AI agents are already executing consequential actions. They’re making API calls, writing to databases, triggering financial operations. The infrastructure question most teams are focused on right now is: how do we know who the agent is?
That’s a reasonable place to start. But there’s a harder question sitting one layer above it: how do we know who authorized the agent to act, within what scope, and whether that person had any stake committed when they gave the order?
Auth tokens answer the first question. They don’t touch the second.
This article documents a proof-of-concept I designed and built by directing AI coding agents — primarily Claude Code — called Delegation Identity Proof. It’s a local coordination layer that sits above AgentGate, an open-source bond-and-slash execution engine for AI agents. The goal was to explore what accountable delegation with economic stakes looks like in practice: both parties post bonds, scope is explicit and bounded, AgentGate interactions are Ed25519-signed, and the full delegation lifecycle is locally auditable via SQLite state and events.
It is not a production system. It is a proof-of-concept. But it demonstrates the pattern is buildable, and the design process surfaced some interesting problems worth sharing.
The Gap Above Bond-and-Slash
AgentGate’s core insight is that rate limits and auth tokens are insufficient because they don’t make bad behavior costly. Before an agent can execute a high-impact action, it must post a bond as collateral. If the action resolves cleanly, the bond releases. If the agent behaves maliciously, the bond is slashed. Skin in the game at the action level.
That’s a meaningful improvement over the current default, which is identity verification plus volume caps. But it still leaves a gap: AgentGate knows an agent posted bond and acted. It doesn’t know whether a specific human authorized that agent to act, within what constraints, or whether that human had any accountability attached to the authorization.
An agent can claim it was authorized. There’s no mechanism to prove it, bound it, or make the authorizing human accountable if the authorization was reckless.
That gap is what this proof-of-concept is exploring.
The Concept: Two Bonds, Bounded Scope, Committed Intent
The core idea is straightforward. When a human wants to delegate bounded authority to an AI agent, both parties commit something before any action is taken — though not symmetrically, and that asymmetry matters.
The human posts a commitment deposit — a bond that locks intent and signals they have skin in this delegation. In v0.1, this bond always releases; it is not slashable. True human accountability, where a third-party resolver could slash the human’s bond for reckless authorization, is deferred to v0.2. The agent posts an action bond on accept, before acting. Not pay-as-you-go. Upfront. This prevents the accept-and-ghost problem: an agent can’t accept a delegation, acquire the authorization signal, and then disappear without cost.
Scope is explicit: maximum number of actions, maximum amount per action, and a TTL after which the delegation expires. The agent can only act within that envelope.
The full lifecycle moves through six states: pending → accepted → active → settling → completed (or terminated via revocation, expiry, or exhaustion). Each transition is guarded. The terminal_reason field separates why a delegation ended from where it operationally is — a distinction that turns out to matter when you're trying to audit what actually happened.
One important caveat: scope enforcement in v0.1 is client-side only. AgentGate has no knowledge of delegation scope. A malicious agent with direct API access can bypass the CLI’s checks entirely. This is a known limitation, documented, and the target of v0.2 server-side enforcement work.
Why this matters: the pattern transforms “an agent acted” into “a specific human authorized this specific agent to act within this specific envelope, and both had something committed before the action happened.”
The Design Journey: When the Audit Kills Its Own Recommendation
Before writing a single line of code, I ran a three-round multi-AI design audit — Gemini, Grok, and ChatGPT reviewing successive versions of the spec in defined roles (senior systems architect, principal security engineer, final sign-off).
Round 1 turned up a critical mechanical problem. AgentGate’s sweeper can only target bonds that have an action attached. A human’s commitment deposit, posted as a plain bond with no action, can’t be slashed — because there’s nothing for the sweeper to act on. Gemini caught this and proposed a workaround: a delegation_issuance action that would give the human bond something to attach to.
Round 2 reviewed that workaround. Gemini, reviewing its own round-1 recommendation, concluded it was fatally flawed. AgentGate forbids self-resolution — an agent can’t resolve its own action. A delegation_issuance action would require exactly that. Additionally, the sweeper could grief the delegation by slashing the action before the delegate accepted, and the action would consume rate-limit capacity without doing useful work. All three auditors independently reached the same conclusion: kill it.
