Cross-Agent Blame Attribution Governance

2. Summary

Cross-Agent Blame Attribution Governance requires that every multi-agent outcome — beneficial or harmful — can be decomposed into individual agent contributions with sufficient granularity to assign accountability to specific agents, their operators, and the humans responsible for each agent's deployment and mandate. When multiple agents collaborate, delegate, or compete to produce a single outcome, the causal chain must be preserved in a tamper-evident record that enables after-the-fact reconstruction of which agent contributed what, which agent's contribution was decisive, and which human governance decisions authorised each agent's participation. Without this attribution infrastructure, multi-agent systems create an accountability vacuum where no single agent is responsible for the collective outcome, and organisations cannot satisfy regulatory demands for individual accountability.

3. Example

Scenario A — Unattributable Lending Decision Causes Discriminatory Outcome: A consumer bank deploys a multi-agent lending pipeline: Agent Alpha scores creditworthiness using financial data, Agent Beta assesses property valuation, Agent Gamma evaluates regulatory compliance, and Agent Delta makes the final lending decision by combining outputs from the other three. Over 18 months, the pipeline approves 94% of applications from borrowers in affluent postcodes but only 61% from borrowers in historically disadvantaged postcodes. A fair-lending audit discovers the disparity and demands attribution: which agent introduced the discriminatory signal? The bank cannot answer. Agent Delta's decision logs show only the final approve/reject decision and aggregate confidence scores from the upstream agents. Agent Alpha's credit scores appear race-neutral. Agent Beta's property valuations correlate with postcode — but whether this is legitimate risk assessment or proxy discrimination requires knowing how Agent Delta weighted Beta's output relative to Alpha's and Gamma's. No record of contribution weights, intermediate reasoning chains, or causal influence exists. The bank cannot demonstrate which agent caused the disparity, cannot remediate the specific source, and cannot prove to the regulator that remediation is effective.

What went wrong: The pipeline recorded only final outcomes and aggregate intermediate scores — not the causal influence of each agent's contribution on the final decision. No attribution mechanism tracked how Agent Delta weighted each input or how upstream agents' outputs interacted to produce the discriminatory pattern. The bank treated the pipeline as a single system rather than as four accountable agents with individual contributions requiring individual attribution. Consequence: $34 million fair-lending settlement, CFPB consent order requiring complete pipeline rebuild, £12 million remediation cost, 2-year enhanced supervisory oversight, personal enforcement action against the Chief Risk Officer for inadequate model risk management.

Scenario B — Autonomous Logistics Chain Cannot Attribute Spoiled Pharmaceutical Shipment: A pharmaceutical distributor uses a multi-agent logistics chain: Agent One plans routes, Agent Two manages cold-chain monitoring, Agent Three handles warehouse allocation, and Agent Four coordinates last-mile delivery. A shipment of temperature-sensitive vaccines worth €4.7 million arrives at a hospital with internal temperatures recorded at 14°C — well above the 8°C maximum. The vaccines are destroyed. Post-incident investigation reveals that Agent One selected a route with a 90-minute layover at an unconditioned transfer facility, Agent Two received temperature readings but Agent Three had reassigned the shipment to a warehouse bay without active cooling during the layover, and Agent Four accepted delivery handoff without verifying cold-chain continuity. The root cause is the interaction between Agent One's routing decision and Agent Three's warehouse allocation — but no causal record links these decisions. Each agent's logs show only its own actions. No record connects Agent Three's allocation decision to Agent One's routing decision or establishes which agent's contribution was the proximate cause of the temperature excursion.

What went wrong: Each agent logged its own actions independently. No cross-agent causal graph linked decisions across the pipeline. The interaction between Agent One's routing and Agent Three's warehouse allocation — the decisive causal factor — was invisible because no attribution mechanism recorded how agents' decisions depended on or influenced each other's outputs. Consequence: €4.7 million in destroyed vaccines, GDP (Good Distribution Practice) licence suspension pending investigation, €8.2 million contractual liability to the hospital network, EMA regulatory investigation, and inability to implement effective corrective action because the root cause cannot be definitively attributed.

