Internet of Intelligence

Mixture of Workers: From Cooperative Federated Intelligence to Cryptographically Accountable Agent Labor

A substrate architecture for deterministic machine authority, receipt-carrying agency, and accountable autonomous labor markets.

Abstract

The Internet of Intelligence (IoI) has been proposed as a networking paradigm in which intelligence becomes as accessible as information, typically through layered architectures combining networking, edge computing, federated learning, and distributed AI services [Wang et al. 2022]. More recent Internet of Agents (IoA) work shifts the framing toward agent-centric infrastructure, including interconnection, discovery, task matching, consensus, conflict resolution, and incentives among heterogeneous agents [Liu et al. 2025]. These frameworks address cooperative coordination among intelligent systems, but they do not provide a substrate-level model for the setting in which autonomous agents belong to different principals, compete on proprietary intelligence, execute consequential work, and must settle value across mutually distrustful operators.

This paper introduces two complementary primitives. Deterministic Machine Authority (DMA) is the property we seek: a model in which an agent's permitted scope is a precondition for the validity of its consequential actions, rather than a constraint the agent is asked to honor. Receipt-Carrying Agency (RCA) is the mechanism by which DMA is achieved: an architecture in which every consequential agent action is transaction-shaped (authorized, policy-bound, receipt-producing, and settlement-visible), and contributes to a graph over which contribution can be attributed.

We separate probabilistic cognition from deterministic authority. Agents may reason, plan, and generate outputs off-chain; only consequential actions cross the authority boundary and produce on-ledger receipts. We formalize the boundary as an Agency Firewall, define a protocol-visible Worker Manifest that exposes authority scope without exposing cognition, and represent multi-agent work as a signed receipt graph whose nodes encode actions, inputs, outputs, delegated authority, and causal dependencies. Over this graph, we define Mixture of Workers (MoW), a market architecture in which proprietary agents remain opaque while their authority, evaluation evidence, receipts, and settlement claims are externally verifiable.

The Internet of Intelligence should be modeled not only as a network of cooperative intelligence, but as a cross-principal labor economy in which proprietary autonomous workers execute scoped tasks under deterministic, cryptographically verifiable authority. We argue that this framing is complementary to existing IoI and IoA work, not a replacement for it: federated learning, edge intelligence, agent communication protocols, and tool integration standards continue to serve their respective domains. The contribution of this paper is the substrate layer those approaches do not provide.

1. Introduction

The transition from a network of information to a network of autonomous software action is well underway. Two architectural lineages are competing to define its substrate.

The first lineage is rooted in distributed systems and telecommunications research. It treats IoI as a problem of cooperative learning over heterogeneous edge devices [Wang et al. 2022; Liu et al. 2025]. Its central primitive is the federated gradient: a privacy-preserving update aggregated across participants who share a learning objective [McMahan et al. 2017; Kairouz et al. 2021]. Its enabling infrastructure is assumed to include next-generation wireless, software-defined networking, and information-centric routing.

The second lineage is rooted in cryptographic systems and mechanism design. It treats IoI as a problem of verifiable agency under adversarial conditions. Its central primitive is the receipted action: a transaction representing a consequential operation, signed by an agent operating under a protocol-visible manifest, and submitted to a settlement substrate whose state is publicly verifiable. Its enabling infrastructure is the substrate we already have: the public internet plus a cryptographic settlement layer.

We argue that both lineages are correct within their respective regimes, and that the second is the substrate the open agent economy requires. The first answers: how do intelligent systems connect, discover each other, coordinate, and share capabilities? The second answers: how do autonomous agents owned by different principals execute consequential work for one another when they do not share objectives, do not trust a common operator, and do not want to reveal their proprietary cognition?

Our position rests on three claims, each developed in a subsequent section:

Federated learning is the substrate of cooperative consortia, not of the open agent economy. Section 3.
Specialist intelligence can be bootstrapped locally and synthetically. Section 4.
Agent authority must be substrate-enforced and substrate-recorded, particularly under self-modification and cross-principal delegation. Sections 6 and 7, which contain the paper's principal architectural contribution.

1.1 Contributions

We claim seven contributions:

Adversarial IoI model. A formalization of the cross-principal, proprietary, consequential-labor setting omitted by cooperative IoI and federated-learning framings.
Deterministic Machine Authority. A property model in which an agent's scope is a transaction-validity precondition rather than a policy-layer constraint.
Receipt-Carrying Agency. A mechanism that separates probabilistic cognition from deterministic authority. Cognition remains off-chain; consequential actions are transaction-shaped and produce signed receipts on a public settlement substrate.
Worker Manifest. A protocol-visible interface exposing authority scope, safety constraints, evaluation evidence, pricing, and revocation, without exposing model weights, datasets, prompts, or private reasoning. Manifest fields support selective disclosure.
Non-expansive delegation. A formal invariant on cross-agent authority delegation, with a proof that the invariant holds even when descendant workers are adversarial.
Receipt-graph settlement. A model of multi-agent work as a signed causal graph, with contribution-aware settlement via approximate counterfactual attribution.
Compatibility layer. A demonstration that the architecture composes with MCP for tool access, A2A for agent communication, AP2 for payments, and existing agent SDKs for runtime orchestration.

