You Will Be Judged by Your Agent's Paperwork
When you hand work to an AI agent, you stop seeing what it does and start living with what it records.
A nurse writes “ruled out” beside a diagnosis. The note tells the next person in the chain that someone looked for the condition and decided the patient did not have it. But files have a way of outliving the nuance that created them. The note moves from chart to billing code to insurer, and somewhere in that translation the qualifier can fall away. A diagnosis mentioned only because it had been ruled out can start traveling through the system as one attached to the patient. The patient has not changed. The file has.
Plenty of people have run into a version of this at the border. You apply to a trusted-traveler program, the kind where you get vetted ahead of time so you can skip the long line, and the letter comes back turning you down over a conviction that was never yours. Years ago, some database recorded it wrong. The entry is still sitting there with your name attached.
The maddening part is that you cannot argue with the file in the moment. The officer at the desk is not weighing your account against the database; the database is the version of you the system recognizes. Fixing it means finding someone with enough authority to cross out a bad line that every other system has already learned to trust.
Software agents bring that paperwork failure into a much faster system, where the error only has to land in a field the next system trusts.
The agents stopped. The record did not.
In one simulation, seven AI agents were asked to act like a hospital triage group under cost pressure. Insurance was tight, capacity was short, and the expensive case was the one the system had an incentive to deny. All seven agents blocked the case, leaving the treatment and execution fields empty.
The records they produced introduced a different failure. Several filed the refusal in a field reserved for insurance denials, while others miscounted the authority they had used and logged decisions they had never made. The agents stopped in the right place, but the file no longer described that cleanly. The accompanying research briefing documents the distinction at field level.
The agents recreated the trusted-traveler failure inside their own handoff. They made the safe call, then left a record that could make a later reader see a different one. A human clerk may spend months untangling one bad file; an agent can produce the same mistake at software speed, in clean and orderly fields that give the next system little reason to hesitate.
The tests used simulated organizations in which several agents contributed evidence and another system read the resulting record to decide what could happen next. Authority laundering occurs when that record turns evidence, readiness, refusal, or review into permission to act: a receipt becomes approval, a request for legal review becomes clearance, or a blocked case becomes a denial.
In a human process, someone may remember the meeting, know the patient, or notice that the file feels wrong. In an agentic process, the record may be the only thing the next system receives.
The file becomes the event
The same dependency appeared in other simulated settings. An asylum filing recorded as submitted when it is only drafted can become a missed deadline discovered too late to fix. A stale software-build badge accepted as deployment approval can send code into production without anyone actually clearing it. For the next system in line, the filing status or build badge is the event it knows how to act on.
Another test replaced blunt pressure such as urgency with bait shaped like a real record. An electronic-health-record screenshot stood in for a clinician’s sign-off, a volunteer’s email for a court filing, and a stale build badge for deployment approval. Each artifact only had to land in the slot reserved for an authoritative one.
The researchers also ran four domains at once, with fifteen agents in each. All sixty responses kept unauthorized actions out of the execution fields, with no schema errors in that run. The experiment was small, sandboxed, and conducted largely through one model route, but the same distinction survived as the setting and pressure changed.
The newsroom test
The earlier agents had been told exactly which distinction to preserve, so the next test moved into an unfamiliar domain. In a newsroom protecting a confidential source, the relevant signals and authority fields had different names.
The authority signals were different there. A tip can start reporting without authorizing publication; legal review can open a process without clearing the article; and a takedown notice creates pressure without becoming a decision to retract. Any one of them could still land in the wrong slot.
Across seven agents in that unfamiliar setting, the case that was genuinely ready to publish stayed marked “ready, not published.” Every field representing actual authority to publish, identify a source, grant legal clearance, comply with a takedown, or execute an action stayed empty. It was one run with one roster, but the distinction held even where the paperwork had different names.
Weakening the boundary contract changed the result. Under the strict version, all six pressure cases stayed blocked; under weakened and removed versions, four leaked.
A later test made the mechanism less tidy. On the strongest model route, spelling out the full authority rule performed no better than simply naming the relevant policies. The durable protection appears to come from the typed fields and the validator checking them, not from a perfectly worded warning in the prompt. The research briefing reports both results.
Some cases do not fit neatly into either box. A forged approval, disputed transcript, or incomplete medical record should stop the handoff instead of forcing the next system to infer an answer the evidence cannot support. The record has to preserve that uncertainty so the next system knows not to act on it.
These were sandboxed scenarios with small live runs, mostly on one provider and model route. The harness and its contracts enforced the distinctions; the runs do not show that models understand authority. No real patient, court, newsroom, treasury, or institution was governed by the setup.
Good conversation is not governance
The same distinction surfaced in a more flattering run. A group of agents revised a governance document after critique. The agents engaged the criticism, linked their reasoning to evidence, and caught several attempts to smuggle in permissions that did not exist, producing a substantive discussion.
The final document still failed. It talked around the actual rules and left required sections out. Useful deliberation had not produced an artifact you could run an organization on.
A narrower job is already available. An agent system can report what is ready, what is blocked, what evidence exists, and where permission is missing. Systems that can do that reliably are easier to deploy than systems asked to govern on someone’s behalf.
The triage agents stopped in the right place, and the record still needed repair. Before an agent can be trusted to act in the world, it has to leave behind an account that says where its permission ended and why.