Scenario C — Financial Trading Agents Create Unattributable Market Manipulation Pattern: An investment firm operates five trading agents across different strategy desks. Agent Kappa places large visible orders in options markets, Agent Lambda executes offsetting trades in the underlying equity, Agent Mu manages inventory across both desks, Agent Nu executes the final settlement trades, and Agent Omicron hedges residual risk. A market surveillance algorithm at the exchange flags a pattern that resembles layering — placing and then cancelling orders to create a false impression of supply or demand. The firm's compliance team investigates and discovers that the pattern emerges from the interaction of Kappa's order placement with Lambda's execution timing and Mu's inventory rebalancing. No single agent's behaviour constitutes manipulation, but the combined pattern does. The firm cannot attribute the manipulative pattern to a specific agent because no attribution record connects the agents' actions into a causal chain. The firm cannot demonstrate to the FCA whether the pattern was intentional, emergent, or coincidental.

What went wrong: Each agent operated within its individual mandate and logged its own actions correctly. But no cross-agent attribution mechanism tracked how agents' actions influenced market state in combination. The manipulative pattern existed only at the collective level — in the relationships between agents' actions over time — and no causal graph captured those relationships. The firm's individual-agent monitoring was AG-001 compliant but lacked the cross-agent attribution that AG-398 requires. Consequence: £28 million FCA fine for market abuse, £6 million internal investigation cost, 18-month enhanced supervision, personal liability for the desk heads under the Senior Managers Regime, and criminal referral to the Serious Fraud Office for the layering pattern.

4. Requirement Statement

Scope: This dimension applies to any system where two or more AI agents contribute to a single outcome — whether through sequential pipeline processing, parallel collaboration, competitive market interaction, hierarchical delegation, or any other multi-agent topology. The scope includes cases where agents are operated by the same organisation and cases where agents are operated by different organisations but interact through shared environments, APIs, or marketplaces. The scope extends to indirect contributions: an agent that provides data used by another agent's decision has contributed to that decision's outcome. An agent that modifies shared environmental state used by other agents has contributed to those agents' subsequent actions. The test is not whether an agent intended to contribute to the outcome, but whether its actions were a but-for cause of the outcome — whether the outcome would have been different had the agent acted differently. Read-only agents that provide information consumed by decision-making agents are within scope because their information output causally influences the decision.

4.1. A conforming system MUST maintain a causal attribution graph for every multi-agent outcome, recording each contributing agent's identity, the specific action or output it contributed, the timestamp of that contribution, and the causal relationship between the contribution and the outcome.

4.2. A conforming system MUST record contribution weights or influence measures for each agent's contribution to a multi-agent outcome, enabling quantitative assessment of which agent's contribution was most influential in determining the outcome.

4.3. A conforming system MUST store all attribution records in a tamper-evident format per AG-006, ensuring that attribution chains cannot be altered after outcome realisation.

4.4. A conforming system MUST preserve the complete delegation chain for every delegated action, recording the delegating agent, the receiving agent, the scope of delegation, and any constraints imposed — such that any link in the chain can be traced back to the originating human-approved mandate.

4.5. A conforming system MUST enable after-the-fact reconstruction of the causal chain for any outcome — from the final outcome back through every contributing agent's action to the originating human governance decisions — within a defined reconstruction time limit not exceeding 72 hours.

4.6. A conforming system MUST assign a primary accountable agent designation for every multi-agent outcome, identifying the single agent whose contribution was most determinative of the outcome, even where multiple agents contributed.

4.7. A conforming system MUST map every primary accountable agent designation to a human accountability chain — the specific human or organisational role responsible for that agent's mandate, deployment, and oversight.

4.8. A conforming system SHOULD implement real-time attribution tracking that constructs the causal graph as agents interact, rather than reconstructing it after the fact from individual agent logs.

4.9. A conforming system SHOULD compute counterfactual attribution — for each contributing agent, estimate what the outcome would have been had that agent acted differently or been absent — to distinguish between agents that merely participated and agents whose contributions were causally decisive.

4.10. A conforming system SHOULD implement attribution verification at outcome time, confirming that the attribution graph is complete and all contributing agents are identified before the outcome is finalised.

