Internet-Draft AI/Agent WG Intended status: standards-track March 2026 Expires: September 10, 2026 Cross-Organizational AI Agent Liability Attribution Framework (COALAF) draft-ai-ai-agent-liability-00 Abstract As AI agents increasingly operate autonomously across organizational boundaries, determining liability when harm occurs becomes complex and legally ambiguous. This document defines a standardized framework for establishing liability attribution chains when AI agents from different organizations interact and cause harm. The framework introduces liability anchor points, cross-organizational liability contracts, and standardized evidence collection mechanisms that integrate with existing accountability protocols. COALAF enables insurance providers, legal systems, and organizations to establish clear liability boundaries before autonomous interactions occur, reducing litigation costs and enabling broader AI agent deployment. The framework builds upon existing cryptographic delegation protocols and execution tracing standards to create tamper-evident liability trails that can be validated across jurisdictions. This specification addresses the gap between single-organization AI safety standards and the reality of multi-party autonomous agent ecosystems, providing a foundation for sustainable cross- organizational AI collaboration. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. This document is intended to have standards-track status. Distribution of this memo is unlimited. Table of Contents 1. Introduction ................................................ 3 2. Terminology ................................................. 4 3. Problem Statement ........................................... 5 4. Liability Attribution Architecture .......................... 6 5. Cross-Organizational Liability Contracts .................... 7 6. Evidence Collection and Validation .......................... 8 7. Liability Resolution Procedures ............................. 9 8. Security Considerations ..................................... 10 9. IANA Considerations ......................................... 11 1. Introduction As artificial intelligence agents become increasingly autonomous and capable of operating across organizational boundaries, the question of liability attribution when these systems cause harm has emerged as a critical challenge for both technical and legal communities. Unlike traditional software systems where liability typically follows clear organizational ownership patterns, autonomous AI agents may make decisions, enter into agreements, and cause harm through complex chains of interaction that span multiple organizations, jurisdictions, and legal frameworks. Current liability attribution mechanisms, designed primarily for single-organization contexts or human-mediated transactions, prove insufficient when autonomous agents from different organizations interact independently to produce harmful outcomes. The proliferation of cross-organizational AI agent interactions in domains such as automated trading, supply chain management, and autonomous vehicle coordination has exposed fundamental gaps in existing accountability frameworks. When an AI agent from Organization A interacts with an agent from Organization B, and their combined autonomous decisions result in harm to Organization C, determining which organization bears primary liability requires examination of decision-making processes, data contributions, and contractual relationships that may not have been explicitly documented or agreed upon in advance. Traditional approaches that rely on post-incident investigation and human testimony become inadequate when dealing with autonomous systems that may process thousands of interactions per second across multiple organizational boundaries. Existing technical standards for AI accountability, including execution tracing protocols defined in various industry frameworks and cryptographic delegation mechanisms outlined in emerging Internet-Drafts, address intra-organizational liability but do not provide mechanisms for cross-organizational liability attribution. Legal frameworks similarly struggle with autonomous agent liability, as they typically assume human decision-makers can be identified and held accountable for system behavior. The resulting ambiguity creates significant barriers to cross-organizational AI collaboration, as organizations face unlimited and unpredictable liability exposure when their agents interact with external autonomous systems. This document addresses these challenges by defining the Cross- Organizational AI Agent Liability Attribution Framework (COALAF), which establishes standardized mechanisms for pre-establishing liability boundaries, collecting tamper-evident evidence of cross- organizational agent interactions, and resolving liability disputes through automated and semi-automated procedures. The framework builds upon existing cryptographic protocols and extends current accountability standards to support multi-party scenarios where autonomous agents operate independently across organizational boundaries. By providing clear technical and procedural foundations for liability attribution, COALAF enables organizations to engage in cross-organizational AI collaboration while maintaining predictable and manageable liability exposure. 2. Terminology This section defines terminology used throughout this specification. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. **Liability Anchor Point**: A cryptographically-identified decision point within an AI agent's execution where liability attribution can be definitively established. Each anchor point MUST contain sufficient contextual information to determine the responsible organization, the decision rationale, and the preceding chain of interactions that led to the decision. Liability anchor points serve as immutable checkpoints in the attribution chain and MUST be implemented using tamper-evident cryptographic signatures as specified in [RFC9162]. **Cross-Organizational Liability Contract (COLC)**: A machine- readable contract that establishes liability boundaries, attribution procedures, and resolution mechanisms between two or more organizations before their AI agents interact. COLCs MUST specify liability caps, evidence requirements, dispute resolution procedures, and applicable jurisdictions. These contracts build upon existing smart contract frameworks but include specific provisions for autonomous agent interactions and MUST be digitally signed by authorized representatives from each participating organization. **Liability Attribution Chain**: An ordered sequence of liability anchor points that traces the causal path from an autonomous interaction to resulting harm. Each chain MUST maintain cryptographic integrity through hash-linked structures and SHOULD include timestamps, decision contexts, and inter-organizational handoff points. Attribution chains serve as the primary evidence artifact for liability determination and MUST be constructed in real-time during agent interactions to ensure completeness and authenticity. **Autonomous Interaction Context**: The operational environment and circumstances under which AI agents from different organizations interact without direct human supervision. This context MUST include the triggering conditions, available resources, active constraints, and applicable liability contracts. The context serves as the foundational framework for liability attribution and MUST be established and agreed upon by all participating organizations before autonomous interactions commence. **Liability Attribution Authority (LAA)**: An entity responsible for validating attribution chains, interpreting cross- organizational liability contracts, and facilitating dispute resolution. LAAs MAY be implemented as distributed systems, third- party arbitrators, or consortium-managed services. Each LAA MUST maintain cryptographic credentials for chain validation and SHOULD provide standardized APIs for liability inquiry and resolution as defined in Section 7. **Cross-Organizational Harm Event**: An occurrence where an autonomous AI agent interaction between multiple organizations results in measurable damage, loss, or negative impact to external parties or participating organizations. Harm events trigger the liability attribution process and MUST be reported to all participating organizations within the timeframe specified in the applicable COLC. The definition of harm MUST be established in the cross-organizational liability contract and MAY include financial loss, privacy violations, safety incidents, or regulatory compliance failures. 3. Problem Statement Current liability frameworks operate under the assumption that AI agents function within well-defined organizational boundaries with clear chains of command and responsibility. However, as autonomous agents increasingly interact across organizational boundaries to accomplish complex tasks, these frameworks encounter fundamental limitations. When an AI agent from Organization A delegates a subtask to an agent from Organization B, and that interaction subsequently causes harm to a third party, existing legal and technical systems lack standardized mechanisms to determine which organization bears primary liability, secondary liability, or contributory responsibility. Consider a scenario where a logistics AI agent from Company A contracts with a financial AI agent from Company B to process a payment, which then interacts with a regulatory compliance agent from Company C to verify transaction legality. If this chain of autonomous interactions results in regulatory violations and financial harm, current frameworks provide no standardized method to trace liability attribution across the three organizations. Each organization's internal accountability systems may function correctly, but the lack of interoperable liability tracking creates gaps where responsibility becomes legally ambiguous. The problem intensifies when organizations operate under different jurisdictions with varying liability standards and when agents make autonomous decisions that were not explicitly programmed by their respective organizations. Existing accountability protocols such as those defined in draft- ietf-rats-architecture focus primarily on attestation and verification within single administrative domains. While these protocols provide excellent foundations for establishing trust and traceability, they do not address the legal and contractual complexities that arise when autonomous agents create binding commitments across organizational boundaries. Current AI governance frameworks similarly concentrate on single-organization risk management and fail to provide standardized mechanisms for liability attribution when multiple organizations' agents contribute to harmful outcomes through their autonomous interactions. The absence of standardized cross-organizational liability attribution mechanisms creates several critical problems: organizations become reluctant to allow their agents to interact autonomously with external agents due to unclear liability exposure, insurance providers cannot accurately assess risks associated with multi-party AI agent interactions, and legal systems lack consistent frameworks for resolving disputes when autonomous agents cause harm through cross-organizational collaborations. These gaps significantly limit the potential for beneficial AI agent collaboration and create barriers to the development of robust multi-organizational autonomous systems that could provide substantial economic and social benefits. 