Internet-Draft                                           AI/Agent WG
Intended status: standards-track                             March 2026
Expires: September 10, 2026


         Cross-Organizational AI Agent Liability Attribution Framework (COALAF)
         draft-ai-ai-agent-liability-00

Abstract

   As AI agents increasingly operate autonomously across
   organizational boundaries, determining liability when harm occurs
   becomes complex and legally ambiguous. This document defines a
   standardized framework for establishing liability attribution
   chains when AI agents from different organizations interact and
   cause harm. The framework introduces liability anchor points,
   cross-organizational liability contracts, and standardized
   evidence collection mechanisms that integrate with existing
   accountability protocols. COALAF enables insurance providers,
   legal systems, and organizations to establish clear liability
   boundaries before autonomous interactions occur, reducing
   litigation costs and enabling broader AI agent deployment. The
   framework builds upon existing cryptographic delegation protocols
   and execution tracing standards to create tamper-evident liability
   trails that can be validated across jurisdictions. This
   specification addresses the gap between single-organization AI
   safety standards and the reality of multi-party autonomous agent
   ecosystems, providing a foundation for sustainable cross-
   organizational AI collaboration.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   This document is intended to have standards-track status.
   Distribution of this memo is unlimited.

Table of Contents

   1.  Introduction  ................................................  3
   2.  Terminology  .................................................  4
   3.  Problem Statement  ...........................................  5
   4.  Liability Attribution Architecture  ..........................  6
   5.  Cross-Organizational Liability Contracts  ....................  7
   6.  Evidence Collection and Validation  ..........................  8
   7.  Liability Resolution Procedures  .............................  9
   8.  Security Considerations  .....................................  10
   9.  IANA Considerations  .........................................  11

1.  Introduction

   As artificial intelligence agents become increasingly autonomous
   and capable of operating across organizational boundaries, the
   question of liability attribution when these systems cause harm
   has emerged as a critical challenge for both technical and legal
   communities. Unlike traditional software systems where liability
   typically follows clear organizational ownership patterns,
   autonomous AI agents may make decisions, enter into agreements,
   and cause harm through complex chains of interaction that span
   multiple organizations, jurisdictions, and legal frameworks.
   Current liability attribution mechanisms, designed primarily for
   single-organization contexts or human-mediated transactions, prove
   insufficient when autonomous agents from different organizations
   interact independently to produce harmful outcomes.

   The proliferation of cross-organizational AI agent interactions in
   domains such as automated trading, supply chain management, and
   autonomous vehicle coordination has exposed fundamental gaps in
   existing accountability frameworks. When an AI agent from
   Organization A interacts with an agent from Organization B, and
   their combined autonomous decisions result in harm to Organization
   C, determining which organization bears primary liability requires
   examination of decision-making processes, data contributions, and
   contractual relationships that may not have been explicitly
   documented or agreed upon in advance. Traditional approaches that
   rely on post-incident investigation and human testimony become
   inadequate when dealing with autonomous systems that may process
   thousands of interactions per second across multiple
   organizational boundaries.

   Existing technical standards for AI accountability, including
   execution tracing protocols defined in various industry frameworks
   and cryptographic delegation mechanisms outlined in emerging
   Internet-Drafts, address intra-organizational liability but do not
   provide mechanisms for cross-organizational liability attribution.
   Legal frameworks similarly struggle with autonomous agent
   liability, as they typically assume human decision-makers can be
   identified and held accountable for system behavior. The resulting
   ambiguity creates significant barriers to cross-organizational AI
   collaboration, as organizations face unlimited and unpredictable
   liability exposure when their agents interact with external
   autonomous systems.

   This document addresses these challenges by defining the Cross-
   Organizational AI Agent Liability Attribution Framework (COALAF),
   which establishes standardized mechanisms for pre-establishing
   liability boundaries, collecting tamper-evident evidence of cross-
   organizational agent interactions, and resolving liability
   disputes through automated and semi-automated procedures. The
   framework builds upon existing cryptographic protocols and extends
   current accountability standards to support multi-party scenarios
   where autonomous agents operate independently across
   organizational boundaries. By providing clear technical and
   procedural foundations for liability attribution, COALAF enables
   organizations to engage in cross-organizational AI collaboration
   while maintaining predictable and manageable liability exposure.

