Argument Map — Who Should Govern AI Agent Identity?

AI agent identity governance needs to extract four portable institutional elements from 25 years of DNS governance experience: enforceable power allocation, accessible recourse mechanisms, sustainable financial models, and externally auditable transparency. However, the DNS organizational form cannot be transplanted wholesale, because agent identity involves cross-sector legal systems spanning security, consumer protection, labor, finance, healthcare, and beyond. Three design principles serve as the pillars of the governance architecture: accountability must be embedded in the architecture (program code-as-law + responsibility-by-design), legitimacy requires structurally guaranteed multistakeholder representation (Allen's five anchors), and governance must respond to the reality of delegation chains and distributed morality (Floridi distributed morality). This article serves as the enterprise/institutional complement to article 16 (civic-ai-agent-delegation-limits), supplying primary draft material for Ch9.1.

AI agent identity governance must extract four portable institutional elements from 25 years of DNS governance, anchored by three design principles addressing accountability, multistakeholder legitimacy, and distributed moral responsibility.

Formal Notation

Governance(agentic_id) ⊨ ⟨P_acc, P_legit, P_dist⟩

Inherit_from_DNS = ⟨executable_power, recourse, financial_sustainability, transparency⟩  ⊆  applicable(agentic_id)
¬Inherit(organizational_form_DNS, agentic_id)   (cross-sector legal regime mismatch)
P_acc: code-as-law ∧ responsibility-by-design ∧ Strom(accountability_reverse_delegation)
P_legit: Allen_five_anchors ∧ Flanagan_who_pays
P_dist: Floridi(distributed_morality) ∧ Elish(moral_crumple_zone) ∧ Tomasev(5_components)

Agent identity Governance is constituted by the conjunction of three design principles. From DNS governance, only four institutional elements are inherited (enforceable power + recourse + financial model + transparency); the organizational form is not inherited. The three principles are accountability embedded in architecture (P_acc), structural multistakeholder legitimacy (P_legit), and distributed morality and delegation chain governance (P_dist).

Governance(agentic_id): AI agent identity governance framework
P_acc: Accountability principle (code-as-law + responsibility-by-design + reverse accountability)
P_legit: Legitimacy principle (structurally guaranteed multistakeholder representation + sustainable finance)
P_dist: Distributed morality principle (moral crumple zone + five components of delegation chain)
Inherit_from_DNS: Four portable institutional elements from DNS governance
⊨: Satisfies / entails
⊆: Subset
∧: Conjunction (simultaneously holds)
¬: Negation

The formula states the position; the next step is to separate common misreadings. Discourse on agent identity governance is often simplified to "technical standards sufficiency" — once the protocols being advanced by OpenID GAS, DIF, and IETF WIMSE can be integrated, governance problems are automatically solved. But this technicist position obscures the institutional design core — technical standards handle identity verification, while governance handles power allocation, recourse channels, and responsibility attribution; the two have different scopes. The map's first move is to separate "technical standards are sufficient" from the "dual track of institutional design + technical standards."

foundational distinction

❌ Rejected

Technical standards sufficiency (technology determinism)

Reducing agent identity governance to technical standards integration. Once the protocols being advanced by OpenID GAS, DIF, IETF WIMSE, and W3C AI agent identity converge, governance problems are automatically solved. This position assumes "institutions will follow technology," but history shows the reverse — the adoption rate of technical standards is shaped by institutional authorization, commercial incentives, and public trust. Audits of 30 open-source AI agent projects show that 93% still rely on environment variable API keys; the existence of technical standards did not automatically drive adoption. The DigiNotar incident showed that a single certificate authority compromise could undermine the entire trust system; technical completeness cannot guard against institutional defects.

Governance(agentic_id) ⇐ technical_standards (reducing governance to technical integration)

✓ Defended

Dual track of institutional design + technical standards

Agent identity governance requires simultaneous advancement of technical standards and institutional design. Technical standards handle identity verification, permission management, and audit records; institutional design handles power allocation, recourse channels, responsibility attribution, and sustainable finance. The two have different scopes; either one missing constitutes governance failure. Four portable institutional elements are inherited from 25 years of DNS/ICANN experience (enforceable power + recourse + financial model + transparency), but the organizational form is not. Three design principles serve as the pillars of the governance architecture — P_acc: accountability embedded in architecture, P_legit: structural multistakeholder legitimacy, P_dist: distributed morality and delegation chain governance.

Governance(agentic_id) ⊨ ⟨P_acc, P_legit, P_dist⟩   ;   Inherit_from_DNS = ⟨executable, recourse, finance, transparency⟩

The distinction is merely a declaration. To prove that the "dual track of institutional design + technical standards" holds, five independent sources of support are needed. On the analogy front, portable institutional elements are extracted from 25 years of DNS/ICANN governance experience; on the theoretical front, the principal-agent framework (Jensen-Meckling + Strom + Kolt) establishes the analytical backbone for agency problems; on the philosophical front, responsibility attribution and distributed morality address the many-hands problem; on the experiential front, global digital identity cases (DigiNotar / Let's Encrypt / Estonia / Aadhaar / UK Verify / NIIMS) yield institutional conditions from failures and successes; on the evolutionary front, two trajectories — human digital identity and AI agent identity — are compared to reveal predictable tensions in power redistribution. Five pillars correspond to five types of argument.

supporting arguments

§2 — Analogy (25 years of DNS governance experience)

Four institutional elements are portable; the organizational form cannot be transplanted wholesale

whyProvides institutional precedent; if AI agent identity governance is viewed as an "entirely new design," the institutional burden of proof must be built from scratch. Extracting portable elements from 25 years of DNS/ICANN governance experience significantly reduces the burden of proof; at the same time, which elements cannot be transplanted must be explicitly stated to avoid over-analogy.

