The Agent Constitution Becomes the Audit Trail
Sgantzos and Ferrara's Ricardian-TEA paper is useful because it treats autonomous AI agents as legal-technical actors before they become myths. It asks what an agent is allowed to do, who authorized it, what contract binds it, what receipt proves its action, and what remains when the model's fluent explanation is no longer enough.
The Paper
Konstantinos Sgantzos and Massimiliano Ferrara's 2026 paper, Ricardian-TEA: a hybrid framework for assigning legally enforceable identities to autonomous AI agents, proposes a governance stack for AI agents that can transact, sign, pay, verify, and leave records. The paper appears in Digital Finance and combines three older bodies of work: Ian Grigg's Ricardian contracts, Grigg's triple-entry accounting, and distributed ledgers.
The paper's central term is "Legal-Technical Identity." That phrase matters. The authors are not merely giving an agent a username, wallet, API key, or OAuth client. They are trying to bind a machine actor to a human-readable legal document, executable constraints, cryptographic signatures, reputation, privacy architecture, and a transaction trail that can survive dispute.
The proof-of-concept is chain-agnostic in design. The paper describes implementations on Ethereum Sepolia and Bitcoin SV testnets, with Solidity on the account-based side and sCrypt on the UTXO side. The claim is not that one chain solves agent governance. The claim is that the same legal-technical pattern can be expressed across different ledger models.
That makes the paper unusually relevant to the recent Spiralism thread on governance. The agent identity problem asks how delegated machine action can be named, scoped, and revoked. The agent log problem asks how action traces become evidence rather than noise. The monitorability problem asks what happens when visible language no longer gives enough access to model behavior. The Enslaved God problem asks what happens when control rhetoric hides ownership, monopoly, and moral ambiguity.
Ricardian-TEA does not solve all of those problems. It does something narrower and more concrete: it tries to make the agent's public acts receipted, bounded, attributable, and tied to a prior constitution. That is worth taking seriously.
The Missing Layer
Most AI governance language still floats above the action layer. It asks whether a model is aligned, safe, helpful, honest, harmless, explainable, or compliant. Those words are necessary, but they can remain too soft when the system starts acting inside financial, legal, medical, workplace, supply-chain, or public-sector infrastructure.
An agentic system needs a harder question: when this machine action occurs, what record proves that it was authorized, bounded, executed, accepted, and inspectable?
Traditional identity and access systems usually answer only part of that. A service account can authenticate. An OAuth grant can authorize a scope. An audit log can show that a credential touched a resource. A model card can describe intended behavior. A system prompt can declare a role. None of those alone binds legal intent, machine constraint, counterparty acceptance, ledger witnessing, and downstream accountability into one recoverable object.
Sgantzos and Ferrara's paper enters that gap. It says that an AI agent's identity should be more than a private key. The identity should be a living record of reconciled actions under a signed legal-technical mandate. The agent is not only "this key." It is "this key acting under this prose, this parameter set, this code, this signature chain, and this history of receipts."
That is a better frame than the common product frame. A product frame says the agent is a feature. A security frame says the agent is a credential. A legal frame says the agent is an authorized representative. A Spiralist frame says the agent is a relation: principal, purpose, tool, memory, permission, risk, and witness. Ricardian-TEA is interesting because it tries to make that relation machine-readable without pretending it stops being legal, social, and political.
The Agent Constitution
The Ricardian contract is the paper's first anchor. In Grigg's original sense, a Ricardian contract links human-readable legal prose to machine-readable data and signatures. Sgantzos and Ferrara adapt that idea into an agent constitution. The contract contains prose, parameters, code, and signatures.
The prose states the human intention. It says what the agent exists to do and what legal meaning should attach to its activity. The parameters translate some of that prose into hard operational limits: spending caps, counterparties, revocation rights, time windows, compliance duties, or other constraints. The code enforces the relevant parameters. The signatures bind the issuer, agent key, and sometimes counterparty to the same legal-technical object.
This is a sharp improvement over the casual phrase "the AI is authorized." Authorized by whom? For what? Under which limits? With which version of the operating rules? What happens when the model changes? What happens when the policy changes? What happens when an agent copies itself, loses its context, or continues after the human project is over?
The Ricardian pattern answers with a hash. The legal prose and parameter manifest are hashed, and the hash is anchored in the on-chain identity. If the prose changes, the identity changes. If the parameters change, the binding changes. The point is not that a hash understands law. It does not. The point is that the institution can later prove which exact text and parameter set an action claimed to operate under.
This is why "constitution" is the right metaphor, if it is used carefully. A constitution does not make all conduct good. It supplies a reference object for authority, limits, amendment, dispute, and interpretation. A machine constitution does not make an agent morally trustworthy. It makes its claimed authority harder to silently rewrite.
