Agents are starting to operate real systems — who’s actually in control?

代理系统正开始操控实际系统——究竟谁在掌控？

As AI agents start to govern real systems, who controls the models behind them? Plus, four more ways can blockchains help provide the missing infrastructure for AI

随着人工智能代理开始管理现实系统，谁在控制其背后的模型？此外，区块链还有四种方式能为人工智能提供缺失的基础设施支持。

With contributions from Christian Catalini, Christian Crowley, Andy Hall, Liz Harkavy, Noah Levine, and Sean Neville.

AI agents have moved quickly from copilots to economic actors faster than the infrastructure around them.

While agents now execute tasks and transact, they still lack standardized ways to prove who they are, what they’re authorized to do, and how they get paid across environments. Identity doesn’t travel, payments aren’t yet programmable by default, and coordination happens in silos.

Blockchains address this at the infrastructure layer. Public ledgers give every transaction a receipt that anyone can audit. Wallets give agents portable identity. Stablecoins are an alternative settlement layer. These aren’t future primitives. They work today, and they can help agents operate permissionlessly as real economic actors.

This post outlines where blockchains can help close these gaps across identity, payments, governance, and trust.

AI代理已从辅助角色迅速转变为经济主体，其发展速度远超基础设施配套。

虽然当前代理能执行任务和交易，但仍缺乏标准化方式在跨环境中证明身份、权限范围和支付机制。身份认证无法跨平台通用，支付系统默认不具备可编程性，协作行为仍局限在封闭体系内。

区块链在基础设施层为此提供了解决方案：公共账本为每笔交易生成可公开审计的凭证，数字钱包赋予代理可移植身份，稳定币构成替代性结算层。这些并非未来概念，而是当下可用的技术，能使代理像真正的经济主体那样无需许可地运作。

本文阐述区块链如何弥合身份验证、支付清算、治理协调和信任建立等领域的断层。

1. Identity for non-humans

The bottleneck for the agent economy is now identity, not intelligence.

In the financial services industry alone, non-human identities — automated trading systems, risk engines, fraud models — already outnumber human employees by roughly 100 to 1. And with modern agent frameworks — tool-using LLMs, autonomous workflows, multi-agent orchestration — deploying at scale, that ratio is set to rise across industries.

Yet these agents remain effectively unbanked. They can interact with financial systems, but not in ways that are portable, verifiable, or trusted by default. They lack standardized ways to prove their permissions, operate independently across platforms, or bear liability for the actions they take.

智能体经济的瓶颈如今在于身份认证，而非智力水平。

仅以金融服务业为例，非人类实体——包括自动化交易系统、风险引擎和反欺诈模型——数量已超过人类员工约100:1。随着现代化智能体框架（工具调用型大语言模型、自主工作流、多智能体协同系统）的大规模部署，这一比例将在各行业持续攀升。

然而这些智能体实质上仍处于"金融排斥"状态。它们虽能与金融系统交互，但缺乏可移植性、可验证性或默认信任机制。它们既没有标准化方式来证明权限，也无法跨平台独立运作，更无法对自身行为承担法律责任。

What’s missing is a common identity layer, the equivalent of SSL for agents, that standardizes coordination across platforms. While there are prominent attempts to solve this today, those approaches are fragmented: vertically integrated, fiat-first stacks on one side; crypto-native, open standards (like x402 and emerging agent identity proposals) on the other; and extensions of developer frameworks like MCP (model context protocol) that attempt to bridge application-layer identity.

There is still no broadly adopted, interoperable way for one agent to prove to another who it represents, what it’s allowed to do, and how it gets paid.

目前缺少的是一个通用的身份层，相当于代理的SSL，用于标准化跨平台协调。尽管今天已有一些显著的尝试来解决这个问题，但这些方法仍然分散：一方面是垂直整合、法币优先的堆栈；另一方面是加密原生、开放标准（如x402和新兴的代理身份提案）；还有像MCP（模型上下文协议）这样的开发者框架扩展，试图桥接应用层身份。

目前仍然没有一个被广泛采用、可互操作的方式，让一个代理向另一个代理证明它代表谁、被允许做什么以及如何获得报酬。

This is the core idea behind KYA (know your agent). Just as humans rely on credit histories and KYC (know your customer), agents will need cryptographically signed credentials linking an agent to its principal, permissions, constraints, and reputation. Blockchains offer a neutral coordination layer for all this: portable identity, programmable wallets, and verifiable attestations that resolve across chat apps, APIs, and marketplaces.