ICANN has operated since 1998; in fiscal year 2024 its consolidated revenue was approximately USD 149.4 million, sustained through contractual relationships and registry/registrar fees. Following the 2016 IANA transition, the Empowered Community mechanism was established, giving community power legal teeth — capable of vetoing budgets, blocking bylaw changes, and removing board members under California law. The separation of technical operations and policy-making (PTI executes technical functions; community processes produce policies) provides a layered template for "certificate issuance and revocation" and "governance rule-making." However, the scope of DNS governance is a narrow naming resource; AI agent identity involves cross-sector legal systems. The USD 185,000 application fee for new gTLDs reflects multistakeholder governance's exclusion of the Global South; and the 14-year gap between two rounds of ICANN gTLD evaluations is hard to reconcile with the quarterly pace at which AI agents evolve.

The portable elements are the four items of "enforceable power allocation + accessible recourse mechanisms + sustainable financial model + externally auditable transparency"; the organizational form (contractual relationships based on naming resources) cannot be transplanted wholesale.

Inherit_DNS(agentic_id) = ⟨executable_power, recourse, finance, transparency⟩ ⊊ ICANN_form

§3 — Theory (principal-agent theory)

Four agency problems in delegation chains are amplified in AI scenarios

whyProvides the analytical backbone; without a systematic agency problem framework, the argument for "why governance is difficult" will be scattered. Integration of three theories — Jensen-Meckling + Strom + Kolt — provides a precise classification of four agency problems, giving governance design a corresponding problem list.

Jensen-Meckling 1976 defines agency relationships and their inevitable agency costs (monitoring costs, bonding costs, residual loss). Strom 2000 proposes a parliamentary democracy analytical framework of "accountability direction runs opposite to delegation direction" — delegation flows from principal to agent, accountability flows in reverse. Kolt 2025, in *Governing AI Agents*, identifies four core agency problems: (1) information asymmetry (users have limited knowledge of agent capability and inner workings), (2) scope creep (agents acting beyond authorized scope), (3) loyalty conflict (agents serving developers/advertisers rather than users), and (4) recursive delegation (agents re-delegating to sub-agents). Stocker & Lehr 2025's concept of "shadow principals" deepens the loyalty conflict — users nominally are principals, but agent behavior is shaped by developer, platform provider, and advertiser interests.

All four agency problems are amplified in AI scenarios (not driven by economic incentives + operating at speeds far exceeding human capacity); traditional monitoring and incentive designs fail. Governance design must directly encode "reverse accountability of delegation chains" as a structure.

Agency_problems(AI) = ⟨asym_info, scope_creep, loyalty_conflict, recursive_delegation⟩  ;  Accountability(AI) = reverse(Delegation(AI))

§4 — Philosophy (responsibility attribution and distributed morality)

Moral crumple zones and the many-hands problem are exacerbated under AI delegation chains

whyProvides philosophical foundation; without a clear philosophical framework for "how responsibility should be allocated," governance design easily pushes all responsibility onto the nearest human (moral crumple zone effect), repeating the historical mistakes of responsibility allocation in autonomous vehicles.

Floridi & Sanders 2004, in *Minds and Machines*, argue that AI agents can be regarded as moral agents at an appropriate level of abstraction; they can be accountable but not necessarily responsible. Floridi 2016's concept of "distributed morality" shows that morally significant consequences can emerge from individually harmless actions in distributed systems. Nissenbaum 1996's "many-hands problem" + Thompson 1980's "many hands in political governance" jointly point out that when many people collectively cause a consequence, individual attribution becomes difficult. Elish 2019's "moral crumple zones" describe the typical failure mode in highly automated systems where human operators absorb all responsibility for system failures. van de Poel 2012 advocates "design for responsibility" — treating moral responsibility as a design parameter for engineering systems. Lee & See 2004's trust calibration framework adds that governance systems must provide users with comprehensible trust signals, avoiding both blind trust and wholesale rejection.

Responsibility allocation must be distributed proportionally along the causal chain, avoiding concentration in the nearest human; governance systems must provide comprehensible trust calibration signals, and cannot rely solely on technical log disclosure.

Liability_dist(AI_chain) = ⟨proportional_to_causality, responsibility_by_design, ¬moral_crumple⟩

§5 — Experience (lessons from global digital identity cases)

Institutional conditions determine the construction and maintenance of trust

whyProvides empirical foundation; with only theoretical arguments, governance recommendations lack reference cases of success and failure. Recurring patterns of institutional conditions are extracted from six cases: DigiNotar / Let's Encrypt / Estonia / Aadhaar / UK Verify / NIIMS.

The DigiNotar 2011 intrusion (certificate forgery involving hundreds of websites, insufficient basic security measures, delayed notification) led to systemic de-trusting through browser vendors and the Dutch government revoking the trust root, ultimately resulting in corporate bankruptcy. Let's Encrypt, operated by ISRG as a nonprofit, surpassed 420 million active certificates in 2024, with community donations and sponsorships as the main revenue sources — demonstrating how transparency + automation + public interest narrative can scale trust construction. Estonia's X-Road connects 929 institutions and 1,887 systems, originating from the 1996 trauma of a contractor selling a "super database," leading to a decentralized architecture with no central database. Singapore's SingPass has reached 97% adoption among eligible citizens; IMDA published the world's first agentic AI governance framework in January 2026. The UK's Gov.UK Verify consumed GBP 233 million but achieved a verification success rate of only 48% (against a 90% target), shutting down in 2023–2024 — insufficient political legitimacy and public trust directly reversed large-scale identity infrastructure. India's Aadhaar has issued 1.418 billion numbers as of March 2025, but fieldwork in Jharkhand shows a 20% exclusion error rate and dozens of hunger-related deaths. Kenya's NIIMS High Court ruling identified issues with the legislative process, data protection framework inadequacy, and public participation.