4.11. A conforming system MAY implement attribution-aware dispute resolution mechanisms that enable stakeholders to challenge attribution determinations and trigger re-analysis of the causal graph.

4.12. A conforming system MAY implement proportional liability computation that allocates financial or regulatory liability across contributing agents and their human principals in proportion to their measured causal contribution.

5. Rationale

Accountability is the foundational requirement of governance. Every regulatory regime, every legal framework, and every organisational control structure depends on the ability to answer one question: who is responsible? In single-agent systems, the answer is straightforward — the agent acted, and its operator is responsible. In multi-agent systems, this question becomes profoundly difficult. When five agents contribute to a lending decision, which agent caused the discriminatory outcome? When four agents manage a logistics chain, which agent caused the temperature excursion? When three agents execute interrelated trades, which agent caused the manipulative pattern? Without a formal attribution mechanism, the answer is "all of them and none of them" — which is functionally equivalent to "no one is responsible."

This accountability vacuum is not merely a theoretical concern. It is the precise mechanism by which multi-agent systems can undermine regulatory frameworks that were designed around individual accountability. The FCA Senior Managers Regime assigns personal liability to named individuals. SOX officer certifications require individual attestation. The EU AI Act assigns obligations to identifiable providers and deployers. GDPR grants data subjects the right to an explanation of automated decisions. All of these frameworks assume that accountability can be decomposed to individual actors. Multi-agent systems without cross-agent attribution break this assumption by distributing causal responsibility across multiple agents in a way that no individual agent — and no individual human — can be held fully accountable.

The technical challenge is that multi-agent outcomes are genuinely emergent in many cases. The discriminatory lending pattern in Scenario A does not exist in any single agent's behaviour — it emerges from the interaction of four agents' outputs. The market manipulation pattern in Scenario C does not exist in any single agent's trading — it emerges from the temporal relationship between multiple agents' actions. Attribution requires not just logging what each agent did, but recording the causal connections between agents' actions — how one agent's output became another agent's input, how multiple agents' actions combined to produce the observed outcome, and which contributions were causally decisive versus merely present.

The legal concept that maps most closely to this requirement is "but-for" causation — Agent X's contribution is causal if the outcome would have been different but for Agent X's action. In single-agent systems, but-for causation is trivial: remove the agent and there is no action. In multi-agent systems, but-for analysis requires counterfactual reasoning: what would the outcome have been if Agent X had acted differently while all other agents acted the same? This counterfactual analysis is computationally demanding but it is the only rigorous basis for attributing accountability in multi-agent systems. Without it, attribution degenerates into heuristics — "the last agent to touch the outcome is responsible" — that are neither accurate nor defensible.

The regulatory cost of attribution failure is escalating. Regulators have signalled clearly that deploying multi-agent systems does not reduce or diffuse accountability obligations — it increases them. The FCA's expectations under the Senior Managers Regime are that if a firm deploys a system that cannot identify who is responsible for a harmful outcome, the firm's governance framework is inadequate, and personal liability attaches to the senior manager responsible for the governance framework. The EU AI Act's transparency requirements extend to multi-agent systems: Article 13 requires that high-risk AI systems be sufficiently transparent to enable users to interpret the system's output. A multi-agent outcome that cannot be attributed to individual agents is not interpretable.

6. Implementation Guidance

AG-398 establishes the causal attribution graph as the central governance artefact for multi-agent accountability. A causal attribution graph is a directed acyclic graph (or directed graph with temporal ordering in cases of feedback loops) where nodes represent agent actions or outputs and edges represent causal influence — Agent A's output was consumed by Agent B's decision process. The graph must be constructed in real time as agents interact, not reconstructed after the fact from independent logs, because post-hoc reconstruction from independent logs is unreliable when agents modify shared state or communicate through side channels.