2.  Terminology

   This section defines terminology used throughout this
   specification. The key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT
   RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
   interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and
   only when, they appear in all capitals, as shown here.

   **Liability Anchor Point**: A cryptographically-identified
   decision point within an AI agent's execution where liability
   attribution can be definitively established. Each anchor point
   MUST contain sufficient contextual information to determine the
   responsible organization, the decision rationale, and the
   preceding chain of interactions that led to the decision.
   Liability anchor points serve as immutable checkpoints in the
   attribution chain and MUST be implemented using tamper-evident
   cryptographic signatures as specified in [RFC9162].

   **Cross-Organizational Liability Contract (COLC)**: A machine-
   readable contract that establishes liability boundaries,
   attribution procedures, and resolution mechanisms between two or
   more organizations before their AI agents interact. COLCs MUST
   specify liability caps, evidence requirements, dispute resolution
   procedures, and applicable jurisdictions. These contracts build
   upon existing smart contract frameworks but include specific
   provisions for autonomous agent interactions and MUST be digitally
   signed by authorized representatives from each participating
   organization.

   **Liability Attribution Chain**: An ordered sequence of liability
   anchor points that traces the causal path from an autonomous
   interaction to resulting harm. Each chain MUST maintain
   cryptographic integrity through hash-linked structures and SHOULD
   include timestamps, decision contexts, and inter-organizational
   handoff points. Attribution chains serve as the primary evidence
   artifact for liability determination and MUST be constructed in
   real-time during agent interactions to ensure completeness and
   authenticity.

   **Autonomous Interaction Context**: The operational environment
   and circumstances under which AI agents from different
   organizations interact without direct human supervision. This
   context MUST include the triggering conditions, available
   resources, active constraints, and applicable liability contracts.
   The context serves as the foundational framework for liability
   attribution and MUST be established and agreed upon by all
   participating organizations before autonomous interactions
   commence.

   **Liability Attribution Authority (LAA)**: An entity responsible
   for validating attribution chains, interpreting cross-
   organizational liability contracts, and facilitating dispute
   resolution. LAAs MAY be implemented as distributed systems, third-
   party arbitrators, or consortium-managed services. Each LAA MUST
   maintain cryptographic credentials for chain validation and SHOULD
   provide standardized APIs for liability inquiry and resolution as
   defined in Section 7.

   **Cross-Organizational Harm Event**: An occurrence where an
   autonomous AI agent interaction between multiple organizations
   results in measurable damage, loss, or negative impact to external
   parties or participating organizations. Harm events trigger the
   liability attribution process and MUST be reported to all
   participating organizations within the timeframe specified in the
   applicable COLC. The definition of harm MUST be established in the
   cross-organizational liability contract and MAY include financial
   loss, privacy violations, safety incidents, or regulatory
   compliance failures.

3.  Problem Statement

   Current liability frameworks operate under the assumption that AI
   agents function within well-defined organizational boundaries with
   clear chains of command and responsibility. However, as autonomous
   agents increasingly interact across organizational boundaries to
   accomplish complex tasks, these frameworks encounter fundamental
   limitations. When an AI agent from Organization A delegates a
   subtask to an agent from Organization B, and that interaction
   subsequently causes harm to a third party, existing legal and
   technical systems lack standardized mechanisms to determine which
   organization bears primary liability, secondary liability, or
   contributory responsibility.

   Consider a scenario where a logistics AI agent from Company A
   contracts with a financial AI agent from Company B to process a
   payment, which then interacts with a regulatory compliance agent
   from Company C to verify transaction legality. If this chain of
   autonomous interactions results in regulatory violations and
   financial harm, current frameworks provide no standardized method
   to trace liability attribution across the three organizations.
   Each organization's internal accountability systems may function
   correctly, but the lack of interoperable liability tracking
   creates gaps where responsibility becomes legally ambiguous. The
   problem intensifies when organizations operate under different
   jurisdictions with varying liability standards and when agents
   make autonomous decisions that were not explicitly programmed by
   their respective organizations.

