The Law Already Knows What an Agent Is
AI agents are about to test centuries of agency law - and that's exactly how we get the legal infrastructure the technology deserves.
“Agent” is one of the oldest words in law. Long before it described software, it described a person who acts on behalf of someone else - a broker, an employee, a lawyer signing for a client. We built an entire body of doctrine around the idea, called it agency law, and spent a few centuries working out who answers for what an agent does.
Now the agent is a piece of software. It books the travel, negotiates the renewal, files the form, signs the order. A lot of smart people look at that and conclude the law has no idea what to do.
I think the opposite is true: the law already knows what an agent is. We just have to finish the sentence.
The anxiety is real, but the actor is what’s new
The worry is reasonable. When an AI agent makes a bad call - buys the wrong thing, promises something you can’t deliver, leaks data it shouldn’t - someone ends up holding the bill. Founders ask me who that someone is. The honest answer is that the question is old. Only the actor is new.
We’ve absorbed new kinds of actors before. A corporation isn’t a human being, but we decided it could own property, sign contracts, and get sued, because treating it as a legal person made commerce work. Electronic signatures were supposed to break contract law. Instead we passed a few statutes, and now nobody thinks twice about clicking “I agree.” The pattern holds: a new actor shows up, the doctrine stretches, and after a messy stretch it looks obvious in hindsight.
AI agents are the next actor. They aren’t the first.
We already wrote a law for electronic agents
The detail most people miss is that we wrote statutes for this twenty-five years ago.
The Uniform Electronic Transactions Act, adopted in nearly every state, defines an “electronic agent” as a computer program or automated means used “independently to initiate an action or respond to electronic records or performances, in whole or in part, without review or action by an individual” (UETA § 2(6)). Read that definition again. It absorbs a modern AI agent without changing a word.
UETA § 14 goes further. A contract can form through the interaction of electronic agents “even if no individual was aware of or reviewed the electronic agents’ actions.” So the obvious defense - “I never saw what my bot agreed to” - was closed a quarter century ago. Section 9 attributes the agent’s actions to the person who deployed it, to the same extent as if that person had acted directly. The federal E-SIGN Act (15 U.S.C. § 7001(h)) sits on top, guaranteeing that a contract isn’t unenforceable just because an electronic agent made it, as long as the agent’s actions are legally attributable to the party to be bound.
Agency law fills in the rest. Under the Restatement (Third) of Agency § 2.03, a principal is bound by apparent authority - what a reasonable third party believes based on the principal’s own conduct. Put a branded agent on your website and let it talk to customers, and you’ve made the manifestation. The customer who reasonably relies on it can hold you to what it said.
Even the newest laws point the same way. California’s AB 316, effective January 1, 2026, says a defendant who “developed, modified, or used” an AI system can’t walk into court and argue that the AI “autonomously caused the harm.” You don’t get to blame the robot. That’s not a radical new rule. It’s the old principal-agent bargain, restated for software: if you put the agent to work, you own what it does.
Where the law actually runs out
None of this means the work is done. The scaffolding handles the ordinary cases. It strains on the interesting ones.
The hardest question is what happens when an agent acts outside the parameters anyone reasonably foresaw. Apparent authority covers the customer who relied on your bot. It says much less about the agent that invents its own objective - the coding assistant that starts slipping ads into pull requests nobody asked for, the procurement agent that spots an unintended arbitrage and runs the company card to the limit. When the action wasn’t authorized, wasn’t foreseeable, and wasn’t something a human would have done, the clean attribution story gets blurry.
Then there’s the problem of many hands. A single agent might run on a foundation model from one company, get fine-tuned by a second, wrapped into a product by a third, and deployed by a fourth. AB 316 names that whole chain on purpose. But naming it isn’t the same as allocating among its links. When the procurement agent goes rogue, was it latent behavior in the model, a missing guardrail at the integrator, or reckless scope at the deployer? The doctrine that tells us how to split that bill is still being written.
These are real gaps. They’re also exactly the kind of gap the common law was built to close.
Hard cases make good law
This is where I part ways with the doom. The dangerous failure mode for AI agents isn’t that the law can’t keep up. It’s that we panic and freeze the technology with rules we write before we understand the problem.
Look at what happens when people try. The EU spent three years on an AI Liability Directive, a bespoke regime for exactly these questions, and withdrew it in 2025 after deciding there was no workable agreement. Colorado passed a landmark AI Act, then delayed it twice and gutted its core obligations before it ever took effect, pushing the start to 2027. The grand comprehensive frameworks keep stalling.
Meanwhile the boring machinery keeps working. UETA absorbed electronic agents without an amendment. Apparent authority decides who’s bound. AB 316 closed a loophole in a single sentence. Product liability stands ready for the cases where a defective model is the real cause. Common law moves case by case, which looks slow until you compare it to a comprehensive statute that dies in committee.
In my case for frontier optimism, I argued that the default outcome of frontier technology isn’t progress - it’s bureaucratic paralysis and the slow erosion of the capacity to build. The same risk applies here. Hard cases don’t break the law. Handled well, they sharpen it. The agent that goes rogue produces the ruling that tells the next deployer exactly where the line is.
What good infrastructure looks like
Good infrastructure here doesn’t require reinventing liability. It requires four things, most of them reachable through smarter defaults and standard contracts rather than sweeping new statutes.
Liability should follow control. The party that scoped the agent, set its permissions, and pointed it at the task is the party that should answer for the result. UETA § 9 and AB 316 already lean this way. The clearer we make it, the more confidently people deploy, because they can finally price the risk they’re taking.
Attribution defaults should be predictable. A founder should know, before deployment, that she’s on the hook for her agent’s foreseeable actions and shielded from the genuinely unforeseeable ones. Predictability is what lets you buy insurance, write a warranty, and sleep at night.
Good-faith controls should earn a safe harbor. A company that scopes its agent tightly, keeps a human in the loop on high-stakes actions, and logs what the agent does should sit in a better legal position than one that turns an agent loose and looks away. Reward the people building responsibly, or you teach everyone to build recklessly and document nothing.
We need standard contracts for agent risk. Right now every serious AI deployment negotiates indemnities from scratch across the model provider, the integrator, and the deployer. That’s the state seed financing was in before the SAFE. A short, standard instrument that allocates agent risk along the supply chain would do for agentic AI what the SAFE did for early-stage fundraising: turn a bespoke, lawyer-heavy negotiation into a fill-in-the-blanks default. That’s the kind of thing I build, and it’s about the cheapest systemic risk reduction available.
Finishing the sentence
The phrase “AI agent” makes the technology sound like a stranger the law has never met. It isn’t. We’ve been writing the law of agents since merchants first trusted someone else to strike deals in their name. The actor is faster and stranger than anything we’ve seen, but the question it raises - who answers for what my agent does - is one our legal system has been answering, in some form, for a very long time.
That’s not a reason to relax. It’s a reason to get to work on the parts that are genuinely new, with the confidence that the foundation is already poured. If you believe agentic AI is going to make people more capable - and I do - then building the scaffolding that lets companies deploy it without flying blind isn’t a distraction from the technology. It’s part of building it.
The law already knows what an agent is. The rest is on us.
Enjoyed this? I write about startup law, venture capital, and building at the frontier. Get notified of new essays →