4. Liability Attribution Architecture The COALAF liability attribution architecture consists of three core components that work together to establish clear liability boundaries across organizational boundaries. The architecture builds upon existing accountability protocols defined in RFC 8520 (Manufacturer Usage Description) and draft standards for AI agent traceability to ensure compatibility with current organizational infrastructure. Each component operates independently while maintaining cryptographic links to create an immutable attribution chain that can be validated by legal systems and insurance providers. Liability anchor points serve as the foundational elements of the attribution architecture, representing specific moments in cross- organizational agent interactions where liability responsibility transfers between organizations. Each anchor point MUST contain a unique identifier, timestamp, organizational context, agent state information, and cryptographic proof of the interaction state at the moment of transfer. Anchor points are established through mutual agreement between participating organizations and are digitally signed by both parties to prevent later disputes about the interaction context. The anchor point structure follows a standardized JSON schema that includes fields for liability limits, coverage boundaries, and escalation procedures that were pre-negotiated in the cross-organizational liability contracts. Attribution chain structures provide the mechanism for linking liability anchor points across multiple organizational boundaries and agent interactions. Each attribution chain MUST maintain a chronological sequence of anchor points, cryptographic hashes linking each point to the next, and metadata describing the nature of each inter-organizational transfer. The chain structure uses a directed acyclic graph (DAG) format to handle complex scenarios where multiple agents from different organizations contribute to a single harmful outcome. Chain validation requires that each participating organization can independently verify the integrity of the entire chain using standard cryptographic verification procedures defined in RFC 8032 (EdDSA signatures). Cross-organizational contract templates define the standardized formats and negotiation protocols that organizations use to establish liability boundaries before agent interactions occur. These templates MUST specify liability limits, coverage areas, evidence collection requirements, and dispute resolution procedures in a machine-readable format that autonomous agents can process during runtime. The templates integrate with existing contract negotiation protocols and support dynamic modification based on interaction context, allowing organizations to adjust liability boundaries for different types of agent tasks or risk levels. Contract templates include provisions for insurance integration, regulatory compliance across jurisdictions, and compatibility with existing organizational risk management frameworks. The integration layer connects COALAF components with existing accountability protocols through standardized APIs and data exchange formats. Organizations MUST implement COALAF-compatible interfaces that can generate liability anchor points, maintain attribution chains, and enforce contract terms without requiring modifications to existing agent architectures. The integration layer supports both real-time liability tracking during agent operations and post-incident reconstruction for liability resolution procedures. This approach ensures that organizations can adopt COALAF incrementally while maintaining compatibility with current AI safety and accountability systems. 5. Cross-Organizational Liability Contracts Cross-organizational liability contracts provide the foundational legal and technical framework for establishing liability boundaries before AI agents interact autonomously across organizational boundaries. These contracts MUST be established between participating organizations prior to enabling autonomous agent interactions and SHOULD specify liability allocation percentages, coverage limits, and dispute resolution mechanisms. The contracts serve as legally binding agreements that define how liability will be distributed when harm occurs during cross- organizational agent interactions, eliminating the need for post- incident liability negotiations that can result in prolonged litigation. The framework defines three standardized contract templates that organizations MAY adopt based on their risk tolerance and operational requirements: proportional liability contracts that allocate liability based on each agent's contribution to the harmful outcome, primary-secondary liability contracts that designate one organization as primarily liable with fallback provisions, and joint liability contracts where organizations share equal responsibility regardless of individual agent contributions. Each template MUST include mandatory fields for liability caps, insurance requirements, governing jurisdiction, and compatibility with existing accountability protocols as defined in Section 4. Organizations SHOULD negotiate contract terms through the standardized Liability Contract Negotiation Protocol (LCNP) which enables automated contract parameter exchange and compatibility verification between different organizational liability frameworks. Contract formats MUST be machine-readable to enable autonomous agent processing during runtime liability decisions and evidence collection procedures. The framework specifies the Cross- Organizational Liability Contract Language (COLCL), an extension of existing contract specification languages that includes liability-specific constructs for dynamic liability calculation, real-time insurance verification, and automated escalation triggers. COLCL contracts MUST be