Argument Map — Institutional Limits of AI Agency in Civic Action: Conjoint Necessity Matrix of Tomasev's Five-Element Delegation and the Civic Proof Triple

Tomasev (2026) five-element delegation has a hierarchical 2+3 structure (formal elements AT + RT; dynamic governance elements AA + BS + TC), which, when conjoined with the civic proof triple ⟨𝒩, ℱ, ℬ⟩, yields a 5×3 = 15 cell necessity matrix (9 conditions satisfiable, 4 probabilistically degraded, 2 structurally unsatisfiable: RT-ℬ ✗ + AA-ℬ ✗). This demarcates three civic action zones (θ₁ ≈ 0.2, θ₂ ≈ 0.7): delegable, conditionally delegable, and structurally non-delegable. Structural non-delegability subdivides into intrinsic type (determined by ℬ philosophical foundation) and contextual type (determined by co-failure of 𝒩 and ℱ). CRPD Art 12 General Comment No. 1 §26–29 is a normative hard constraint on the conditionally delegable zone (not a legal basis); cross-jurisdictional liability vacuums are subdivided into three types; the A14 category-5 gap is split into Q10a + Q10b; and FTLA-Agent four-layer governance exhibits asymmetric thickness in 2026, requiring time-staged responses (5 / 5–10 / 10–15 years).

AI agent intervention in civic action requires conjoint analysis of Tomasev's five-element delegation × civic proof's ⟨𝒩, ℱ, ℬ⟩ triple, yielding a 5×3 necessity matrix that demarcates three civic action zones; CRPD Art 12 GC1 §26-29 is a normative hard constraint, cross-jurisdictional liability vacuum splits into three types, and FTLA-Agent four-layer governance is asymmetrically thick.

Formal Notation

Delegate(action) ≜ ⟨AT, RT, AA, BS, TC⟩       (Tomasev five elements as 2+3 structure)
⟨𝒩, ℱ, ℬ⟩ ≜ civic proof triple
ℬ = ⌊Arendt ∧ Habermas ∧ Pettit⌋               (composite lower bound)

M[i, j] ∈ {✓, △, ✗}  for i ∈ {AT, RT, AA, BS, TC}, j ∈ {𝒩, ℱ, ℬ}
|✓| = 9, |△| = 4, |✗| = 2  ;  M[RT, ℬ] = ✗ ∧ M[AA, ℬ] = ✗

Zone(action) =
  Z₁ (delegable)             if  P_degrade ≤ θ₁ ≈ 0.2 ∧ ∄ ✗ cell
  Z₂ (conditionally delegable) if θ₁ < P_degrade ≤ θ₂ ≈ 0.7 ∧ ∄ ✗ cell
  Z₃ (structurally non-delegable) if P_degrade > θ₂ ∨ ∃ ✗ cell

Z₃ = Z₃-intrinsic (ℬ-determined) ∪ Z₃-contextual (𝒩 ∧ ℱ co-failure)

CRPD Art 12 GC1 §26-29 ≜ hard_constraint(Z₂)
Distinguishability(supported, substituted) ⇔ ex_ante ∧ ex_post_reversibility ∧ decision_trace
Multi-tenant ≠ Multi-profile

Vacuum(cross_juris) ∈ {moral_crumple, algorithmic_opaque, cross_juris_diffusion}
Q10 = Q10a (authority transfer 密碼學歸責) ∪ Q10b (accountability allocation 跨境多方歸責)
FTLA-Agent = ⟨G_industry^A, G_state^A, G_recognition^A, G_oversight^A⟩  (asymmetric thickness 2026)

The three-zone demarcation of delegation is determined by the 5×3 necessity matrix. The two cells RT-ℬ and AA-ℬ in matrix M are structurally unsatisfiable, corresponding to the intrinsic non-delegable type. CRPD Art 12 GC1 §26–29 is the normative hard constraint on Z₂; the distinguishability between supported and substituted must be established simultaneously across three layers — ex-ante deliberation, ex-post reversibility, and decision trace. The cross-jurisdictional liability vacuum is subdivided into three types; the A14 category-5 gap is split into Q10a and Q10b at SA3+SA5. FTLA-Agent four-layer governance exhibits asymmetric thickness in 2026.

AT / RT / AA / BS / TC: Tomasev five elements (authority transfer / responsibility transfer / accountability allocation / boundary setting / trust calibration)
⟨𝒩, ℱ, ℬ⟩: civic proof triple (normative carrier / formal scope / philosophical foundation)
M[i, j]: Cell for element i × component j in the 5×3 necessity matrix (✓ condition satisfiable / △ probabilistically degraded / ✗ structurally unsatisfiable)
Z₁ / Z₂ / Z₃: Three zones (delegable / conditionally delegable / structurally non-delegable)
Z₃-intrinsic / Z₃-contextual: Two modalities of structural non-delegability (intrinsic / contextual)
P_degrade: Probabilistic degradation function (cell degradation probability given context)
θ₁ / θ₂: Zone boundary thresholds (≈ 0.2 / ≈ 0.7, policy recommendation values)
Q10a / Q10b: Subcategories of the A14 category-5 gap (cryptographic accountability / cross-border multi-party accountability)
G_industry^A / G_state^A / G_recognition^A / G_oversight^A: FTLA-Agent four-layer governance (forward-linked to A8 FTLA)
≜: Defined as
⌊·⌋: Composite lower bound (conjunctive formation)
∧: Conjunction
⇔: If and only if

The formal expression states the position; the next step is to separate common misreadings. In current policy discourse, AI agents are frequently treated as reducible to traditional principal-agent models. If this categorisation stands, the conceptual scaffolding of existing delegation theory suffices to cover civic action scenarios, and AI agents are merely new tools. The map's first move is to draw a line between this reductionist account and the conjoint analysis of "Tomasev five elements × civic proof triple."

foundational distinction

❌ Rejected

AI agents in civic action are reducible to the traditional principal-agent model

Treats AI agents as an extended form of principal-agent reducible to a two-element structure (authority transfer + responsibility transfer). This structure assumes that the conceptual scaffolding of existing delegation theory (Pitkin trustee/delegate, Jensen-Meckling principal-agent, Eisenhardt agency theory) suffices to cover all civic action scenarios; the civic proof triple ⟨𝒩, ℱ, ℬ⟩ is "identity infrastructure regulation" rather than civic action regulation, and does not automatically carry over to AI agent scenarios. Under this classification, AI agent failures need only be addressed through existing GDPR Art 22, EU AI Act Art 25, and principal-agent litigation pathways — no new conjoint necessity matrix or FTLA-Agent four-layer governance is required.

Delegate(action) ≜ ⟨AT, RT⟩ ∧ ⟨𝒩, ℱ, ℬ⟩ ⊥ Delegate

✓ Defended

AI agents in civic action require Tomasev five-element × civic proof triple conjoint analysis

Tomasev (2026) five elements have a 2+3 structure (formal delegation elements AT + RT; dynamic governance elements AA + BS + TC). The three dynamic governance elements bear special weight in civic action scenarios — AA handles multi-party accountability, BS handles scope minimisation, and TC handles long-term trust calibration. When reduced to two elements, the three dynamic governance elements have nowhere to go. The civic proof triple ⟨𝒩, ℱ, ℬ⟩ passes downward to the accountable layer of citizenship exercise through the A15 precursor right framework; W1 adopts a precise interface transmission of the position (the interface layer transmits fully; the substantive layer requires separate grounding in political philosophy). The conjoint cross-product yields a 5×3 necessity matrix: 9 cells condition-satisfiable, 4 cells probabilistically degraded, 2 cells structurally unsatisfiable (RT-ℬ ✗ + AA-ℬ ✗), corresponding to the three-zone demarcation Z₁/Z₂/Z₃.

Delegate(action) ≜ ⟨AT, RT, AA, BS, TC⟩ ∧ ⟨𝒩, ℱ, ℬ⟩ ⊆ ⋂ M[i, j]

The distinction is merely a declaration. Proving that AI agents in civic action require five-element × triple conjoint analysis (rather than being reducible to two elements) calls for five independent lines of support. The deductive strand provides the conjoint necessity matrix and the probabilistic degradation function; the political philosophy strand provides the ontological basis for the structurally non-delegable zone; the inductive strand provides evidence of liability vacuums across multiple cases; the abductive strand provides CRPD Art 12's engineering-design constraint derived in reverse; and the analogical strand provides the extension of FTLA-Agent four-layer governance to AI agent scenarios. The five pillars correspond to five argument types — any one missing and the position degrades to advocacy.

supporting arguments

§3 — Deductive (Tomasev five elements × ⟨𝒩, ℱ, ℬ⟩ conjoint necessity matrix)

The 5×3 = 15 cell matrix determines the three-zone demarcation

whyProvides the formal skeleton of conjoint analysis — without formalising the five elements and triple as a matrix, the three-zone demarcation remains at the linguistic level; without measurable parameters in the degradation function, the θ₁/θ₂ thresholds are merely rhetorical.