Institutional conditions (legal authorization, data protection, public participation, perceived public benefit, avoiding exclusionary discrimination) determine the construction and maintenance of trust; technical completeness cannot compensate for institutional defects.

Trust(id_system) ⇐ ⟨legal_authority, data_protection, public_participation, perceived_public_benefit, ¬exclusion⟩

§6 — Evolution (two trajectories: human identity vs AI agent identity)

AI agent identity replays the human identity evolution path on a compressed timeline

whyProvides forward-looking analysis; without explicit predictions of evolutionary tensions, governance recommendations can only address the present and cannot foresee the future. The three stages of human identity (institutionally conferred → federated → portable and autonomous) provide a structurally isomorphic reference for AI agent identity.

Three stages of human digital identity evolution. The first stage is institutionally conferred identity (passport, social security number, Estonia 2002 e-ID, India Aadhaar 2009). The second stage is federated identity (OAuth, SAML enable identity to extend across platforms, but control is concentrated in a few intermediaries such as Google / Facebook / Apple). The third stage is portable self-sovereign identity (DID + VC + EU eIDAS 2.0 wallet). AI agent identity replays this on a compressed timeline. Today's environment variable API keys correspond to the most primitive form of "institutionally conferred"; Microsoft Entra Agent ID + Google A2A promote federation but control remains locked to platforms; DIF Trusted AI Agents Working Group + W3C Agent Protocol Community Group explore a portable identity layer. Three fundamental differences complicate prediction: (i) scale and speed (milliseconds vs years), (ii) identity ontological status (agents have no prior existence; identity is defined by their creator), and (iii) trust anchor (humans anchor to nation/law/social contract; agents anchor to platforms or cryptography, but neither can handle dispute compensation and recourse).

Evolution(AI_id) ≅ compressed(Evolution(human_id))   ;   Δ(speed, ontology, trust_anchor)  ⇒  divergence_at_inflection_points

The pillars are affirmative arguments. The Aadhaar case provides a specific causal chain from "2009 compulsory linkage design" to "2024 accumulated exclusion deaths," where the first part is normatively necessary (compulsory linkage + administrative legitimacy failure) and the latter part is probabilistic (20% exclusion error rate + Jharkhand hunger deaths). The purpose of unfolding the chain is to translate the abstract "insufficient institutional conditions" into a mechanically traceable event sequence.

causal chain

Six-step causal chain of Aadhaar exclusion deaths (compulsory linkage → institutional condition failure → marginalized group harm)

T0 ⇒

2009–2016 — Aadhaar compulsory linkage to PDS/subsidy system design established, with no inclusion impact assessment (normatively necessary)

T1 ⇒

Marginalized groups (laborers with dry fingers, elderly people, those with low digital literacy) face biometric authentication failures (normatively necessary)

T2 ⇒

Jean Dreze fieldwork shows exclusion error rates of up to 20% in Jharkhand and other areas (based on data sampling, still a reproducible phenomenon)

T3 ◊⇒

2017–2024 — At least dozens of hunger-related deaths in Jharkhand linked to Aadhaar exclusion (external trigger, varies by individual case)

T4 ◊⇒

2017–2018 — *Puttaswamy I/II* Supreme Court of India rulings establish privacy as a fundamental right; Aadhaar compulsory linkage partially curtailed after 2018

T5 ◊⇒

2025+ — UN Special Rapporteur Alston 2019 report labels Aadhaar-linked deaths as a representative failure of the digital welfare state; institutional remediation underway

⇒ Mechanistically necessary (structural, does not depend on external trigger)

◊⇒ Probabilistic (requires an external trigger to materialize, but probability is non-negligible)

Once the position and causal chain are established, counterarguments pose a genuine threat. Mueller's regulatory capture counterargument claims the ICANN model itself has structural bias; Hofmann's procedural worship counterargument claims multistakeholder governance may become formalized; the commercial platform lock-in counterargument claims platform dominance is inevitable. Carefully examining the empirical strength of each counterargument reveals that they not only fail to refute the map's position but actually flip to support the three design principles — that is, the evidential structure of the counterarguments themselves is precisely the second layer of support for the map.

border cases — flip to support

Counterargument 1

Mueller — ICANN model has a structural tendency toward regulatory capture

pivotThe counterargument appeals to Mueller 2002 *Ruling the Root* + 2010 *Networks and States*, pointing out that ICANN's revenue heavily dependent on regulated entities naturally carries regulatory capture risk; the ICANN model as a governance reference itself has structural bias. Empirically, the correlation between ICANN's revenue structure and policy tendencies has scholarly consensus.

On closer inspection, Mueller's argument actually highlights the necessity of "not transplanting the DNS organizational form wholesale." The map's position already explicitly states that only four institutional elements are inherited (enforceable power + recourse + financial model + transparency), not the organizational form (contractual relationships based on naming resources). Mueller's critique inversely supports the distinction between "portable institutional elements vs non-portable organizational form," which is precisely the core conclusion of pillar §2.