digitally signed by authorized organizational representatives and SHOULD be registered with designated liability contract repositories to enable third-party validation and enforcement. The language includes support for conditional liability clauses that can adjust liability allocation based on runtime factors such as agent behavior patterns, environmental conditions, or detected security incidents. Liability contracts MUST specify integration requirements with existing cryptographic delegation protocols and execution tracing standards to ensure evidence collected during agent interactions can be properly attributed to contractual obligations. Contracts SHOULD define liability anchor points that correspond to specific interaction phases, enabling granular liability attribution when multiple agents contribute to complex multi-step processes that result in harm. The framework requires contracts to include standardized liability resolution procedures that specify automated calculation methods for damages, insurance claim procedures, and escalation mechanisms for disputes that cannot be resolved through automated processes. Organizations MAY establish liability contract hierarchies for complex multi-party scenarios where agents from more than two organizations interact simultaneously. These hierarchical contracts MUST maintain consistency with bilateral contracts and SHOULD specify conflict resolution mechanisms when overlapping liability boundaries create ambiguous attribution scenarios. The framework supports contract amendments and versioning to accommodate evolving organizational requirements while maintaining backward compatibility with existing agent deployments and ensuring that liability boundaries remain clearly defined throughout the contract lifecycle. 6. Evidence Collection and Validation During cross-organizational AI agent interactions, evidence collection mechanisms MUST create tamper-evident logs that can be independently verified by all participating organizations and external auditors. The evidence collection system SHALL implement cryptographic integrity protection using mechanisms compatible with RFC 3161 timestamping services and MUST maintain chronological ordering of all inter-agent communications and decision points. Each participating organization MUST deploy evidence collection endpoints that implement standardized logging interfaces defined in this framework, ensuring that evidence trails remain consistent across organizational boundaries even when agents operate with different internal architectures. Evidence records MUST include interaction context metadata, agent decision rationales, and complete message traces between organizations as specified in Section 4. The logging format SHALL be based on structured data formats such as JSON-LD or Protocol Buffers to ensure machine readability across different organizational systems. Evidence collection points MUST capture not only successful interactions but also failed attempts, timeout conditions, and any agent behavior that deviates from pre- established cross-organizational contracts. Each evidence record SHALL include cryptographic signatures from all participating agents and MUST reference the specific liability anchor points established during interaction initiation. Integration with existing execution tracing protocols SHOULD leverage established frameworks such as OpenTelemetry distributed tracing while extending them with liability-specific metadata requirements. The evidence collection system MUST support real- time evidence sharing between organizations during ongoing interactions, allowing each party to maintain synchronized evidence trails without exposing sensitive internal agent architectures. Evidence validation procedures SHALL implement multi-party verification protocols where each organization can cryptographically attest to the accuracy of evidence records without requiring trust in external parties. Long-term evidence preservation requirements mandate that evidence records remain accessible and verifiable for periods defined by the applicable legal frameworks in each participating jurisdiction, typically ranging from seven to twenty years. Evidence storage systems MUST implement redundant backup mechanisms and SHALL provide standardized APIs for evidence retrieval during liability resolution procedures. The framework defines evidence portability standards that enable migration between different storage providers while maintaining cryptographic integrity, ensuring that evidence remains valid even as organizational infrastructure evolves. Evidence access controls MUST balance transparency requirements for liability resolution with privacy protections for sensitive business operations, implementing role-based access mechanisms that can be audited by regulatory authorities. 7. Liability Resolution Procedures This section defines standardized procedures for resolving liability disputes arising from cross-organizational AI agent interactions. The liability resolution process operates in three phases: automated attribution calculation, evidence validation, and escalation procedures. Organizations deploying AI agents MUST implement liability resolution endpoints that can process attribution requests and respond with liability calculations based on pre-established contracts and collected evidence. The resolution procedures are designed to minimize human intervention in straightforward cases while providing clear escalation paths for complex disputes that require legal or technical review. The automated liability calculation phase begins when a harm event triggers the liability attribution process. The affected party's liability resolution system MUST collect all relevant evidence from the liability anchor points identified in the attribution chain, validate the