The Tomasev 2026 five-element decomposition can be restructured as a "2+3 structure": formal delegation elements (AT authority transfer + RT responsibility transfer) + dynamic governance elements (AA accountability allocation + BS boundary setting + TC trust calibration). AT+RT are preconditions; AA+BS+TC are operational conditions. Reducing to two elements means abandoning the formalisability of dynamic governance. In the civic proof triple ⟨𝒩, ℱ, ℬ⟩, ℬ is not a single value (e.g. Arendt plurality alone) but a "composite lower bound" formed by the conjunction of Arendt plurality + Habermas communicative validity + Pettit contestability. Of the 15 cells, 9 are condition-satisfiable, 4 are probabilistically degraded, and 2 are structurally unsatisfiable (M[RT, ℬ] = ✗ + M[AA, ℬ] = ✗). The parameters α, β, θ of the degradation function P_degrade(scenario | cell) are calibrated according to three scenario types: cross-jurisdictional, shared device, and behavioural incapacity. The three-zone criteria depend on θ₁ ≈ 0.2, θ₂ ≈ 0.7, plus the condition "∃ ✗ cell." Structural non-delegability is divided into Z₃-intrinsic (determined by ℬ; non-delegable regardless of technological maturity) and Z₃-contextual (determined by co-failure of 𝒩 + ℱ; boundary can shift with institutional repair).

The matrix provides the formal skeleton for the three-zone demarcation. The two cells M[RT, ℬ] = ✗ + M[AA, ℬ] = ✗ are the mathematical expression of intrinsic structural non-delegability; downstream writers may not revert to the draft version of "five elements in parallel + triple as single value."

M ∈ {✓, △, ✗}^{5×3} ; |✓|=9, |△|=4, |✗|=2 ; Z₃-intrinsic ⇔ ∃ M[i, j] = ✗

§4 — Deductive (Arendt + Habermas + Pettit three-strand conjunction)

The structurally non-delegable zone is covered by a four-dimensional structural criterion conjunction

whyProvides the ontological basis — without proving that the criteria for the structurally non-delegable zone are philosophical necessities rather than policy choices, the three-zone demarcation will be hollowed out by the Coeckelbergh relational personhood objection; without distinguishing the ontological level of plurality from output diversity, AI agents need only provide heterogeneous perspectives to satisfy the criterion, and intrinsic Z₃ ceases to exist.

The structurally non-delegable zone is covered by a four-dimensional structural criterion conjunction: ⟨first-personal stance ∧ ontological plurality ∧ communicative orientation ∧ active-stance contestation⟩. Arendt 1958 *The Human Condition* §1 Prologue (p. 7) and §27 provide the ontological definition of plurality; §24–26 (pp. 175–188) discuss action plurality and unique disclosure; §44 (p. 313) discusses mortality stake. Plurality is ontological, not functional — each agent possesses unrepeatable natality and the capacity to disclose a unique self, grounded in the existential condition of finitude, mortality, and being born into the world. Habermas 1981 *TKH* Bd. I §III.1–§III.4 distinguishes four action types (teleological, strategic, norm-regulated, communicative); civic action in §III.3 belongs to communicative action, not strategic action. Pettit 1997 *Republicanism* + 2012 *On the People's Terms*: contestation requires an active stance (stepping forward to assert, bearing consequences, entering institutional contestation) — not merely supplying a dissenting opinion. Pitkin 1967 *The Concept of Representation* §5 distinction between trustee and delegate provides the conceptual framework for "execution delegable vs. attribution non-delegable" — AI agents may take on execution but cannot take on attribution, since they are "agents without a subject of attribution."

The four-dimensional criterion conjunction constitutes the ontological basis of the structurally non-delegable zone. Any one of Arendt + Habermas + Pettit independently renders the action non-delegable; all three together place it at the categorical core. The ontological plurality stance is a philosophical position choice (rejecting Coeckelbergh) and must be stated explicitly within the honesty boundary.

Z₃-intrinsic ⇔ first_personal ∧ ontological_plurality ∧ communicative ∧ active_contestation

§6 — Inductive (moral crumple zone three types × 6 case-tracing)

Cross-jurisdictional liability vacuum subdivided into three types; category-5 gap split into Q10a + Q10b

whyProvides empirical evidence — without verifying the monotonic expansion of liability vacuums across jurisdictions through multi-case analysis, "FTLA-Agent four-layer governance" is mere prophecy; without splitting the A14 category-5 gap, the governance response will be hollowed out by the objection that "LLM-agents are a new category to which the Elish framework does not apply."

The Elish 2019 moral crumple zone framework was subdivided after 2019 by Selbst 2021, Mittelstadt 2023, and Cobbe & Singh 2024 into three types: (i) moral buffer zone type (the nearest human absorbs the impact) + (ii) algorithmic opacity type (even the nearest human cannot attribute) + (iii) cross-jurisdictional diffusion type (liability ping-pongs between multiple jurisdictions). All three types stack simultaneously in the LLM-agent wallet scenario. Six case-tracing cases: Robodebt (Australia 2016–2020 welfare automation) + Dutch SyRI / Toeslagenaffaire (2018–2024) + Aadhaar PDS / NREGA-ABPS (India 2020–2025) + State v Loomis (Wisconsin 2016 sentencing) + Tornado Cash series (2022–2025) + SCHUFA C-634/21 (CJEU 2023). The Elish framework in LLM-agent scenarios needs to be expanded into a "liability buffer chain" (chain-form) to replace the single buffer zone (explicitly stated as an extension, not original text). The A14 §3.5 category-5 "candidate gap" is split into two subtypes: Q10a "authority transfer cryptographic accountability gap" (cryptographic distinction between holder self-signing vs. agent co-signing a VC presentation; prompt injection scenarios) + Q10b "accountability allocation cross-border multi-party accountability gap" (liability proportions among issuer / verifier / wallet provider / agent provider / model provider in cross-border settings). Q10 five-segment chain L1 (agent developer) → L2 (agent operator) → L3 (wallet provider) → L4 (issuer) → L5 (verifier): existing law (GDPR Art 22, AI Act Art 25, eIDAS 2.0 Art 5b, Brussels I Recast) each covers only one segment of the chain.

Three types of liability vacuum + five-segment chain + Q10a/Q10b split jointly support "cross-jurisdictional liability vacuums cannot be resolved by a single governance layer"; downstream writers may not treat the category-5 gap as a single new gap.

Vacuum ∈ {crumple, opaque, diffusion} ; Q10 = Q10a ∪ Q10b ; L1...L5 ⊆ jurisdictions

§5 — Abductive (CRPD Art 12 × wallet engineering degradation)

CRPD Art 12 GC1 §26–29 is a normative hard constraint; supported/substituted distinguishability established across three simultaneous layers

whyProvides the abductive argument — inferring engineering design criteria in reverse from the legal norm of supported decision-making. If CRPD Art 12 is treated merely as "legal basis," wallet engineering may dilute supported decision-making under a "gradual transition to agency" framework; if supported/substituted distinguishability relies only on behavioural-layer judgement, the W4 objection holds — the two are nearly indistinguishable at the behavioural level.

