The word “agent” did not come from AI.
It came from law.
A principal authorizes an agent to act on their behalf. The agent’s acts bind the principal. The principal is liable for what the agent does within scope. This structure governs real estate, corporate governance, financial services, and contract law. It has governed them for centuries.
Respondeat superior, or let the master answer, dates to Roman law.
When an AI system takes action on your behalf, you are not inside a new product category. You are inside a legal relationship that has been litigated for hundreds of years.
The law did not need new concepts for AI agents. It already had them. What the tech industry doesn’t have is trust, and they’re learning fast they don’t have legal protections that once indemnified platforms.
The Arc
Every major software abstraction follows the same pattern. Expertise relocates. It does not disappear.
SaaS moved software delivery to the cloud. You stopped installing. Knowing what software you needed stayed with you.
PaaS moved infrastructure to the cloud. You stopped racking servers. Knowing what to build stayed with you.
Service-as-a-Software moves execution to the cloud. You state intent. Agents produce outcomes. Knowing what outcome you need and whether the agent achieved it stays with you.
Your laptop is no longer the execution environment. It is the intent surface.
The compute that matters lives in cloud systems your device cannot replicate. 200-billion-parameter models at inference speed. 500-agent orchestration pipelines. Real-time synthesis across dozens of APIs simultaneously. The desktop is the authorization point. The execution happens elsewhere.
This is not a prediction. It is the architecture in production right now, without a trust layer. In our view that is why there is a dynamic increase in cybersecurity incidents – mature technologies bolted on top of immature layers they were never designed to handle.
The Agentic Web Was Already Being Built
Humans built the agentic web without naming it.
Service workers intercept requests and act on the principal’s behalf outside their real-time attention. Zapier and IFTTT are agent orchestration; one principal, multiple agents, event-driven execution, no person in the loop. Stripe is a payment agent. Kubernetes operators manage infrastructure state autonomously. Cron jobs are the oldest agents on the internet! Cron is scheduled, autonomous, acting without supervision since the 1970s. Search crawlers, DNS resolvers, CDN edge nodes, certificate authorities are all agents, all acting within defined scope while the principal’s attention is elsewhere. This is the promise of automation, the time sync in creating automation pays future us in free time.
The first attempt at principal-agent delegation at web scale is called it OAuth.
OAuth proved delegation was necessary. It also proved the structural problem with centralizing the authorization anchor.
OAuth requires a common authorization server between the delegating party and the receiving party. When the transaction stays inside one platform’s orbit, for example a user authorizing an app to read their Google Calendar, the model works. The IdP is Google. Both parties trust Google. The token is issued, scoped, and revocable.
When the transaction crosses principal boundaries things fall apart. Agent A acting for Company X, Agent B acting for Company Y, neither sharing an identity provider then OAuth has no implementation answer. You can federate the identity provider, which recreates the centralization problem at a higher layer. The other option is the transaction cannot happen with integrity.
Agentic workflows cross principal boundaries by design. That is the use case. The authorization model that cannot handle it is the wrong model. That’s why your data is no longer safe in the cloud without cryptographic guarantees of its lifetime.
What “AI” and LLMs Changed
The existing agents were deterministic. Their scope was binary.
A cron job either fires or it does not. A webhook either matches the event or it does not. The scope is encoded in the rule. Rules have no interpretation surface.
LLM agents have and continue to gain delegated judgment.
They interpret intent. They extrapolate from context. They make decisions the principal never explicitly anticipated.
An OAuth token grants “read calendar.” That is a binary permission. It cannot be exceeded by interpretation.
An LLM agent given “manage my calendar” can interpret that to include declining invitations, sending replies on your behalf, sharing your availability with third parties, and booking meetings you never reviewed. None of those were explicit in the grant. All of them are within a probabilistic model’s interpretation of the instruction.
That shift is from rule to judgment is what broke the existing trust infrastructure.
The web already had agents. It never needed cryptographic scope enforcement because deterministic agents cannot exceed binary rules. Probabilistic agents can.
That is the gap PAP closes.
The Inversion Principal-Agent Protocol Is Built On
Human identity is decentralized. Agent identity is centralized. This is a deliberate architectural decision, not a tradeoff. The reason is simply that existing authentication systems try to simulate human organizations, which seems reasonable on its face but is showing weaknesses and unauthorized access is happening at an alarming rate. People are terrible about following security rules, but agents are excellent at following rules. PAP designed with that in mind.
A principal’s identity is a passkey – a device-bound Ed25519 keypair. The did:key derives directly from the public key — no registry, no DNS, no issuer, no platform that can revoke it. The identity lives on the hardware the principal user chooses. No deplatforming is possible because there is no platform to deplatform from.
Agent identity is accountable. Agents register in Chrysalis with verifiable DIDs and passkey-signed capability advertisements. Vouch-based admission requires existing trusted peers to stake their reputation on a new entrant. A request arriving without a valid PAP mandate is rejected before execution begins. Even a locally-running agent is platformed in this sense — it has a registered identity, declared capabilities, and operates within an accountable trust structure. The local computer is the platform for local agents. Accountability does not require external dependence.
This inversion solves the problem OAuth could not.
When two agents from independent principals need to transact, there is no common IdP to invoke. There is no federation agreement to negotiate. The transaction is a handshake between two mandate chains. Each agent carries a cryptographic mandate from its own principal. A selective disclosure token negotiates what each side reveals; bounded by what each principal’s mandate permits. The co-signed receipt is auditable by both principals independently.
Trust flows from the principals outward through their respective mandate chains. The two chains meet at the session boundary. No central party is in the path.