Counterargument 2

Hofmann — Multistakeholder governance as "procedural worship"

pivotThe counterargument appeals to Hofmann 2016 *Multi-stakeholderism in Internet governance — putting a fiction into practice*, pointing out that multistakeholder governance risks devolving into "procedural worship" — when procedure itself is treated as the source of legitimacy, substantive power allocation issues are obscured. van Klyton et al. 2023's analysis of ICANN meeting texts reveals hegemony in language and agendas. Empirical strength is high.

Hofmann and van Klyton's critique actually highlights the necessity of the P_legit design principle — "structurally guaranteed multistakeholder representation" (including Allen's five anchors + Flanagan sustainable finance + dedicated funding for civil society advisory committees + structural guarantees for the Global South) is precisely the specific mechanism responding to the risk of procedural worship. The counterargument inversely supports the concrete design of P_legit, rather than refuting multistakeholder governance itself.

Counterargument 3

Commercial platform lock-in is inevitable (Apple/Google/Microsoft structural advantage)

pivotThe counterargument claims that AI platform operators (Microsoft Entra Agent ID + Google A2A + Anthropic MCP) already de facto dominate governance at the code level; Lessig's "code is law" applies doubly in the agent ecosystem. OpenSecrets 2024 data shows AI lobbying expenditures exceeding USD 100 million annually; civil society resource asymmetry cannot substantively challenge platform dominance. Empirical strength is high.

The history of platform lock-in is not evidence of governance failure but evidence of governance necessity. In the history of human identity moving from centralized to decentralized (Facebook login vs Apple Sign in vs DID/VC), every turning point was accompanied by power redistribution. The EU eIDAS 2.0 institutional precedent shows that cross-platform agent identity interoperability can be driven jointly by regulatory pressure and enterprise user pushback. The WE BUILD coalition policy recommendations + Christopher Allen's five anchors + Talao MCP/OIDC4VP implementation demonstrate three pathways for preserving institutional choice space under current platform dominance. The counterargument inversely supports the P_legit design of "platform independence" and "20-year architectural vision."

Once counterarguments are absorbed, what remains are design implications. Under what conditions can the "dual track of institutional design + technical standards" be considered a legitimate policy path? Six conditions translate the abstract three design principles into verifiable engineering or institutional obligations, filling in the P_acc / P_legit / P_dist of the core formula.

procedural conditions

The legitimacy of any agent identity governance framework must first pass six conditions

valid_governance(g) ⇔ V_account ∧ V_recourse ∧ V_finance ∧ V_transparency ∧ V_dist_moral ∧ V_evolution

Enforceable power allocation (V_account)

The governance framework must include enforceable power allocation mechanisms — community power has legal teeth, capable of executing vetoes, removals, and blocking changes under the contract law of the relevant jurisdiction. Modeled after ICANN's Empowered Community mechanism enforced under California law.

V_account: ∀ governance_decision d : ∃ community_power(d) ∧ legal_enforceability(d)

Accessible recourse mechanisms (V_recourse)

Affected citizens, enterprises, and developers must have concrete accessible recourse channels — three pathways of judicial, administrative, and ADR simultaneously open. Modeled after the judicial recourse pathway demonstrated in the Kenya NIIMS High Court ruling.

V_recourse: ∀ harm h : ∃ remedy_path(h) ⊆ ⟨judicial, administrative, ADR⟩

Sustainable financial model (V_finance)

Governance operations must have a sustainable financial model that does not depend on a single regulated entity's sponsorship. Modeled after Let's Encrypt's community donations + enterprise sponsorships + nonprofit model, responding to Flanagan's core question of "who keeps operations running?"

V_finance: ∀ governance_org : ∃ financial_model(org) ∧ diversified_sources(org)

Externally auditable transparency (V_transparency)

Governance decisions, audit records, and financial reports must be accessible to external scrutiny. Modeled after Let's Encrypt transparency logs + ICANN's open policy processes, avoiding the moral crumple zone effect concentrating on users.

V_transparency: ∀ decision d, audit a : public(d) ∧ public(a) ∧ challengeable(d, a)

Distributed moral responsibility allocation (V_dist_moral)

Responsibility allocation must be distributed proportionally along the causal chain, avoiding concentration in the nearest human; the reverse accountability structure of delegation chains must be encoded as a core function of governance protocols (modeled after Tomasev 2026's five components: permission transfer, responsibility transfer, accountability distribution, boundary setting, trust calibration).

V_dist_moral: ∀ delegation chain : Liability_dist(chain) ∝ causality(chain) ∧ ¬moral_crumple

Forward-looking design for evolutionary tensions (V_evolution)

The governance architecture must incorporate a 20-year architectural vision (Allen's five anchors), preserve optionality, maintain platform independence, require non-governmental parties to bear obligations, and establish institutional safeguards. Short-term 2026–2028 platform dominance → medium-term 2028–2032 cross-platform interoperability → long-term reputation capital — governance must preserve institutional space at each inflection point.

V_evolution: ∃ 20yr_horizon(g) ∧ platform_independence(g) ∧ ⟨2026-2028, 2028-2032, 2032+⟩ inflection_points

Bringing together the normative, analogical, theoretical, philosophical, case-based, evolutionary, and design-principle layers, what the map ultimately argues is a political-economy achievement (governance quality depends on deliberate construction in an era of trust deficits, not natural evolution) and an asymmetric principle running through all levels — the ceiling of AI agent identity governance quality is determined by the institutional carrying capacity we deliberately design, not by the maturity of technical standards.