CRPD Art 12 General Comment No. 1 (2014) §26–29 explicitly requires states to "abolish all substituted decision-making regimes" — this is a normative hard constraint, not a negotiable basis. Supported and substituted are nearly indistinguishable at the behavioural level (both present as "someone else pressed the button"); distinguishability must be established simultaneously across three layers: (i) ex-ante deliberation layer (who participated in the decision, how the agenda was formed) + (ii) ex-post reversibility layer (whether the represented party can unilaterally withdraw) + (iii) decision-trace layer (deliberation provenance, not merely a transaction log). The EUDI Wallet ARF v1.4–v1.5 provides multi-profile (multiple profiles for the same holder) but does **not** provide multi-tenant delegated key custody (multiple independent legal subjects coexisting, each retaining independently exercisable key capabilities and independently revocable consent capabilities). The POTENTIAL UC6 + NOBID + DC4EU + EWC four large-scale pilot 2025 mid-term reports all acknowledge that holder-side delegated key custody has not been implemented. CRPD Art 12 flows back through ICCPR Art 26 (equal protection) + ICESCR Art 9 (social security access) as a universal engineering obligation for all wallet users — this is a normative argument, not an expansive interpretation. Three engineering corrections: audit-by-design (capturing deliberation provenance) + minimal delegation (scope minimisation + dynamic assessment + unilaterally revocable) + multi-tenant delegated key custody (W3C DID Core 1.0 controller-subject separation + the "independently revocable coexisting subject" primitive absent from EUDI ARF). Legal comparison table: UK Mental Capacity Act 2005 + 2019 amendment (CRPD Concluding Observations 2017 §30–31 have already criticised best-interests as disguised substituted decision-making) + Israel 2016 §67B–67F (first global full legal implementation of GC1) + Peru DL 1384 (2018) (most thorough abolition of substituted regime in Latin America, abolishing interdicción) + Taiwan's new voluntary guardianship system (still "voluntarily chosen substituted," not yet reaching the CRPD supported standard).

CRPD Art 12 GC1 §26–29 is the normative hard constraint on the Z₂ conditionally delegable zone. The three wallet engineering defaults — personal ownership / personal identification / personal private key — simultaneously push supported decisions down three degradation paths into substituted decisions. All three engineering corrections are necessary.

GC1 §26-29 ≜ hard_constraint(Z₂)  ;  Distinguishability ⇔ ex_ante ∧ ex_post_rev ∧ trace  ;  Multi-tenant ≠ Multi-profile  ;  CRPD ⊕ ICCPR Art 26 ⊕ ICESCR Art 9 ⇒ universal_obligation

§7 — Analogical (extending the FTLA four-layer governance framework to AI agent scenarios)

FTLA-Agent four-layer thickness asymmetric + time staging + five-party liability ratio

whyProvides a governance response — if the FTLA framework cannot be extended to AI agent scenarios, the A8 forward-link fails; if the four governance layers are treated as parallel and equivalent, the relative weakness of G_state and G_recognition in 2026 will be masked by the comparative strength of G_industry and G_oversight; without time staging, the objection "cross-border governance is always politically infeasible" will hollow out the entire governance pathway.

The A8 FTLA four-layer governance framework (G_industry protocol interoperability / G_state legal bearing / G_recognition cross-border recognition / G_oversight consumer and data protection baseline) is extended to AI agent scenarios as FTLA-Agent. The structural isomorphism argument must be made explicit — FTLA originates from the governance history of networked information infrastructure (DNS, IATA, SWIFT, Basel); AI agent governance involves "agency authority of behavioural agents," an element absent from identity infrastructure, so structural isomorphism holds in the "protocol and standards" dimension but requires Tomasev's five elements as a supplement in the "behavioural agent accountability" dimension. The four layers exhibit asymmetric thickness in 2026: G_industry^A and G_oversight^A have high thickness (W3C VC v2.0, DIF, MCP/A2A, EDPB 2024 update, EU AI Act Annex III); G_state^A is weak (most jurisdictions' AI agent rights legislation not yet mature); G_recognition^A is weakest (no AI agent cross-border mutual recognition framework). GDPR Art 22 + EU AI Act Art 25 are the EU-internal minimum baseline, not a cross-border mutual recognition mechanism; the expanded interpretation of Art 22 in SCHUFA C-634/21 (CJEU 2023) is effective only within the EU. Time staging: G_industry^A / G_oversight^A can advance within 5 years; G_state^A can advance to agent rights legislation recognition within 5–10 years; G_recognition^A can achieve OECD-internal mutual recognition within 10–15 years, with coverage gaps persisting outside the OECD. The specific governance response to Q10b is a five-party joint liability ratio: issuer 25 / verifier 25 / wallet provider 15 / agent provider 25 / model provider 10 (policy recommendation values, pending actuarial calibration + cross-border dispute statistics). CoE AI Convention CETS 225 + Hiroshima Process Friends Group supplements with the "Cross-Border Agent Rights Recognition Agreement for AI Agents" in 2027–2028; APEC CBPR + Global CBPR Forum adds an AI agent working group.

FTLA-Agent four-layer governance is the necessary response to the Q10b cross-border multi-party accountability gap. The four-layer thickness asymmetry and time staging are analytical recommendations, not predictions; the five-party liability ratio 25/25/15/25/10 must be calibrated with actuarial data + cross-border dispute statistics.

FTLA-Agent ≜ ⟨G_industry^A, G_state^A, G_recognition^A, G_oversight^A⟩  ;  thickness asymmetric (2026)  ;  Liability = (25, 25, 15, 25, 10)

The pillars constitute the affirmative argument. An LLM-agent wallet that automatically co-signs credentials provides a concrete causal chain running from "agent developer design" to "holder cross-border rights failure." The upstream segment is normative necessity (agent intervention replaces the liability path with a five-segment chain), and the downstream segment is a probabilistic event (accountability vacuum under specific jurisdictional combinations). Unfolding the chain translates the abstract Q10a + Q10b split into a mechanistically traceable event sequence.

causal chain

LLM-Agent Wallet Automatic Credential Co-Signing × Cross-Border Rights Failure Five-Segment Chain (Formalisation of A14 Category-5 Gap)

L1 ⇒

The agent developer designs the agent's decision authority and trust calibration (normative necessity — agent intervention necessarily introduces a new governance layer; corresponds to Tomasev's TC element)

L2 ⇒

The agent operator / principal selects the deployment scenario and issues high-level instructions (normative necessity — the delegation structure shifts from direct holder action to a dual holder + agent operator layer; corresponds to Tomasev's AT + BS elements)

L3 ⇒

The wallet provider / EUDI Wallet issuer supplies cryptographic primitives for holder/agent distinction; EUDI ARF v1.4–1.5 provides multi-profile but not multi-tenant (normative necessity + engineering reality — absence of multi-tenant means supported degrades to substituted)

L4 ◊⇒

The issuer issues a misused credential (probabilistic event — whether the issuer verified holder self-signing vs. agent co-signing depends on issuer policy and W3C VC v2.0 conformance)

L5 ◊⇒

The verifier accepts agent-automated co-signing (probabilistic event — whether the verifier identifies the presentationOrigin=agent tag depends on verifier policy and interoperability standard maturity; when the 5 segments span different countries across jurisdictions, the liability vacuum spreads from a single node to the entire five-segment chain)

⇒ Normative necessity (structural; governance layer necessarily present after agent intervention)

◊⇒ Probabilistic (realised depending on specific policy, standards maturity, and jurisdictional combination, but probability non-negligible)

Once the position and the causal chain hold, objections become genuinely threatening. Coeckelbergh's relational personhood claims AI agents can satisfy plurality; GDPR Art 22 + EU AI Act Art 25 claims existing law already covers AI agents' cross-border obligations; the reductionist view claims Tomasev's five elements can be reduced to traditional principal-agent models. Careful examination of the empirical strength of each objection reveals that they not only fail to overturn the map's position but actually flip to support the three-zone demarcation and the FTLA-Agent four-layer governance — the evidentiary structure of each objection turns out to be the map's second-order support.

border cases — flip to support

Objection 1

Coeckelbergh relational personhood — AI agents can satisfy the functional requirements of plurality

pivotThe objection draws on *AI Ethics* (2020) and "Robot Rights" (2022), arguing that AI agents acquire personhood through relational practices, so plurality is not exclusive to humans; as long as AI agents can provide heterogeneous perspectives (multi-model ensemble: GPT-5 + Claude 4.7 + Gemini Ultra + Grok-4), they satisfy the functional requirements of Arendt plurality, and intrinsic Z₃ does not exist. Empirically, relational personhood has structural support in Chinese-language scholarship and parts of European-continental AI ethics research.

On closer inspection, Arendt's §1 Prologue defines plurality as "the fact that men, not Man, live on the earth and inhabit the world" — explicitly specifying "the coexistence of multiple *who*s," where *who* is subjecthood at the ontological level, not output diversity. A multi-model ensemble satisfies "functional perspectival heterogeneity" (epistemological heterogeneity), not Arendt's "Erscheinen vor Anderen" (appearing before others — phenomenological presence). Conflating the two is a category error, analogous to confusing "diversity of photographs" with "diversity of human community." The Coeckelbergh objection, read carefully, supports the argument's discipline of distinguishing "ontological vs. functional" — this paper's response is in §4 directly, with an explicit acknowledgement that this is a philosophical position choice (stated within the honesty boundary). The CF3 counterfactual stress test (if relational personhood is fully accepted, the ℬ column of the matrix must be redone but RT-ℬ ✗ + AA-ℬ ✗ remain standing) shows "downgrades one level, not two."