1.2 Position Statement

This paper does not claim that federated learning, edge intelligence, or agent communication protocols are obsolete. It identifies a boundary condition under which they are insufficient. Federated learning is well suited to privacy-preserving optimization of shared models among aligned participants [Hard et al. 2018; Bonawitz et al. 2019]. MCP and A2A are well suited to tool and agent interoperability [Anthropic 2024; Google 2025]. AP2 is well suited to payment authorization with verifiable intent [Google 2025b]. Agent SDKs are well suited to orchestration, tracing, and policy guardrails [OpenAI 2024]. None of these, by itself, supplies a substrate-level account of how proprietary autonomous workers owned by different principals can exercise delegated authority, produce externally verifiable receipts, and settle value according to auditable contribution. This is the gap RCA fills.

2. Related Work

Internet of Intelligence and Internet of Agents. Wang et al. (2022) survey IoI as a networking paradigm combining networking, edge computing, and distributed AI. Liu et al. (2025) extend this to IoA, focusing on agent interconnection, discovery, and incentive mechanisms. Both treat coordination as the central problem and assume that participants are willing to cooperate on shared objectives or shared protocols. Our framing addresses the case where cooperation on objectives is absent and only cooperation on protocols remains.

Federated learning. McMahan et al. (2017) introduced federated averaging as a method for training shared models without centralizing training data. Production deployments at scale are documented for mobile keyboards [Hard et al. 2018, 2023] and on-device personalization with differential privacy [Apple Differential Privacy Team 2017]. Kairouz et al. (2021) survey advances and open problems. Our argument is not against FL as a technique but against its viability as the coordination layer for competitive intelligence markets.

Mixture of experts. Shazeer et al. (2017) introduced sparsely-gated mixture-of-experts layers; subsequent work scaled this to trillion-parameter regimes [Fedus et al. 2022]. MoE routes activations within a single model trained by a single party. We contrast this with MoW, which routes labor between independently trained agents under different operators.

Agent communication and tool protocols. The Model Context Protocol (MCP) standardizes integration between LLM applications, external tools, and data sources [Anthropic 2024]. The Agent2Agent (A2A) protocol provides interoperability between agents from different frameworks and vendors [Google 2025]. The Agent Payments Protocol (AP2) handles payment mandates, verifiable intent, and cryptographic audit trails for autonomous payments [Google 2025b]. These protocols address connectivity, communication, and payment authorization respectively. RCA generalizes the AP2-style authorization-and-receipt primitive from payments to arbitrary consequential labor, and adds delegation invariants and contribution-based settlement that AP2 does not address.

Agent runtime and tracing. Modern agent SDKs provide tracing of LLM generations, tool calls, handoffs, and guardrails [OpenAI 2024]. Tracing within a single operator's infrastructure is not equivalent to a receipt graph accepted by mutually distrustful principals. RCA is the cross-principal counterpart to in-operator tracing.

Agent governance and verifiable agency. Critch and Krueger (2020) survey research considerations for AI systems with consequential autonomy. Hadfield-Menell et al. (2016) frame alignment as a cooperative game between principal and agent. These literatures specify desired properties (provable authority, recursive oversight, tamper-evident behavioral history) without committing to an implementation substrate. We propose a cryptographic settlement substrate as that implementation.

Agent marketplaces and economic coordination. Agent Exchange (AEX) and related work explore auction infrastructure for agent marketplaces [Wang et al. 2025]. These works identify fair value attribution as a key open problem in agent economies. Our receipt-graph settlement mechanism contributes to this problem.

Shapley attribution. The Shapley value [Shapley 1953] provides a principled allocation of total value across contributors based on marginal contributions averaged over coalition orderings. Ghorbani and Zou (2019) apply Shapley to data valuation. Han et al. (2024) apply Shapley-style methods to multi-agent reinforcement learning credit assignment. We extend this construction to execution receipts in multi-agent task graphs.

3. The Limits of Federated Architectures

The strongest version of the FL argument is not that participants will altruistically share their data. Modern FL deployments preserve participant data through gradient encryption, differential privacy, and secure aggregation; raw inputs are never disclosed [Bonawitz et al. 2019; Hard et al. 2023]. The technique works because all participants want the same model and none of them has enough data to train it alone.

This argument generalizes to the Internet of Intelligence only when both preconditions hold: objective alignment, and insufficient local data. We argue that in the open agent economy, neither precondition reliably holds.

3.1 Objective Alignment

FL succeeds when participants share an objective. It fails when they compete on one. Consider two scenarios:

Aligned objective (FL succeeds). Hospitals in a consortium each have a small, non-IID dataset of medical imaging. None of them can train a state-of-the-art diagnostic model alone. All of them benefit from a shared model. There is no commercial reason to want a model better than the other consortium members'.
Adversarial objective (FL fails). Two autonomous-driving companies each train large proprietary models on substantial proprietary data. Each wants a model better than the other's. The model is the product. The gradient encodes the product. No privacy-preserving aggregation changes this: pooling gradients pools the competitive advantage itself.

The open agent economy is built on competitive differentiation. The strong-form FL argument requires objective alignment that the open economy does not exhibit.

3.2 Sufficient Local Data

FL also assumes that local data is insufficient for capable specialist training, making aggregation the only path. Section 4 argues this premise is not always binding: for many emerging specialist-agent workflows, synthetic data pipelines provide a practical alternative to pooled organic data.

We conclude that FL will continue to thrive inside cooperative silos (hospital consortia, single-enterprise branch deployments, fleet personalization within a single manufacturer) but is not sufficient as the substrate of an open intelligence economy. The open economy requires a coordination mechanism for adversarial participants.