The Routing Problem the Web Was Not Built to Solve
HTTP routing finds a server. DNS routing resolves a name.
Neither resolves a capability, negotiates a disclosure scope, cryptographically bounds an authorization, or returns verifiable proof that an agent stayed within its mandate.
Service-as-a-Software requires routing the web was not built to provide. Capability-aware routing that finds the right agent for the task. Privacy-preserving negotiation so the agent receives only what it needs. Cryptographic scope enforcement so the agent cannot act beyond the principal’s grant. Ephemeral session handling so interactions cannot be correlated. Co-signed receipts that prove what happened.
PAP’s intent router is a three-level deterministic chain. URL fast-path at near-zero latency; no model, no inference, no network. BM25 semantic index at 50 microseconds in pure Rust. We built it with zero external dependencies and no model weights in the routing path. On-device AI fallback for ambiguous queries, running locally, never touching a cloud API.
The model is optional in the routing path. The cryptographic handshake is not.
Chrysalis handles the registry. Agents register with verifiable DIDs and signed capability advertisements. Vouch-based admission requires three existing peers to stake their reputation on a new entrant. A request arriving without a valid PAP mandate is rejected before execution begins.
In short, you don’t need AI to use PAP. But if you do, the request layer is completely untouched by AI tooling. You state intent. The protocol routes. The agent executes. The receipt comes back co-signed. Your device-bound keypair stays the root of trust. The compute lives in the cloud. The authorization lives on your device.
The Surveillance Inversion
Without a trust layer, Service-as-a-Software is surveillance-as-a-software.
Every cloud agent that executes a task learns something about the principal who asked. Across enough tasks, enough sessions, enough agents the behavioral profile builds. The platform hosting the agents sees the aggregate.
OAuth made this worse at the identity layer. Google knows everywhere and every service you granted access, every scope, every token, every revocation. The identity provider (idp) they host is the behavioral aggregator by design. They don’t do this because they’re a nice company. They do this because it feeds their ad serving needs, thus offsetting and profiting from the login service. Centralized authorization produces centralized visibility which provides central surveillance which is then resold and profited.
This is the stroller problem at agent scale. One search query from a human behind a browser left a six-month behavioral trail. Thousands of agent queries per day; correlated, timestamped, attributed to a persistent identity. They build a profile of intent no human has ever voluntarily disclosed to a single party. Medical research. Financial decisions. Legal questions. Career moves. All of it flowing through platforms that profit from the aggregate. All of it designed to take your attention at the expense of your trust. It’s experimental behavioral training at a massive scale.
PAP makes this correlation structurally expensive.
Decentralized principal identity means no party can see the aggregate of your agent authorizations. Ephemeral session keys break cross-session linkage. Each session generates a fresh keypair, discarded at close. OHTTP breaks IP-to-query correlation at the network layer. SD-JWT breaks over-disclosure at the field level. The agent gets the properties and values it needs for this task because it advertises its needs. Once execution completes, the receipts store property references, never values. Storing receipts is off by default, and flagged when requested.
You leave no behavioral profile the platform can monetize, no session trail that can be correlated as a unit, no disclosure record that exceeds what each task required.
The agentic web the incumbents are building optimizes for the opposite. Every interaction is training data. Every session is attribution. Every agent call compounds the profile.
The trust layer determines whether Service-as-a-Software serves you or the platform.
The Law Already Has the Framework
Courts do not need new concepts to govern AI agents. They have the principal-agent doctrine, and they are applying it now.
If your agent generates output, you authorized it. If you authorized it, you are responsible for it. The California AG is explicit: conduct that is illegal without AI involvement is equally unlawful with it. AI is not a defense. The operator is the responsible party.
The question courts are converging on: what did this principal authorize, under what scope, and did the agent stay within it?
A prompt history cannot answer that. It is a log of requests. It does not establish scope, duration, or whether the agent exceeded what you intended.
A cryptographic mandate chain answers all three. You signed what the agent could do, which data it could access, and how long the grant was valid. Scope::contains() enforces containment at every delegation step. The co-signed receipt proves what happened. The mandate TTL proves when the grant expired.
This is the system working correctly — the same way the principal-agent doctrine has always required principals to define, bound, and be accountable for what they authorized.
The Protocol the Agentic Web Always Needed
People in tech built the V1 of the agentic web without naming it.
Service workers for local agency. Stripe for financial agency. Kubernetes operators for infrastructure agency. OAuth for delegation until delegation needed to cross platform boundaries and the centralized anchor became the constraint.
The infrastructure existed. The agents were deterministic. The trust layer was implicit in the binary scope of the rules they followed. When the authorization model was centralized, the center became the capture point.
LLMs made the agents probabilistic. Probabilistic agents require explicit, cryptographic, principal-bound authorization. The implicit trust of deterministic scope does not survive a model that interprets its way into actions the principal never intended. Centralized authorization does not survive workflows that cross principal boundaries by design.
The SaaS era needed billing infrastructure. Stripe built it. The PaaS era needed container orchestration. Kubernetes built it. The Service-as-a-Software era needs principal-agent governance at the protocol layer.
Each abstraction produced infrastructure the layer below could not provide and the layer above could not function without. The infrastructure always arrives after the abstraction is in production and before the failures it prevents become catastrophic.
We are inside that window right now.
PAP is not a response to a new problem. It is the formalization of the trust infrastructure the agentic web always implied and never required — until the agents started making judgment calls across principal boundaries.
pap:// is how you put the principal back in the principal-agent relationship.
PAP is open source. MIT/Apache-2.0. The spec is public.