Objection 2

GDPR Art 22 + EU AI Act Art 25 — existing law already covers AI agents' cross-border obligations

pivotThe objection holds that GDPR Art 22's coverage of fully automated decision-making has been expansively interpreted in SCHUFA (C-634/21, 2023); EU AI Act Art 25 covers cross-border obligations on providers; no new FTLA-Agent four-layer governance is needed. Empirically, these two rules are the most important current tools for AI agent governance, covering 450 million EU citizens.

On closer inspection, GDPR Art 22 + EU AI Act Art 25 are the EU-internal minimum baseline, **not cross-border mutual recognition mechanisms**. Art 22's application to AI agents in wallet scenarios (mostly semi-automated: human-triggered, AI-executed) falls in a grey area; the SCHUFA expansive interpretation is effective only within the EU. Art 25 enforcement depends on member-state market surveillance authorities, whose cross-border coordination operates in parallel with — but is not integrated with — GDPR Art 56's lead supervisory authority. Neither provision has direct applicability to cross-border AI agent behaviour outside the EU. The GDPR/AI Act objection, read carefully, supports the argument's discipline of "layered governance" — the Q10a + Q10b split shows that Art 22 (covering part of Q10a) + Art 25 (covering part of G_oversight^A) are only partial bearers of two layers within FTLA-Agent, and the G_recognition^A cross-border mutual recognition layer remains vacant in 2026.

Objection 3

Reductionism — Tomasev's five elements can be reduced to the traditional principal-agent model

pivotThe objection holds that the Jensen-Meckling (1976) + Eisenhardt (1989) principal-agent model already covers all important aspects of delegation structure; Tomasev's five elements can be reduced to two (authority transfer + responsibility transfer), with the remaining three (accountability allocation + boundary setting + trust calibration) being merely operational details. Empirically, the principal-agent model has more than half a century of application in management, economics, and law, with high external validity.

On closer inspection, the principal-agent model implicitly presupposes utility maximisation and one-shot delegation (contract-bound). The goals of civic action are often not utility-based (dignity, recognition, voice), and AI agent delegation is long-term and dynamic rather than one-shot. The three dynamic governance elements of Tomasev's five elements (AA + BS + TC) are precisely designed for scenarios involving "continuity + non-utility goals + multiple connections." Reducing to two elements leaves dynamic governance without a home — AA handles multi-party accountability, BS handles scope minimisation, and TC handles long-term trust calibration. These three elements bear special weight in civic action scenarios (multi-party interaction in democratic action + scope minimisation is essential for supported decision-making + trust calibration is the maintenance mechanism after 6–18 months of model drift). The reductionist objection, read carefully, supports the argument's discipline of the "2+3 structure" — the layering of formal delegation elements (AT+RT) and dynamic governance elements (AA+BS+TC) is necessary, not redundant.

Once the objections are absorbed, what remains are design implications. Under what conditions can the "institutional limits of AI agents in civic action" be translated into verifiable engineering or legal obligations? Six conditions translate the abstract three-zone demarcation, normative hard constraints, and cross-jurisdictional governance responses into testable provisions, while filling in the ✓/△/✗ positions of the core matrix.

procedural conditions

Translating the institutional limits of AI agents in civic action into verifiable engineering or legal obligations requires passing six conditions

deployable_agent(action) ⇔ V_matrix ∧ V_phil ∧ V_crpd ∧ V_multitenant ∧ V_ftla_agent ∧ V_q10_split

Explicit 5×3 necessity matrix

Every AI agent deployment in civic action must submit a 5×3 necessity matrix assessment report prior to deployment, explicitly stating that 9 cells are condition-satisfiable, 4 cells are probabilistically degraded, and 2 cells are structurally unsatisfiable (M[RT, ℬ] = ✗ + M[AA, ℬ] = ✗). The α, β, θ parameters of the P_degrade function must be calibrated to the cross-jurisdictional, shared-device, and behavioural incapacity risks of the specific deployment scenario.

V_matrix: ∀ deployment d : matrix_report(d) ∧ ∀ cell ∈ M : explicit_status(cell)

ℬ philosophical foundation composite lower bound

ℬ must not be treated as a single value. Any determination of the "structurally non-delegable zone" must pass the conjoint coverage test of the composite lower bound formed by Arendt plurality + Habermas communicative validity + Pettit contestability. First-personal presence, political speech, final voting, expression of personality, and criminal liability belong to the intrinsic Z₃-intrinsic type (non-delegable regardless of technological maturity).

V_phil: ℬ = ⌊Arendt ∧ Habermas ∧ Pettit⌋  ;  Z₃-intrinsic ⇔ first_personal ∧ ontological_plurality ∧ communicative ∧ active_contestation

CRPD Art 12 GC1 §26–29 normative hard constraint

Deployments in the conditionally delegable zone Z₂ must pass the normative hard constraint of CRPD Art 12 General Comment No. 1 §26–29. The distinguishability of supported / substituted must be established simultaneously across three layers — ex-ante deliberation layer + ex-post reversibility layer + decision-trace layer. Failure of any one layer constitutes a substituted decision, violating CRPD Art 4(1)(a).

V_crpd: deploy(Z₂) ⇒ hard_constraint(GC1 §26-29) ∧ Distinguishability ⇔ ex_ante ∧ ex_post_rev ∧ trace

Multi-tenant delegated key custody (not multi-profile)

Wallet engineering must provide multi-tenant delegated key custody, defined as "multiple independent legal subjects coexisting, each retaining independently exercisable key capabilities and independently revocable consent capabilities." The multi-profile provided by EUDI ARF v1.4–v1.5 does not satisfy this condition. POTENTIAL UC6 phase 2 holder-side delegated key custody must advance to W3C specification in 2027–2028. The chooser_signature must be signed with the subject's private key; otherwise, it is cryptographically equivalent to substituted. The comprehension_attestation is mandatory. The revocation key must be held by the subject.

V_multitenant: wallet ⇒ multi_tenant ≠ multi_profile  ;  chooser_signature: signed_by(subject)  ;  revocation_key: held_by(subject)

FTLA-Agent four-layer governance activation

Prior to cross-jurisdictional AI agent deployment, an FTLA-Agent four-layer governance assessment must be submitted. G_industry^A aligns with W3C VC v2.0 + AgentDelegationProof2026; G_state^A aligns with each country's AI agent rights legislation (to advance within 5–10 years); G_recognition^A aligns with the CoE CETS 225 supplementary protocol or the Hague Conference 1996 PoA Convention digital version (to advance within OECD in 10–15 years); G_oversight^A aligns with the EDPB + EU AI Office + ENISA tripartite coordination.

V_ftla_agent: deploy(cross_juris) ⇒ ⟨G_industry^A, G_state^A, G_recognition^A, G_oversight^A⟩ : assessed

Q10a + Q10b split + five-party joint liability

The A14 category-5 gap must be split into Q10a (authority transfer cryptographic accountability) + Q10b (accountability allocation cross-border multi-party accountability). LLM-agent automatic credential co-signing must introduce an AgentDelegationCapability VC (holder self-signed enabling envelope + restricted delegation scope + publicly queryable revocation endpoint) + a presentationOrigin tag (distinguishing agent vs. holder). The civic-action-receipt must contain five-party legal entity identifiers and ZK-proof. The five-party joint liability ratio is: issuer 25 / verifier 25 / wallet provider 15 / agent provider 25 / model provider 10 (policy recommendation values, pending actuarial calibration).

V_q10_split: Q10 = Q10a ∪ Q10b  ;  Liability = (25, 25, 15, 25, 10)  ;  ∀ presentation p : presentationOrigin(p) ∈ {holder, agent}

Drawing together six layers — the matrix, political philosophy, liability vacuums, CRPD constraints, FTLA-Agent governance, and time staging — the map ultimately argues that institutional limits are not engineering limits, and that the five-party liability ratio and time staging are analytical recommendations, not predictions. For readers in Taiwan: when the TW DIW moves into the LLM-agent phase, if AI agents continue to be treated as tools rather than as agents with independent delegation structures, the intrinsic structurally non-delegable zone will be crossed by engineering means, and supported decisions will degrade into substituted decisions under wallet engineering defaults.