The ceiling of AI agent identity governance quality is determined by the institutional carrying capacity we deliberately design, not by the maturity of technical standards. Four institutional elements are inherited from 25 years of DNS governance experience (enforceable power + recourse + financial model + transparency); the organizational form is not. Three design principles (P_acc: accountability embedded in architecture, P_legit: structural multistakeholder legitimacy, P_dist: distributed morality) are the pillars of the governance architecture.

In the short term 2026–2028, platform-dominated federated agent identity is the mainstream; in the medium term 2028–2032, cross-platform interoperability becomes an urgent need; the long-term key indicator is whether agents develop "reputation capital" independent of their principals. Digital identity systems cannot create values that do not exist in the society in which they are deployed (Nyabola). The quality of agent identity governance depends on whether we can deliberately and inclusively construct institutions in an era of trust deficits (McKinsey AI trust 2.3/5).

This article serves as the enterprise/institutional complement to article 16 (civic-ai-agent-delegation-limits), supplying primary draft material for Ch9.1 of the dissertation. The key values of the civic context (democratic legitimacy + micro-level authenticity) and the key values of the enterprise context (commercial efficiency + legal entity responsibility) cannot be directly extrapolated to one another; this article focuses on governance structure and DNS analogy in the enterprise context, forming, together with the civic complement of article 16, a complete argument for Ch9.

Final form:
  Governance(agentic_id) ⊨ ⟨P_acc, P_legit, P_dist⟩
  Inherit_from_DNS = ⟨executable_power, recourse, financial_sustainability, transparency⟩
  ¬Inherit(organizational_form_DNS, agentic_id)
  Evolution(AI_id) ≅ compressed(Evolution(human_id))  ;  inflection_points ∈ {2026-2028, 2028-2032, 2032+}
  Liability_dist(AI_chain) ∝ causality  ∧  ¬moral_crumple_zone

Argdown

Formal Render

HTML Source

Who Should Govern AI Agent Identity? Argdown graph

Source

===
title: 誰來治理 AI 代理人的身分？
subTitle: Agentic Identity Governance — Argument Map (v2, retrofit R1)
slug: 2026-04-01-agentic-id-governance
author: research-article-pipeline argdown export
model:
  removeTagsFromText: true
===

# Central Thesis

[Core Thesis]
  + <Formal Core>
  + [Accepted]
  + <P1>
  + <P2>
  + <P3>
  + <P4>
  + <P5>
  + <Causal Chain>
  + [Deployment Conditions]
  + <Conclusion>
  - [Rejected]
    - [Accepted]
  + [Accepted]
  - [Objection 1]
    - <Reply 1>
  + <Reply 1>
  - [Objection 2]
    - <Reply 2>
  + <Reply 2>
  - [Objection 3]
    - <Reply 3>
  + <Reply 3>

[Core Thesis]: AI 代理人身分治理需要從 DNS 治理 25 年經驗中提取四項可移植的制度元素 可執行的權力分配、可訴諸的救濟機制、可持續的財務模型、可被外部審視的透明度。但 DNS 組織形式不可整套移植，因為代理人身分涉及資安、消費者保護、勞動、金融、醫療等跨部門法律體系。三個設計原則為治理架構的支柱 問責必須被嵌入架構（program code-as-law responsibility-by-design）、正當性需要有結構保障的多方代表性（Allen 五錨點）、治理必須回應委任鏈與分散式道德的現實（Floridi distributed morality）。本文為 article 16（civic-ai-agent-delegation-limits）的 enterprise institutional 補集，提供 Ch9.1 主稿素材。 #thesis

<Formal Core>: Formula Governance(agentic id) P acc, P legit, P dist Inherit from DNS executable power, recourse, financial sustainability, transparency applicable(agentic id) Inherit(organizational form DNS, agentic id) (cross-sector legal regime mismatch) P acc code-as-law responsibility-by-design Strom(accountability reverse delegation) P legit Allen five anchors Flanagan who pays P dist Floridi(distributed morality) Elish(moral crumple zone) Tomasev(5 components) Caption 代理人身分治理 Governance 由三項設計原則合取構成。從 DNS 治理只繼承四項制度元素（可執行權力 救濟 財務模型 透明度），不繼承組織形式。三原則為問責嵌入架構（P acc）、結構性多方正當性（P legit）、分散式道德與委任鏈治理（P dist）。 #formal

[Accepted]: 制度設計 技術標準雙軌. 代理人身分治理需要技術標準與制度設計同步推進。技術標準處理身分驗證、權限管理、稽核紀錄 制度設計處理權力分配、救濟管道、責任歸屬、永續財務。兩者範疇不同，缺一即構成治理失敗。從 DNS ICANN 25 年經驗繼承四項可移植制度元素（可執行權力 救濟 財務模型 透明度），但不繼承組織形式。三個設計原則為治理架構的支柱——P acc 問責嵌入架構、P legit 結構性多方正當性、P dist 分散式道德與委任鏈治理。 #accepted

[Rejected]: 技術標準完備即可（technology determinism）. 把代理人身分治理化約為技術標準整合。OpenID GAS、DIF、IETF WIMSE、W3C AI agent identity 各自推進的協定一旦匯流，治理問題就自動解決。這個立場預設「制度會跟著技術走」，但歷史經驗顯示反向——技術標準的採用率受到制度授權、商業誘因、公民信任的形塑。30 個開源 AI 代理人專案的審計顯示 93% 仍依賴環境變數 API 金鑰，技術標準的存在並未自動推動採用 DigiNotar 事件顯示單一憑證機構失守即可瓦解整個信任體系，技術完備性無法防範制度缺陷。 #rejected

