<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[The New Plumbing]]></title><description><![CDATA[The New Plumbing]]></description><link>https://www.thenewplumbing.com</link><image><url>https://substackcdn.com/image/fetch/$s_!n15l!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3f0e550-a2ef-41af-be81-950cd19ffb3d_192x192.png</url><title>The New Plumbing</title><link>https://www.thenewplumbing.com</link></image><generator>Substack</generator><lastBuildDate>Sat, 18 Jul 2026 20:59:06 GMT</lastBuildDate><atom:link href="https://www.thenewplumbing.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[The New Plumbing]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[thenewplumbing@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[thenewplumbing@substack.com]]></itunes:email><itunes:name><![CDATA[The New Plumbing]]></itunes:name></itunes:owner><itunes:author><![CDATA[The New Plumbing]]></itunes:author><googleplay:owner><![CDATA[thenewplumbing@substack.com]]></googleplay:owner><googleplay:email><![CDATA[thenewplumbing@substack.com]]></googleplay:email><googleplay:author><![CDATA[The New Plumbing]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[The Liability Switch]]></title><description><![CDATA[Enterprise AI agents are stuck in pilot until someone owns the loss.]]></description><link>https://www.thenewplumbing.com/p/the-liability-switch</link><guid isPermaLink="false">https://www.thenewplumbing.com/p/the-liability-switch</guid><dc:creator><![CDATA[The New Plumbing]]></dc:creator><pubDate>Fri, 17 Jul 2026 15:54:49 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/367105d9-94f4-44ea-b624-aa63706eb428_2400x1260.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><span>The most active payment protocol built for AI agents has processed 165 million transactions. Their combined value, as of late April 2026, was roughly $50 million, about thirty cents each, and on Chainalysis&#8217;s reading of the chain much of that traces to meme-token farming rather than commerce. I distrust numbers I cannot rebuild by hand, so take those three for what they are: a count that measures enthusiasm, a dollar figure that measures the economy, and a composition read that explains the gap.</span></p><p><span>The announcements run far ahead of all three. Coinbase, Google, Stripe with OpenAI, then Visa and Mastercard within a day of each other: every major payments institution has shipped an agent framework since mid-2025. More than a year of infrastructure, and the money moving through it would not register on a mid-sized processor&#8217;s dashboard.</span></p><p><span>The explanation I keep hearing is that the rails need more work. Some layers do, and I will be precise about which. But the constraint that decides whether enterprise money ever flows is older than any of this technology, and every payment system that scaled had to answer it in writing: when the payment is wrong, whose money is gone?</span></p><p><span>Agentic payments will scale when someone writes what I call the </span><em><span>liability switch</span></em><span>: a rule, agreed in advance, that names which balance sheet eats each class of failure and what documented evidence moves the loss from one sheet to another. Trust gets you the pilot. Responsibility, priced and funded, gets you production. This essay lays out the switch, the B2B precedent for part of it, the product that would complete it, and the part I cannot prove yet.</span></p><h3><strong><span>The rail is not the whole stack</span></strong></h3><p><span>Settlement throughput is no longer the binding constraint. Stablecoin rails settled $10.2 billion of identified payments per month by August 2025, with B2B flows at $6.4 billion, roughly 63 percent (Artemis). The word identified matters: headline on-chain figures run into the trillions, but they count trading and treasury movement alongside payments, so the smaller labeled measure is the honest one. It is serious money, and it moves on the same pipes the tokenization wave settles on.</span></p><p><span>What that proves is that value moves when instructed. Above the movement sit the layers a payments operator has to run: delegated identity, sanctions and counterparty checks on a supplier an algorithm chose, reconciliation, exception handling, dispute and recovery on rails designed to be final. None of it is finished. Security researchers examining x402 implementations found failures of transactional atomicity and context binding, which in operating terms means the payment can complete while the thing it paid for does not. The industry can move the money. It has not finished binding the movement to the commercial event, and it has barely started deciding what happens when the two diverge.</span></p><p><span>Every payment system that reached scale eventually built machinery for that divergence. I watched one version get built, and one refuse to be built, from the inside.