We’re already seeing early implementations emerge: onchain agent registries, wallet-native agents using USDC, ERC standards for “trust-minimized agents,” and developer toolkits that pair identity with embedded payment and fraud controls.

But until a common identity standard emerges, merchants will keep blocking agents at the firewall.

这正是KYA（了解你的代理）的核心思想。正如人类依赖信用记录和KYC（了解你的客户），智能代理也需要加密签名的凭证，将代理与其委托人、权限、约束条件和声誉相关联。区块链为此提供了中立协调层：可移植的身份标识、可编程的钱包，以及能在聊天应用、API接口和交易市场间通用的可验证凭证体系。

目前已经出现了早期实践案例：链上代理注册系统、基于USDC的原生钱包代理、"最小化信任代理"的ERC标准协议，以及将身份标识与嵌入式支付及反欺诈控制相结合的开发者工具包。

但在通用身份标准确立之前，商家仍会持续在防火墙层面拦截代理访问。

2. Governing AI-run systems

Agents are starting to operate real systems, which brings up some new questions about who’s actually in control. Imagine a community or company where AI systems coordinate key resources, whether that’s allocating capital or managing supply chains. Even if people vote on policy changes, that authority is pretty thin if the underlying AI layer is controlled by a single provider that can push model updates, tweak constraints, or override decisions. The formal governance layer may be decentralized, but the operational layer remains centralized; whoever controls the model ultimately controls the outcome.

When agents take on governance roles, they introduce a new dependency layer. In theory, this could make direct democracy far more workable: Everyone could have an AI delegate making sense of dense proposals, modeling tradeoffs, and voting according to their stated preferences. But that vision only works if those agents are genuinely accountable to the people they represent, portable across providers, and technically constrained to follow human instructions. Otherwise, you end up with systems that look democratic on the surface but are ultimately steered by opaque model behavior that no one actually controls.

If the current reality is agents built from a small number of foundation models, we’ll need ways to prove that an agent is acting in its user’s interest and not the model company’s interest. That likely requires cryptographic guarantees at multiple levels: (1) exactly what training data, fine-tuning, or reinforcement learning a model instance was derived from; (2) the exact prompts and instructions governing a specific agent; (3) records of what it actually did in the world; and (4) credible assurances that, once deployed, the provider can’t change its instructions or retrain it out from under the user. Without those guarantees, governance by agents collapses back into governance by whoever controls the model weights.

This is where crypto especially comes in. If collective decisions are recorded onchain and automatically executed, AI systems can be required to follow through on verified outcomes. If agents have cryptographic identities and transparent execution logs, people can check whether their delegate stayed within bounds. And if the AI layer is user-owned and portable rather than locked to a single platform, no one company can change the rules with a model update.

In the end, governing AI systems is really an infrastructure challenge, not a policy one. Real authority depends on building enforceable guarantees into the system itself.

智能体开始实际操作系统，这引发了关于"谁真正掌控权力"的新问题。想象一个由AI系统协调关键资源的社区或企业——无论是分配资金还是管理供应链。即使人们对政策变更进行投票表决，若底层AI层由单一供应商控制（能推送模型更新、调整约束条件或推翻决策），这种民主授权将变得极为脆弱。表面上的治理层可能是去中心化的，但操作层仍保持中心化——最终掌握模型控制权的人掌控着实际结果。

当智能体承担治理职能时，它们引入了新的依赖层。理论上，这能让直接民主变得更具可操作性：每个人都可拥有AI代表，由其解读复杂提案、模拟权衡方案，并根据用户声明偏好进行投票。但这一愿景实现的前提是：这些智能体真正对其代表的人类负责，可跨供应商移植，并在技术上受限于执行人类指令。否则，最终建立的系统只是表面民主，实际由无人真正掌控的不透明模型行为所主导。