The institutional limits of AI agents in civic action are institutional limits, not engineering limits. The Tomasev five-element × civic proof triple conjoint analysis yields a 5×3 = 15 cell necessity matrix: 9 cells condition-satisfiable, 4 cells probabilistically degraded, 2 cells structurally unsatisfiable (M[RT, ℬ] = ✗ + M[AA, ℬ] = ✗). The three-zone demarcation (θ₁ ≈ 0.2, θ₂ ≈ 0.7) — combined with the division of structural non-delegability into intrinsic type (determined by ℬ) and contextual type (determined by co-failure of 𝒩 + ℱ) — jointly supports the normative necessity that physical presence, political speech, final voting, expression of personality, and criminal liability cannot be executed by an AI agent.

The normative hard constraint on the conditionally delegable zone Z₂ comes from CRPD Art 12 General Comment No. 1 §26–29. The distinguishability of supported / substituted must be established simultaneously across the ex-ante deliberation layer, ex-post reversibility layer, and decision-trace layer. The multi-profile provided by EUDI Wallet ARF is not multi-tenant and must be corrected with three engineering measures (audit-by-design + minimal delegation + multi-tenant delegated key custody). CRPD Art 12 flows back through ICCPR Art 26 + ICESCR Art 9 as a universal engineering obligation for all wallet users — it is not an "accessibility accommodation" for special groups.

The cross-jurisdictional liability vacuum is subdivided into three types: moral crumple zone, algorithmic opacity, and cross-jurisdictional diffusion. The A14 category-5 gap is split into Q10a (authority transfer cryptographic accountability) + Q10b (accountability allocation cross-border multi-party accountability). FTLA-Agent four-layer governance exhibits asymmetric thickness in 2026 — G_industry^A and G_oversight^A thick / G_state^A weak / G_recognition^A weakest. Time staging is in three phases of 5 / 5–10 / 10–15 years. The five-party liability ratio 25 / 25 / 15 / 25 / 10 is an analytical recommendation, not a prediction. A key warning for readers in Taiwan: when the TW DIW enters the LLM-agent phase, if AI agents continue to be treated as tools rather than as agents with independent delegation structures, the intrinsic structurally non-delegable zone will be crossed by engineering means, and supported decisions will degrade into substituted decisions under the wallet's three engineering defaults.

Final form:
  Delegate(action) ≜ ⟨AT, RT, AA, BS, TC⟩
  ⟨𝒩, ℱ, ℬ⟩ ≜ civic proof triple  ;  ℬ = ⌊Arendt ∧ Habermas ∧ Pettit⌋
  M ∈ {✓, △, ✗}^{5×3}  ;  M[RT, ℬ] = ✗ ∧ M[AA, ℬ] = ✗
  Zone(action) = Z₁ ∨ Z₂ ∨ Z₃  ;  Z₃ = Z₃-intrinsic ∪ Z₃-contextual
  hard_constraint(Z₂) ≜ CRPD Art 12 GC1 §26-29
  Distinguishability(supported, substituted) ⇔ ex_ante ∧ ex_post_rev ∧ trace
  Multi-tenant ≠ Multi-profile
  Q10 = Q10a ∪ Q10b  ;  Vacuum ∈ {crumple, opaque, diffusion}
  FTLA-Agent = ⟨G_industry^A, G_state^A, G_recognition^A, G_oversight^A⟩
  Liability = (issuer 25, verifier 25, wallet provider 15, agent provider 25, model provider 10)
  Time-staging = (G_industry^A/G_oversight^A: 5y, G_state^A: 5-10y, G_recognition^A: 10-15y OECD)

Argdown

Formal Render

HTML Source

Institutional Limits of AI Agency in Civic Action: Conjoint Necessity Matrix of Tomasev's Five-Element Delegation and the Civic Proof Triple Argdown graph

Source

===
title: AI 代理在公民行動的制度極限：委任五件結構與公民證明三件式的合取必要條件
subTitle: AI Agent Delegation Limits in Civic Action — Argument Map (v1)
slug: 2026-05-10-civic-ai-agent-delegation-limits
author: research-article-pipeline argdown export
model:
  removeTagsFromText: true
===

# Central Thesis

[Core Thesis]
  + <Formal Core>
  + [Accepted]
  + <P1>
  + <P2>
  + <P3>
  + <P4>
  + <P5>
  + <Causal Chain>
  + [Deployment Conditions]
  + <Conclusion>
  - [Rejected]
    - [Accepted]
  + [Accepted]
  - [Objection 1]
    - <Reply 1>
  + <Reply 1>
  - [Objection 2]
    - <Reply 2>
  + <Reply 2>
  - [Objection 3]
    - <Reply 3>
  + <Reply 3>

[Core Thesis]: Tomasev 2026 委任五件具備層級結構的 2+3 構造（形式要件 AT RT 動態治理要件 AA BS TC），與 civic proof 三件式 ⟨𝒩, ℱ, ℬ⟩ 做合取交叉，得到 5×3 15 cell 必要條件矩陣（9 條件可滿足 4 機率退化 2 結構不可滿足 RT-ℬ ✗ AA-ℬ ✗）。據此把公民行動劃分為三區帶（θ₁ 0.2 θ₂ 0.7）可委任 條件可委任 結構不可委任 結構不可委任分常駐型（由 ℬ 哲學基礎決定）與情境型（由 𝒩 ℱ 共同失能決定）。CRPD Art 12 General Comment No. 1 §26-29 是條件可委任區的規範性硬約束（不是法理依據） 跨法域責任真空細分三型 A14 第 5 類缺口拆為 Q10a Q10b FTLA-Agent 四層治理在 2026 年呈非對稱厚度，須以時間階段化（5 5-10 10-15 年）回應。 #thesis

<Formal Core>: Formula Delegate(action) AT RT AA BS TC （Tomasev five elements as 2+3 structure） civic proof triple ℬ Arendt Habermas Pettit （composite lower bound） M i j ✓ △ ✗ for i AT RT AA BS TC j 𝒩 ℱ ℬ ✓ 9 △ 4 ✗ 2 M RT ℬ ✗ M AA ℬ ✗ Zone(action) Z₁ delegable if P degrade θ₁ 0.2 ∄ ✗ cell Z₂ conditionally delegable if θ₁ P degrade θ₂ 0.7 ∄ ✗ cell Z₃ structurally non-delegable if P degrade θ₂ ∃ ✗ cell Z₃ Z₃-intrinsic（ℬ-determined） Z₃-contextual（𝒩 ℱ co-failure） CRPD Art 12 GC1 §26-29 hard constraint(Z₂) Distinguishability supported substituted ex ante ex post reversibility decision trace Multi-tenant Multi-profile Vacuum cross juris moral crumple algorithmic opaque cross juris diffusion Q10 Q10a Q10b FTLA-Agent G industry^A G state^A G recognition^A G oversight^A asymmetric thickness 2026 #formal

[Accepted]: AI 代理在公民行動需要 Tomasev 五件 civic proof 三件式合取分析. Tomasev 2026 五件具備 2+3 結構（形式要件 AT RT 動態治理要件 AA BS TC），三件 dynamic governance 在 civic action 場景特別吃重——AA 處理多方歸責 BS 處理範圍最小化 TC 處理長期信任校準。化約為兩件後 dynamic governance 三件無處安放。civic proof 三件式 ⟨𝒩, ℱ, ℬ⟩ 透過 A15 precursor right 框架下傳到公民資格行使的可問責層 W1 採精準介面傳遞立場（介面層完全傳遞 實質層需另由政治哲學基礎承擔）。合取交叉得到 5×3 必要條件矩陣，9 cell 條件可滿足 4 cell 機率退化 2 cell 結構不可滿足（RT-ℬ ✗ AA-ℬ ✗），對應三區帶劃界 Z₁ Z₂ Z₃。 #accepted

[Rejected]: AI 代理在公民行動可化約為傳統 principal-agent 模型. 把 AI 代理視為「可化約為兩件結構」（authority transfer responsibility transfer）的延伸版 principal-agent。這個結構假設現有委任理論（Pitkin trustee delegate Jensen-Meckling principal-agent Eisenhardt agency theory）的概念骨架足以覆蓋公民行動的所有場景 civic proof 三件式 ⟨𝒩, ℱ, ℬ⟩ 是「身分基礎設施規範」而非公民行動規範，不會自動傳遞到 AI 代理場景。在這個分類下，AI 代理失敗只需用既有 GDPR Art 22 EU AI Act Art 25 principal-agent 訴訟路徑回應，無需新建合取必要條件矩陣或 FTLA-Agent 四層治理。 #rejected