</span></p><h3><strong><span>The boundary before the transaction</span></strong></h3><p><span>Payment adoption tends to climb through two gates. Early adopters move on capability: faster, cheaper, reaching where the old rail cannot. Volume moves later, when a failure stops being the user&#8217;s problem, because someone with a balance sheet has agreed in advance to absorb a defined loss. The pattern has real exceptions: same-day ACH grew on expanded windows and higher limits with no liability event at the inflection, and SWIFT won on standardization. What survives them is narrower: when someone new starts making payment decisions inside a mature system, and their mistakes are of a kind the rulebook has no price for, adoption stalls until the recourse is written in advance.</span></p><p><span>The US chip-card migration is the cleanest documented case. The rule, announced in 2012 and effective October 2015, fit in one sentence: whoever ran the weaker technology ate the counterfeit fraud. In practice that meant the merchant if the store had not installed a chip reader, and the issuer if the store had upgraded but the bank had not issued a chip card. What it did on day one is measurable. Kansas City Fed research documents merchant loss rates on magnetic-stripe transactions rising roughly sixfold after the shift, while chip-to-chip ran at 0.02 basis points. The physical migration still took years, through terminal replacement cycles, certification queues, and a $231.7 million settlement over the backlog. The UK ran the same rule inside a coordinated national program with mandatory PIN and finished in roughly two years. The pen moved the loss immediately; coordination moved the hardware.</span></p><p><span>I watched a version of this boundary from the inside, at trivago, where I was Head of UX Research working on product strategy. The model was metasearch: do the searching, comparing, and ranking for the traveler, then hand the transaction to the advertiser. The company&#8217;s own F-1 documents what that intelligence was worth, with the cheapest advertiser for a given hotel averaging 19 percent below the most expensive. The booking, the payment, the cancellation, and every loss in between belonged, by design and by contract, to the advertiser.</span></p><p><span>The travelers never accepted that contract. Complaints about failed bookings, wrong rooms, and missing refunds kept arriving at trivago, for transactions completed on other companies&#8217; websites under other companies&#8217; terms. Many users never registered that they had left the platform at all. We drew the boundary in the legal documents. The people we served drew it at the interface they trusted, and no amount of handoff design moved it. </span><strong><span>Perceived responsibility attaches to the interface of trust, not the legal boundary.</span></strong></p><p><span>Today&#8217;s shopping and procurement agents sit on the same line, with the same physics. The line is the metasearch handoff, intelligence up front and the transaction passed on, and the physics is the trivago lesson, that blame attaches to the interface the user trusts. They decide with more intelligence than we ever shipped, and whoever owns the conversation will own the blame, whatever the terms of service say. The question is no longer whether agents can decide. It is who inherits when they get it wrong.</span></p><h3><strong><span>Three ways an agent payment goes wrong</span></strong></h3><p><span>The three failure classes have different owners today and will need different owners tomorrow.</span></p><p><span>First, the unauthorized instruction: a compromised credential, a hijacked session, an agent acting outside any authority it was granted. Second, the execution error: the right instruction processed wrongly, duplicated, misrouted, settled after cancellation. Third, and this is the class the agentic economy adds, the authorized but wrong decision: the agent holds valid authority, exercises it correctly by every encoded test, and produces an outcome the principal, the business or person that set the agent up and gave it its budget and rules, never wanted.</span></p><p><span>B2B payments already prices the first two. Article 4A of the Uniform Commercial Code, the wholesale funds-transfer law governing commercial wires and many commercial ACH credits since 1989, allocates unauthorized-order and erroneous-execution losses; account agreements, commercial card rules, and negotiated indemnities do the rest. The consumer machinery of chargebacks and statutory caps does not transfer: commercial protections are narrower and mostly contractual.</span></p><p><span>The third class is different in kind. Munich Re, which has underwritten AI performance since 2018, calls the exposure &#8220;mistakes without negligence&#8221;: the system performed as designed and the outcome is still wrong. Existing coverage responds only in fragments, because technology E&amp;O and cyber wordings vary widely, and none was drafted with an authorized, correctly executed, unwanted purchase in mind. Card dispute taxonomies cover fraud, authorization failures, processing errors, and defined consumer disputes; none contains a reason code for this one.