AG-780
Decentralised and Blockchain-Native Agent Governance
EU AI Act
NIST AI RMF
ISO 42001
Decentralised and Blockchain-Native Agent Governance addresses the unique governance challenges that arise when AI agents operate within blockchain ecosystems, decentralised finance (DeFi) protocols, decentralised autonomous organisations (DAOs), and other Web3 environments. These environments introduce governance complexities not present in traditional centralised systems: immutability of on-chain actions (transactions cannot be reversed once confirmed), pseudonymous or anonymous counterparties, composability of smart contracts creating unpredictable interaction chains, and the absence of centralised intermediaries that traditionally serve as governance enforcement points.
AG-780 establishes controls for agents interacting with blockchain networks across three operational modes: (1) agents executing on-chain transactions (token transfers, smart contract interactions, DEX trades), (2) agents participating in DAO governance (voting, proposal creation, treasury management), and (3) agents managing digital asset custody (wallet management, key storage, multi-signature coordination). Each mode carries distinct risk profiles and requires specific governance instrumentation.
The financial stakes in blockchain environments are acute and immediate. A single erroneous smart contract interaction can result in irreversible loss of funds. In 2024-2025, DeFi exploits and agent-related errors resulted in cumulative losses exceeding USD 2.8 billion. AG-780 therefore mandates pre-execution simulation for all on-chain transactions, where the agent simulates the transaction against a fork of the current blockchain state to verify expected outcomes before committing the actual transaction. This "dry run" approach catches smart contract vulnerabilities, unexpected slippage, and interaction failures before funds are at risk.
The dimension also addresses the regulatory landscape. The EU Markets in Crypto-Assets Regulation (MiCA) imposes obligations on crypto-asset service providers, including those using AI agents. FATF virtual asset guidance requires travel rule compliance for cross-border crypto transfers. And the IOSCO DeFi policy recommendations establish expectations for market integrity in decentralised markets. AG-780 maps these regulatory requirements to specific agent governance controls, ensuring that blockchain-native agents operate within the evolving regulatory perimeter.
AG-780 additionally addresses the smart contract governance challenge. Agents interacting with smart contracts are effectively delegating decision execution to immutable code. Unlike traditional API calls that can be reversed or retried, a smart contract interaction that moves funds to the wrong address or triggers an unintended state change may be permanently irreversible. The dimension therefore mandates a defence-in-depth approach: pre-execution simulation, smart contract audit verification, interaction allowlisting, and value-based approval gates that scale human oversight with transaction magnitude.
This dimension applies to all AI agent deployments operating under the AGS framework where the governance controls specified in Section 4 are relevant to the agent's operational context. Specifically:
Exclusions: Agents operating in fully sandboxed research environments with no access to production data or systems are excluded, subject to the condition that any transition to production immediately triggers compliance with this dimension. Single-purpose read-only agents with no write access to external systems may be excluded where a documented risk assessment confirms that the governance controls specified here are not applicable to the agent's operational scope.
Financial Services. Agents operating in financial services face heightened regulatory scrutiny under MiFID II, DORA, and FCA SYSC requirements. The controls in this dimension support compliance with these frameworks and should be implemented at the most stringent level applicable to the agent's transaction authority.
Healthcare. Agents processing patient data or supporting clinical decisions must implement this dimension's controls in conjunction with HIPAA safeguards and applicable medical device regulations. The governance controls directly support the duty of care that healthcare organisations owe to patients.
Public Sector. Government agencies deploying agents that affect individual rights or public services must implement this dimension's controls to satisfy transparency, accountability, and judicial review requirements applicable to algorithmic decision-making in the public sector.
Decentralised and Blockchain-Native Agent Governance addresses a governance gap that, if left unmanaged, creates systemic risk across the agent ecosystem. As AI agents move from experimental deployments to production operations with real-world consequences, the absence of structural controls in this area means that failures scale with the speed and autonomy of the agent population — not at the pace of human review.
Traditional approaches to this governance challenge — contractual obligations, periodic audits, and application-layer policy enforcement — are necessary but insufficient for agentic contexts. Contractual obligations operate on legal timescales; agents operate on millisecond timescales. Periodic audits capture a snapshot; agent behaviour is continuous and dynamic. Application-layer enforcement can be bypassed through prompt injection, reasoning failure, or context manipulation. The AGS approach requires structural enforcement at the infrastructure layer — controls that operate independently of the agent's reasoning process and cannot be circumvented by the agent's own outputs.
