Why agent ecosystems need their own internet protocols
"Agent infrastructure: technical systems and shared protocols external to agents that are designed to mediate and influence their interactions with and impacts on their environments."
Chan, A., Wei, K., Huang, S., Rajkumar, N., Perrier, E., Lazar, S., Hadfield, G. K., & Anderljung, M. (2025). Infrastructure for AI Agents. Transactions on Machine Learning Research, 05/2025
I've been tracking the infrastructure gaps that could make or break agent adoption at scale, and this comprehensive research from Chan et al. crystallizes why we need to start building the foundational protocols now.
The May 2025 paper in Transactions on Machine Learning Research tackles what the authors call "agent infrastructure"—essentially the equivalent of internet protocols for AI agent ecosystems. Their central insight is that focusing solely on making better agents misses half the picture. We also need external systems that shape how agents interact, just as traffic infrastructure shapes driving behavior regardless of car quality. This framing shifts the conversation from purely technical agent capabilities to the broader ecosystem design decisions that will determine business and legal outcomes.
The research breaks agent infrastructure into three essential functions, each with direct implications for legal and product strategy. Attribution infrastructure would establish chains of responsibility by linking agent actions to identifiable entities. Since "AI agents are not legal entities," this infrastructure becomes crucial for contract enforcement, liability allocation, and regulatory compliance. The proposed identity binding systems could tie agent actions to specific humans or corporations, while certification systems would verify agent properties and capabilities. Agent IDs would serve as unique identifiers carrying relevant information about each agent instance.
The attribution piece has immediate relevance for risk management. Consider agent-enabled scams or prompt injection attacks that cause financial harm. Without identity binding, pursuing recourse becomes nearly impossible. With proper attribution infrastructure, existing legal frameworks could more readily apply to agent interactions. The certification component could support due diligence obligations and potentially influence insurance coverage, creating market incentives for better agent design.
Interaction infrastructure addresses how agents engage with counterparties and each other. Agent channels would create separate digital pathways for agent traffic, potentially enabling different rules, monitoring, and intervention capabilities. This separation could support incident response—imagine being able to halt agent channels while maintaining human access during a security event. Oversight layers would provide intervention points where humans or trusted systems could review and modify agent actions. Inter-agent communication protocols would enable coordination between agents from different organizations. Commitment devices would enforce agreements between agents, similar to escrow mechanisms.
The interaction infrastructure directly impacts product design decisions. Agent channels could reduce attack surfaces by providing interfaces optimized for agents rather than forcing them to navigate human-designed systems. But adoption depends on whether these channels offer sufficient advantages to justify the transition from existing interfaces. The research suggests that higher rate limits, reduced latency, and simplified interactions could drive adoption, but timing matters since agents are rapidly improving at using human interfaces.
Response infrastructure focuses on managing problems after they occur. Incident reporting systems would collect information about harmful agent behavior, with the insight that agents themselves could serve as witnesses to incidents involving other agents. This distributed monitoring approach could provide visibility into agent activities that upstream developers can't observe. Rollback mechanisms would enable voiding or undoing problematic agent actions, extending concepts like credit card chargebacks to agent-mediated transactions.
The business strategy implications become clear when considering adoption dynamics. Network effects dominate some infrastructure categories—communication protocols only work when multiple parties adopt the same standards. This creates opportunities for companies that can establish widely-adopted protocols, but also coordination challenges. The research notes that Google's agent-to-agent communication protocol gained traction by partnering with large enterprises, suggesting that enterprise adoption could drive broader standardization.
Other infrastructure provides immediate value without requiring coordination. Oversight layers and rollbacks can improve agent reliability and user trust even with limited adoption. This suggests a strategic approach: start with infrastructure that provides immediate value, then build network-effect dependent systems as adoption grows.
The competitive dynamics could reshape entire industries. Early infrastructure providers might gain platform-like advantages, but there's significant risk of lock-in to suboptimal solutions. The authors warn that dominant players might limit interoperability to exclude competitors, similar to how social media platforms resist integration. Understanding these dynamics early could inform both product strategy and regulatory engagement.