</span></p><p><span>Walk one through. A procurement agent holds a signed mandate: approved supplier list, unit price ceiling, monthly budget. It buys 40,000 units from an approved supplier, inside its ceiling, inside its budget. The enterprise disputes the purchase, because an internal policy that was never encoded in the mandate had frozen restocking until quarter end.</span></p><p><span>Trace it, and it keeps clearing everyone. The credentials were valid, so not class one. The processor executed correctly, so not class two. The supplier performed. Settlement, on most of the rails involved, is final. What remains is the enterprise and its agent provider, facing each other across a contract that today says nothing about this event. The precedent worth borrowing is the shape of a rule: allocation that moves on documented evidence, agreed before anyone loses money.</span></p><h3><strong><span>The liability switch</span></strong></h3><p><span>&#8220;Who is responsible&#8221; hides four questions: who was positioned to prevent the failure, who is contractually liable, who makes the injured party whole this week, and whose balance sheet has bled once indemnities, recoveries, and insurance settle out. In mature payments these are routinely four different institutions, and any agent-liability answer that does not separate them is a slogan. I know, because I started with one: agent provider owns performance, platform owns the rest. It cost me a draft. The framing did not survive the case law, and the lesson is this section&#8217;s spine: naming blame moves no money.</span></p><p><span>Article 4A&#8217;s value here is as a working B2B loss-allocation mechanism with decades behind it. The default: a bank that accepts a payment order neither authorized nor otherwise effective against its customer must refund it. The switch: if the bank and customer agreed on a commercially reasonable security procedure and the bank proves it complied in good faith, the order binds the customer, in the statute&#8217;s words, &#8220;whether or not authorized.&#8221; The loss moves on evidence. Commercial reasonableness and good faith stay fact-intensive and litigated hard, but the statute replaced an open-ended negligence inquiry with specific, documentable questions, and decades of case law show them getting answered.</span></p><p><span>Three cases sketch the grammar. In Choice Escrow v. BancorpSouth (8th Cir. 2014), fraudsters wired away $440,000; the customer had declined the bank&#8217;s dual-control procedure in writing, and that declination, inside a finding that the procedure was commercially reasonable, left the loss with the customer. In Patco v. People&#8217;s United Bank (1st Cir. 2012), the bank made customers answer challenge questions on nearly every transaction while ignoring its own risk scores; the court held the procedure commercially unreasonable, and the bank settled on remand with interest. In Experi-Metal v. Comerica (2011), the procedure was reasonable, but the bank cleared a burst of phishing transfers, including a five-million-dollar overdraft on an account that usually held almost nothing, and lost on the good-faith prong for $561,399. Different outcomes, one grammar: agreed procedure, documented compliance, attended anomalies, and the evidence decides where the loss lands.</span></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!dYiD!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0b1a17f-2959-4ea8-b36e-9b98546f1252_2045x1017.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!dYiD!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0b1a17f-2959-4ea8-b36e-9b98546f1252_2045x1017.png 424w, https://substackcdn.com/image/fetch/$s_!dYiD!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0b1a17f-2959-4ea8-b36e-9b98546f1252_2045x1017.png 848w, https://substackcdn.com/image/fetch/$s_!dYiD!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0b1a17f-2959-4ea8-b36e-9b98546f1252_2045x1017.png 1272w, https://substackcdn.com/image/fetch/$s_!dYiD!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0b1a17f-2959-4ea8-b36e-9b98546f1252_2045x1017.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!dYiD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0b1a17f-2959-4ea8-b36e-9b98546f1252_2045x1017.png" width="1456" height="724" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f0b1a17f-2959-4ea8-b36e-9b98546f1252_2045x1017.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:724,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!dYiD!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0b1a17f-2959-4ea8-b36e-9b98546f1252_2045x1017.png 424w, https://substackcdn.com/image/fetch/$s_!dYiD!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0b1a17f-2959-4ea8-b36e-9b98546f1252_2045x1017.png 848w, https://substackcdn.com/image/fetch/$s_!dYiD!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0b1a17f-2959-4ea8-b36e-9b98546f1252_2045x1017.png 1272w, https://substackcdn.com/image/fetch/$s_!dYiD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0b1a17f-2959-4ea8-b36e-9b98546f1252_2045x1017.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p style="text-align: center;"><em><span>Article 4A in practice. The same three-part test sends the loss to a different party in each case. Sources: the cited rulings.