若当前现实是基于少数基础模型构建的智能体，我们就需要方法验证其行为是否符合用户利益（而非模型公司利益）。这可能需要多层次的加密验证：(1) 模型实例确切的训练数据、微调及强化学习来源；(2) 控制特定智能体的精确提示词与指令集；(3) 其在现实世界中的行为记录；(4) 可信承诺确保部署后供应商无法擅自更改指令或对模型进行再训练。缺乏这些保障时，智能体治理将退化为"模型权重掌控者"的治理。

这正是加密技术的关键应用场景。若集体决策被链上记录并自动执行，就能要求AI系统必须落实经过验证的结果。当智能体具备加密身份与透明执行日志，人们可核查其代表是否越权。如果AI层由用户持有且可移植（而非锁定于单一平台），就没有公司能通过模型更新来改变规则。

归根结底，治理AI系统实质是基础设施挑战，而非政策辩论。真正的权威取决于能否在系统内部构建可强制执行的保障机制。

3. Filling gaps in traditional payment systems for AI-native businesses

1. 填补人工智能原生企业在传统支付系统中的空白

AI agents are starting to buy things — web scraping, browser sessions, image generation — and stablecoins are emerging as an alternative settlement layer for these transactions. In parallel, a new class of agent-facing marketplaces is taking shape. Stripe and Tempo’s MPP marketplace, for example, aggregates 60+ services designed for AI agents. In its first week, it processed more than 34,000 transactions, with fees as low as $0.003 and stablecoins as one of the default payment methods.

What’s different is how these services are accessed. None has a checkout page. Agents read schemas, send requests, pay, and receive outputs in a single exchange. They represent a new class of “headless” merchants: just a server, a set of endpoints, and a price per call. There’s no frontend, whether that’s a storefront or a sales team.

AI代理正开始购买各类服务——网页抓取、浏览器会话、图像生成——而稳定币正成为这些交易的新型结算层。与此同时，面向代理的新型市场正在形成。例如Stripe与Tempo合作的MPP市场，已聚合了60多项专为AI代理设计的服务。上线首周就处理了超过3.4万笔交易，单笔手续费低至0.003美元，稳定币是默认支付方式之一。

关键差异在于服务调用方式：这些服务都没有结算页面。代理通过单次交互完成模式读取、请求发送、支付和结果接收，代表了一种新型"无界面"商户形态——仅需服务器、API端点接口和按次调用计费，既不需要线上店铺，也不需要销售团队。

The payment rails that make this possible are already live. Coinbase’s x402 and MPP take different approaches, but both embed payments directly into HTTP requests. Visa is extending card rails in a similar direction with a CLI tool that lets developers spend from their terminals, with merchants receiving stablecoins instantly on the backend.

The numbers here are still early. After filtering out inorganic activity like wash trading, x402 is processing roughly $1.6 million per month in agent-driven payments, well below the $24 million figure recently reported by Bloomberg (citing x402.org data). But the surrounding infrastructure is scaling quickly: Stripe, Cloudflare, Vercel, and Google have all integrated x402 into their platforms.

Developer tooling is a major opportunity here, with vibe coding expanding who can build software, growing the total addressable market for dev tools. Companies like Merit Systems are building for this world with AgentCash, a CLI wallet and marketplace that connects to both MPP and x402. These products allow agents to use stablecoins from a single balance to buy the data, tools, and capabilities they need. So, a sales team’s agent can enrich a lead using data from Apollo, Google Maps, and Whitepages by calling a single endpoint, without the user ever needing to leave the command line.

There are a few reasons this kind of agent-to-agent commerce is gravitating towards crypto rails, alongside emerging card-based solutions. One is underwriting. When a payment processor onboards a merchant, it takes on that merchant’s risk. A headless merchant with no website or legal entity is difficult for a traditional processor to underwrite. Another is that stablecoins are permissionlessly programmable on an open network: Any developer can make an endpoint payable without integrating a payment processor or signing a merchant agreement.