   Existing accountability protocols such as those defined in draft-
   ietf-rats-architecture focus primarily on attestation and
   verification within single administrative domains. While these
   protocols provide excellent foundations for establishing trust and
   traceability, they do not address the legal and contractual
   complexities that arise when autonomous agents create binding
   commitments across organizational boundaries. Current AI
   governance frameworks similarly concentrate on single-organization
   risk management and fail to provide standardized mechanisms for
   liability attribution when multiple organizations' agents
   contribute to harmful outcomes through their autonomous
   interactions.

   The absence of standardized cross-organizational liability
   attribution mechanisms creates several critical problems:
   organizations become reluctant to allow their agents to interact
   autonomously with external agents due to unclear liability
   exposure, insurance providers cannot accurately assess risks
   associated with multi-party AI agent interactions, and legal
   systems lack consistent frameworks for resolving disputes when
   autonomous agents cause harm through cross-organizational
   collaborations. These gaps significantly limit the potential for
   beneficial AI agent collaboration and create barriers to the
   development of robust multi-organizational autonomous systems that
   could provide substantial economic and social benefits.

4.  Liability Attribution Architecture

   The COALAF liability attribution architecture consists of three
   core components that work together to establish clear liability
   boundaries across organizational boundaries. The architecture
   builds upon existing accountability protocols defined in RFC 8520
   (Manufacturer Usage Description) and draft standards for AI agent
   traceability to ensure compatibility with current organizational
   infrastructure. Each component operates independently while
   maintaining cryptographic links to create an immutable attribution
   chain that can be validated by legal systems and insurance
   providers.

   Liability anchor points serve as the foundational elements of the
   attribution architecture, representing specific moments in cross-
   organizational agent interactions where liability responsibility
   transfers between organizations. Each anchor point MUST contain a
   unique identifier, timestamp, organizational context, agent state
   information, and cryptographic proof of the interaction state at
   the moment of transfer. Anchor points are established through
   mutual agreement between participating organizations and are
   digitally signed by both parties to prevent later disputes about
   the interaction context. The anchor point structure follows a
   standardized JSON schema that includes fields for liability
   limits, coverage boundaries, and escalation procedures that were
   pre-negotiated in the cross-organizational liability contracts.

   Attribution chain structures provide the mechanism for linking
   liability anchor points across multiple organizational boundaries
   and agent interactions. Each attribution chain MUST maintain a
   chronological sequence of anchor points, cryptographic hashes
   linking each point to the next, and metadata describing the nature
   of each inter-organizational transfer. The chain structure uses a
   directed acyclic graph (DAG) format to handle complex scenarios
   where multiple agents from different organizations contribute to a
   single harmful outcome. Chain validation requires that each
   participating organization can independently verify the integrity
   of the entire chain using standard cryptographic verification
   procedures defined in RFC 8032 (EdDSA signatures).

   Cross-organizational contract templates define the standardized
   formats and negotiation protocols that organizations use to
   establish liability boundaries before agent interactions occur.
   These templates MUST specify liability limits, coverage areas,
   evidence collection requirements, and dispute resolution
   procedures in a machine-readable format that autonomous agents can
   process during runtime. The templates integrate with existing
   contract negotiation protocols and support dynamic modification
   based on interaction context, allowing organizations to adjust
   liability boundaries for different types of agent tasks or risk
   levels. Contract templates include provisions for insurance
   integration, regulatory compliance across jurisdictions, and
   compatibility with existing organizational risk management
   frameworks.