</span></em></p><p><span>What the agentic economy must do is harder than borrowing the statute. The encoded mandate is not a security procedure in Article 4A&#8217;s sense: the procedure authenticates orders between a customer and its bank; the mandate defines an agent&#8217;s decision space between a principal and a provider. Different legal objects. But the mandate can become an object of the same kind, inside a contract that does not exist yet: the agreed, documented reference against which the agent&#8217;s conduct is judged, with consequences attached in advance.</span></p><p><span>Written as that contract, the switch has four positions. If the agent violates a correctly encoded mandate, the provider pays, because the deviation is objectively provable from the mandate and the execution record. If the mandate was honored but a platform control failed, a leaked credential, a misfired spend policy, a double-settling execution layer, the responsible infrastructure provider pays, under operational warranties that largely exist already. If the mandate was honored and the execution correct, the principal owns the outcome, because the principal defined the authority; my procurement enterprise bought a lesson in mandate design at market price. And where the merchant fails, the merchant-and-processor regime applies to whatever extent the rail provides one, which on cards is substantial and on irrevocable rails can be nothing beyond the sales contract.</span></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!0xBJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F769d1c9d-59b3-4d89-8d13-eeeb1d339336_2046x1498.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!0xBJ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F769d1c9d-59b3-4d89-8d13-eeeb1d339336_2046x1498.png 424w, https://substackcdn.com/image/fetch/$s_!0xBJ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F769d1c9d-59b3-4d89-8d13-eeeb1d339336_2046x1498.png 848w, https://substackcdn.com/image/fetch/$s_!0xBJ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F769d1c9d-59b3-4d89-8d13-eeeb1d339336_2046x1498.png 1272w, https://substackcdn.com/image/fetch/$s_!0xBJ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F769d1c9d-59b3-4d89-8d13-eeeb1d339336_2046x1498.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!0xBJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F769d1c9d-59b3-4d89-8d13-eeeb1d339336_2046x1498.png" width="1456" height="1066" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/769d1c9d-59b3-4d89-8d13-eeeb1d339336_2046x1498.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1066,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!0xBJ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F769d1c9d-59b3-4d89-8d13-eeeb1d339336_2046x1498.png 424w, https://substackcdn.com/image/fetch/$s_!0xBJ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F769d1c9d-59b3-4d89-8d13-eeeb1d339336_2046x1498.png 848w, https://substackcdn.com/image/fetch/$s_!0xBJ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F769d1c9d-59b3-4d89-8d13-eeeb1d339336_2046x1498.png 1272w, https://substackcdn.com/image/fetch/$s_!0xBJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F769d1c9d-59b3-4d89-8d13-eeeb1d339336_2046x1498.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p style="text-align: center;"><em><span>The liability switch. For each failure class, a rule agreed in advance names which balance sheet absorbs the loss.</span></em></p><p><span>Goodwin&#8217;s June 2026 analysis agrees on the banking side: whether an institution may treat an agent&#8217;s instruction as authorized is a question of existing agency principles, while the dispute between enterprise and provider stays a matter of whatever their contract says.</span></p><p><span>Today their contract says nothing, which is why the shipped market looks the way it does. OpenAI&#8217;s specification leaves settlement, refunds, and chargebacks with the merchant and its processor. Stripe names the business, never Stripe, as merchant of record. Coinbase&#8217;s terms make the user &#8220;fully responsible for all activity&#8221; under the account. Rational opening positions, and together they describe the vacuum exactly: three sophisticated institutions, each pointing away from itself. A disclaimer is not an underwriter, and that gap is the market&#8217;s remaining work.</span></p><p><span>The vacuum has an enterprise-side twin, and it may be the operative one. Inside every deployment decision sits a named person who has to sign it, and executives do not attach their names to risks with no counterparty. When the stack cannot say who owns a failure, that person has no one to point to, and the signature never comes. The switch gives them someone to name.</span></p><h3><strong><span>Auditable autonomy</span></strong></h3><p><span>Two disciplines make the switch writable.