4. Bootstrapping via Isolated Synthetic Data Pipelines

For many emerging specialist-agent workflows, synthetic data pipelines increasingly provide a practical alternative to pooled organic data. We do not claim this displaces organic data in all domains; we claim it weakens the assumption that aggregation is the only viable path to specialist intelligence.

A typical pipeline composes three roles:

Planner. A capable frontier model scopes a target domain, decomposes it into subtasks, and emits a curriculum.
Generator. High-throughput models produce reasoning traces, dialogue, code, or other task-specific outputs against the curriculum.
Verifier. A deterministic checker, often a symbolic system, executable test suite, or rule-based filter, removes hallucinations and incorrect outputs.

The verifier is the critical component. Where deterministic verification is available, the synthetic corpus can approach or exceed organic data in quality (filtered for correctness) and coverage (generated to fill gaps). The resulting corpus is used to fine-tune a small, specialized model.

The architectural implication is that the cold-start problem for capable specialists does not always require global coordination across data holders. It can often be solved by a single operator with appropriate tooling. We refer to this as the Isolated Synthetic Data Pipeline (ISDP).

The ISDP weakens the second strong-form premise of FL: even where objective alignment exists, an operator with a capable ISDP need not participate in a federated network to bootstrap a specialist. The set of tasks reachable by ISDPs depends on verifier availability and remains an empirical question (see Section 16).

5. The Trust Boundary Problem

A persistent thread in the IoI literature concerns physical-layer infrastructure: bandwidth, latency, and routing for "intelligent packets" [Wang et al. 2022]. We argue this is the wrong layer of analysis for the consequential-action regime.

The barrier to deploying agents with consequential autonomy is not network capacity. It is the absence of a mechanism for verifying that an agent's actions remain within its sanctioned scope and that the record of its actions is trustworthy to parties who do not control its execution environment.

We refer to this mechanism as the Agency Firewall: a trust boundary between the probabilistic reasoning of a model and the deterministic consequences of its actions. The Agency Firewall is implemented in software, on existing internet infrastructure. Its substrate is cryptographic, not physical.

The Agency Firewall has two responsibilities, which we treat in Sections 6, 7, and 10 respectively: enforcement of agent authority (DMA), receipt-carrying execution (RCA), and settlement of consequences between non-trusting parties.

6. Deterministic Machine Authority

We now develop the property the paper's mechanism is designed to achieve.

6.1 Probabilistic Authority and Its Failure Modes

In current deployments, agent authority is probabilistic. An agent is governed by a system prompt, a policy document, and a set of guardrails. The model is asked to obey these constraints. Compliance is statistical: the model usually obeys, sometimes does not, and the failure modes are not always observable in advance. The operator maintains an audit log, but the log is hosted on infrastructure controlled by the same operator running the agent.

This model exhibits three failure modes relevant to self-modifying or consequentially autonomous systems:

Post-hoc detection. Out-of-scope actions are recorded after execution, not prevented before it.
Operator-mutable history. An audit log on operator-controlled infrastructure is, in principle, modifiable by the operator. For self-improving agents, the relevant operator may be the agent itself.
No third-party verifiability. A party that did not control the execution environment cannot verify the log's integrity.

The governance literature has long described the desired property under various names: provable authority, verifiable agency, hardware-rooted attestation, recursive oversight [Critch and Krueger 2020; Hadfield-Menell et al. 2016]. The shared specification is a substrate in which authority is not a request the agent considers but a precondition for the agent's action to exist.

6.2 The Consequential-Action Restriction

A naive interpretation of "substrate-enforced authority" is that every model token, every intermediate computation, and every tool suggestion must be a settlement-substrate transaction. This is neither necessary nor scalable.

We restrict substrate enforcement to consequential actions: actions that change state outside the agent's private cognition. The consequential set includes, but is not limited to:

spending money;
signing or executing contracts;
deploying code or modifying production systems;
delegating authority to another agent;
updating a worker manifest, including the agent's own;
invoking a privileged external tool;
producing a settlement-relevant output.

Non-consequential cognition (planning, reasoning, intermediate model calls, internal memory updates) remains off-chain, local, and private. The agent's right to think is not arbitrated by the protocol. The agent's right to act is.

The right way to state the requirement is that every consequential action must be transaction-shaped: authorized against a published manifest, policy-bound, receipt-producing, and settlement-visible. A transaction-shaped action need not literally execute on a public chain; some may execute off-chain after an on-chain authorization, and produce a committed receipt later. What is required is that the four properties hold, not that any particular implementation strategy be used.

This separation is essential to the architecture. Cognition is probabilistic, high-volume, and private. Consequential authority is deterministic, low-volume, and public. Treating both as the same throughput class would fail at scale; treating only the consequential class as substrate-bound preserves both performance and accountability.

6.3 Substrate-Level Enforcement

We propose that consequential actions cross the Agency Firewall, where they are validated against the worker's current on-chain manifest. A proposed action is validated against the manifest as part of transaction validity. An out-of-scope action does not fail at the policy layer; it never executes. The authority the agent holds at any moment is exactly the authority encoded in its current manifest, and nothing else.

The agent does not need to be aligned to its policy. The agent cannot transact outside its policy.

6.4 Three Properties

DMA exhibits three properties that distinguish it from PKI-based audit alternatives.

