereign through five mechanisms: (1) a deterministic eight-check policy engine with tiered escalation; (2) human-in-the-loop review with automatic, explicit, and biometric tiers; (3) EIP-712 dual-signed commitments with escrow; (4) HKDF-based context-isolated privacy with batched consolidation; and (5) an ACE-GF-based cryptographic substrate. We formalize two testable hypotheses on security coverage and latency overhead, and specify a complete evaluation methodology with baselines and ablation design. The protocol is implemented as an open-source TypeScript SDK (208 tests, ten modules) with interoperability via MCP and A2A.

Summary

Main Finding

AESP (Agent Economic Sovereignty Protocol) specifies and implements a layered protocol that lets AI agents transact autonomously on crypto-native rails while cryptographically binding them to human-defined governance. It enforces the invariant “agents are economically capable but never economically sovereign” via five coordinated mechanisms (deterministic eight-check policy gate, tiered human-in-the-loop review, EIP‑712 dual-signed commitments with escrow, HKDF context-isolated ephemeral addresses, and an ACE‑GF cryptographic substrate). The paper supplies a formal specification, an open‑source TypeScript SDK + Rust/WASM crypto module, and a falsifiable evaluation plan (two hypotheses: H1 on security coverage, H2 on latency).

Key Points

  • Core design invariant: enable machine-speed agent action but keep ultimate economic authority with the human principal (Digital Sovereign Entity, DSE).
  • Five enforcement mechanisms:
  • Policy-gated execution: deterministic sequence of eight checks per transaction (per-transaction limit, time window, address allowlist, chain allowlist, method allowlist, first-payment review, minimum balance, budget limits).
  • Human-in-the-loop escalation: three approval tiers (auto, explicit review, biometric confirmation) with review queue and priority/expiration semantics.
  • Cryptographic commitments: EIP‑712 typed-data dual-signatures between counterparties; optional on-chain escrow to prevent unilateral change or repudiation.
  • Privacy-by-derivation: HKDF-based context-separated ephemeral addresses (REV32) per transaction to reduce on-chain linkability; consolidation performed with Fisher‑Yates shuffling and ±30% timing jitter.
  • ACE‑GF crypto substrate: Rust implementation with WASM/FFI bindings providing multi-curve signing (Ed25519, secp256k1, ML‑DSA‑44), Argon2id→HKDF derivation, authenticated encryption, and context-isolated address creation.
  • Threat model and assumptions:
    • Adversaries: A1 compromised agent runtime, A2 malicious counterparty, A3 passive on‑chain observer.
    • Critical deployment assumption DA1: mandatory policy mediation—signing API must be reachable only through the PolicyEngine/SDK; if DA1 is violated the main guarantees break.
    • Key isolation and zeroization are assumed within the cryptographic module; modifying binaries or host compromises defeat guarantees.
  • Implementation and artifacts:
    • Open-source repository and TypeScript SDK + Rust/WASM module.
    • Test coverage: 208 tests across ten modules (identity, policy, negotiation, commitments, review, MCP tools, A2A cards, crypto primitives, privacy).
    • Interoperability: exposes operations as MCP tools and A2A agent cards.
  • Evaluation plan:
    • Two explicit, falsifiable hypotheses:
      • H1 (Security): eight‑check gate blocks most unauthorized transactions while keeping false positives in single-digit %; escalation cost measured separately as review load.
      • H2 (Efficiency): end-to-end latency overhead (policy eval + signing + HKDF) is on the order of a few hundred milliseconds per transaction and does not materially reduce transaction completion vs an unconstrained baseline.
    • Experimental design: four baselines of increasing restrictiveness, per-check ablation studies, unlinkability security game, latency and false positive measurements, and operational metrics for escalations.