</span></p><p><span>First, program everything you can. Wherever the flow can be enumerated, treasury sweeps, payroll, threshold rebalancing, it belongs in deterministic code inside the regulated perimeter that already exists; JPMorgan&#8217;s Kinexys runs event-driven programmable payments there today. Agents earn their place only past the boundary of prediction, where counterparties multiply and states cannot be listed in advance. The one deployment worth studying respects the line: Ramp&#8217;s AP agents, live since October 2025 across a self-reported base of more than 50,000 customers, automate much of invoice processing inside customer-defined policies and approval structures, with straight-through execution set by configuration. Autonomy shipping today is delegated inside written limits, which is what insurable autonomy looks like.</span></p><p><span>Second, intent has two jobs, and the design fails if they are confused. Before settlement, intent is prevention: the minimum conditions that must hold, verified while the money still cannot move, checking both sides, the buying agent&#8217;s mandate against the selling side&#8217;s offer conditions. After settlement, intent is evidence, and evidence on its own does nothing. A log assigns no loss. Assigning one takes a chain: the protocol produces the record, a contract defines what it triggers, a claims operation evaluates it, capital funds the remedy, and recourse redistributes the cost. Every link after the first is missing from the current stack, and no cryptography supplies them.</span></p><p><span>One limit is the deepest fact in the design. A signed mandate proves what was encoded. It cannot prove what the principal actually meant. Delegating to a human assistant carries the same gap: brief the assistant poorly and the failure is yours, an outcome centuries of agency practice already assign. The machine version still has to be written. Between encoded intent and true intent sits a residual gap that better tooling narrows and never closes, and my procurement example lives inside it. A gap that cannot be engineered away can only be priced. So price it.</span></p><h3><strong><span>The product, specified</span></strong></h3><p><span>Here is what I think the contract looks like. Call it a mandate warranty, sold by the agent provider, and the identity matters. Not the frontier labs, whose terms already disclaim this liability and whose horizontal position argues against carrying any one vertical&#8217;s losses. The seller is the layer that assembles agents on top of the labs and sells them to enterprises: the integrator that writes the encoded instructions, controls the tooling, and owns the customer. That layer exists because the labs will not occupy this ground, and the warranty is how it stops competing on demos.</span></p><p><span>The first covered event is violation of the signed instructions: first-dollar reimbursement whenever the execution record diverges from what was encoded, an objective trigger requiring no negligence finding, paid within five business days of a documented claim, capped per transaction and in aggregate, funded by a provider reserve and reinsured through the specialist AI-performance market that already exists. For a defined slice of the third class, the authorized-but-wrong outcomes that recur in patterns, an optional outcome warranty covers enumerated events: duplicate-intent purchases, executions against stale context, price anomalies beyond a stated band, priced in basis points on covered volume. Exclusions drafted properly: policies the enterprise never encoded, data it supplied, collusion, and, above all, a per-occurrence cap on correlated losses, because one bad model update producing ten thousand simultaneous claims is what kills an unprepared underwriter. That same exposure gives the underwriter a lever: it decides which models are covered, and clears a new one only after a staged rollout and a clean test.</span></p><p><span>The economics are not exotic, because payments has always sold responsibility; it just never itemized the invoice. Part of what interchange pays for is the issuer&#8217;s guarantee: the issuer carries fraud risk in exchange for a spread, and that spread built the card industry. The mandate warranty applies the same logic to a new decision-maker, responsibility priced as a revenue line rather than carried as a compliance cost. The division of labor follows the incentives: the processor administers claims, the specialist insurer supplies capital, and the integrator sells the warranty, because it controls the tooling that elicits complete instructions, and so controls its own loss ratio.</span></p><p><span>Launch sequence: one narrow workflow, accounts payable or single-category procurement, instrumented for loss data from the first transaction, repriced quarterly, expanded class by class as loss ratios earn it, classes that do not earn their capital killed without sentiment. Every number here is negotiable. The structure is not, because it is the structure every priced payment risk has converged on: defined event, objective trigger, funded remedy, capped correlation, staged expansion. The fragments all exist, signed mandates, spend policies, identity registries, affirmative AI insurance. Nobody has assembled them into a warranty a risk committee can file.