The regulatory environment increasingly mandates the controls this dimension specifies. The EU AI Act requires risk management systems proportionate to identified risks. NIST AI RMF requires organisations to map, measure, and manage AI risks through enforceable controls. ISO 42001 requires an AI management system with documented operational procedures. This dimension operationalises these regulatory requirements into specific, testable, infrastructure-enforceable controls — bridging the gap between regulatory intent and technical implementation.
The consequences of absence are illustrated in Section 8 (Failure Scenarios). When this dimension is not implemented, the resulting governance gap permits agent behaviour that can cause material financial loss, regulatory enforcement action, reputational damage, and — in safety-critical deployments — physical harm. The blast radius scales with the agent's access scope and operational autonomy.
Basic Implementation — The organisation has documented policies addressing decentralised and blockchain-native agent and has implemented initial controls. Implementation is primarily at the application layer with manual processes for monitoring and response. Logging covers key events but may lack full metadata. Coverage extends to the most critical agent deployments but may not encompass all in-scope systems. Staff are aware of requirements but formal training may be incomplete.
Intermediate Implementation — All Basic capabilities plus: controls are enforced at the infrastructure layer with automated monitoring and alerting. All MUST requirements from Section 4 are implemented with documented evidence. Coverage extends to all in-scope agent deployments. Audit trails are tamper-evident and retained per regulatory requirements. Formal change control governs all configuration changes. Regular review cycles are established and documented. Staff receive formal training and competency is assessed.
Advanced Implementation — All Intermediate capabilities plus: controls have been validated through independent adversarial testing. Real-time dashboards provide operational visibility into compliance status, anomaly detection, and response metrics. The organisation can demonstrate to regulators and counterparties that no known attack vector bypasses the governance controls. Continuous improvement processes incorporate lessons from incidents, testing, and regulatory developments. Integration with related dimensions provides defence-in-depth coverage.
Tamper-evident audit trail. Implement all governance event logging in an append-only, integrity-protected data store independent of the agent runtime. Every governance decision, configuration change, and enforcement action is recorded with full metadata including timestamps, actor identities, and outcomes.
Real-time monitoring with graduated alerting. Deploy monitoring infrastructure that evaluates governance compliance continuously rather than periodically. Implement graduated alert severity levels with defined response procedures for each level, ensuring that critical governance violations trigger immediate automated response.
Separation of governance and agent runtime domains. Deploy governance enforcement infrastructure in a security domain separate from the agent runtime. The agent cannot influence governance decisions, modify enforcement configuration, or access governance logs directly. This architectural separation is the foundation for infrastructure-layer enforcement.
Defined escalation paths with human oversight integration. Establish clear escalation procedures for governance events that exceed automated response capability. Human oversight touchpoints are defined, documented, and tested. Override mechanisms require authenticated authorisation with full audit trail.
Governance by instruction rather than infrastructure. Relying on agent system prompts or configuration files to enforce governance controls rather than infrastructure-layer enforcement. Instruction-based controls can be bypassed through prompt injection, context manipulation, or reasoning failure.
Monitoring without enforcement. Implementing detection and logging of governance violations without pre-execution blocking. By the time a violation is logged, the ungoverned action has already executed. Detection is necessary but not sufficient; prevention must be the primary control.
Manual processes for machine-speed operations. Relying on human review processes for governance decisions that occur at machine speed. Agents execute actions in milliseconds; governance controls that depend on human review cycles of hours or days leave gaps that scale with agent autonomy.
Ungoverned configuration drift. Allowing governance configuration to be modified without formal change control, approval workflows, or audit trails. Configuration drift is a leading cause of governance degradation over time.
Objective: Verify that pre-execution simulation correctly identifies smart contract risks. Procedure: Submit 30 transactions to known-vulnerable contracts (reentrancy, overflow, honeypot) and 30 transactions to audited safe contracts through the simulation engine. Expected Result: All 30 vulnerable transactions flagged with correct vulnerability type. Zero false positives on safe contracts (tolerance: <= 2 false positives). Pass Criteria: 100% true positive rate on vulnerable contracts. <= 6.7% false positive rate.
