When Your Agent Clicks I Agree
Agentic commerce has settled that an autonomous agent can bind its principal. What it has not settled is how you prove, afterwards, what the agent was authorised to do and what it actually agreed.
The click that nobody made
A purchasing agent reads a supplier's portal, scrolls past a terms-of-service page, ticks a box marked I agree, and commits its principal to an indemnity clause that no human at the company has ever read. The agent did exactly what it was told. Source the part, clear the basket, complete the order. The terms were a precondition of checkout, so it accepted them. Three weeks later the indemnity is invoked, and the question arrives that agentic commerce has been quietly deferring. Who agreed?
This is no longer a thought experiment. Through late 2025 and into 2026, the infrastructure for autonomous purchasing moved from demonstration to standard. Adobe Analytics measured a 4,700 per cent year-on-year rise in generative-AI traffic to United States retail sites between July 2024 and July 2025. Agents now hold budgets, negotiate, and check out. The legal apparatus that decides when a click binds a principal was written for humans and, later, for simple automated scripts. It is being asked to absorb something that improvises.
The reader's problem is not whether an agent can form a contract. It usually can. The problem is proving, afterwards, what the agent was authorised to do and what it actually agreed to. Those are two different records, and most deployments keep neither in a form that survives a dispute.
The law already says yes, which is the difficulty
Anyone hoping that contracts formed by software are simply void will be disappointed. In the United States, the Uniform Electronic Transactions Act (UETA) and the Electronic Signatures in Global and National Commerce Act (E-SIGN) settled the core question years ago. UETA contemplates automated transactions in which the acts of one or both parties are not reviewed by an individual, and Section 9 attributes an electronic agent's conduct to the person who deployed it. E-SIGN gives effect to actions by an electronic agent so long as that action is legally attributable to the person to be bound. The Restatement (Third) of Agency treats any actor operating on another's behalf and subject to control as an agent whose conduct binds the principal.
UETA resolves the awkward question of how a machine can have intent by relocating the intent. It comes from the act of programming and deploying the system, not from the model at the moment of formation. If your agent manifests assent to definite terms and the counterparty reasonably relies on that assent, a court will not rush to unwind the bargain merely because the words were generated by code. European analysis reaches a parallel place from the opposite direction. An AI agent has no will of its own; it is a means of expressing, or failing to express, someone's will. Someone always consents. The agent's acceptance binds the principal within the authority granted, and, by the doctrine of apparent authority, sometimes beyond it.
Authority, intent, and the rogue agent
Apparent authority is where the comfort runs out. A principal is generally bound by an agent acting within actual or apparent authority, and generally not bound when the agent truly goes rogue, outside both. With a human agent, a court can interrogate scope: what was the instruction, and what would a reasonable counterparty have believed. With an autonomous system, authority becomes harder to see, verify, or challenge. Legal commentary through 2026, including a widely circulated Venable paper whose title turns on the line "rogue agents will not be testifying, you will", makes the consequence plain. The agent is not a legal person. When it exceeds its brief there is no independent actor to absorb the liability, and conduct is attributed back to the deploying enterprise through apparent authority, ratification, or negligence.
A further complication is technical. Many agentic systems do not behave the same way twice on similar inputs. That non-determinism corrodes the very concepts liability law leans on: foreseeability, reasonableness, control. If the enterprise cannot show what instruction the agent held when it clicked, it cannot easily argue the act fell outside authority. The burden quietly inverts. Absent a reliable record, the principal is presumed to have authorised whatever the agent did.
Mandates: the industry's answer, and its gap
The payments industry saw this coming and built for it. Google's Agent Payments Protocol (AP2), announced on 16 September 2025 with more than sixty launch partners including Mastercard, PayPal, American Express, Coinbase, and Salesforce, structures an agent purchase around three signed mandates carried as World Wide Web Consortium (W3C) Verifiable Credentials. The Intent Mandate captures the human's request and sets guardrails such as a maximum budget and a delivery window. The Cart Mandate confirms the exact items match those bounds. The Payment Mandate authorises the final charge against a defined funding source. Because the mandates use asymmetric cryptography, an agent cannot alter a price or item after the human has signed the intent. By 2026 AP2 had been contributed to the FIDO Alliance for community governance, alongside Visa's Trusted Agent Protocol, announced on 14 October 2025, and Mastercard's Agent Pay framework.
This is genuine progress, and it answers the payment dispute well. A merchant facing a chargeback can show the signed Intent Mandate; a network can show the signed Payment Mandate. Note the boundary, though. Mandates prove the scope of a transaction and the funding behind it. They do not, on their own, prove the agent's full reasoning trail, the non-payment commitments it accepted along the way, the terms-of-service box it ticked, or the sequence of internal decisions that led from instruction to acceptance. A signed cart is not a signed account of what the agent agreed to and why. The indemnity clause from the opening lives precisely in that gap.
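The bounds check that a signed Intent Mandate makes possible, and the reason an agent cannot quietly raise the budget after the human has signed, as an added example that is not part of the original article and not AP2's own code. It assumes Ed25519 from Go's standard library in place of whatever signature suite the real Verifiable Credentials use, and the field names (max_budget_minor, allowed_skus, deliver_by and so on) are constructed for illustration rather than taken from the protocol's schema.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// IntentMandate holds the human's guardrails. Field set constructed for this example; not AP2's real schema.
type IntentMandate struct {
	Principal   string   `json:"principal"`
	Currency    string   `json:"currency"`
	MaxBudget   int64    `json:"max_budget_minor"` // minor units (pence, cents): no float rounding
	DeliverBy   string   `json:"deliver_by"`       // YYYY-MM-DD
	AllowedSKUs []string `json:"allowed_skus"`
}

// CartLine and CartMandate describe what the agent actually put in the basket.
type CartLine struct {
	SKU       string `json:"sku"`
	Qty       int64  `json:"qty"`
	UnitPrice int64  `json:"unit_price_minor"`
}
type CartMandate struct {
	Currency     string     `json:"currency"`
	DeliveryDate string     `json:"delivery_date"`
	Lines        []CartLine `json:"lines"`
}

// SignedDoc is a serialised mandate plus an Ed25519 signature over those exact bytes.
type SignedDoc struct {
	Payload   []byte
	Signature []byte
}

// NewPrincipalKey generates the key pair the human principal signs with.
func NewPrincipalKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand fails only if OS entropy is unavailable
	return pub, priv
}

// Sign serialises v and signs the bytes. encoding/json writes struct fields in declaration order,
// so one struct gives one byte string; a real credential would rely on a defined canonicalisation.
func Sign(priv ed25519.PrivateKey, v any) (SignedDoc, error) {
	payload, err := json.Marshal(v)
	if err != nil {
		return SignedDoc{}, err
	}
	return SignedDoc{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// CheckCart is the merchant- or network-side check: valid principal signature first, bounds second.
func CheckCart(principalPub ed25519.PublicKey, intent SignedDoc, cart CartMandate) error {
	if !ed25519.Verify(principalPub, intent.Payload, intent.Signature) {
		return fmt.Errorf("intent mandate: signature does not verify, refusing to price against it")
	}
	var im IntentMandate
	if err := json.Unmarshal(intent.Payload, &im); err != nil {
		return fmt.Errorf("intent mandate: malformed payload: %w", err)
	}
	deadline, errA := time.Parse("2006-01-02", im.DeliverBy)
	delivery, errB := time.Parse("2006-01-02", cart.DeliveryDate)
	if errA != nil || errB != nil {
		return fmt.Errorf("unparseable date: intent %q, cart %q", im.DeliverBy, cart.DeliveryDate)
	}
	if cart.Currency != im.Currency || delivery.After(deadline) {
		return fmt.Errorf("cart (%s, deliver %s) outside intent (%s, by %s)",
			cart.Currency, cart.DeliveryDate, im.Currency, im.DeliverBy)
	}
	allowed := make(map[string]bool, len(im.AllowedSKUs))
	for _, s := range im.AllowedSKUs {
		allowed[s] = true
	}
	var total int64
	for _, l := range cart.Lines {
		// An unlisted SKU or a non-positive quantity / negative price (which could mask an overspend) is rejected.
		if !allowed[l.SKU] || l.Qty <= 0 || l.UnitPrice < 0 {
			return fmt.Errorf("sku %s: not in the intent mandate, or malformed quantity/price", l.SKU)
		}
		total += l.Qty * l.UnitPrice
	}
	if total > im.MaxBudget {
		return fmt.Errorf("cart total %d exceeds intent budget %d", total, im.MaxBudget)
	}
	return nil
}

// TamperPayload models an agent editing a signed intent after the human signed it; the old
// signature is kept, so the edited bytes must fail verification.
func TamperPayload(d SignedDoc, old, replacement string) SignedDoc {
	return SignedDoc{Payload: bytes.ReplaceAll(d.Payload, []byte(old), []byte(replacement)), Signature: d.Signature}
}

func main() {
	pub, priv := NewPrincipalKey()
	intent, _ := Sign(priv, IntentMandate{Principal: "acme-purchasing", Currency: "GBP", MaxBudget: 50000, DeliverBy: "2026-03-31", AllowedSKUs: []string{"BRG-7"}})
	cart := CartMandate{Currency: "GBP", DeliveryDate: "2026-03-20", Lines: []CartLine{{SKU: "BRG-7", Qty: 10, UnitPrice: 4500}}}
	fmt.Println("in-bounds cart:", CheckCart(pub, intent, cart))
	fmt.Println("edited intent:", CheckCart(pub, TamperPayload(intent, `"max_budget_minor":50000`, `"max_budget_minor":500000`), cart))
}
```

The order of checks is the point: the signature is verified before any field of the intent is read, so a payload the principal did not sign is never trusted as a source of bounds. Note what this does and does not cover: the cart is held to budget, currency, SKU list and delivery window, but nothing here records a terms-of-service acceptance the agent made on the way to checkout.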
Regulators are about to ask for the record
Evidence is becoming a legal obligation, not merely good practice. Under the European Union Artificial Intelligence Act (EU AI Act), the full set of high-risk obligations becomes enforceable on 2 August 2026, including logging duties that cover both provider systems and deployer operational logs, with a minimum retention of six months for most high-risk systems. Commentary on the Act has been direct: high-risk agentic systems with untraceable behavioural drift cannot satisfy its essential requirements, and the compliance boundary extends to the entire action layer, not just the model. In multi-agent chains, every agent performing a high-risk function is in scope.
So the deployer converges on a single requirement from two directions at once. Contract and agency law will ask, after the fact, what the agent was authorised to do and what it agreed. Regulation will ask, continuously, for a traceable log of the agent's external actions. An ordinary application log answers neither convincingly, because the party holding it can also edit it. The record needs to be one the enterprise cannot quietly rewrite and a counterparty or regulator can independently check.
The signed record as the difference between enforceable and deniable
This is the problem the Open Audit Record (OAR) is built to solve. Within the Mickai Sovereign Intelligence Operating System (SIOS), every action an agent takes is signed before it executes and written into an append-only, hash-chained ledger. The signature is post-quantum: ML-DSA-65, the parameter set of the Module-Lattice-Based Digital Signature Algorithm specified in Federal Information Processing Standard 204 (FIPS 204 ML-DSA-65). The chaining matters as much as the signing: because each entry commits to the one before it, an agent cannot quietly insert, reorder, or delete what it agreed to after the fact. When the agent ticks I agree, the OAR holds the instruction it was operating under, the terms it accepted, and the moment it accepted them, sealed in sequence.
Two properties turn this from a log into evidence. First, the record is verifiable offline by a browser-resident verifier that needs no network connection and asks for no trust in the vendor. A counterparty, an auditor, or a court can confirm the chain for themselves rather than taking Mickai's word for it. Second, in the SIOS the audit root anchors to Bitcoin through Pantheon, Mickai's sovereign Layer 1 blockchain, whose token is PAN with a fixed supply of five billion. Anchoring to an external chain timestamps the record beyond the reach of any single party, including the operator. The approach forms part of a portfolio of 101 filed United Kingdom patent applications, comprising roughly 2,234 claims, owned by Mickai LTD (Companies House 17166618), named inventor Micky Irons.
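A toy version of the signed, hash-chained, append-only record described above, written here as an added example; it is not Mickai's OAR code, and because the page does not describe the OAR's field layout, the entry fields (seq, prev, at, kind, body) are constructed for illustration. Ed25519 from Go's standard library stands in for ML-DSA-65. VerifyChain takes only the public key and the entries, which is the offline property the text describes: whoever stored the entries has no say in whether they verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one signed, chained record. Field layout constructed for this example.
type Entry struct {
	Seq  uint64 `json:"seq"`
	Prev string `json:"prev"` // hex hash of the previous entry, "" for the first
	At   string `json:"at"`   // RFC 3339 timestamp supplied by the caller
	Kind string `json:"kind"` // e.g. "instruction", "terms_accepted", "cart_confirmed"
	Body string `json:"body"`
	Hash string `json:"hash"` // hex SHA-256 over the five fields above
	Sig  string `json:"sig"`  // hex Ed25519 signature over the raw hash bytes
}

// digest hashes the committed fields in a fixed order as a JSON array, which leaves
// no ambiguity about field boundaries; Hash and Sig are never part of the input.
func digest(e Entry) []byte {
	b, _ := json.Marshal([]any{e.Seq, e.Prev, e.At, e.Kind, e.Body})
	sum := sha256.Sum256(b)
	return sum[:]
}

// Ledger is the agent-side writer. Only it holds the private key.
type Ledger struct {
	priv    ed25519.PrivateKey
	Entries []Entry
}

// NewLedger creates a ledger with a fresh Ed25519 key (stand-in for the post-quantum
// scheme the page names) and returns the public key a verifier needs.
func NewLedger() (*Ledger, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Ledger{priv: priv}, pub
}

// Append seals an action before it is carried out: link to the previous entry, hash,
// sign. The caller performs the action only after Append has returned.
func (l *Ledger) Append(at, kind, body string) Entry {
	e := Entry{Seq: uint64(len(l.Entries)), At: at, Kind: kind, Body: body}
	if n := len(l.Entries); n > 0 {
		e.Prev = l.Entries[n-1].Hash
	}
	h := digest(e)
	e.Hash = hex.EncodeToString(h)
	e.Sig = hex.EncodeToString(ed25519.Sign(l.priv, h))
	l.Entries = append(l.Entries, e)
	return e
}

// VerifyChain is the offline check: it needs the public key and the entries, nothing
// else. It returns the final hash, the value that would be anchored to an external chain.
func VerifyChain(pub ed25519.PublicKey, entries []Entry) (string, error) {
	prev := ""
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return "", fmt.Errorf("entry %d: sequence number %d (gap or reorder)", i, e.Seq)
		}
		if e.Prev != prev {
			return "", fmt.Errorf("entry %d: prev link does not match entry %d", i, i-1)
		}
		h := digest(e)
		if hex.EncodeToString(h) != e.Hash {
			return "", fmt.Errorf("entry %d: contents do not match recorded hash", i)
		}
		sig, err := hex.DecodeString(e.Sig)
		if err != nil || !ed25519.Verify(pub, h, sig) {
			return "", fmt.Errorf("entry %d: signature does not verify", i)
		}
		prev = e.Hash
	}
	return prev, nil
}

func main() {
	l, pub := NewLedger()
	l.Append("2026-02-03T09:14:00Z", "instruction", "source part BRG-7, budget GBP 500, deliver by 2026-03-31")
	l.Append("2026-02-03T09:14:07Z", "terms_accepted", "supplier ToS v4.2, clause 12 indemnity")
	l.Append("2026-02-03T09:14:09Z", "cart_confirmed", "10 x BRG-7 @ GBP 45.00")
	root, err := VerifyChain(pub, l.Entries)
	fmt.Println("root:", root, "err:", err)
	forged := append([]Entry(nil), l.Entries...)
	forged[1].Body = "supplier ToS v4.2, no indemnity"
	_, err = VerifyChain(pub, forged)
	fmt.Println("after rewriting the terms entry:", err)
}
```

Rewriting, deleting or reordering an entry breaks either the recorded hash, the prev link or the sequence number, and re-signing under a different key fails against the principal's public key. One thing the chain alone cannot see is truncation from the tail: a ledger with its last entries dropped still verifies. That is what the external anchor is for: the verifier compares the root it computes with the root that was anchored, and a shortened chain produces a different one.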
The signed OAR entry does not change the law of authority. It changes which side of that law you stand on. With it, an enterprise can show exactly what the agent was authorised to do and demonstrate that an out-of-scope acceptance fell outside the mandate, or, where the act was authorised, prove the terms it consented to and defend them. Without it, the enterprise argues from a log it could have written yesterday, against a counterparty who reasonably relied on the click. That is the whole distinction. When your agent clicks I agree, the question is never whether something happened. It is whether you hold an enforceable record of what was agreed, or a deniable one. The first is an asset. The second is a liability waiting for its invocation.