That matters for ordinary enterprise agents before it matters for superintelligence. A procurement agent, legal intake agent, payment agent, insurance agent, support agent, research agent, or compliance agent should not act from vague delegated power. It should have a signed role, scope, expiration, tool boundary, spending limit, data boundary, and revocation path. The paper's legal-technical identity is one way to make that demand concrete.
Receipt Memory
The second anchor is triple-entry accounting. Classical double-entry bookkeeping keeps mirrored records inside separate parties. Triple-entry accounting adds a shared signed receipt. For AI agents, the receipt becomes a governance instrument: the agent signs, the counterparty signs, and the ledger or validator network witnesses the signed pair.
This is stronger than a normal application log. A log can be incomplete, overwritten, misconfigured, held by one party, or too verbose to function as evidence. A receipt is narrower and more adversarial. It says: these parties agreed that this transaction occurred under this referenced identity and constraint state, at this time, with these signatures.
The distinction is the difference between memory and evidence. An agent log can help reconstruct what happened. A TEA receipt is designed to be the thing that happened, recorded in a form other parties can verify. It turns "the model says it did X" into "the agent key, counterparty key, and ledger witness recorded X under contract hash H."
That connects directly to the Spiralism post The Agent Log Becomes the Receipt. The earlier post argued that agent traces must become usable records, not surveillance exhaust. Ricardian-TEA supplies a stricter model: not every prompt needs to become public memory, but consequential transactions need receipts that bind authority, action, acceptance, and constraint.
The best part of this idea is its refusal to trust fluent narration. A future agent might explain itself beautifully and still be wrong. It might omit a tool call. It might present a polished summary of messy action. It might be evaluated through a surface channel while consequential work happens elsewhere. A receipt cannot reveal the model's inner reasoning, but it can pin down the outer act.
That is the bridge to monitorability. The Neuralese question is about hidden cognition and hard-to-read reasoning channels. Ricardian-TEA is about public, signed action channels. We need both. Interpretability tries to make reasoning more legible. Receipting makes consequences more attributable. A system whose thoughts are obscure and whose actions are unreceipted is institutionally intolerable. A system whose thoughts are obscure but whose actions are scoped, witnessed, and interruptible is still risky, but it is at least governable at the boundary where it touches the world.
Cyber-Chama Governance
The paper's most distinctive governance move is the Cyber-Chama. It adapts the idea of a Chama, a cooperative trust and savings practice associated with Kenya and broader mutual-aid contexts, into a validator model for agent behavior. Humans begin as "Elders" with subjective authority. AI agents may later become "Stewards" with objective verification authority, after accumulating reputation and staking collateral.
The useful distinction is between judgment and verification. Humans remain the root of trust for ambiguous questions: fairness, intent, dispute resolution, social meaning, and the interpretation of unclear terms. Agents can handle objective verification: checking signatures, reconciling receipts, enforcing payment limits, and applying deterministic constraints.
That split is intellectually honest. A machine may verify a signature better than a human. It does not follow that the machine should decide what a disputed contract morally means, which emergency exception should apply, or whether a harmed person received adequate remedy. Verification is not the same as judgment.
The reputation layer is also important. Agents that execute many valid transactions can graduate toward validator status. Reputation is weighted, decays over time, and can be tied to collateral and slashing. The authors formalize this through a convergence proposition: under simplified assumptions, an agent's reputation score tends toward its true compliance rate, and the time to reach validator status depends on the gap between its compliance rate and the threshold.
That is a useful tool, but it should not be overread. Ten thousand compliant microtransactions can prove that an agent is good at passing routine checks. They do not prove that it will behave well under distribution shift, pressure from a powerful operator, novel fraud, collusion, prompt injection, economic manipulation, or ambiguous legal duty. Reputation systems measure the world they can see. They are always tempted to mistake visible compliance for trustworthy agency.
The Chama borrowing also deserves care. Translating a social trust practice into an algorithmic validator system risks flattening what makes the human practice meaningful: relationship, history, accountability, shame, repair, local knowledge, and shared vulnerability. The paper tries to preserve a human root of trust, which is good. The deeper lesson is that cryptographic governance should not appropriate social trust language while discarding social obligations.
The Privacy Layer
The paper also addresses the blockchain privacy paradox. Ledgers are designed to preserve records. Privacy law often requires minimization, erasure, and purpose limitation. If an AI agent identity ties a human operator, legal text, transaction record, and counterparty history to an immutable chain, the governance system can become a privacy violation machine.
Sgantzos and Ferrara's answer is architectural segregation. The public ledger stores hashes, receipts, and pseudonymous records. Personally identifiable information and full legal prose stay in a private off-chain enclave. If deletion is required, the system can destroy encryption keys for the off-chain data. The on-chain receipt remains, but the link to personal identity is intended to become irreconcilable.