Objective: Confirm that transactions exceeding USD 100,000 require multi-signature approval. Procedure: Attempt to execute 10 transactions above USD 100,000 with only a single signature. Attempt 10 with proper 2-of-3 multi-sig. Expected Result: All 10 single-signature transactions rejected. All 10 multi-sig transactions succeed. Pass Criteria: 100% enforcement rate.
Objective: Verify that cross-border crypto transfers include required originator and beneficiary information. Procedure: Initiate 20 cross-border crypto transfers with varying levels of counterparty information completeness. Expected Result: Transfers with incomplete information blocked until data is provided. Complete transfers proceed. Pass Criteria: Zero transfers executed with incomplete travel rule data.
Objective: Test that the conflict-of-interest scanner detects known relationships with proposal beneficiaries. Procedure: Submit 10 DAO proposals: 5 with known conflicts (beneficiary linked to the organisation) and 5 without. Expected Result: All 5 conflicts detected. Zero false positives. Pass Criteria: 100% conflict detection rate. Zero false positives.
Objective: Confirm that agent transactions are submitted through MEV-protected channels. Procedure: Submit 50 test transactions. Verify that each is routed through a private transaction pool or MEV-protection relayer. Expected Result: All 50 transactions routed through protected channels. Zero transactions visible in the public mempool before confirmation. Pass Criteria: 100% MEV protection rate.
Objective: Verify real-time monitoring of DeFi protocol parameter changes. Procedure: Simulate 5 parameter change events on monitored protocols (collateral ratio change, interest rate change, governance attack). Measure detection and alert latency. Expected Result: All 5 events detected. Alerts issued within 60 seconds. Pass Criteria: 100% detection rate. p99 alert latency <= 60 seconds.
| Evidence ID | Description | Collection Frequency | Retention Period |
|---|---|---|---|
| AG780-E01 | Pre-execution simulation results and transaction decisions | Per transaction | 7 years |
| AG780-E02 | Off-chain governance ledger for all on-chain transactions | Continuous | 10 years |
| AG780-E03 | Multi-signature approval records | Per transaction | 7 years |
| AG780-E04 | FATF travel rule compliance records for crypto transfers | Per transfer | 7 years |
| AG780-E05 | DAO governance participation logs and voting records | Per vote / proposal | 7 years |
| AG780-E06 | Smart contract audit verification records | Per interaction | 5 years |
| AG780-E07 | Protocol parameter change detection and alert logs | Continuous | 5 years |
| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No decentralised and blockchain-native agent governance exists. The organisation has no controls, policies, or monitoring in place for the capabilities this dimension governs. Agent behaviour in this area is ungoverned. |
| 1 | Basic | Basic controls exist but are enforced at the application layer — dependent on correct implementation rather than structural guarantees. Coverage may be partial. Configuration is not governed through formal change control. Logging exists but may lack full metadata. |
| 2 | Infrastructure-layer enforcement | Controls are enforced at the infrastructure layer, independent of the agent's reasoning process or instruction set. All requirements are structurally enforced with no application-layer bypass path. Full audit trail with tamper-evident logging. Configuration is governed through formal change control. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities are in place and have been validated through independent adversarial testing. An independent party has attempted to bypass, circumvent, or degrade the governance controls using known attack techniques relevant to this dimension and has failed. Test results are documented, reproducible, and available for regulatory review. |
A Crypto/Web3 Agent managing a USD 12 million DeFi yield farming portfolio receives an instruction to deposit 5,000 ETH (approximately USD 9.8 million at current prices) into a new liquidity pool on Uniswap V4. Under AG-780, the agent performs a pre-execution simulation by forking the current Ethereum mainnet state and executing the transaction on the fork. The simulation reveals three findings: (1) the liquidity pool's smart contract contains an unchecked external call in the deposit() function that could be exploited via reentrancy, (2) the pool's current liquidity is only USD 340,000, meaning a USD 9.8 million deposit would suffer approximately 94% slippage on entry, and (3) the pool's governance token has a transfer tax of 8% not visible in the pool's frontend interface. The agent rejects the transaction and generates a structured risk report: "Transaction blocked. 3 risks identified: reentrancy vulnerability (severity: Critical), excessive slippage 94% (severity: Critical), undisclosed transfer tax 8% (severity: High). Estimated prevented loss: USD 9.2 million." The report is escalated to the organisation's DeFi risk committee. Investigation reveals that the pool was deployed 47 minutes ago by an unverified contract deployer -- consistent with a honeypot attack pattern. A Suspicious Activity Report is filed with the relevant financial intelligence unit.