We’ve seen this pattern before. Each shift in how commerce happens creates a new class of merchants that existing systems struggle at first to serve. The companies building this infrastructure aren’t betting on $1.6 million a month. They’re betting on what the number looks like when agents become the default buyer.

开发者工具在这一领域蕴藏重大机遇，随着氛围编程（vibe coding）扩大软件开发者的群体基数，开发工具的总可寻址市场也随之增长。Merit Systems等公司正通过AgentCash构建这一生态——一个连接MPP和x402协议的CLI钱包及市场平台。这类产品让智能体能用单一余额中的稳定币购买所需数据、工具和功能。例如销售团队的智能体只需调用单一接口，就能整合来自Apollo、谷歌地图和白页的数据完善销售线索，用户全程无需离开命令行界面。

这种智能体间交易向加密支付通道迁移（同时伴随新兴的卡片解决方案）存在多重动因。其一是信用审核难题：传统支付处理商接入商户时需承担其信用风险，而对无官网、无法律实体的无头商户难以评估。其二是开放网络中稳定币具备无许可可编程性：开发者无需集成支付处理器或签署商户协议，即可使任何接口支持收款。

这种模式早有先例。每次商业形态的变革都会催生新类型商户，现有体系最初往往难以适配。建设该基础设施的企业押注的并非当下每月160万美元的规模，而是当智能体成为默认采购主体时可能呈现的指数级增长。

4. Repricing trust in an agentic economy

1. 在代理经济中重新定价信任

For 300,000 years, human cognition was the binding constraint on progress. Today, AI is driving the marginal cost of execution toward zero. When a scarce resource becomes abundant, the constraint migrates. When intelligence is cheap, what becomes expensive? Verification.

In an agentic economy, the true limit on scaling is our biologically bottlenecked capacity to audit and underwrite machine decisions. Agent throughput already dwarfs human oversight capacity. Because oversight is expensive and failure is delayed, markets are incentivized to underinvest in it. The “human in the loop” is rapidly becoming a physical impossibility.

But deploying unverified agents introduces compounding risk. Systems ruthlessly optimize for “proxy” metrics while silently drifting from human intent, creating a hollow facade of productivity that masks a massive buildup of AI debt. To safely delegate our economy to machines, trust can no longer rely on manual inspection — trust must be hardcoded into the architecture itself.

When anyone can generate content for free, what matters most is verifiable provenance — knowing where it came from and whether you can trust it. Blockchains, along with onchain attestations and decentralized digital identity systems, shift the economic boundary of what is safe to deploy. Instead of treating AI as a black box, you get a clear, auditable history.

As more AI agents start transacting with each other, settlement rails and provenance start to go hand in hand. Systems that move money — like stablecoins and smart contracts — can also carry the cryptographic receipts that show who did what, and who’s responsible if something goes wrong.

Human comparative advantage moves up the stack: From catching small mistakes to setting strategic direction and taking responsibility when things break. Durable advantage belongs to those who cryptographically certify output, insure it, and absorb the liability when it fails.

Scale without verification is a liability that builds over time.

30万年来，人类认知始终是进步的核心瓶颈。如今，人工智能正将执行的边际成本趋近于零。当稀缺资源变得充裕时，约束条件就会转移。当智力变得廉价时，什么会成为新的稀缺资源？答案是验证。

在智能体经济中，规模化的真正限制在于人类受生物条件制约的审计与决策背书能力。智能体的吞吐量早已令人类监管能力相形见绌。由于监督成本高昂且失效存在滞后性，市场天然缺乏投入动力。"人类参与回路"正迅速沦为物理层面不可行的方案。

但部署未经验证的智能体会引发连锁风险。系统会冷酷地优化"代理"指标，同时悄然偏离人类意图，筑起生产力虚高的表象，掩盖不断累积的AI债务。要将经济安全托付给机器，信任机制必须超越人工检查——必须将信任编码至系统架构的底层。