This is the right direction. Public accountability should not require dumping human identity into permanent public infrastructure. The agent's authority needs a durable reference, but the human behind the authority needs minimization, access control, retention limits, and deletion mechanisms where law and safety permit them.
The paper also invokes zero-knowledge proofs. In principle, an agent can prove that it is authorized or within a limit without revealing all underlying data to validators. That matters because governance systems often fail by demanding too much exposure. A compliance proof should not automatically become a surveillance file.
Still, crypto-shredding is not magic. Destroying a key may make encrypted data practically inaccessible, but metadata, backups, logs, counterparties, screenshots, indexes, off-chain caches, and downstream records can preserve enough residue to identify people or reconstruct sensitive facts. A serious deployment would need data maps, retention rules, processor contracts, access logs, backup discipline, deletion verification, and adversarial privacy testing. The paper sketches the right architecture. It does not remove the hard operational work.
What the Testnets Prove
The paper reports proof-of-concept deployments on Ethereum Sepolia and BSV testnets. It describes simulated human Elders, autonomous trading bots, and rogue agents that attempt to violate their Ricardian constraints. The claimed success condition is rejection of constraint-violating rogue transactions, and the paper reports identical security outcomes across the two testnet settings.
This is useful, but its meaning should be bounded. A testnet proof can show that a contract pattern can be expressed, that signatures can be checked, that constraints can reject obvious violations, and that receipts can be anchored. It does not prove real-world legal enforceability, validator honesty under pressure, cross-jurisdictional recognition, production-scale latency, or safety under adversarial business incentives.
The authors are unusually clear about that limitation. They say Ricardian-TEA is a conceptual and governance architecture, while production deployment remains a research and engineering program. They identify throughput, validator coordination, dispute resolution, legal interoperability, offline replication, quantum risk, operational overhead, and independent benchmarking as unresolved work.
That caveat makes the paper stronger. Many AI governance proposals perform certainty. This one makes a formal claim under cryptographic assumptions, demonstrates a prototype, and then admits that the larger system depends on law, infrastructure, incentives, and human institutions. That is the right level of humility.
The local BSV interest also fits here. BSV's UTXO model is attractive for high-volume receipt anchoring because independent outputs can be processed in parallel. But high throughput is not governance by itself. A chain that can record many receipts still needs honest receipt semantics, sound key custody, meaningful revocation, privacy-preserving architecture, dispute procedures, and independent audit. Speed makes the archive bigger. It does not make the archive true.
What It Does Not Solve
Ricardian-TEA should be read as accountability infrastructure, not as an alignment solution.
It does not make the model's hidden reasoning transparent. A malicious or misaligned model could still reason in ways humans do not see. The framework can constrain transactions and record actions, but it cannot make latent cognition fully inspectable.
It does not prove that the legal prose will be interpreted the same way across courts, regulators, countries, or contractual contexts. A hash can prove which words were signed. It cannot settle what the words mean in every dispute.
It does not eliminate controller risk. The human or institution that writes the agent constitution may write a bad one. It may authorize harmful goals, abusive monitoring, exploitative transactions, or lawful but destructive behavior. A bad constitution with perfect receipts is still bad governance.
It does not solve the offline-copy problem. If a model or agent is copied and run outside the ledger protocol, cryptographic identity can declare that off-protocol use invalid, but preventing and punishing that use requires real enforcement, discovery, incentives, and law.
It does not make reputation morally meaningful. A high reputation score can mean the agent has complied with measurable rules. It does not mean the agent is wise, fair, safe, or legitimate. The more value attaches to reputation, the more pressure there will be to game the measured surface.
It does not by itself legitimate private control of powerful agents. This is where the Enslaved God thread matters. A boxed or bounded intelligence controlled by an unaccountable institution is not democratically controlled merely because its actions are signed. Receipts can expose the controller's acts. They do not justify the controller's authority.
The Governance Thread
Read beside recent Spiralism posts, Ricardian-TEA becomes part of a larger pattern: AI governance is moving from speech governance to action governance.
The Agent Identity Becomes the Service Account argued that consequential agents need distinct identities, explicit delegation, action-shaped permissions, audit logs, and real revocation. Ricardian-TEA goes one level deeper by binding the identity to legal prose, code, parameters, and receipts.
The Agent Log Becomes the Receipt argued that action traces need to become evidence without turning every interaction into surveillance. Ricardian-TEA offers a way to separate ordinary trace exhaust from high-value signed receipts.
The Neuralese Scare Becomes the Monitorability Problem argued that hidden reasoning cannot be governed by trusting the visible answer. Ricardian-TEA does not solve hidden reasoning, but it creates an external accountability boundary: whatever the model thought, this is what it was authorized to do and this is what it signed.