<P1>: Title 可移植四項制度元素，不可整套移植組織形式 Section 2 — 類比（DNS 治理 25 年經驗） Role 提供制度先例 若 AI 代理人身分治理被視為「全新設計」，制度承載須從零辯護。從 DNS ICANN 25 年治理經驗抽取可移植元素，辯護負擔大幅降低 同時必須明示哪些元素不可移植，避免類比過度。 ICANN 自 1998 年起運作，2024 會計年度合併收入約 1.494 億美元，靠契約關係與註冊局 註冊商收費維繫。2016 年 IANA 移轉後建立 Empowered Community 機制，社群權力有法律牙齒——可依加州法執行否決預算、阻擋章程修改、罷免董事。技術運作與政策制定分離（PTI 執行技術、社群程序產出政策）為「憑證發放與撤銷」「治理規則制定」提供分層模板。但 DNS 治理的範圍是窄域命名資源，AI 代理人身分涉及跨部門法律體系 新 gTLD 申請費 185,000 美元的門檻反映多方治理對全球南方的排除 ICANN 兩輪 gTLD 評估間 14 年的速度與 AI 代理人以季度為單位演化的節奏難以相容。 Finding 可移植元素為「可執行的權力分配 可訴諸的救濟機制 可持續的財務模型 可被外部審視的透明度」四項 組織形式（基於命名資源的契約關係）不可整套移植。 Formal Inherit DNS(agentic id) executable power, recourse, finance, transparency ICANN form #pillar

<P2>: Title 委任鏈四種代理問題在 AI 場景下被強化 Section 3 — 理論（委託人-代理人理論） Role 提供分析骨幹 若無系統性的代理問題框架，「為什麼治理難」的論證會散落。Jensen-Meckling Strom Kolt 三家理論整合提供四種代理問題的精確分類，使治理設計有可對應的問題清單。 Jensen-Meckling 1976 定義代理關係及其不可避免的代理成本（監督成本、保證成本、剩餘損失）。Strom 2000 提出「問責方向與委任方向相反」的議會民主分析框架——委任沿委託人到代理人流動，問責反向流動。Kolt 2025 在 Governing AI Agents 辨識四項核心代理問題 (1) 資訊不對稱（使用者對代理人能力與內部運作所知有限）、(2) 權限越界（代理人超出授權範圍）、(3) 忠誠衝突（代理人服務開發者 廣告主而非使用者）、(4) 遞迴委任（代理人再委任給子代理人）。Stocker Lehr 2025 的「影子委託人」概念深化忠誠衝突——使用者表面上是委託人，但代理人行為受開發者、平台提供者、廣告主利益形塑。 Finding 四種代理問題在 AI 場景下全部被強化（不受經濟動機驅動 運作速度遠超人類），傳統監督與激勵設計失效 治理設計必須直接編碼「委任鏈反向問責」結構。 Formal Agency problems(AI) asym info, scope creep, loyalty conflict, recursive delegation Accountability(AI) reverse(Delegation(AI)) #pillar

<P3>: Title 責任緩衝區與多手問題在 AI 委任鏈下加劇 Section 4 — 哲學（責任歸屬與分散式道德） Role 提供哲學基礎 若無「責任如何分配」的明確哲學框架，治理設計易把所有責任推給最近的人類（道德緩衝區效應），重蹈自動駕駛責任分配的歷史錯誤。 Floridi Sanders 2004 在 Minds and Machines 論證 AI 代理人可在適當抽象層次被視為道德行動者 可被追究（accountable）但未必負責（responsible）。Floridi 2016 的「分散式道德」概念顯示道德上有意義的後果可從分散式系統中個別無害的行動中浮現。Nissenbaum 1996 的「多手問題」 Thompson 1980 的「政治治理多手」共同指出，多人共同造成後果使個別歸責困難。Elish 2019 的「道德緩衝區」（moral crumple zones）描述高度自動化系統中人類操作者吸收系統故障全部責任的典型失靈模式。van de Poel 2012 主張「責任設計」（design for responsibility）——把道德責任作為工程系統的設計參數。Lee See 2004 的信任校準框架補充——治理系統必須提供使用者可理解的信任訊號，既避免盲目信任也避免全面拒斥。 Finding 責任分配必須按因果鏈比例分配，避免集中在最近的人類 治理系統須提供可理解的信任校準訊號，不能僅依賴技術性日誌揭露。 Formal Liability dist(AI chain) proportional to causality, responsibility by design, moral crumple #pillar

<P4>: Title 制度條件決定信任建構與維繫 Section 5 — 經驗（全球數位身分案例正反教訓） Role 提供經驗基礎 若僅有理論論證，治理建議缺乏可參照的成敗案例。從 DigiNotar Let s Encrypt Estonia Aadhaar UK Verify NIIMS 六個案例提取制度條件的反覆出現模式。 DigiNotar 2011 入侵事件（憑證偽造涉及數百網站、基本資安措施不足、延遲通報），透過瀏覽器商與荷蘭政府撤除信任根進行系統性去信任，最終公司破產。Let s Encrypt 由 ISRG 營運的非營利模式，2024 年活躍憑證超過 4.2 億張，社群捐助與贊助為主要財源——展示透明度 自動化 公共利益敘事如何規模化建構信任。Estonia X-Road 連接 929 機構與 1,887 系統，源自 1996 年承包商販售「超級資料庫」的創傷經驗，選擇無中央資料庫的分散式架構。新加坡 SingPass 達 97% 合格公民採用率，IMDA 2026-01 發布全球首個代理人式 AI 治理框架。英國 Gov.UK Verify 消耗 2.333 億英鎊但驗證成功率僅 48%（目標 90%），2023-2024 關閉——政治合法性與公共信任不足直接逆轉大規模身分基礎設施。印度 Aadhaar 截至 2025-03 核發 141.8 crore，但 Jharkhand 田野調查顯示 20% 排除錯誤率與十數起飢餓死亡案例。肯亞 NIIMS 高等法院判決指出立法程序、資料保護框架不足與公共參與爭點。 Finding 制度條件（法律授權、資料保護、公共參與、可感知公共利益、避免排除歧視）決定信任建構與維繫 技術完備性不能補償制度缺陷。 Formal Trust(id system) legal authority, data protection, public participation, perceived public benefit, exclusion #pillar