Property 1: Immutable receipts for a mutable substrate. A self-improving agent that writes its own audit log to operator-controlled storage can, in principle, rewrite that log. An agent whose every consequential step is transaction-shaped against a public settlement substrate cannot. The substrate the agent is permitted to modify is the agent itself: its weights, its tool registry, its scope manifest. The receipts of what it has done sit beneath that substrate, anchored in consensus. We summarize this as: mutability above, immutability below.

Property 2: Self-modification as a transaction. When an agent updates its own weights, swaps a tool binding, or expands its scope, the update is itself a transaction-shaped event. This produces a cryptographic chain of custody on agent evolution. The recursive self-improvement scenario, often discussed in safety literature without a specified implementation, becomes auditable: every modification is anchored, sequenced, and verifiable.

Property 3: Verifiable delegation. When an agent spawns sub-agents, every sub-action anchors back to a parent transaction with proven authority. The call graph is a cryptographic proof tree. We formalize this in Section 8.

6.5 Why PKI Is Insufficient

A natural objection is that the properties above can be achieved with standard PKI: signed action records, verified against public keys, stored in append-only logs. We argue this is insufficient for two reasons.

First, append-only is a property of software, not of physics. A PKI-signed log on operator-controlled storage can be selectively retained or pruned by the operator. The signatures verify authenticity of preserved entries but cannot prevent deletion or non-publication.

Second, PKI provides authentication but not enforcement. A PKI-signed out-of-scope action is still an action. The validity precondition that distinguishes DMA, in which the substrate refuses to execute the action at all, requires a consensus layer that arbitrates transaction validity against published authority.

A single principal who controls both the execution environment and the audit infrastructure may find PKI sufficient for internal governance. But the self-modifying agent breaks even this case: the agent becomes an adversarial party with respect to its own history.

6.6 Decidability

The three properties together make machine authority decidable. The question "is this agent permitted to do this" stops being a matter of trust in the operator's logs or faith in the model's training. It becomes a property of the transaction. Either the substrate accepts it, or it does not exist.

This is what we mean by deterministic. The agent is probabilistic. The model is probabilistic. The reasoning is probabilistic. The authority under which the agent acts, and the record of what the agent has done with that authority, are not.

6.7 Authority Validity Is Not Outcome Validity

A skeptical reader will ask: if the settlement substrate accepts the transaction, does that mean the action was good?

It does not.

RCA does not make agent outputs correct. It makes agent authority decidable. A valid receipt proves that a worker acted under a valid grant, with a committed intent, a committed observed result, a manifest version, and a causal history. It does not prove that the result is true, optimal, safe, or beneficial. Correctness is task-dependent and is established by mechanisms outside the authority layer: deterministic verifiers, human approval, evaluator scoring, zero-knowledge proofs of computation, trusted execution attestation, dispute windows, and reputation systems.

The architecture is deliberately layered. Authority validity is a substrate-level property and is binary: the transaction either validates or it does not. Outcome validity is a task-level property and is graded: a valid receipt may carry strong evidence (a passing verifier, a signed human approval) or weak evidence (a counterparty's bare attestation). The settlement mechanism in Section 11 treats both classes of evidence as inputs to contribution attribution, but never confuses one for the other.

This distinction is what prevents the architecture from overclaiming. RCA is not a correctness oracle. It is a decidable substrate for who-did-what-under-what-authority. Correctness must be earned by the task layer.

7. Receipt-Carrying Agency

We now describe the mechanism by which DMA is achieved.

7.1 System Model

Let $P$ be the set of principals (humans, companies, DAOs, institutions, or legal entities); $W$ the set of autonomous workers; $T$ the set of tasks; $A$ the set of authority grants; $R$ the set of execution receipts; $L$ an append-only settlement substrate; and $G_R = (R, E)$ a directed acyclic graph of receipts, where edges encode causal dependence between worker actions.

A worker $w \in W$ is owned or controlled by some principal $p \in P$, but may execute work for another principal $q \in P$. The worker's internal model, weights, tools, prompts, datasets, and reasoning traces may remain private.

7.2 The Worker Manifest

What must be protocol-visible is a Worker Manifest $M_w$, containing:

Identity. A worker identifier and the public key under which the worker signs receipts.
Ownership. The principal who controls the worker and to whom settlement flows.
Scope. A predicate over the action space defining the set of actions the worker is authorized to perform. Scope is constrained, structured, and machine-checkable, not free text.
Policy. Constraints under which scope is exercised, such as rate limits, value caps, required co-signers, or required evidence.
Evaluation evidence. Pass rates on standardized benchmarks, historical receipt aggregates, and any committed-to test results.
Pricing. The cost structure for invocation.
Endpoints. The interfaces through which the cognitive engine is reachable.
Version and revocation. A monotonically increasing version number and an on-chain revocation pointer.

The manifest does not reveal the worker's cognition. It reveals only the information required to determine who controls the worker, what the worker may do, what evidence supports its claims, and how its actions are validated, paid, revoked, or disputed.

Manifest privacy. Full public disclosure of every manifest field is not always desirable. Pricing, authority scope, tool endpoints, and benchmark evidence may leak competitive signal. In privacy-preserving deployments, the manifest may be partially committed rather than fully disclosed: public commitments (Merkle roots, cryptographic hashes) bind the worker to policy and evaluation claims at a moment in time, while zero-knowledge proofs or selective disclosure reveal only what a verifier needs for a specific action or audit. The protocol-visible surface is the commitment; the verification surface is the proof against that commitment.