The fix was to accept the constraint rather than fight it. The human bond in v0.1 is a commitment deposit, not a slashable stake. It always releases. True human slashability — where a third-party resolver can slash the human’s bond if the delegation was reckless — is deferred to v0.2 with a properly designed resolver flow.
Round 3 added two hard implementation constraints: a two-phase transaction pattern (no SQLite write locks held across HTTP calls), and a Gate #1 integration test to verify idle bond behavior against live AgentGate before the build could proceed.
What I found valuable about this process was that the most important finding in round 2 was a retraction of a round-1 recommendation. That’s the point of structured multi-round review — not to validate the design, but to expose its failures under increasing pressure.
What Got Built
The result is six TypeScript source files, 88 tests, and a CLI with seven commands — all written by AI coding agents under my direction.
Two design decisions are worth understanding:
Two-phase transaction model. When an action is taken, the delegation engine claims local state in a short SQLite transaction and commits. Then it makes the HTTP call to AgentGate. Then it opens a second short transaction to finalize or revert based on the result. Write locks are never held across network calls. This matters for reliability under failures — if the AgentGate call times out or returns an error, local state reverts cleanly rather than getting stuck in an inconsistent intermediate.
Crash recovery. If the process crashes mid-action, orphaned action reservations are detected on restart and cleaned up. The state machine has explicit transient state recovery logic so a crash doesn’t leave delegations stranded.
Integration tests ran against live AgentGate and proved three things: idle bonds are safe from sweeper slash (Gate #1), Tier 1-compatible capacity math aligns correctly with AgentGate’s 1.2× multiplier, and the full delegation lifecycle — delegate, accept, act, resolve — completes end to end.
Known Limitations
These are documented in the spec, not hidden. v0.1 has a clear enforcement boundary and a lot of deferred work:
Scope enforcement is client-side only. A malicious agent with direct AgentGate API access bypasses the CLI’s scope checks entirely. AgentGate has no knowledge of delegation scope. This is the most significant limitation and the primary target of v0.2.
Delegation metadata is convention, not enforcement. The delegation_id embedded in action payloads is opaque to AgentGate. It can be omitted or forged by a malicious agent. There is no way to verify it was correctly embedded.
Human bond always releases in v0.1. The commitment deposit locks intent but is not slashable. True human accountability — where a third-party resolver can slash the human’s bond for reckless authorization — is v0.2.
Orphaned stale bonds. Gate #1 confirmed that expired idle bonds are not slashed and cause no reputation damage. But they remain as active records in AgentGate’s database indefinitely. Lifecycle leakage at the substrate boundary is real, even if it’s harmless in v0.1.
Bond TTL hard cap at 24 hours. AgentGate’s ceiling constrains delegation lifetime. Long-running delegations aren’t supported in v0.1.
No protection against human grief-revoke. A human can revoke a delegation while an agent action is in flight.
Single-hop only. No recursive or multi-hop delegation chains. An agent can’t sub-delegate to another agent in v0.1.
What This Points Toward
The v0.2 roadmap addresses the most material limitations: server-side scope enforcement (AgentGate aware of delegation constraints), recursive delegation chains (agent sub-delegates to another agent with a nested scope envelope), and true human slashability via a third-party resolver flow.
The broader point this proof-of-concept is making is not that the delegation problem is solved. It isn’t. It’s that accountable delegation with economic stake — where both the authorizer and the agent have committed something before the action happens, and both are accountable for the outcome — is much better explored in current agent infrastructure than ordinary identity and auth.
What this proof-of-concept demonstrates is that the pattern is buildable above an existing bonded execution engine, without changes to the substrate. Whether that pattern becomes infrastructure worth running in production is a question v0.2 and beyond will have to answer.
The code is at github.com/selfradiance/agentgate-delegation-proof. AgentGate is at github.com/selfradiance/agentgate.
Part of the AgentGate ecosystem — an open-source framework for economically accountable AI agent execution.
Accountable Delegation for AI Agents: A Proof-of-Concept with Economic Stakes was originally published in Towards AI on Medium, where people are continuing the conversation by highlighting and responding to this story.