<P1>: Title 5×3 15 cell 矩陣決定三區帶劃界 Section 3 — 演繹（Tomasev 五件 ⟨𝒩, ℱ, ℬ⟩ 合取必要條件矩陣） Role 提供合取分析骨架——若五件與三件式不能形式化為矩陣，三區帶劃界就只能停在語言層 若退化函數沒有可量測參數，θ₁ θ₂ 閾值就只是修辭。 Tomasev 2026 五件分解可重組為「2+3 結構」形式委任要件（AT 權威移轉 RT 責任移轉） 動態治理要件（AA 責任歸屬分配 BS 邊界設定 TC 信賴校準）。AT RT 是先決條件，AA BS TC 是運行條件 化約為兩件等於放棄 dynamic governance 的可形式化。civic proof ⟨𝒩, ℱ, ℬ⟩ 中 ℬ 並非單一價值（如僅有 Arendt plurality），它是 Arendt plurality Habermas communicative validity Pettit contestability 三家會合的「複合下界」。15 cell 中 9 cell 條件可滿足 4 cell 機率退化 2 cell 結構不可滿足（M RT ℬ ✗ M AA ℬ ✗）。退化函數 P degrade(scenario cell) 的 α β θ 參數依跨法域 共用裝置 行為失能三類情境校準。三區帶判準依賴 θ₁ 0.2 θ₂ 0.7 「∃ ✗ cell」三條件。結構不可委任分 Z₃-intrinsic（由 ℬ 決定，無論技術成熟度皆不可委任）與 Z₃-contextual（由 𝒩 ℱ 共同失能決定，可隨制度修補移動邊界）。 Finding 矩陣為三區帶劃界的形式骨架 M RT ℬ ✗ M AA ℬ ✗ 兩 cell 是常駐型結構不可委任的數學表達，下游 writer 不可回退到「五件平行 三件式單值」的草版。 Formal M ✓ △ ✗ ^ 5 3 ✓ 9 △ 4 ✗ 2 Z₃-intrinsic ∃ M i j ✗ #pillar

<P2>: Title 結構不可委任區由四維結構判準合取覆蓋 Section 4 — 演繹（Arendt Habermas Pettit 三進路合取） Role 提供存在論基礎——若無法證明結構不可委任區的判準是哲學必然而非政策選擇，三區帶劃界會被 Coeckelbergh relational personhood 反論掏空 若無法區分 plurality 的存在論層級與輸出多樣性，AI 代理只要能提供異質視角即滿足判準，常駐型 Z₃ 不存在。 結構不可委任區由 first-personal stance ontological plurality communicative orientation active-stance contestation 四維結構判準合取覆蓋。Arendt 1958 The Human Condition §1 Prologue (p. 7) 與 §27 給出 plurality 存在論定義，§24-26 (pp. 175-188) 論行動 plurality 與 unique disclosure，§44 (p. 313) 論 mortality stake plurality 是存在論而非功能論——每個行動者具備不可重複的誕生性（natality）與揭露獨特自我的能力，依附於有限性 有死性 被誕生於世界中這一存在條件。Habermas 1981 TKH Bd. I §III.1-§III.4 區分四種行動類型（目的論 策略 規範引導 言說），公民行動在 §III.3 屬言說行動而非策略行動。Pettit 1997 Republicanism 2012 On the People s Terms contestation 要求 active stance（站出來主張 承擔後果 進入制度爭訟），不是僅提供異議意見。Pitkin 1967 The Concept of Representation §5 trustee 與 delegate 區分提供「執行可委任 vs 歸屬不可委任」的概念骨架——AI 代理可承擔 execution 但不能承擔 attribution，因為它是「無歸屬主體的代理」。 Finding 四維判準合取構成結構不可委任區的存在論基礎 Arendt Habermas Pettit 三進路任一單獨成立即使該行動不可委任，三者同時成立則該行動處於範疇核心 plurality 存在論立場是哲學立場選擇（拒絕 Coeckelbergh），須在誠實邊界明示。 Formal Z₃-intrinsic first personal ontological plurality communicative active contestation #pillar

<P3>: Title 跨法域責任真空細分三型，第 5 類缺口拆 Q10a Q10b Section 6 — 歸納（moral crumple zone 三型 6 案例 case-tracing） Role 提供經驗證據——若無法用多案例驗證責任真空在跨法域的單調擴張，「FTLA-Agent 四層治理」就只是預言 若 A14 第 5 類缺口未拆分，治理回應會被「LLM-agent 是新範疇不適用 Elish 框架」反論掏空。 Elish 2019 moral crumple zone 框架在 2019 年後被 Selbst 2021 Mittelstadt 2023 Cobbe Singh 2024 細分為三型 (i) 道德緩衝區型（最近的人吸收衝擊） (ii) 演算法不透明型（連最近的人都無法歸因） (iii) 跨法域擴散型（責任在多個法域之間 ping-pong）。三型在 LLM-agent wallet 場景同時疊加。6 個 case-tracing 案例 Robodebt（澳洲 2016-2020 福利自動化） Dutch SyRI Toeslagenaffaire (2018-2024) Aadhaar PDS NREGA-ABPS（印度 2020-2025） State v Loomis (Wisconsin 2016 量刑) Tornado Cash 系列（2022-2025） SCHUFA C-634 21 (CJEU 2023)。Elish 框架在 LLM-agent 場景需擴張為「責任緩衝鏈」（chain-form）以取代單一緩衝區（明示為延伸，非原文表述）。A14 §3.5 第 5 類「候選缺口」拆為兩個次類型 Q10a「authority transfer 密碼學歸責缺口」（agent 代簽 VC presentation 時 holder 親簽 vs agent 代簽的密碼學區分 prompt injection 場景） Q10b「accountability allocation 跨境多方歸責缺口」（issuer verifier wallet provider agent provider model provider 五方在跨境的責任比例）。Q10 五段鏈條 L1（agent 開發者）L2（agent operator）L3（wallet provider）L4（issuer）L5（verifier），現有法律（GDPR Art 22 AI Act Art 25 eIDAS 2.0 Art 5b Brussels I Recast）各只覆蓋鏈中一段。 Finding 三型責任真空 五段鏈條 Q10a Q10b 拆分共同支撐「跨法域責任真空無法用單一治理層解決」 下游 writer 不可把第 5 類缺口當作單一新缺口處理。 Formal Vacuum crumple opaque diffusion Q10 Q10a Q10b L1...L5 jurisdictions #pillar

<P4>: Title CRPD Art 12 GC1 §26-29 是規範性硬約束，三層同步建立 supported substituted 可區分性 Section 5 — 溯因（CRPD Art 12 wallet 工程退化） Role 提供溯因論證——從 supported decision-making 的法律規範反推工程設計判準。若 CRPD Art 12 僅作為「法理依據」處理，wallet 工程可在「漸進過渡到代理」框架下削弱 supported 若 supported substituted 的可區分性僅依賴行為層判斷，W4 反論成立——兩者在行為層幾乎不可區分。 CRPD Art 12 General Comment No. 1（2014）§26-29 明確要求締約國「廢除一切替代決策制度」（abolish substituted decision-making regimes），這是規範性硬約束而非可被討價還價的依據。supported 與 substituted 在行為層幾乎不可區分（兩者皆呈現為「他人按下了那個按鈕」），可區分性必須在三層同步建立 (i) 事前協商層（ex-ante deliberation 誰參與決策 議程如何形成） (ii) 事後可逆層（ex-post reversibility 被代理者是否可單方撤回） (iii) 決策證據鏈層（decision-trace deliberation provenance 而非僅交易 log）。EUDI Wallet ARF v1.4-v1.5 提供 multi-profile（同一 holder 的多檔案）但不提供 multi-tenant delegated key custody（多獨立法律主體並存且各自保有可獨立行使的密鑰能力與可獨立撤回的同意能力） POTENTIAL UC6 NOBID DC4EU EWC 四個 large-scale pilot 2025 mid-term reports 均承認 holder-side delegated key custody 未實作。CRPD Art 12 透過 ICCPR Art 26（平等保護） ICESCR Art 9（社會保障近用）回流為對所有 wallet 使用者的普遍工程義務（不是擴張解釋而是規範性論證）。三項工程修正 audit-by-design（捕捉 deliberation provenance） minimal delegation（範圍最小化 動態評估 可單方撤回） multi-tenant delegated key custody（W3C DID Core 1.0 controller-subject 分離 EUDI ARF 缺失的「獨立可撤回的並存主體」原語）。法律對照表 UK Mental Capacity Act 2005 2019 amendment（CRPD Concluding Observations 2017 §30-31 已批評 best-interests 是 substituted 偽裝） Israel 2016 § 67B-67F（GC1 完整法律化全球第一例） Peru DL 1384 (2018)（拉美最徹底的 substituted regime 廢除，廢除 interdicción） 台灣意定監護新制（仍是「自願選擇的 substituted」，未達 CRPD supported 標準）。 Finding CRPD Art 12 GC1 §26-29 是 Z₂ 條件可委任區的規範性硬約束 wallet 工程的個人擁有 個人識別 個人私鑰三重預設會在三條退化路徑同時把 supported decision 退化為 substituted decision，三項工程修正缺一不可。 Formal GC1 §26-29 hard constraint(Z₂) Distinguishability ex ante ex post rev trace Multi-tenant Multi-profile CRPD ICCPR Art 26 ICESCR Art 9 universal obligation #pillar