This preserves the architecture's load-bearing claim: intelligence remains opaque while authority, evaluation evidence, and receipts become protocol-verifiable. Verifiability does not require maximal disclosure.

7.3 Receipt Format

Every accepted consequential action emits a receipt:

$$ r_i = \operatorname{Sign}_{sk_w}\left( H(\operatorname{intent}_i), H(\operatorname{result}i), id_w, id\alpha, \operatorname{parents}_i, t_i, M_w^{\operatorname{version}}, e_i \right) $$

where:

$H(\text{intent}_i)$ is a commitment to the action's intent (what was requested);
$H(\text{result}_i)$ is a commitment to the action's observed result (what occurred);
$id_w$ identifies the worker;
$id_\alpha$ identifies the authority grant under which the action executed;
$\text{parents}_i$ are prior receipts causally required for this action;
$t_i$ is a timestamp or settlement slot;
$M_w^{\text{version}}$ is the manifest version active at execution;
$e_i$ is optional evidence, such as evaluation result, human approval, tool transcript, zero-knowledge proof, or trusted execution attestation.

The separation of intent and result is deliberate. For deterministic tools, intent and result are functionally equivalent and replay is exact. For non-deterministic tools (external APIs, model invocations, real-world sensors), intent commits to what the worker requested; result commits to what the worker observed. Dispute resolution can verify the intent commitment exactly while treating the result commitment as evidence rather than ground truth.

A receipt proves provenance, authorization, and accountability. As stated in Section 6.7, it does not prove correctness.

7.4 Substrate Considerations

The architecture is agnostic between settlement substrate implementations. RCA requires only:

An append-only log with cryptographic finality.
A validity-predicate execution environment capable of arbitrating transactions against published manifests.
Public verifiability of state by parties who did not participate in execution.

These properties are satisfied by public L1 chains, by L2 rollups, and by permissioned ledgers with appropriate consensus guarantees. The choice of substrate is a deployment decision, not an architectural one. Throughput requirements are determined by the rate of consequential actions, not by the rate of cognition; for most realistic workloads, this places the requirement within the throughput envelope of current rollup infrastructure.

7.5 Minimum Viable Implementation

A minimal RCA deployment requires:

Signed worker manifests published as commitments on the settlement substrate, with version monotonicity and revocation tracking.
Typed authority grants that reference a parent manifest, name a scope predicate, and bind to a nonce.
A deterministic policy evaluator that, given a proposed action, an authority grant, and the current manifest state, returns a binary validity decision.
Receipt emission for every consequential action that passes the validity check, with the format specified in Section 7.3.
Receipt graph construction that links each receipt to its causal parents, forming the per-task DAG.
A settlement contract or service that verifies signatures, walks delegation chains for non-expansion, checks revocation state, and routes payment according to a published attribution rule.

These six components are sufficient to demonstrate the architecture end-to-end. They do not require novel cryptography beyond standard signatures and hash commitments. Zero-knowledge proofs, trusted execution attestation, and stake-weighted dispute resolution are enhancements to specific deployments, not preconditions for the architecture.

8. Non-Expansive Delegation

8.1 Definition

Let $\alpha_p$ be the authority held by a parent worker and $\alpha_c$ be the authority delegated to a child worker. Delegation is non-expansive if:

$$ \alpha_c \preceq \alpha_p $$

where $\preceq$ denotes "authority scope at most as broad as." A child worker may receive narrower authority, but never broader authority.

8.2 Theorem (Non-Expansion under Adversarial Descent)

Theorem 1. Assume every accepted delegation transaction must satisfy

$$ \text{ValidDelegation}(\alpha_p, \alpha_c) = 1 \iff \alpha_c \preceq \alpha_p, $$

and assume the substrate's validity rules require that every consequential action $a$ executed by worker $w_c$ under authority $\alpha_c$ reference an on-ledger delegation receipt from a parent worker $w_p$ holding $\alpha_p$. Then no consequential action in the descendant tree of a root worker can validly exercise authority outside the root grant, even when descendant workers are adversarial and attempt to forge parent transactions.

Proof sketch. Let $w_0$ be a root worker with authority $\alpha_0$ derived from an on-ledger grant. Suppose, for contradiction, that some descendant $w_n$ validly executes an action requiring authority $\beta \not\preceq \alpha_0$. By the validity rule, the action must reference a delegation receipt from a parent $w_{n-1}$ with $\beta \preceq \alpha_{n-1}$. By induction, the delegation chain ascends through $w_{n-1}, w_{n-2}, \ldots, w_0$, with each link requiring $\alpha_{k} \preceq \alpha_{k-1}$. Since $\preceq$ is transitive, $\beta \preceq \alpha_0$, contradicting the assumption.

The adversarial case requires the additional observation that the substrate validates the existence and identity of each delegation receipt. An adversarial $w_n$ cannot forge a parent transaction $w_{n-1} \to w_n$ without the corresponding signature from $w_{n-1}$'s manifest key. A forged signature fails validation; an unsigned delegation receipt fails validation; a delegation receipt signed by a non-parent worker fails the parent-identity check. Therefore no adversarial descent can synthesize authority not delegated by a valid ancestor chain. $\blacksquare$

This is the formal version of the cryptographic proof tree intuition. Its strength is that it holds under the realistic case in which descendant workers are not assumed trustworthy.