<P5>: Title AI 代理人身分以壓縮時間軸重走人類身分演化路徑 Section 6 — 演化（人類身分 vs AI 代理人身分兩條軌跡） Role 提供前瞻分析 若無對演化張力的明確預測，治理建議只能應對當下不能預見未來。人類身分三階段（機構賦予 聯邦式 可攜自主）為 AI 代理人身分提供結構同構參考。 人類數位身分演化三階段。第一階段為機構賦予身分（護照、社安號、Estonia 2002 e-ID、印度 Aadhaar 2009）。第二階段為聯邦式身分（OAuth、SAML 使身分擴展跨平台但控制權集中在 Google Facebook Apple 等少數中介者）。第三階段為可攜自主身分（DID VC 歐盟 eIDAS 2.0 wallet）。AI 代理人身分以壓縮時間軸重走。今天的環境變數 API 金鑰對應「機構賦予」最原始形態 Microsoft Entra Agent ID Google A2A 推動聯邦化但控制權仍鎖定平台 DIF Trusted AI Agents Working Group W3C Agent Protocol Community Group 探索可攜身分層。三個根本差異使預測複雜化 (i) 規模與速度（毫秒 vs 年）、(ii) 身分本體論地位（代理人沒有先驗存在，身分由創建者定義）、(iii) 信任錨定點（人類錨定在國家 法律 社會契約，代理人錨定在平台或密碼學但兩者都不能處理糾紛賠償救濟）。 Finding 短期 2026-2028 平台主導聯邦式代理人身分為主流 中期 2028-2032 跨平台互通成為迫切需求 長期關鍵指標為代理人是否發展出獨立於委託人的「信譽資本」（累積行為紀錄 能力認證 合規歷史）。 Formal Evolution(AI id) compressed(Evolution(human id)) Δ(speed, ontology, trust anchor) divergence at inflection points #pillar

<Causal Chain>: Title Aadhaar 排除致死六步因果鏈（強制連結 制度條件失敗 邊緣群體傷害） T0 (deterministic) 2009-2016 — Aadhaar 強制連結 PDS 補貼系統設計確立，無 inclusion impact assessment（規範必然） T1 (deterministic) 邊緣群體（手指乾燥的勞工、年長者、低數位識讀者）面臨生物辨識失敗（規範必然） T2 (deterministic) Jean Dreze 田野調查顯示 Jharkhand 等地排除錯誤率達 20%（依資料採樣，仍屬可重現現象） T3 (probabilistic) 2017-2024 — Jharkhand 邦至少十數起 Aadhaar 排除相關飢餓死亡案例（外部 trigger，依個案而異） T4 (probabilistic) 2017-2018 Puttaswamy I II 印度最高法院判決確立隱私權為基本權 2018 後 Aadhaar 強制連結部分被限縮 T5 (probabilistic) 2025 UN Special Rapporteur Alston 2019 報告把 Aadhaar 致死案標為 digital welfare state 失敗代表 制度修補進行中 #chain

[Deployment Conditions]: 任何代理人身分治理框架的合法性，必須先通過六道條件. valid governance(g) V account V recourse V finance V transparency V dist moral V evolution #conditions

<C1>: Title 可執行的權力分配（V account） 治理框架須包含可執行的權力分配機制——社群權力有法律牙齒，可依司法管轄區的契約法執行否決、罷免、阻擋變更等權力。仿 ICANN Empowered Community 機制依加州法執行。 Formal V account governance decision d community power(d) legal enforceability(d) #condition

<C2>: Title 可訴諸的救濟機制（V recourse） 受影響公民、企業、開發者須有具體可訴諸的救濟管道——司法、行政、ADR 三條路徑同步開放。仿 Kenya NIIMS 高等法院判決示範的司法救濟路徑。 Formal V recourse harm h remedy path(h) judicial, administrative, ADR #condition

<C3>: Title 可持續的財務模型（V finance） 治理運作須有可持續的財務模型，不依賴單一受管制實體贊助。仿 Let s Encrypt 社群捐助 企業贊助 非營利模式，回應 Flanagan「誰來維持運作？」核心提問。 Formal V finance governance org financial model(org) diversified sources(org) #condition

<C4>: Title 可被外部審視的透明度（V transparency） 治理決策、稽核紀錄、財務報告須對外部審視可及。仿 Let s Encrypt 透明日誌 ICANN 公開政策程序，避免「責任緩衝區」效應集中在使用者。 Formal V transparency decision d, audit a public(d) public(a) challengeable(d, a) #condition

<C5>: Title 分散式道德責任分配（V dist moral） 責任分配須按因果鏈比例分配，避免集中在最近的人類 委任鏈反向問責結構須編碼為治理協定的核心功能（仿 Tomasev 2026 五要素 權限轉移、責任移轉、問責分配、邊界設定、信任校準）。 Formal V dist moral delegation chain Liability dist(chain) causality(chain) moral crumple #condition