Data & Methods

  • Formal specification:
    • Definitions for agent identity (derived from master mnemonic via ACE‑GF; id(Ai)=SHA‑256(pk(Ai))), policy evaluation algorithm, negotiation FSM, commitment lifecycle (7 states), and review escalation flows.
  • Cryptography and derivation:
    • Use of EIP‑712 typed data for commitments; SHA‑256 hashes for commitment digests.
    • HKDF domain separation with context labels (agent ID, direction, sequence, tx ID) for ephemeral address derivation; Argon2id used as preimage work factor before HKDF where applicable.
    • ACE‑GF provides signing (Ed25519, secp256k1, X25519), AES‑GCM, Argon2id→HKDF flows, context-isolated REV32 addresses, and optional ML‑DSA‑44 (post‑quantum).
  • Implementation:
    • TypeScript SDK wraps policy engine, ReviewManager, CommitmentBuilder, MCP/A2A bridges; the cryptographic core is Rust compiled to WASM (and native FFI).
    • Runtime isolation patterns: WASM in a dedicated Web Worker (or worker_threads/subprocess in Node) exposing only high-level operations; raw mnemonic passed once at init and never returned.
  • Testing and evaluation methodology:
    • 208 unit/integration tests across modules.
    • Security evaluation includes an unlinkability game against an on-chain observer to quantify address correlation risk and ablation studies removing each policy check to measure its marginal security contribution and escalation load.
    • Performance evaluation measures per-transaction latencies for policy evaluation, signing, and HKDF derivation against an unconstrained baseline.
  • Datasets: no user datasets are published; the paper specifies synthetic/controlled experiments and measurement frameworks rather than deployed field data.

Implications for AI Economics

  • Practical delegation with human economic sovereignty: AESP provides a concrete mechanism to let agents act at machine speed while limiting unilateral economic power, addressing a central barrier to delegating real economic tasks (payments, subscriptions, escrow).
  • Risk reduction and market effects:
    • Lowers counterparty risk from agent misconduct by enforcing policy gates and requiring dual-signed commitments—this can reduce risk premia and increase adoption of agent-mediated commerce.
    • Privacy measures reduce on-chain linkability without complex ZK/mixing primitives, improving fungibility and reducing surveillance costs for delegated flows.
  • Operational trade-offs:
    • Security vs. friction: deterministic policy checks and escalation reduce attack surface but can create false positives and human review load; the paper formalizes measuring that burden and aims for single-digit % false positives.
    • Latency and throughput: targeted overheads (hundreds of ms per tx) keep agent workflows responsive; however, cumulative effects and scaling of human review in high-volume scenarios remain operational considerations.
  • Ecosystem and composability:
    • Settlement-layer agnostic design enables use across DeFi, custodial vaults, and permissioned ledgers, helping agents interact in existing financial rails.
    • Interoperability via MCP and A2A fosters integration with existing agent frameworks and tooling, enabling a broader agent economy under human control.
  • Limitations and adoption risks:
    • Guarantees hinge on DA1 (host enforcement of mandatory policy mediation) and secure cryptographic module deployments; if these are not enforced, agents can bypass controls.
    • Side-channel and consolidation-pattern leakage: HKDF-derived addresses reduce direct linking, but consolidation behaviors can still leak information unless carefully randomized and operationalized.
    • Usability and human factors: biometric escalation and progressive validation can create friction; UX design and escalation policies will determine practical adoption.
  • Strategic implications:
    • By curbing agent sovereignty while preserving automation, AESP can broaden institutional and retail willingness to delegate financial tasks to agents, enabling new agent-mediated markets (agent marketplaces, delegated subscription managers, automated escrow services) while maintaining human accountability.
    • The protocol also frames clear empirical questions (H1, H2) whose validation will determine practical adoption—particularly the balance of false positives, reviewer burden, and end-to-end latency in real deployments.

Summary judgment: AESP is a concrete, implemented proposal that translates conceptual AI delegation requirements into an actionable protocol stack combining deterministic policy gates, human escalation, cryptographic commitments, and derivation-based privacy. Its practical value to AI economics depends on secure host enforcement of policy mediation, empirical validation of the claimed low false-positive and latency costs, and operational UX for human review at scale.