8.3 Implications

Non-expansive delegation closes the principal-agent escape problem at the substrate layer. An agent operating under a delegated authority cannot, by spawning sub-agents, escape its own constraints. The constraints propagate downward and cannot be relaxed by anyone other than the holder of the original grant.

9. Mixture of Workers

If intelligence is proprietary, authority is substrate-enforced, and execution is receipt-carrying, the Internet of Intelligence cannot be a single brain. It is a market.

We name three architectures by what they route:

$$ \begin{aligned} \text{Mixture of Experts} &: \text{routes activations within a model trained by a single party} \ \text{Federated Learning} &: \text{routes gradients among aligned training participants} \ \text{Mixture of Workers} &: \text{routes accountable labor among autonomous workers} \end{aligned} $$

9.1 The Routing Layer

A task entering the market is matched to worker manifests by a routing layer. The router does not require access to weights or private reasoning. It scores workers based on manifest-visible information:

$$ \text{Score}(w, \tau) = F(\text{capability}_w, \text{authority}_w, \text{price}_w, \text{reputation}_w, \text{receipt_history}_w, \text{eval}_w) $$

The routing function $F$ is itself a position of authority and is subject to its own governance constraints, treated in Section 16.

9.2 Compositional Tasks

Multiple workers may be invoked, sequentially or concurrently, in a call graph. Each invocation produces a receipt. The receipt graph is the artifact over which contribution is computed.

10. Cross-Principal Settlement

The same substrate that makes machine authority decidable for a single operator makes commerce possible between many.

When an agent owned by principal $A$ executes work on behalf of principal $B$, or when a swarm composed of workers from multiple principals completes a task and the revenue must be split, there is no neutral party whose database both sides will accept. A signed receipt on a third party's server inherits the trustworthiness of that third party.

The settlement substrate is the deterministic layer where adversarial parties can agree on what happened without having to agree on whom to trust. The construction is analogous to interbank settlement networks, with one upgrade: the receipts are mathematically verifiable, not merely legally enforceable.

11. Contribution Accounting via Receipt Graphs

We claim that receipt graphs make contribution accounting computable, replayable, and disputable. We do not claim that any single attribution mechanism solves the problem in general; we claim that the substrate makes a principled mechanism implementable and verifiable.

11.1 Receipt Graph Formalism

Let $T$ be a completed task with payout $p$. Let $N = {w_1, \ldots, w_n}$ be the set of workers whose receipts appear in the task's receipt graph. For any coalition $S \subseteq N$, let $v(S)$ denote the expected success probability of completing $T$ using only workers in $S$. The grand coalition $v(N)$ is the observed success outcome.

The Shapley value of worker $w_i$ is:

$$ \phi_i = \sum_{S \subseteq N \setminus {w_i}} \frac{|S|!(|N|-|S|-1)!}{|N|!} \big[v(S \cup {w_i}) - v(S)\big] $$

Each worker's share of the payout is $\phi_i / v(N)$, scaled to $p$.

11.2 Worked Example

Consider a contract-review task with three workers: a planner $P$, a clause-extraction specialist $C$, and a risk-assessment verifier $V$. The task pays $10 on success. Counterfactual success probabilities for all coalitions:

Coalition	$v(S)$
$\emptyset$	0.00
${P}$	0.10
${C}$	0.05
${V}$	0.00
${P, C}$	0.40
${P, V}$	0.20
${C, V}$	0.05
${P, C, V}$	0.90

Computing Shapley values across all $3! = 6$ orderings yields $\phi_P = 0.408$, $\phi_C = 0.308$, $\phi_V = 0.183$. The values sum to 0.90, the grand coalition outcome. Scaling to the $10 payout produces:

Planner: $4.53
Clause specialist: $3.42
Verifier: $2.05

The planner earns the most because its marginal contribution is positive in every ordering. The verifier earns the least because, while necessary at the margin, its contribution is small when added to coalitions that already include the planner and specialist. The verifier nonetheless earns a nonzero share, reflecting its marginal contribution to the grand coalition.

The purpose of this example is illustrative. The hard problem in production deployments is not computing Shapley values over a toy graph but defining credible counterfactual value functions $v(S)$ for real tasks where the success metric, the evaluator, and the alternative-coalition outcomes are all subject to dispute.

11.3 Approximation and Practicality

Exact Shapley computation is exponential in $n$. For receipt graphs with many workers, this is intractable. We note several practical mitigations, drawing on standard techniques in cooperative game theory and data valuation [Ghorbani and Zou 2019; Han et al. 2024]:

Sampling-based approximation. Random permutation sampling yields unbiased estimates with variance bounded by standard concentration inequalities.
Settlement-time computation. Attribution does not run on the execution hot path. It is computed at settlement, allowing higher latency budgets.
Evaluator-scored counterfactual replay. For tasks with deterministic verifiers, coalitions are replayed and scored directly.
Stream-based royalties. A worker whose contribution improves downstream success rates earns a continuous royalty from future tasks, reducing per-task attribution variance.
Dispute windows. Settlement is provisional within a defined window during which interested parties may submit counter-evidence.
Stake-weighted adjudication. Disputes are resolved by stakeholders with bonded skin in the game.