</span></p><h3><strong><span>Who underwrites, who disclaims</span></strong></h3><p><span>Sort the landscape by whose capital stands behind an agent&#8217;s mistake, and it separates cleanly.</span></p><p><span>The most interesting position holds a single announcement. On April 14, 2026, American Express published Agent Purchase Protection: a prospective commitment to cover eligible US cardmember charges arising from agent error, for agents registered through its developer framework that transmit the customer&#8217;s authenticated purchase intent. The terms are conditional and parts are still to come, so read it as a test, not proof. But the design choice is the one this essay predicts, verifiable intent as the eligibility evidence for a funded remedy, and a closed-loop network is a natural first mover because it sees both sides of the transaction, which is another way of saying it holds the best evidence.</span></p><p><span>Beside it sits a small but real specialist market: Armilla, a Lloyd&#8217;s coverholder, has expanded affirmative AI-liability coverage to $25 million limits, and Munich Re&#8217;s aiSure has guaranteed model performance for years. Moving the opposite way, standard-form exclusions effective January 2026 strip AI exposure out of the general policies most US businesses carry. The specialist edge prices defined slices of the risk while the mainstream withdraws its silent coverage, and both movements tell an operator the same thing: the exposure is now real enough that everyone is drafting around it.</span></p><p><span>The card networks mark the line: Visa and Mastercard have both shipped agent authentication and intent-evidence architecture, and neither has published who eats fraud or error for the transactions it will carry. The gap sits inside the rulebooks of the market&#8217;s largest institutions.</span></p><h3><strong><span>What I cannot prove yet</span></strong></h3><p><span>The claim underneath this essay is causal: that the unwritten responsibility contract is what holds enterprise agentic payments in pilot. Here is what the evidence establishes, and what it does not.</span></p><p><span>Established: the rails carry identified B2B volume; announced agent infrastructure vastly exceeds demonstrated agent commerce; every shipping player allocates responsibility away from itself; the third failure class has no owner in any published rulebook or standard policy wording I can find; and the institutions closest to the transaction evidence, a closed-loop network and the specialist insurers, are moving first. Not established: that liability, rather than integration cost, data quality, model reliability, thin demand, or plain organizational caution, is the binding constraint. Deloitte&#8217;s 2025 survey work puts legacy integration and risk-and-compliance concerns at the top of enterprise AI challenges, and no survey I can find ranks liability first. My reading is that these bind at different stages: integration difficulty slows pilots, while the unallocated loss is what a risk committee cannot sign past at the production decision. That reading is not proven. It is my operating hypothesis, and it is falsifiable.</span></p><p><span>Here is the evidence that would settle it either way: one B2B deployment that cleared integration, compliance, security, and economics, then stalled on an unresolved loss-allocation clause. The redline. The risk-committee memo conditioning production approval on a funded remedy. I have not seen that deal file. If you have sat in that meeting, on either side of the table, I want the anonymized version, and I will publish what it does to this argument, including if it breaks it.</span></p><p><span>The reliability objection cuts the other way. Agents fail often, on definitions that vary too much to compress into one number, and that narrows my claim rather than supporting it: a warranty market can only start where error distributions are measurable, which is why the launch sequence begins with one narrow workflow and not autonomy in general. Unreliability does not make the product impossible. It makes the first version small, and honest about being small.</span></p><h3><strong><span>The underwriter&#8217;s test</span></strong></h3><p><span>The framework compresses to four questions that work on any agentic-payments pitch. For each failure class: whose balance sheet pays? What documented evidence moves the loss? Who makes the injured party whole, how fast, under what exclusions? What funds the remedy, and does the funding survive correlated losses? Passing takes more than answers. A vendor can produce all four with an undercapitalized indemnity and a claims process that has never paid a claim. Passing means enforceable terms, funded capacity, and a remedy stress-tested against the day a model update generates a thousand simultaneous claims. The compressed version fits on an index card: </span><strong><span>no funded remedy, no production order.