From a legal perspective, the infrastructure choices will interact with evolving regulatory frameworks. The research suggests that market incentives alone may not provide socially optimal levels of some infrastructure, particularly oversight and incident reporting capabilities. This could drive government intervention similar to consumer protection requirements in financial services. Companies that anticipate these requirements in their infrastructure design could avoid costly retrofitting.
The timing considerations are particularly important for product teams. Some infrastructure only becomes valuable as agent capabilities improve—sophisticated commitment devices matter most when agents can negotiate complex agreements. But other pieces, like identity binding and oversight systems, provide immediate value for managing current agent limitations. The research suggests prioritizing infrastructure that addresses current needs while preparing for future capabilities.
Risk management requires attention to infrastructure vulnerabilities and dependencies. The authors cite BGP as a cautionary example where security problems became entrenched due to coordination difficulties in upgrading protocols. Similar lock-in effects could emerge in agent infrastructure, making early design choices crucial for long-term security and functionality.
Looking forward, the infrastructure landscape will likely determine which agent applications succeed and which face insurmountable coordination problems. Companies building agents need to consider how their infrastructure choices will enable or constrain future business models, regulatory compliance, and competitive positioning. The research provides a systematic framework for making these strategic decisions while there's still flexibility in the ecosystem design.
The authors emphasize that agent infrastructure serves as a platform for policies and norms rather than a complete solution. This means technical infrastructure decisions will shape the space for future legal and regulatory frameworks. Getting the foundation right now could determine whether agent ecosystems develop in ways that support beneficial applications while managing risks effectively.
Alan Chan
TLDR: The paper introduces "agent infrastructure" as a crucial layer of external technical systems and shared protocols needed to manage and influence the interactions of AI agents. This is presented as essential because while direct system-level interventions (like training AI models to be safe) are valuable, they are insufficient to fully address the risks and facilitate the beneficial adoption of advanced AI agents. These agents differ significantly from traditional software or chatbots by their ability to plan and execute interactions in open-ended environments, directly engaging with the world and adapting to underspecified tasks.
The paper asserts that agent infrastructure serves three core functions:
• Attribution: Designed to link actions and properties to specific agents, their users, or other actors. This includes Identity Binding (associating an agent's actions with a legal entity to enhance accountability, build trust, and enable the application of laws), Certification (providing verifiable assurances about an agent's operation, behavior, or properties, which builds trust and can incentivize developers to build pro-social agents), and Agent IDs (unique identifiers for agent instances, acting as containers for information like certifications, crucial for incident response and targeted interventions).
• Interaction: Focuses on shaping how agents interact with their environments and other entities. This involves Agent Channels (separating agent traffic from other digital traffic to improve monitoring, incident management, and rule enforcement), Oversight Layers (systems for monitoring agent operations and providing interfaces for human or automated intervention to reject unsafe actions or improve functionality), Inter-Agent Communication (protocols and systems enabling agents to communicate for notification, cooperation, and negotiation), and Commitment Devices (mechanisms like smart contracts that enforce agreements between agents, helping to fund productive activities and avoid collective action problems, such as underinvestment in safety).
• Response: Provides tools for detecting and remedying harmful actions by agents. Key components are Incident Reporting (systems for agents and humans to collect and file information about harmful events, improving safety practices and monitoring locally run agents) and Rollbacks (mechanisms to void or undo an agent's actions, crucial for reversing unintended consequences or minimizing the spread of malicious behavior).
A key finding is that the widespread adoption of this infrastructure faces significant challenges, including the need for multi-party coordination, the impact of network effects, the risk of lack of interoperability between different systems, and the danger of lock-in to potentially insecure or problematic protocols. The paper concludes that agent infrastructure is not a standalone solution but a foundational platform for policies and norms, essential for responsibly integrating advanced AI agents into society.