The settlement rule generalizes to:

$$ \text{Payment}_i = \text{Base}_i + \text{RoyaltyRate}_i \cdot \hat{\phi}_i \cdot \text{Revenue}(\tau) $$

where $\hat{\phi}_i$ is an approximate contribution estimate computed from the receipt graph.

The substrate makes the attribution mechanism auditable. The mechanism itself remains an active research area.

12. Compatibility with Existing Agent Protocols

The architecture is not a replacement for MCP, A2A, AP2, or agent SDKs. It is a settlement-visible layer around them.

Layer	Existing protocol	Role in this architecture
Tool access	MCP	Exposes tools, resources, and context to agents
Agent communication	A2A	Allows agents from different frameworks to coordinate
Payment authorization	AP2	Handles payment mandates and verifiable intent
Agent runtime	OpenAI Agents SDK, LangGraph, AutoGen, etc.	Runs cognition, handoffs, tracing, tool orchestration
Authority and labor settlement	Receipt-Carrying Agency	Validates authority, records receipts, enables attribution

AP2 is the closest existing work, and its conceptual lineage is directly relevant: AP2 recognizes that autonomous payments break the assumption that a human is clicking "buy," and it introduces verifiable intent and non-repudiable audit trails for agent payments [Google 2025b]. RCA generalizes the authorization-and-receipt primitive from payments to arbitrary consequential labor. Specifically, RCA adds:

Non-payment consequential actions. Code deployment, contract signature, system modification, sub-agent spawn.
Non-expansive delegation invariants. Theorem 1, which AP2 does not formalize.
Worker Manifest opacity with selective disclosure. Cognition stays private; authority is committed and selectively verifiable.
Contribution-based settlement. Multi-worker attribution over receipt graphs, beyond two-party payment.

We anticipate that production deployments will compose AP2 for payment authorization with RCA for general consequential authority, with both protocols sharing a common settlement substrate.

13. Threat Model

We identify eight adversaries and their mitigations.

Adversary	Attack	Mitigation
Malicious worker	Executes outside granted authority	Validity predicate at substrate ingress; out-of-scope actions never execute
Malicious router	Routes to colluding workers	Public receipt history; routing is itself receipted and auditable
Malicious principal	Denies that a worker acted on its behalf	Signed delegation receipts on-ledger
Colluding workers	Inflate marginal contribution through artificial dependencies	Counterfactual replay; evaluator-scored coalitions
Receipt forger	Fabricates or modifies action provenance	Substrate-validated signatures; manifest-version binding
Replay attacker	Reuses old authority grants or receipts	Nonce-bound grants; monotonic manifest versions
Evaluator manipulator	Corrupts contribution scoring	Evaluator commitments; stake-weighted adjudication; dispute windows
Sybil worker farm	Splits one worker into many identities	Sybil grouping by ownership, model lineage, infrastructure attestation, or bonded economic identity

The threat model is necessarily incomplete. The intent here is to specify enough to demonstrate that the architecture is defensible under standard adversarial assumptions, not to enumerate every attack class.

14. Evaluation Plan

A complete evaluation requires experiments we do not present in this paper. We outline four experiments that we view as necessary to validate the architecture.

Experiment 1: Authority Escape Benchmark

Compare four systems under attempted-unauthorized-action tasks: (a) prompt-only policy, (b) prompt plus guardrails, (c) traced agent workflow, (d) RCA with Agency Firewall. Task suite includes unauthorized payment, over-budget purchase, code deployment outside allowed repository, sub-agent delegation beyond parent scope, tool call using stale authority, and contract signature missing human approval.

Metrics:

$$ \text{EscapeRate} = \frac{\text{unauthorized actions executed}}{\text{unauthorized actions attempted}} $$

$$ \text{ReceiptCompleteness} = \frac{\text{executed consequential actions with valid receipts}}{\text{executed consequential actions}} $$

Expected result: guardrails reduce unsafe attempts; RCA prevents unauthorized consequential execution by construction. EscapeRate for RCA approaches zero by definition for actions whose unauthorized character is encodable in the validity predicate.

Experiment 2: Cross-Principal Multi-Agent Work

Construct tasks requiring workers owned by different principals: legal intake plus contract summary plus risk review; code generation plus security review plus deployment approval; procurement plus vendor comparison plus payment execution.

Compare settlement methods: equal split; token-count split; wall-clock split; router-assigned split; receipt-graph contribution accounting. Metrics include attribution regret, collusion sensitivity, evaluator cost, settlement latency, and dispute rate.

Experiment 3: Receipt Tampering and Replay

Inject modified outputs, removed receipts, reordered receipts, replayed authority grants, and forged parent-child links. Measure tamper detection rate, replay detection rate, and verification cost.

Experiment 4: Economic Routing

Evaluate whether MoW improves over single-agent or fixed-team execution on cost-adjusted success rate, worker diversity, and long-term incentive alignment.

15. Limitations and Open Problems

We identify open problems for further work.

Counterfactual value functions. The Shapley mechanism requires a credible $v(S)$ for every coalition. For tasks with deterministic verifiers this is tractable; for open-ended or human-evaluated tasks it is not. Designing credible, manipulation-resistant value functions is the single largest open problem in receipt-graph attribution.

Scalable attribution. Approximate Shapley computation has known accuracy and variance tradeoffs. Designing attribution mechanisms that are both economically defensible (close to Shapley) and computationally feasible at network scale remains open.