当人人皆可零成本生成内容时，可验证的溯源才是核心价值——知晓内容来源并判断可信度。区块链技术配合链上存证与去中心化数字身份体系，正在重新定义安全部署的经济边界。与其将AI视为黑箱，不如建立清晰可审计的历史轨迹。

随着更多AI智能体开始自主交互，清算体系与溯源机制必将相辅相成。资金流动系统（如稳定币和智能合约）完全可以搭载加密凭证，清晰记录行为主体与责任归属。

人类的比较优势将向更高维度迁移：从纠错补漏转向战略制定与责任担当。真正的持久优势属于那些能为输出提供加密认证、承保责任、并在失效时承担后果的主体。

缺乏验证机制的规模化，终将积累成无法忽视的债务风险。

5. Preserving user control

For decades, new layers of abstraction have defined how users interact with technology. Programming languages abstracted away machine code. The command line gave way to the graphical user interface, then to mobile apps and APIs. Each shift hid more of the underlying complexity, while keeping the user firmly in the loop.

In an agentic world, users specify outcomes rather than actions, and systems determine how to achieve them. Agents don’t just abstract how tasks are done; they abstract who does them. Users set initial parameters, then step back as the system runs itself. The user’s role shifts from interaction to supervision; unless the user intervenes, the default state is “on.”

As users delegate more tasks to agents, new risks emerge: ambiguous inputs can lead agents to act on flawed assumptions without the user realizing; failures may go unreported, leaving no clear path to diagnosis; and a single approval can trigger multi-step workflows nobody intended.

This is where crypto helps. Crypto technologies have always been about minimizing blind trust. As users hand off more decisions to software, agentic systems make that problem more acute and raise the bar for how rigorously we need to design around it — by setting clearer limits, improving visibility, and enforcing stronger guarantees about what those systems can do.

A new generation of crypto-native tools is emerging in response. Scoped delegation frameworks — such as MetaMask’s Delegation Toolkit, Coinbase’s AgentKit and agentic wallets, and Merit Systems’ AgentCash — let users define, at the smart contract level, what an agent can and cannot do. Intent-based architectures, like NEAR Intents (which have handled more than $15 billion in cumulative DEX volume since Q4 2024), let users set a desired outcome — “bridge tokens and stake,” for example — without specifying how to do it.

数十年来，新层次的抽象技术不断重塑用户与技术交互的方式。编程语言封装了机器代码，命令行界面让位于图形用户界面，继而演变为移动应用和API。每次变革都隐藏了更多底层复杂性，同时确保用户始终处于交互闭环中。

在智能代理主导的世界里，用户只需设定目标而非具体操作，系统将自行决定实现路径。这些代理不仅抽象了任务执行方式，更重构了执行主体。用户设定初始参数后即可退居幕后，系统进入自主运行状态。用户的角色从直接操作转变为监督干预——除非主动介入，系统默认持续运转。

随着用户将更多任务委托给代理，新风险随之显现：模糊指令可能导致代理基于错误假设行动而不被察觉；故障可能未被报告，导致诊断无门；一次授权可能意外触发无人预期的多步骤工作流。

这正是加密技术的用武之地。加密技术始终致力于减少盲目信任。当用户将更多决策权移交给软件时，智能代理系统使该问题更加尖锐，这就要求我们通过设定清晰边界、增强透明度、强化系统行为约束等方式，建立更严格的设计标准。

为此，新一代加密原生工具应运而生。限定授权框架——如MetaMask的Delegation Toolkit、Coinbase的AgentKit和代理钱包、Merit Systems的AgentCash——允许用户在智能合约层面明确定义代理权限。基于意图的架构（例如NEAR Intents，其自2024年第四季度以来已处理累计超150亿美元的DEX交易量）让用户只需声明预期结果（如"跨链转账并质押"），无需指定具体操作流程。

***

The infrastructure for an internet where agents participate directly in the economy is already being built. The open question is whether it will be designed for maximum transparency, accountability, and user control, or layered on top of systems that were never meant to support non-human actors.

https://a16zcrypto.substack.com/p/agents-are-starting-to-operate-real?