</span></strong></p><p><span>If the diagnosis is right, it says something about how this industry restructures, not just how it writes contracts. Evidence advantage becomes market position: closed-loop networks and bank-perimeter platforms, the players who see both sides of a transaction, stand first in line to underwrite it. Agent integrators that sell warranties stop being pure software companies and start carrying a sliver of an insurer&#8217;s balance sheet, with the discipline that implies. Enterprises stop buying autonomy as a feature and start buying it the way they buy every other operational risk, as a warranted service with terms attached. The first institution to assemble that stack will not have the best model. It will have the best evidence, the clearest trigger, and the capital to stand behind both.</span></p><h4><strong><span>Sources and data notes</span></strong></h4><p><span>All figures verified against the sources below, July 2026. Self-reported company figures are labeled as such in the text. Prospective or announced programs are identified as such.</span></p><p><span>1. x402 cumulative activity: Eco.com agentic commerce synthesis (165M transactions, ~$50M cumulative value, late April 2026); Chainalysis analysis of x402 activity on Base (June 2026) identifying meme-token farming as a major driver of observed transaction counts.</span></p><p><span>2. Stablecoin payment volume: Artemis, stablecoin payments research and August 2025 update ($10.2B monthly identified payments; $6.4B B2B, ~63 percent). Headline on-chain transfer measures use different denominators and are not comparable.</span></p><p><span>3. x402 atomicity and context-binding failures: arXiv security analysis of x402 implementations (2026).</span></p><p><span>4. Same-day ACH growth on capability: Federal Reserve Payments Study data (2018 to 2021).</span></p><p><span>5. EMV liability shift: network rules effective October 1, 2015; Federal Reserve Bank of Kansas City (Hayashi et al., 2018) on post-shift loss-rate allocation (mag-stripe versus chip-to-chip); B&amp;R Supermarket v. Visa, $231.7M settlement (preliminary approval October 2025), resolving merchant allegations without adjudication; UK chip-and-PIN program (2004 to 2006) as the coordinated comparison.</span></p><p><span>6. trivago advertiser price spread: trivago N.V. Form F-1, SEC, 2016 (cheapest advertiser averaging 19 percent below most expensive). The account of user complaints and blame attribution is the author&#8217;s direct professional experience.</span></p><p><span>7. UCC Article 4A: &#167;&#167; 4A-201 through 4A-204 (Uniform Commercial Code; scope covers wholesale funds transfers including commercial wire and many commercial ACH credit transfers). Choice Escrow &amp; Land Title v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014). Patco Construction v. People&#8217;s United Bank, 684 F.3d 197 (1st Cir. 2012); procedure held commercially unreasonable, claim revived, matter settled on remand with repayment and interest. Experi-Metal v. Comerica (E.D. Mich. 2011); judgment $561,399 on the good-faith prong.</span></p><p><span>8. Agency law and agentic payments: Goodwin, &#8220;Authorizing Agentic Payments,&#8221; June 2026.</span></p><p><span>9. &#8220;Mistakes without negligence&#8221; and AI performance underwriting: Munich Re, aiSure materials and AI insurance white papers (phrase used as insurance-market framing, not a settled legal category).</span></p><p><span>10. Amex Agent Purchase Protection: American Express agentic commerce page, published April 14, 2026; program described as prospective and conditional, with components under development.</span></p><p><span>11. AI liability insurance: Armilla (Lloyd&#8217;s coverholder; affirmative AI liability coverage, $25M limits as of January 2026).</span></p><p><span>12. AI exclusions: ISO endorsements effective January 1, 2026, narrowing AI exposure in standard commercial forms; comparable carrier filings.</span></p><p><span>13. Network agent frameworks: Visa Trusted Agent Protocol (October 2025); Mastercard Agent Pay (April 2025). Both publish authentication and intent-evidence architecture; as of July 2026, neither has published loss-allocation rules for agent-initiated transactions.</span></p><p><span>14. Platform terms: OpenAI Agentic Commerce Protocol documentation (settlement, refunds, chargebacks with merchant and PSP); Stripe ACP documentation (business as merchant of record); Coinbase User Terms (&#8221;fully responsible for all activity&#8221;).</span></p><p><span>15. Interchange and the issuer guarantee: card network interchange documentation; interchange compensates issuers for, among other costs, fraud losses and the payment guarantee.</span></p><p><span>16. Kinexys programmable payments: JPMorgan Kinexys product documentation.</span></p><p><span>17. Ramp AP agents: Ramp announcement, October 6, 2025 (customer base self-reported; degree of straight-through execution configuration-dependent).</span></p><p><span>18. Enterprise adoption blockers: Deloitte AI adoption survey work, 2025 (legacy integration and risk/compliance ranked as top challenges).</span></p>]]></content:encoded></item></channel></rss>