A Crypto/Web3 Agent holds 2.3 million governance tokens (representing 4.7% of voting power) in a major DeFi protocol's DAO. A governance proposal (Proposal #287) is submitted to redirect USD 45 million from the protocol's treasury to fund a new development initiative. Under AG-780, the agent's DAO governance participation controls activate: (1) the agent analyses the proposal text, linked documentation, and on-chain treasury state, (2) the agent's conflict-of-interest scanner identifies that the proposal's beneficiary wallet is linked to a counterparty with whom the agent's organisation has an existing commercial relationship -- a potential conflict, (3) the agent's voting policy engine determines that the proposal's USD 45 million allocation exceeds the per-proposal treasury threshold (USD 20 million) requiring human approval before the agent votes. The agent abstains from voting and escalates to the organisation's governance committee with a structured brief: proposal summary, conflict of interest disclosure, treasury impact analysis (the USD 45 million represents 23% of total treasury), and a voting recommendation (conditional support, subject to vesting schedule amendment). The governance committee reviews within 48 hours and instructs the agent to vote "For" with a public comment requesting a 24-month vesting schedule on the allocated funds. The agent submits the vote with the comment 6 hours before the proposal deadline.
| Regulation | Provision | Relationship Type |
|---|---|---|
| # | Framework / Standard | _Pending v2.1 editorial review_ |
| ---- | ----------------------------------- | _Pending v2.1 editorial review_ |
| 1 | EU MiCA | _Pending v2.1 editorial review_ |
| 2 | FATF Guidance | _Pending v2.1 editorial review_ |
| 3 | EU AI Act | _Pending v2.1 editorial review_ |
| 4 | IOSCO DeFi Policy | _Pending v2.1 editorial review_ |
| 5 | DORA | _Pending v2.1 editorial review_ |
| 6 | FCA Crypto-Asset Guidelines | _Pending v2.1 editorial review_ |
| 7 | SEC Guidance | _Pending v2.1 editorial review_ |
| 8 | MAS Payment Services Act | _Pending v2.1 editorial review_ |
| 9 | NIST CSF 2.0 | _Pending v2.1 editorial review_ |
| 10 | OWASP Smart Contract Top 10 | _Pending v2.1 editorial review_ |
| 11 | ERC-4337 | _Pending v2.1 editorial review_ |
| 12 | ISO/IEC 23894:2023 | _Pending v2.1 editorial review_ |
| 13 | Basel Committee | _Pending v2.1 editorial review_ |
| 14 | ESMA | _Pending v2.1 editorial review_ |
| 15 | Chainalysis Compliance Framework | _Pending v2.1 editorial review_ |
| 16 | FINMA Guidance | _Pending v2.1 editorial review_ |
This dimension supports compliance with the following NIST AI RMF subcategories: GOVERN 1.1, GOVERN 1.6, MANAGE 2.2. These subcategories address the risk management, governance, and operational controls that this dimension implements within the AGS framework.
This dimension supports compliance with the following ISO/IEC 42001:2023 clauses: Clause 5.2, Clause 6.1, Clause 8.2. These clauses address the AI management system requirements that this dimension operationalises.
| Dimension | Name | Relationship |
|---|---|---|
| AG-770 | Agentic Identity and Credential Lifecycle Gov. | Wallet and on-chain credential lifecycle management |
| AG-771 | Cross-Jurisdictional Governance Compliance | Cross-border crypto regulatory compliance |
| AG-773 | Quantum-Resilient Cryptographic Governance | Post-quantum security for blockchain keys and signatures |
| AG-774 | Autonomous Financial Market Impact Governance | DEX market impact and DeFi systemic risk |
| AG-777 | Collective and Swarm Intelligence Governance | DAO-coordinated agent populations |
| AG-779 | Regulatory Reporting Integrity Governance | MiCA and FATF reporting accuracy for crypto activity |