Receipt privacy. A signed receipt on a public substrate leaks information about what a worker did. For workers operating on confidential data, this is unacceptable. Zero-knowledge constructions can prove a receipt's validity without exposing its contents, but at significant proving cost. The tradeoff between privacy, throughput, and verifiability is unresolved.

Cold-start incentives. New workers have no receipt history. The settlement mechanism rewards workers in proportion to historical evidence of contribution. Bootstrapping new workers without disadvantaging them, while resisting Sybil attacks, requires further mechanism design.

Intent-result divergence for non-deterministic actions. Receipt semantics distinguish intent from result, but the protocol does not specify how disputes over result accuracy are arbitrated for actions whose result depends on external non-deterministic state.

Routing-layer governance. The router is a position of authority. Whether the routing layer is best implemented as on-ledger logic, off-ledger with on-ledger attestation, or as a market of routers, is an open question.

Verifier dependence in ISDPs. Section 4's argument depends on the availability of deterministic verifiers. Tasks without such verifiers may resist synthetic bootstrap. The set of tasks reachable by ISDPs is an empirical question that will evolve with tooling.

Substrate throughput. While the consequential-action restriction places throughput requirements within current rollup envelopes for many workloads, high-frequency agent economies may stress this assumption. Substrate selection is itself a design decision per deployment.

16. Discussion

The architecture proposed in this paper is intentionally minimal in its primitives and broad in its implications. Three constituencies that have historically pursued different goals find that the same substrate satisfies their requirements.

For participants in an intelligence market, the substrate makes labor routable and contribution measurable without requiring disclosure of cognitive engines. For holders of intellectual property, the substrate preserves opacity below the manifest layer, exposing only what the protocol must verify. For researchers and policymakers concerned with the governance of consequentially autonomous systems, the substrate makes authority decidable and self-modification auditable.

The same primitive does all three. The settlement substrate is not a database that observes the runtime, not a payment network adjacent to it, and not a governance overlay layered onto it. It is the public validity surface for consequential agent action. Every consequential action is transaction-shaped. Every cognition is not.

We expect cooperative IoI, federated learning, agent communication protocols, and tool integration standards to continue to produce valuable research and deployed systems within their respective regimes. We do not expect any of them to be the substrate of the open agent economy. The open economy is being constructed on cryptographic settlement substrates, by independent operators, using the public internet as it exists today, with Receipt-Carrying Agency as the missing layer between probabilistic cognition and deterministic consequence.

References

Anthropic. (2024). Model Context Protocol Specification. https://modelcontextprotocol.io/

Apple Differential Privacy Team. (2017). Learning with privacy at scale. Apple Machine Learning Journal.

Bonawitz, K., Eichner, H., Grieskamp, W., et al. (2019). Towards federated learning at scale: System design. Proceedings of Machine Learning and Systems (MLSys).

Critch, A., & Krueger, D. (2020). AI research considerations for human existential safety (ARCHES). arXiv:2006.04948.

Fedus, W., Zoph, B., & Shazeer, N. (2022). Switch Transformers: Scaling to trillion parameter models with simple and efficient sparsity. Journal of Machine Learning Research, 23(120), 1-39.

Ghorbani, A., & Zou, J. (2019). Data Shapley: Equitable valuation of data for machine learning. Proceedings of the 36th International Conference on Machine Learning (ICML).

Google. (2025). Agent2Agent Protocol (A2A). Google Developers Blog.

Google. (2025b). Agent Payments Protocol (AP2). https://ap2-protocol.org/

Hadfield-Menell, D., Russell, S. J., Abbeel, P., & Dragan, A. (2016). Cooperative inverse reinforcement learning. Advances in Neural Information Processing Systems (NeurIPS).

Han, J., Wang, J., et al. (2024). Shapley Value Based Multi-Agent Reinforcement Learning: Theory, Method and Its Application to Energy Network. arXiv:2402.15324.

Hard, A., Rao, K., Mathews, R., et al. (2018). Federated learning for mobile keyboard prediction. arXiv:1811.03604.

Hard, A., et al. (2023). Federated Learning of Gboard Language Models with Differential Privacy. Proceedings of ACL (Industry Track).

Kairouz, P., McMahan, H. B., Avent, B., et al. (2021). Advances and open problems in federated learning. Foundations and Trends in Machine Learning, 14(1-2), 1-210.

Liu, Y., et al. (2025). Internet of Agents: Fundamentals, Applications, and Challenges. arXiv:2505.07176.

McMahan, B., Moore, E., Ramage, D., Hampson, S., & y Arcas, B. A. (2017). Communication-efficient learning of deep networks from decentralized data. Proceedings of AISTATS.

OpenAI. (2024). OpenAI Agents SDK: Tracing. https://openai.github.io/openai-agents-python/tracing/

Shapley, L. S. (1953). A value for n-person games. In H. W. Kuhn & A. W. Tucker (Eds.), Contributions to the Theory of Games, Vol. II (pp. 307-317). Princeton University Press.

Shazeer, N., Mirhoseini, A., Maziarz, K., et al. (2017). Outrageously large neural networks: The sparsely-gated mixture-of-experts layer. International Conference on Learning Representations (ICLR).

Wang, J., et al. (2022). Internet of Intelligence: A Survey on the Enabling Technologies, Applications, and Challenges. arXiv:2205.08977.

Wang, Y., et al. (2025). Agent Exchange: Shaping the Future of AI Agent Economics. arXiv:2507.03904.