cryptographic integrity of the evidence using the procedures defined in Section 6, and apply the liability calculation rules specified in the applicable cross-organizational liability contracts. The calculation engine SHOULD utilize standardized liability algorithms that consider factors including agent autonomy levels, contract-specified liability caps, and proportional responsibility based on causal contribution to the harm. If multiple organizations are involved in the attribution chain, the system MUST coordinate liability calculations across all parties and produce a preliminary liability distribution that reflects each organization's contractual obligations and causal involvement. Evidence validation procedures ensure that liability calculations are based on tamper-evident and cryptographically verifiable data. Resolution systems MUST verify the integrity of all evidence artifacts using the cryptographic signatures and hash chains established during the original agent interactions. When evidence validation fails or when evidence is missing from critical points in the attribution chain, the system SHOULD flag the case for manual review and MAY apply conservative liability assumptions as specified in the relevant contracts. Organizations MUST maintain evidence validation logs that record the success or failure of each validation step, providing an audit trail for subsequent legal proceedings if automated resolution is unsuccessful. Escalation procedures activate when automated liability calculation cannot produce a definitive resolution within the confidence thresholds specified in the cross-organizational contracts. Common escalation triggers include conflicting evidence from different liability anchor points, liability calculations that exceed contractual caps, or disputes involving organizations that have not implemented compatible versions of COALAF. The escalation process MUST preserve all evidence and preliminary calculations while transferring the dispute to human reviewers or designated arbitration systems. Organizations SHOULD implement graduated escalation procedures that attempt technical resolution through expert system review before proceeding to formal arbitration or legal proceedings. The liability resolution system MUST generate standardized resolution reports that document the final liability attribution, the evidence used in the calculation, and any escalation decisions made during the process. These reports serve as the authoritative record for insurance claims, legal proceedings, and organizational accountability processes. Resolution reports MUST include machine- readable sections that allow automated processing by insurance systems and legal databases, as well as human-readable summaries that explain the liability determination in accessible terms. Organizations MAY implement resolution report notification systems that automatically inform affected parties of liability determinations and provide mechanisms for formal dispute of the automated calculations within specified time frames. 8. Security Considerations The security of cross-organizational liability attribution systems presents unique challenges that extend beyond traditional single- organization security models. Liability attribution chains MUST be protected against tampering, unauthorized modification, and replay attacks throughout their entire lifecycle, from initial contract establishment through final dispute resolution. Organizations implementing COALAF MUST employ cryptographic integrity protection mechanisms that ensure liability evidence remains tamper-evident across organizational boundaries and jurisdictional transfers. The distributed nature of cross-organizational interactions creates expanded attack surfaces where malicious actors may attempt to manipulate liability assignments, forge evidence, or exploit differences in security implementations between participating organizations. Evidence collection systems MUST implement strong cryptographic signatures and hash-based integrity verification to prevent post- hoc manipulation of liability-relevant data. Each liability anchor point MUST cryptographically sign all evidence records using organization-specific private keys, with public key verification available through standardized certificate authorities or blockchain-based key distribution systems. The evidence collection mechanism SHOULD implement tamper-evident timestamps using trusted timestamping services as specified in RFC 3161, ensuring that liability events can be temporally ordered across different organizational systems. Organizations MUST maintain cryptographic audit trails that link evidence collection events to specific AI agent actions, preventing evidence injection or selective omission attacks that could skew liability determinations. Contract manipulation represents a critical threat vector where malicious organizations might attempt to alter liability terms after autonomous interactions have commenced but before liability events occur. Cross-organizational liability contracts MUST be cryptographically sealed using multi-party digital signatures that require explicit consent from all participating organizations for any modifications. The contract verification system SHOULD implement immutable storage mechanisms, such as distributed ledger technologies or cryptographically-linked append-only logs, that prevent unauthorized contract alterations. Organizations MUST implement contract versioning systems that maintain complete change histories and require cryptographic proof of authorized modifications, ensuring that liability terms cannot be retroactively altered to avoid responsibility. Privacy protection mechanisms MUST balance the need for comprehensive liability evidence with organizational confidentiality requirements and regulatory