<C6>: Title 演化張力的前瞻設計（V evolution） 治理架構須預留 20 年架構視野（Allen 五錨點），保留選擇權、維持平台獨立性、要求非政府方承擔義務、建立制度性防護措施。短期 2026-2028 平台主導 中期 2028-2032 跨平台互通 長期信譽資本——治理須在每個分岔點保留制度空間。 Formal V evolution 20yr horizon(g) platform independence(g) 2026-2028, 2028-2032, 2032 inflection points #condition

<Conclusion>: AI 代理人身分治理品質的上限，由我們刻意設計的制度承接力決定，而非由技術標準的成熟度決定。 從 DNS 治理 25 年經驗繼承四項制度元素（可執行權力 救濟 財務模型 透明度），不繼承組織形式。三項設計原則（P acc 問責嵌入架構、P legit 結構性多方正當性、P dist 分散式道德）是治理架構的支柱。 短期 2026-2028 平台主導聯邦式代理人身分為主流，中期 2028-2032 跨平台互通成為迫切需求，長期關鍵指標為代理人是否發展出獨立於委託人的「信譽資本」。 數位身分系統無法創造它所部署的社會中不存在的價值 （Nyabola）。代理人身分治理品質取決於我們能否在信任赤字時代（McKinsey AI 信任 2.3 5）刻意且包容地建構制度。 本文為 article 16（civic-ai-agent-delegation-limits）的 enterprise institutional 補集 ，提供博論 Ch9.1 主稿素材。Civic context 的關鍵價值（民主正當性 微觀真實性）與 enterprise context 的關鍵價值（商業效率 法人責任）不可直接外推 本文聚焦 enterprise context 的治理結構與 DNS 類比，與 article 16 的 civic 補集形成 Ch9 完整論證。 Formal Coda Final form Governance(agentic id) P acc, P legit, P dist Inherit from DNS executable power, recourse, financial sustainability, transparency Inherit(organizational form DNS, agentic id) Evolution(AI id) compressed(Evolution(human id)) inflection points 2026-2028, 2028-2032, 2032 Liability dist(AI chain) causality moral crumple zone #conclusion

# Deployment Conditions

[Deployment Conditions]
  + <C1>
  + <C2>
  + <C3>
  + <C4>
  + <C5>
  + <C6>

# Objections And Replies

[Objection 1]: Mueller — ICANN 模式有結構性管制俘獲傾向. 反論訴求是 Mueller 2002 Ruling the Root 2010 Networks and States 指出 ICANN 收入高度依賴受管制實體的模式天然帶有管制俘獲風險 ICANN 模式作為治理參考本身有結構性偏誤。實證強度上，ICANN 收入結構與政策傾向的相關性在學界已有共識。 #objection

<Reply 1>: Title Mueller — ICANN 模式有結構性管制俘獲傾向 仔細看，Mueller 的論證實際上凸顯了「不可整套移植 DNS 組織形式」的必要。地圖立場已明示只繼承四項制度元素（可執行權力 救濟 財務模型 透明度），不繼承組織形式（基於命名資源的契約關係）。Mueller 的批評反向支撐「制度元素可移植 vs 組織形式不可移植」的區分，正好是 pillar 2 的核心結論。 #reply

[Objection 2]: Hofmann — 多方利害關係人治理為「程序崇拜」. 反論訴求是 Hofmann 2016 Multi-stakeholderism in Internet governance — putting a fiction into practice 指出多方治理存在淪為「程序崇拜」的風險——程序本身被視為正當性來源時，實質的權力分配問題被遮蔽。van Klyton et al. 2023 對 ICANN 會議文本的分析揭示語言與議程的霸權性。實證強度高。 #objection

<Reply 2>: Title Hofmann — 多方利害關係人治理為「程序崇拜」 Hofmann 與 van Klyton 的批評實際上凸顯了 P legit 設計原則的必要——「結構保障的多方代表性」（含 Allen 五錨點 Flanagan 永續財務 公民社會諮詢委員會專屬經費 全球南方結構保障）正是回應程序崇拜風險的具體機制。反論反向支撐 P legit 的具體化設計，而非推翻多方治理本身。 #reply

[Objection 3]: 商業平台鎖定不可避免（Apple Google Microsoft 結構性優勢）. 反論訴求是 AI 平台業者（Microsoft Entra Agent ID Google A2A Anthropic MCP）已在程式碼層級事實上主導治理 Lessig 的「程式碼即法律」在代理人生態加倍適用。OpenSecrets 2024 資料顯示 AI 遊說年支出超過 1 億美元，公民社會資源不對稱無法在實質上挑戰平台主導。實證強度高。 #objection

<Reply 3>: Title 商業平台鎖定不可避免（Apple Google Microsoft 結構性優勢） 平台鎖定的歷史並非治理失敗的證據而是治理必要的證據。人類身分從集中走向分散的歷史中（Facebook 登入 vs Apple Sign in vs DID VC），每一次轉折都伴隨權力重新分配。歐盟 eIDAS 2.0 制度先例顯示，跨平台代理人身分互通可由監管壓力與企業用戶反彈共同推動。WE BUILD 聯盟政策建議 Christopher Allen 五錨點 Talao MCP OIDC4VP 實作三條路徑示範了如何在平台主導現況下保留制度選擇空間。反論反向支撐 P legit 的「平台獨立性」與「20 年架構視野」設計。 #reply