Assessment

Paper Typedescriptive Evidence Strengthlow — The paper presents a well-specified protocol, an open-source implementation, and a formal evaluation plan, but it does not report empirical or field results demonstrating the protocol's effectiveness against real-world attacks, deployments, or user workloads; claims about preventing 'economic sovereignty' remain unvalidated outside unit tests and planned experiments. Methods Rigormedium — Design and methodology are systematic: the protocol enumerates deterministic policy checks, a tiered human-review model, cryptographic bindings (EIP-712, HKDF, ACE-GF), and a clear set of testable hypotheses with baselines and ablation studies; the implementation includes a sizable test suite (208 tests). However, the work lacks formal security proofs, adversarial/penetration testing results, user studies, and real-market measurements that would raise rigor to high. SampleNo field sample or observational dataset; implementation-level artifacts only: an open-source TypeScript SDK (ten modules) with 208 automated tests and interoperability checks across MCP and A2A interfaces; evaluation plan proposes experiments comparing unconstrained agent transactions and alternative governance patterns, plus ablation studies, but no executed empirical data or deployments are reported. Themesgovernance adoption human_ai_collab org_design GeneralizabilityDesigned for crypto-native rails (EIP-712, on-chain escrows); applicability to non-blockchain payment systems is untested, Relies on specific cryptographic choices (ACE-GF, HKDF); portability to other crypto stacks or ledger designs may require redesign, Assumes available and prompt human reviewers; not generalizable to fully latency-sensitive or offline environments, Security claims untested against sophisticated/adaptive adversaries or large-scale financial markets, Regulatory, custody, and institutional integration constraints across jurisdictions could limit real-world adoption

Claims (11)

ClaimDirectionOutcomeConfidence & EvidenceDetails
The Agent Economic Sovereignty Protocol (AESP) is a layered protocol that lets agents transact autonomously at machine speed on crypto-native infrastructure while remaining cryptographically bound to human-defined governance boundaries. Governance And Regulation positive agent transaction autonomy (throughput/latency) and cryptographic binding to governance boundaries
Reading fidelity medium
Study strength low
not reported
0.05
AESP enforces the invariant that agents are economically capable but never economically sovereign. Governance And Regulation positive degree of agent economic capability versus agent economic sovereignty (policy/authorization constraints)
Reading fidelity medium
Study strength low
not reported
0.05
AESP includes a deterministic eight-check policy engine with tiered escalation. Governance And Regulation positive policy checks applied per transaction (count = eight) and escalation tiering behavior
Reading fidelity high
Study strength low
eight checks
0.09
AESP provides human-in-the-loop review with automatic, explicit, and biometric tiers. Governance And Regulation positive presence and functioning of human-review pathways (automatic/explicit/biometric) for transactions
Reading fidelity high
Study strength low
not reported
0.09
AESP uses EIP-712 dual-signed commitments with escrow to bind agent actions to human consent. Governance And Regulation positive use of EIP-712 dual signatures and escrow status for commitments
Reading fidelity high
Study strength low
not reported
0.09
AESP employs HKDF-based context-isolated privacy with batched consolidation. Governance And Regulation positive context isolation achieved via HKDF and effects of batched consolidation on privacy and throughput
Reading fidelity high
Study strength low
not reported
0.09
AESP is built on an ACE-GF-based cryptographic substrate. Governance And Regulation positive cryptographic primitives/substrate used (ACE-GF)
Reading fidelity high
Study strength low
not reported
0.09
The paper formalizes two testable hypotheses on security coverage and latency overhead. Governance And Regulation null_result security coverage and latency overhead (hypothesized measures)
Reading fidelity high
Study strength low
two hypotheses (security coverage; latency overhead)
0.09
A complete evaluation methodology is specified, including baselines and an ablation design. Research Productivity null_result evaluation methodology completeness (presence of baselines and ablation plan)
Reading fidelity high
Study strength low
not reported
0.09
AESP is implemented as an open-source TypeScript SDK with 208 tests and ten modules. Other positive SDK test count (208) and module count (10)
Reading fidelity high
Study strength low
not reported
0.09
The SDK provides interoperability via MCP and A2A. Other positive interoperability support for MCP and A2A protocols
Reading fidelity medium
Study strength low
not reported
0.05

Notes