compliance obligations such as GDPR or CCPA. Evidence collection systems SHOULD implement selective disclosure protocols that allow liability-relevant information to be shared without exposing sensitive operational data or proprietary algorithms. Organizations MAY employ zero- knowledge proof systems to demonstrate compliance with liability contracts without revealing underlying business logic or training data. The framework MUST support privacy-preserving liability calculations that enable automated liability distribution without requiring full disclosure of internal agent decision processes to external parties. Cryptographic key management across organizational boundaries introduces additional complexity that MUST be addressed through standardized key exchange and rotation protocols. Organizations MUST implement secure key escrow mechanisms that ensure liability evidence remains accessible even if participating organizations cease operations or become uncooperative during dispute resolution processes. The liability attribution system SHOULD support hierarchical key structures that allow delegation of signing authority while maintaining clear chains of cryptographic accountability. Cross-organizational key validation MUST be supported through standardized certificate authorities or decentralized key verification systems that remain operational across different jurisdictional and organizational contexts. Denial of service attacks against liability attribution systems could prevent proper evidence collection during critical autonomous interactions, potentially allowing harmful agents to operate without adequate accountability mechanisms. Organizations MUST implement redundant evidence collection systems and distributed liability anchor points that maintain functionality even when individual components are compromised or unavailable. The framework SHOULD include fallback mechanisms that ensure liability attribution continues to function during partial system failures, network partitions, or coordinated attacks against attribution infrastructure. Organizations MUST establish incident response procedures for security breaches that affect liability attribution systems, including mechanisms for evidence preservation, stakeholder notification, and liability framework recovery. 9. IANA Considerations This document requires the creation of several new IANA registries to support standardized cross-organizational AI agent liability attribution. The registries are necessary to ensure consistent identification and processing of liability-related information across different organizations, legal jurisdictions, and technical implementations. All registry entries MUST include sufficient metadata to enable automated processing by AI agents while maintaining human readability for legal and regulatory review. IANA is requested to create a "Cross-Organizational AI Liability Contract Types" registry under the "Artificial Intelligence Parameters" category. This registry SHALL contain standardized identifiers for different classes of liability contracts as defined in Section 5, including but not limited to strict liability contracts, proportional liability contracts, and hierarchical liability contracts. Each registry entry MUST include the contract type identifier (a case-sensitive string), a human- readable description, the specification document reference, and any required contract parameters. Registration of new contract types requires Specification Required as defined in RFC 8126, with the designated expert evaluating legal soundness, technical feasibility, and compatibility with existing liability frameworks. IANA is requested to establish the "AI Agent Liability Attribution Chain Formats" registry to standardize the structure and encoding of liability attribution chains described in Section 4. Each format entry MUST specify the format identifier, the data structure specification, cryptographic requirements, and validation procedures. The registry SHALL include the default JSON-LD format specified in this document as well as provisions for compact binary formats and blockchain-based attribution chains. New format registrations require Expert Review with evaluation criteria including cryptographic security, cross- jurisdictional compatibility, and integration capabilities with existing accountability protocols such as those defined in RFC 9000 series documents. A "Cross-Organizational Liability Status Codes" registry is required to standardize the response codes used in liability resolution procedures outlined in Section 7. The registry SHALL use a three-digit numeric scheme similar to HTTP status codes, with ranges allocated as follows: 1xx for informational liability status, 2xx for successful liability resolution, 3xx for liability redirection, 4xx for liability attribution errors, and 5xx for system errors in liability processing. Each status code entry MUST include the numeric code, canonical reason phrase, detailed description, and applicable resolution procedures. Registration of new status codes in the 1xx-3xx ranges requires IETF Review, while 4xx-5xx codes require Specification Required to ensure consistency with error handling procedures across implementations. The designated expert for all liability-related registries SHOULD have demonstrated expertise in both AI system architecture and legal liability frameworks. Registry maintenance procedures MUST include periodic review of registered entries for continued relevance and compatibility with evolving legal standards. All registry entries SHALL include sunset clauses requiring renewal every five years unless superseded by updated specifications, ensuring that deprecated liability mechanisms do not accumulate in the registries over time. Author's Address Generated by IETF Draft Analyzer 2026-03-09