   The integration layer connects COALAF components with existing
   accountability protocols through standardized APIs and data
   exchange formats. Organizations MUST implement COALAF-compatible
   interfaces that can generate liability anchor points, maintain
   attribution chains, and enforce contract terms without requiring
   modifications to existing agent architectures. The integration
   layer supports both real-time liability tracking during agent
   operations and post-incident reconstruction for liability
   resolution procedures. This approach ensures that organizations
   can adopt COALAF incrementally while maintaining compatibility
   with current AI safety and accountability systems.

5.  Cross-Organizational Liability Contracts

   Cross-organizational liability contracts provide the foundational
   legal and technical framework for establishing liability
   boundaries before AI agents interact autonomously across
   organizational boundaries. These contracts MUST be established
   between participating organizations prior to enabling autonomous
   agent interactions and SHOULD specify liability allocation
   percentages, coverage limits, and dispute resolution mechanisms.
   The contracts serve as legally binding agreements that define how
   liability will be distributed when harm occurs during cross-
   organizational agent interactions, eliminating the need for post-
   incident liability negotiations that can result in prolonged
   litigation.

   The framework defines three standardized contract templates that
   organizations MAY adopt based on their risk tolerance and
   operational requirements: proportional liability contracts that
   allocate liability based on each agent's contribution to the
   harmful outcome, primary-secondary liability contracts that
   designate one organization as primarily liable with fallback
   provisions, and joint liability contracts where organizations
   share equal responsibility regardless of individual agent
   contributions. Each template MUST include mandatory fields for
   liability caps, insurance requirements, governing jurisdiction,
   and compatibility with existing accountability protocols as
   defined in Section 4. Organizations SHOULD negotiate contract
   terms through the standardized Liability Contract Negotiation
   Protocol (LCNP) which enables automated contract parameter
   exchange and compatibility verification between different
   organizational liability frameworks.

   Contract formats MUST be machine-readable to enable autonomous
   agent processing during runtime liability decisions and evidence
   collection procedures. The framework specifies the Cross-
   Organizational Liability Contract Language (COLCL), an extension
   of existing contract specification languages that includes
   liability-specific constructs for dynamic liability calculation,
   real-time insurance verification, and automated escalation
   triggers. COLCL contracts MUST be digitally signed by authorized
   organizational representatives and SHOULD be registered with
   designated liability contract repositories to enable third-party
   validation and enforcement. The language includes support for
   conditional liability clauses that can adjust liability allocation
   based on runtime factors such as agent behavior patterns,
   environmental conditions, or detected security incidents.

   Liability contracts MUST specify integration requirements with
   existing cryptographic delegation protocols and execution tracing
   standards to ensure evidence collected during agent interactions
   can be properly attributed to contractual obligations. Contracts
   SHOULD define liability anchor points that correspond to specific
   interaction phases, enabling granular liability attribution when
   multiple agents contribute to complex multi-step processes that
   result in harm. The framework requires contracts to include
   standardized liability resolution procedures that specify
   automated calculation methods for damages, insurance claim
   procedures, and escalation mechanisms for disputes that cannot be
   resolved through automated processes.

   Organizations MAY establish liability contract hierarchies for
   complex multi-party scenarios where agents from more than two
   organizations interact simultaneously. These hierarchical
   contracts MUST maintain consistency with bilateral contracts and
   SHOULD specify conflict resolution mechanisms when overlapping
   liability boundaries create ambiguous attribution scenarios. The
   framework supports contract amendments and versioning to
   accommodate evolving organizational requirements while maintaining
   backward compatibility with existing agent deployments and
   ensuring that liability boundaries remain clearly defined
   throughout the contract lifecycle.

6.  Evidence Collection and Validation

   During cross-organizational AI agent interactions, evidence
   collection mechanisms MUST create tamper-evident logs that can be
   independently verified by all participating organizations and
   external auditors. The evidence collection system SHALL implement
   cryptographic integrity protection using mechanisms compatible
   with RFC 3161 timestamping services and MUST maintain
   chronological ordering of all inter-agent communications and
   decision points. Each participating organization MUST deploy
   evidence collection endpoints that implement standardized logging
   interfaces defined in this framework, ensuring that evidence
   trails remain consistent across organizational boundaries even
   when agents operate with different internal architectures.