<P5>: Title FTLA-Agent 四層厚度非對稱 時間階段化 五方責任比例 Section 7 — 類比（FTLA 四層治理延伸到 AI 代理場景） Role 提供治理回應——若 FTLA 框架不能延伸到 AI 代理場景，A8 forward-link 失效 若四層治理被視為平行對等，2026 年 G state 與 G recognition 的薄弱會被 G industry 與 G oversight 的相對厚實掩蓋 若無時間階段化，「跨境治理永遠是政治不可行」反論會掏空整個治理路徑。 A8 FTLA 四層治理框架（G industry 協議互通 G state 法律承載 G recognition 跨境承認 G oversight 消費者保護與資料保護底線）延伸到 AI 代理場景為 FTLA-Agent，結構同構性論證須明示——FTLA 源自網絡訊息基礎設施治理史（DNS IATA SWIFT Basel），AI 代理治理涉及「行為主體的代理權」這個身分基礎設施所沒有的元素，結構同構在「協議與標準」維度成立 在「行為主體歸責」維度需 Tomasev 五件補充。四層在 2026 年呈非對稱厚度——G industry^A 與 G oversight^A 厚度高（W3C VC v2.0 DIF MCP A2A EDPB 2024 update EU AI Act Annex III） G state^A 弱（多數法域 AI 代理權立法尚未成熟） G recognition^A 最弱（無 AI 代理跨境互認框架）。GDPR Art 22 EU AI Act Art 25 是歐盟內部最低底線，不是跨境互認機制 SCHUFA C-634 21 (CJEU 2023) 對 Art 22 的擴大解釋僅在歐盟內生效。時間階段化為 G industry^A G oversight^A 5 年內可推進 G state^A 5-10 年可推進至代理權立法承認 G recognition^A 10-15 年內 OECD 內 mutual recognition OECD 外覆蓋空白將持續存在。Q10b 的具體治理回應為五方連帶責任比例 issuer 25 verifier 25 wallet provider 15 agent provider 25 model provider 10（政策建議數，待保險業精算 跨境爭議統計支撐）。CoE AI Convention CETS 225 Hiroshima Process Friends Group 2027-2028 通過 AI 代理跨境代理權承認協議 補充協議 APEC CBPR Global CBPR Forum 新增 AI 代理工作組。 Finding FTLA-Agent 四層治理是 Q10b 跨境多方歸責缺口的必要回應 四層厚度非對稱與時間階段化是分析性建議而非預測 五方責任比例 25 25 15 25 10 須以保險業精算 跨境爭議統計校準。 Formal FTLA-Agent G industry^A G state^A G recognition^A G oversight^A thickness asymmetric (2026) Liability (25 25 15 25 10) #pillar

<Causal Chain>: Title LLM-agent wallet 自動代簽憑證 跨境權利失敗五段鏈條（A14 第 5 類缺口形式化） L1 (deterministic) agent 開發者設計 agent 的決策權限與 trust calibration（規範必然——agent 介入必然引入新治理層 對應 Tomasev TC 件） L2 (deterministic) agent operator 委託人選擇部署場景並下達高層指令（規範必然——委任結構從 holder 直接行動轉為 holder agent operator 雙層 對應 Tomasev AT BS 件） L3 (deterministic) wallet provider EUDI Wallet 發行者提供 holder agent 區分的密碼學原語 EUDI ARF v1.4-1.5 僅提供 multi-profile 不提供 multi-tenant（規範必然 工程現實——multi-tenant 缺失即 supported 退化為 substituted） L4 (probabilistic) issuer 發行被誤用的 credential（概率事件——issuer 是否驗證了 holder 親簽 vs agent 代簽，依 issuer 政策與 W3C VC v2.0 conformance 而定） L5 (probabilistic) verifier 接受 agent 自動代簽（概率事件——verifier 是否識別了 presentationOrigin agent 標籤，依 verifier 政策與互通標準成熟度而定 當 5 段在跨法域分屬不同國家時，責任真空從單一節點擴散為五段鏈條） #chain

[Deployment Conditions]: 把 AI 代理在公民行動的制度極限翻譯成可被檢驗的工程或法律義務，必須通過六道條件. deployable agent(action) V matrix V phil V crpd V multitenant V ftla agent V q10 split #conditions

<C1>: Title 5×3 必要條件矩陣明示 每個 AI 代理在公民行動的部署前須提交 5×3 必要條件矩陣評估報告，明示 9 cell 條件可滿足 4 cell 機率退化 2 cell 結構不可滿足（M RT ℬ ✗ M AA ℬ ✗） P degrade 函數的 α β θ 參數須以該部署場景的跨法域 共用裝置 行為失能風險校準。 Formal V matrix deployment d matrix report(d) cell M explicit status(cell) #condition

<C2>: Title ℬ 哲學基礎複合下界 ℬ 不得被處理為單一價值 任何「結構不可委任區」判定須通過 Arendt plurality Habermas communicative validity Pettit contestability 三家會合的合取覆蓋檢驗。第一人稱在場性 政治發言 最終投票 人格表意 刑責承擔屬常駐型 Z₃-intrinsic（無論技術成熟度皆不可委任）。 Formal V phil ℬ Arendt Habermas Pettit Z₃-intrinsic first personal ontological plurality communicative active contestation #condition

<C3>: Title CRPD Art 12 GC1 §26-29 規範性硬約束 條件可委任區 Z₂ 的部署須通過 CRPD Art 12 General Comment No. 1 §26-29 的規範性硬約束。supported substituted 可區分性須在事前協商層 事後可逆層 決策證據鏈層三層同步建立 任一層失能即構成 substituted decision，違反 CRPD Art 4(1)(a)。 Formal V crpd deploy(Z₂) hard constraint(GC1 §26-29) Distinguishability ex ante ex post rev trace #condition

<C4>: Title multi-tenant delegated key custody（不是 multi-profile） Wallet 工程須提供 multi-tenant delegated key custody，定義為「多個獨立法律主體並存且各自保有可獨立行使的密鑰能力與可獨立撤回的同意能力」。EUDI ARF v1.4-v1.5 提供的 multi-profile 不滿足此條件 POTENTIAL UC6 phase 2 holder-side delegated key custody 須在 2027-2028 年推進至 W3C 規格化。chooser signature 必須由 subject 私鑰簽，否則密碼學上等於 substituted comprehension attestation 強制 unilateral revocation 鑰必須在 subject 手上。 Formal V multitenant wallet multi tenant multi profile chooser signature signed by(subject) revocation key held by(subject) #condition

<C5>: Title FTLA-Agent 四層治理啟動 AI 代理跨法域部署前須提交 FTLA-Agent 四層治理評估，G industry^A 對齊 W3C VC v2.0 AgentDelegationProof2026 G state^A 對齊各國 AI 代理權立法（5-10 年內推進） G recognition^A 對齊 CoE CETS 225 補充協議或 Hague Conference 1996 PoA Convention 數位版（10-15 年內 OECD 內推進） G oversight^A 對齊 EDPB EU AI Office ENISA 三方協調。 Formal V ftla agent deploy(cross juris) G industry^A G state^A G recognition^A G oversight^A assessed #condition