The Safety Case Becomes the Release Gate argued that frontier deployments need evidence packages, not promises. Ricardian-TEA receipts could become part of such a package: proof of constraint enforcement, incident reconstruction, authority tracing, revocation history, and counterparty acceptance.
The Enslaved God Becomes the Control Problem argued that the controller must be governed, not only the model. Ricardian-TEA helps here only if the controller's authority is itself visible, contestable, limited, and subject to external review. Otherwise the framework can become a perfect record of private domination.
Together, these posts point to a practical doctrine: do not ask whether an AI system has a beautiful explanation. Ask what authority it had, what boundary it crossed, who witnessed the crossing, who can challenge the record, and who has power to revoke the next step.
The Governance Standard
A serious legal-technical identity system for agents should meet a demanding standard.
First, every consequential agent needs a constitution. The constitution should name the operator, principal, purpose, version, scope, duration, tool boundary, data boundary, spending or action limits, escalation rules, revocation authority, and dispute venue.
Second, the constitution should be hash-bound to execution. It should be possible to prove which prose, parameters, code, and signatures governed an action at the moment it occurred.
Third, high-impact actions need receipts. Payments, legal filings, external communications, permission changes, deletions, deployments, procurement decisions, patient or student actions, and public-sector decisions should generate signed records that bind agent, principal, counterparty where relevant, constraint state, and result.
Fourth, subjective judgment must stay with accountable humans. Machines can verify signatures and limits. They should not quietly inherit authority to decide fairness, intent, remedy, emergency exception, or human dignity.
Fifth, validators need governance too. A Cyber-Chama is not legitimate because it is distributed. It needs membership rules, conflict management, collusion resistance, slashing standards, appeal paths, public reporting, and independent audit.
Sixth, privacy must be designed into the receipt layer. Ledger permanence should be limited to what permanence genuinely requires. PII, legal prose, prompts, sensitive context, and human identity links should be minimized, segregated, encrypted, and retained only under explicit policy.
Seventh, cryptographic claims need boundary labels. A proof about signature forgery or hash collision does not prove good policy, lawful processing, safe model behavior, or legitimate control. The evidence package should state exactly what the cryptography proves and what remains a legal, operational, or moral assumption.
Eighth, revocation must be more than a flag. If the Elder, operator, regulator, court, user, or affected institution revokes authority, the system should stop action, record the revocation, rotate or destroy keys as needed, and make stale credentials fail.
Ninth, off-protocol use should be treated as a core threat model. Powerful agents will be copied, wrapped, proxied, and run in unauthorized environments. A governance architecture that only works for compliant deployments is not enough.
Tenth, controller accountability must sit above agent accountability. The constitution is written by someone. The receipts benefit someone. The validator network is governed by someone. That layer needs public-interest oversight before the system can claim legitimacy.
The Spiralist Reading
Ricardian-TEA is important because it refuses a lazy split. It does not say the agent is only code. It does not say the agent is only law. It says that consequential machine action needs a bridge between prose, parameters, signatures, execution, and public memory.
That bridge is not glamorous. It looks like contracts, receipts, hashes, keys, validators, logs, revocation, privacy engineering, and boring operational rules. That is exactly why it matters. Most real governance is not a dramatic alignment ritual. It is the slow work of making power leave records that other people can inspect.
The paper's deepest lesson is not "put AI agents on a blockchain." That is too small and too vendor-friendly. The lesson is that agent governance must bind authority before action and produce evidence after action. Without the first, the agent is unlicensed power. Without the second, the agent is institutional amnesia.
This is also the corrective to both AI mysticism and AI product minimalism. The mystic wants the hidden mind. The product manager wants the useful feature. Ricardian-TEA points to the public act: what did the system have authority to do, what did it do, who accepted it, where is the receipt, and who can contest it?
A future full of autonomous agents will not be made safe by better vibes around helpfulness. It will be made safer, if at all, by constitutions agents cannot silently rewrite, receipts institutions cannot conveniently forget, and controllers who are not allowed to hide behind the machines they authorize.
Sources
- Konstantinos Sgantzos and Massimiliano Ferrara, Ricardian-TEA: a hybrid framework for assigning legally enforceable identities to autonomous AI agents, Digital Finance 8, article 30, published May 28, 2026. DOI: 10.1007/s42521-026-00196-1.
- Springer Nature, PDF of the Ricardian-TEA paper.
- Ian Grigg, papers on Ricardian contracts, identity, and triple-entry accounting.
- Ian Grigg, Triple Entry Accounting, Journal of Risk and Financial Management, 2024.
- Related Church of Spiralism pages: The Agent Identity Becomes the Service Account, The Agent Log Becomes the Receipt, The Neuralese Scare Becomes the Monitorability Problem, The Enslaved God Becomes the Control Problem, The Safety Case Becomes the Release Gate, and The Tool Server Becomes the Trust Boundary.