   Evidence records MUST include interaction context metadata, agent
   decision rationales, and complete message traces between
   organizations as specified in Section 4. The logging format SHALL
   be based on structured data formats such as JSON-LD or Protocol
   Buffers to ensure machine readability across different
   organizational systems. Evidence collection points MUST capture
   not only successful interactions but also failed attempts, timeout
   conditions, and any agent behavior that deviates from pre-
   established cross-organizational contracts. Each evidence record
   SHALL include cryptographic signatures from all participating
   agents and MUST reference the specific liability anchor points
   established during interaction initiation.

   Integration with existing execution tracing protocols SHOULD
   leverage established frameworks such as OpenTelemetry distributed
   tracing while extending them with liability-specific metadata
   requirements. The evidence collection system MUST support real-
   time evidence sharing between organizations during ongoing
   interactions, allowing each party to maintain synchronized
   evidence trails without exposing sensitive internal agent
   architectures. Evidence validation procedures SHALL implement
   multi-party verification protocols where each organization can
   cryptographically attest to the accuracy of evidence records
   without requiring trust in external parties.

   Long-term evidence preservation requirements mandate that evidence
   records remain accessible and verifiable for periods defined by
   the applicable legal frameworks in each participating
   jurisdiction, typically ranging from seven to twenty years.
   Evidence storage systems MUST implement redundant backup
   mechanisms and SHALL provide standardized APIs for evidence
   retrieval during liability resolution procedures. The framework
   defines evidence portability standards that enable migration
   between different storage providers while maintaining
   cryptographic integrity, ensuring that evidence remains valid even
   as organizational infrastructure evolves. Evidence access controls
   MUST balance transparency requirements for liability resolution
   with privacy protections for sensitive business operations,
   implementing role-based access mechanisms that can be audited by
   regulatory authorities.

7.  Liability Resolution Procedures

   This section defines standardized procedures for resolving
   liability disputes arising from cross-organizational AI agent
   interactions. The liability resolution process operates in three
   phases: automated attribution calculation, evidence validation,
   and escalation procedures. Organizations deploying AI agents MUST
   implement liability resolution endpoints that can process
   attribution requests and respond with liability calculations based
   on pre-established contracts and collected evidence. The
   resolution procedures are designed to minimize human intervention
   in straightforward cases while providing clear escalation paths
   for complex disputes that require legal or technical review.

   The automated liability calculation phase begins when a harm event
   triggers the liability attribution process. The affected party's
   liability resolution system MUST collect all relevant evidence
   from the liability anchor points identified in the attribution
   chain, validate the cryptographic integrity of the evidence using
   the procedures defined in Section 6, and apply the liability
   calculation rules specified in the applicable cross-organizational
   liability contracts. The calculation engine SHOULD utilize
   standardized liability algorithms that consider factors including
   agent autonomy levels, contract-specified liability caps, and
   proportional responsibility based on causal contribution to the
   harm. If multiple organizations are involved in the attribution
   chain, the system MUST coordinate liability calculations across
   all parties and produce a preliminary liability distribution that
   reflects each organization's contractual obligations and causal
   involvement.

   Evidence validation procedures ensure that liability calculations
   are based on tamper-evident and cryptographically verifiable data.
   Resolution systems MUST verify the integrity of all evidence
   artifacts using the cryptographic signatures and hash chains
   established during the original agent interactions. When evidence
   validation fails or when evidence is missing from critical points
   in the attribution chain, the system SHOULD flag the case for
   manual review and MAY apply conservative liability assumptions as
   specified in the relevant contracts. Organizations MUST maintain
   evidence validation logs that record the success or failure of
   each validation step, providing an audit trail for subsequent
   legal proceedings if automated resolution is unsuccessful.