<C6>: Title Q10a Q10b 拆分 五方連帶責任 A14 第 5 類缺口須拆為 Q10a（authority transfer 密碼學歸責） Q10b（accountability allocation 跨境多方歸責）。LLM-agent 自動代簽憑證須引入 AgentDelegationCapability VC（holder 親簽 enabling envelope 限制委任範圍 公開可查撤銷端點） presentationOrigin 標籤（agent vs holder 區分） civic-action-receipt 須含五方法人標識與 ZK-proof。五方連帶責任比例為 issuer 25 verifier 25 wallet provider 15 agent provider 25 model provider 10（政策建議數，待精算校準）。 Formal V q10 split Q10 Q10a Q10b Liability (25 25 15 25 10) presentation p presentationOrigin(p) holder agent #condition

<Conclusion>: AI 代理在公民行動的制度極限是制度極限不是工程極限。Tomasev 五件 civic proof 三件式合取分析給出 5×3 15 cell 必要條件矩陣，9 cell 條件可滿足 4 cell 機率退化 2 cell 結構不可滿足（M RT ℬ ✗ M AA ℬ ✗） 三區帶劃界（θ₁ 0.2 θ₂ 0.7） 結構不可委任分常駐型（ℬ 決定）與情境型（𝒩 ℱ 共同失能決定）共同支撐「親自在場性 政治發言 最終投票 人格表意 刑責承擔不可被 AI 代理執行」的規範必然。 條件可委任區 Z₂ 的規範性硬約束來自 CRPD Art 12 General Comment No. 1 §26-29 supported substituted 可區分性須在事前協商層 事後可逆層 決策證據鏈層三層同步建立 EUDI Wallet ARF 提供的 multi-profile 不是 multi-tenant，須以三項工程修正補正（audit-by-design minimal delegation multi-tenant delegated key custody）。CRPD Art 12 透過 ICCPR Art 26 ICESCR Art 9 回流為對所有 wallet 使用者的普遍工程義務。 跨法域責任真空細分為道德緩衝區型 演算法不透明型 跨法域擴散型三型，A14 第 5 類缺口拆為 Q10a（authority transfer 密碼學歸責） Q10b（accountability allocation 跨境多方歸責）。FTLA-Agent 四層治理在 2026 年呈非對稱厚度，G industry^A 與 G oversight^A 厚 G state^A 弱 G recognition^A 最弱 時間階段化為 5 5-10 10-15 年三段 五方責任比例 25 25 15 25 10 是分析性建議而非預測。對台灣讀者的關鍵警示當 TW DIW 即將進入 LLM-agent 階段時，若繼續把 AI 代理當作工具而非具有獨立委任結構的代理，常駐型結構不可委任區會被工程式越界，supported decision 會在 wallet 三重預設下退化為 substituted decision。 Formal Coda Final form Delegate(action) AT RT AA BS TC civic proof triple ℬ Arendt Habermas Pettit M ✓ △ ✗ ^ 5 3 M RT ℬ ✗ M AA ℬ ✗ Zone(action) Z₁ Z₂ Z₃ Z₃ Z₃-intrinsic Z₃-contextual hard constraint(Z₂) CRPD Art 12 GC1 §26-29 Distinguishability supported substituted ex ante ex post rev trace Multi-tenant Multi-profile Q10 Q10a Q10b Vacuum crumple opaque diffusion FTLA-Agent G industry^A G state^A G recognition^A G oversight^A Liability (issuer 25 verifier 25 wallet provider 15 agent provider 25 model provider 10) Time-staging (G industry^A G oversight^A 5y G state^A 5-10y G recognition^A 10-15y OECD) #conclusion

# Deployment Conditions

[Deployment Conditions]
  + <C1>
  + <C2>
  + <C3>
  + <C4>
  + <C5>
  + <C6>

# Objections And Replies

[Objection 1]: Coeckelbergh relational personhood — AI 代理可滿足 plurality 的功能性要求. 反論訴求是 AI Ethics (2020) 與 Robot Rights (2022) 主張 AI 代理透過關係性實踐獲得 personhood，因此 plurality 不專屬於人 只要 AI 代理能提供異質視角（多模型 ensemble GPT-5 Claude 4.7 Gemini Ultra Grok-4）即滿足 Arendt plurality 的功能性要求，常駐型 Z₃ 不存在。實證強度上，relational personhood 在華語學界與部分歐陸 AI ethics 研究有結構性支持。 #objection

<Reply 1>: Title Coeckelbergh relational personhood — AI 代理可滿足 plurality 的功能性要求 仔細看，Arendt §1 Prologue 的 plurality 定義「the fact that men, not Man, live on the earth and inhabit the world」明示「多個 who 的共在」，who 是存在論層級的主體性，不是輸出多樣性。多模型 ensemble 滿足的是「functional perspectival heterogeneity」（認識論異質），而非 Arendt 的「Erscheinen vor Anderen」（appearing before others，現象學在場）。把兩者混為一談是 category error，類似把「擁有照片的多樣性」混為「擁有人類社群的多樣性」。Coeckelbergh 反論反向支撐「存在論 vs 功能論區分」的論證紀律——本論的回應在 §4 直接論證，並承認這是哲學立場選擇（在誠實邊界明示），CF3 反事實壓力測試（若 relational personhood 全面接受，矩陣的 ℬ 列須重做但結構不可委任區的 RT-ℬ ✗ AA-ℬ ✗ 仍站得住）顯示「降一檔不降兩檔」。 #reply

[Objection 2]: GDPR Art 22 EU AI Act Art 25 — 現有法律已涵蓋 AI 代理跨境義務. 反論訴求是 GDPR Art 22 對全自動化決策的覆蓋已被 SCHUFA (C-634 21 2023) 擴大解釋 EU AI Act Art 25 對 provider 的跨境義務涵蓋 無需新建 FTLA-Agent 四層治理。實證強度上，這兩條規則確實是當代 AI 代理治理的最重要工具，覆蓋範圍涉及歐盟 4.5 億公民。 #objection

<Reply 2>: Title GDPR Art 22 EU AI Act Art 25 — 現有法律已涵蓋 AI 代理跨境義務 仔細看，GDPR Art 22 EU AI Act Art 25 是歐盟內部最低底線，不是跨境互認機制。Art 22 對 wallet 場景的 AI 代理（多為半自動化人類觸發 AI 執行）落在灰區，SCHUFA 擴大解釋僅在歐盟內生效 Art 25 的執行依賴成員國 market surveillance authority，跨境協作機制與 GDPR Art 56 lead supervisory authority 平行但未整合。兩者皆無對歐盟外 AI 代理跨境行為的直接適用。GDPR AI Act 反論反向支撐「分層治理」的論證紀律——Q10a Q10b 拆分顯示 Art 22（覆蓋 Q10a 部分） Art 25（覆蓋 G oversight^A 部分）只是 FTLA-Agent 中兩層的局部承載，G recognition^A 跨境互認層在 2026 年仍空白。 #reply

[Objection 3]: 化約論 — Tomasev 五件可化約為傳統 principal-agent 模型. 反論訴求是 Jensen-Meckling (1976) Eisenhardt (1989) 的 principal-agent 模型已涵蓋委任結構的所有重要面向，Tomasev 五件可被化約為兩件（authority transfer responsibility transfer），其餘三件（accountability allocation boundary setting trust calibration）僅是運行細節。實證強度上，principal-agent 模型在管理學 經濟學 法律學的應用紀錄半個世紀以上，外部效度高。 #objection

<Reply 3>: Title 化約論 — Tomasev 五件可化約為傳統 principal-agent 模型 仔細看，principal-agent 模型隱含預設 utility maximization 與一次性委任（contract-bound），公民行動的目標常非 utility（dignity recognition voice），且 AI 代理委任是長期動態而非一次性。Tomasev 五件中的 dynamic governance 三件（AA BS TC）正是針對「持續性 非 utility 目標 多重連繫」場景設計，化約為兩件後 dynamic governance 無處安放——AA 處理多方歸責 BS 處理範圍最小化 TC 處理長期信任校準，這三件在 civic action 場景特別吃重（民主行動的多方互動 範圍最小化是 supported decision-making 必備 信任校準是 6-18 月 model drift 後的維持機制）。化約論反論反向支撐「2+3 結構」的論證紀律——形式委任要件（AT RT）與動態治理要件（AA BS TC）的分層是必要而非冗餘。 #reply