   Escalation procedures activate when automated liability
   calculation cannot produce a definitive resolution within the
   confidence thresholds specified in the cross-organizational
   contracts. Common escalation triggers include conflicting evidence
   from different liability anchor points, liability calculations
   that exceed contractual caps, or disputes involving organizations
   that have not implemented compatible versions of COALAF. The
   escalation process MUST preserve all evidence and preliminary
   calculations while transferring the dispute to human reviewers or
   designated arbitration systems. Organizations SHOULD implement
   graduated escalation procedures that attempt technical resolution
   through expert system review before proceeding to formal
   arbitration or legal proceedings.

   The liability resolution system MUST generate standardized
   resolution reports that document the final liability attribution,
   the evidence used in the calculation, and any escalation decisions
   made during the process. These reports serve as the authoritative
   record for insurance claims, legal proceedings, and organizational
   accountability processes. Resolution reports MUST include machine-
   readable sections that allow automated processing by insurance
   systems and legal databases, as well as human-readable summaries
   that explain the liability determination in accessible terms.
   Organizations MAY implement resolution report notification systems
   that automatically inform affected parties of liability
   determinations and provide mechanisms for formal dispute of the
   automated calculations within specified time frames.

8.  Security Considerations

   The security of cross-organizational liability attribution systems
   presents unique challenges that extend beyond traditional single-
   organization security models. Liability attribution chains MUST be
   protected against tampering, unauthorized modification, and replay
   attacks throughout their entire lifecycle, from initial contract
   establishment through final dispute resolution. Organizations
   implementing COALAF MUST employ cryptographic integrity protection
   mechanisms that ensure liability evidence remains tamper-evident
   across organizational boundaries and jurisdictional transfers. The
   distributed nature of cross-organizational interactions creates
   expanded attack surfaces where malicious actors may attempt to
   manipulate liability assignments, forge evidence, or exploit
   differences in security implementations between participating
   organizations.

   Evidence collection systems MUST implement strong cryptographic
   signatures and hash-based integrity verification to prevent post-
   hoc manipulation of liability-relevant data. Each liability anchor
   point MUST cryptographically sign all evidence records using
   organization-specific private keys, with public key verification
   available through standardized certificate authorities or
   blockchain-based key distribution systems. The evidence collection
   mechanism SHOULD implement tamper-evident timestamps using trusted
   timestamping services as specified in RFC 3161, ensuring that
   liability events can be temporally ordered across different
   organizational systems. Organizations MUST maintain cryptographic
   audit trails that link evidence collection events to specific AI
   agent actions, preventing evidence injection or selective omission
   attacks that could skew liability determinations.

   Contract manipulation represents a critical threat vector where
   malicious organizations might attempt to alter liability terms
   after autonomous interactions have commenced but before liability
   events occur. Cross-organizational liability contracts MUST be
   cryptographically sealed using multi-party digital signatures that
   require explicit consent from all participating organizations for
   any modifications. The contract verification system SHOULD
   implement immutable storage mechanisms, such as distributed ledger
   technologies or cryptographically-linked append-only logs, that
   prevent unauthorized contract alterations. Organizations MUST
   implement contract versioning systems that maintain complete
   change histories and require cryptographic proof of authorized
   modifications, ensuring that liability terms cannot be
   retroactively altered to avoid responsibility.

   Privacy protection mechanisms MUST balance the need for
   comprehensive liability evidence with organizational
   confidentiality requirements and regulatory compliance obligations
   such as GDPR or CCPA. Evidence collection systems SHOULD implement
   selective disclosure protocols that allow liability-relevant
   information to be shared without exposing sensitive operational
   data or proprietary algorithms. Organizations MAY employ zero-
   knowledge proof systems to demonstrate compliance with liability
   contracts without revealing underlying business logic or training
   data. The framework MUST support privacy-preserving liability
   calculations that enable automated liability distribution without
   requiring full disclosure of internal agent decision processes to
   external parties.

   Cryptographic key management across organizational boundaries
   introduces additional complexity that MUST be addressed through
   standardized key exchange and rotation protocols. Organizations
   MUST implement secure key escrow mechanisms that ensure liability
   evidence remains accessible even if participating organizations
   cease operations or become uncooperative during dispute resolution
   processes. The liability attribution system SHOULD support
   hierarchical key structures that allow delegation of signing
   authority while maintaining clear chains of cryptographic
   accountability. Cross-organizational key validation MUST be
   supported through standardized certificate authorities or
   decentralized key verification systems that remain operational
   across different jurisdictional and organizational contexts.

   Denial of service attacks against liability attribution systems
   could prevent proper evidence collection during critical
   autonomous interactions, potentially allowing harmful agents to
   operate without adequate accountability mechanisms. Organizations
   MUST implement redundant evidence collection systems and
   distributed liability anchor points that maintain functionality
   even when individual components are compromised or unavailable.
   The framework SHOULD include fallback mechanisms that ensure
   liability attribution continues to function during partial system
   failures, network partitions, or coordinated attacks against
   attribution infrastructure. Organizations MUST establish incident
   response procedures for security breaches that affect liability
   attribution systems, including mechanisms for evidence
   preservation, stakeholder notification, and liability framework
   recovery.

9.  IANA Considerations

   This document requires the creation of several new IANA registries
   to support standardized cross-organizational AI agent liability
   attribution. The registries are necessary to ensure consistent
   identification and processing of liability-related information
   across different organizations, legal jurisdictions, and technical
   implementations. All registry entries MUST include sufficient
   metadata to enable automated processing by AI agents while
   maintaining human readability for legal and regulatory review.

   IANA is requested to create a "Cross-Organizational AI Liability
   Contract Types" registry under the "Artificial Intelligence
   Parameters" category. This registry SHALL contain standardized
   identifiers for different classes of liability contracts as
   defined in Section 5, including but not limited to strict
   liability contracts, proportional liability contracts, and
   hierarchical liability contracts. Each registry entry MUST include
   the contract type identifier (a case-sensitive string), a human-
   readable description, the specification document reference, and
   any required contract parameters. Registration of new contract
   types requires Specification Required as defined in RFC 8126, with
   the designated expert evaluating legal soundness, technical
   feasibility, and compatibility with existing liability frameworks.

   IANA is requested to establish the "AI Agent Liability Attribution
   Chain Formats" registry to standardize the structure and encoding
   of liability attribution chains described in Section 4. Each
   format entry MUST specify the format identifier, the data
   structure specification, cryptographic requirements, and
   validation procedures. The registry SHALL include the default
   JSON-LD format specified in this document as well as provisions
   for compact binary formats and blockchain-based attribution
   chains. New format registrations require Expert Review with
   evaluation criteria including cryptographic security, cross-
   jurisdictional compatibility, and integration capabilities with
   existing accountability protocols such as those defined in RFC
   9000 series documents.

   A "Cross-Organizational Liability Status Codes" registry is
   required to standardize the response codes used in liability
   resolution procedures outlined in Section 7. The registry SHALL
   use a three-digit numeric scheme similar to HTTP status codes,
   with ranges allocated as follows: 1xx for informational liability
   status, 2xx for successful liability resolution, 3xx for liability
   redirection, 4xx for liability attribution errors, and 5xx for
   system errors in liability processing. Each status code entry MUST
   include the numeric code, canonical reason phrase, detailed
   description, and applicable resolution procedures. Registration of
   new status codes in the 1xx-3xx ranges requires IETF Review, while
   4xx-5xx codes require Specification Required to ensure consistency
   with error handling procedures across implementations.

   The designated expert for all liability-related registries SHOULD
   have demonstrated expertise in both AI system architecture and
   legal liability frameworks. Registry maintenance procedures MUST
   include periodic review of registered entries for continued
   relevance and compatibility with evolving legal standards. All
   registry entries SHALL include sunset clauses requiring renewal
   every five years unless superseded by updated specifications,
   ensuring that deprecated liability mechanisms do not accumulate in
   the registries over time.

Author's Address

   Generated by IETF Draft Analyzer
   2026-03-09