Recommended patterns:

• Correlation ID propagation. Assign a unique correlation identifier to every multi-agent workflow at initiation. Every agent action within the workflow includes the correlation ID in its audit record. A centralised attribution service collects records by correlation ID and constructs the causal graph. This is the simplest pattern and is sufficient for sequential pipeline architectures where agents pass outputs to the next agent in a defined sequence.
• Causal influence tagging. Each agent that consumes another agent's output includes, in its own action record, a reference to the specific upstream output it consumed and a quantitative measure of how much that input influenced its decision. For machine learning agents, this can be implemented through feature attribution methods (SHAP values, attention weights, integrated gradients) applied to the upstream agent outputs treated as input features.
• Centralised attribution service. A dedicated microservice receives structured attribution events from all agents in real time. Each event includes: the agent identity, the action taken, the inputs consumed (with provenance), the outputs produced, and the contribution weight assigned to each input. The attribution service constructs and maintains the causal graph, computes primary accountability designations, and provides a query API for after-the-fact reconstruction.
• Delegation chain ledger. For hierarchical multi-agent topologies where agents delegate to subordinate agents, maintain a ledger recording every delegation event: the delegating agent, the receiving agent, the scope of the delegation, the constraints imposed, and the mandate authority under which the delegation was made. The ledger enables tracing any subordinate agent's action back through the delegation chain to the originating human-approved mandate per AG-396.
• Counterfactual attribution computation. For high-stakes outcomes, implement counterfactual analysis that replays the multi-agent interaction with one agent's contribution removed or modified. The difference between the actual outcome and the counterfactual outcome quantifies that agent's causal contribution. This is computationally expensive and is recommended for post-incident analysis rather than real-time operation.

Anti-patterns to avoid:

• Logging agent actions independently without causal linkage. If each agent logs its own actions in its own log without cross-referencing other agents' actions, the organisation has parallel action logs — not an attribution graph. Reconstructing causal chains from independent logs is unreliable, time-consuming, and produces attribution that is contestable in regulatory proceedings.
• Attributing blame to the final agent in the chain. The last agent to act before the outcome is visible is often the least causally responsible. In a lending pipeline, the agent that issues the final approve/reject decision may be mechanically combining upstream scores — the discriminatory signal originates upstream. Attributing accountability to the final agent creates perverse incentives to position agents at the end of the chain to avoid accountability.
• Treating attribution as a post-incident activity. Attribution infrastructure must be in place before an incident occurs. After an incident, logs may be incomplete, agents may have been retrained or redeployed, and the environmental state that influenced agent decisions may no longer be available. Post-incident reconstruction is a forensic activity that depends on pre-incident instrumentation.
• Assuming delegation transfers accountability. When Agent A delegates a task to Agent B, Agent A remains accountable for the delegation decision and for the scope and constraints of the delegation. Delegation creates shared accountability, not transferred accountability. The delegation chain must be preserved so that both the delegating and receiving agents' contributions are attributable.
• Using aggregate metrics as attribution substitutes. Reporting that "the pipeline produced a discriminatory outcome" without attributing the outcome to specific agent contributions is monitoring, not attribution. Regulators require individual accountability — which agent, which action, which human decision authorised that agent.

Industry Considerations

Financial Services. Cross-agent attribution is essential for market abuse surveillance, fair-lending compliance, and Sarbanes-Oxley internal controls. The FCA expects firms to demonstrate that they can attribute any trading pattern — including patterns that emerge from the interaction of multiple algorithms — to specific algorithms and their responsible senior managers. MiFID II Article 17 requires firms to maintain records of algorithmic trading that enable reconstruction of trading strategies and their market impact. For multi-agent trading, this requires cross-agent attribution that connects related trades across desks and strategies. The CFPB's adverse action notice requirements under ECOA mandate that lenders identify the specific factors that contributed to a lending denial — in a multi-agent pipeline, this requires knowing which agent contributed which factor.

Healthcare. Multi-agent clinical decision support systems must attribute diagnostic contributions to individual agents so that clinical validation can target the specific agent whose contribution is most influential. FDA requirements for Software as a Medical Device (SaMD) include traceability of decision logic — in multi-agent diagnostic systems, this requires cross-agent attribution. When a multi-agent system produces an incorrect diagnosis, attribution enables targeted remediation of the specific agent or interaction that caused the error, rather than requiring wholesale system replacement.

Supply Chain and Logistics. GDP (Good Distribution Practice) and GMP (Good Manufacturing Practice) regulations require full traceability of decisions affecting product quality and safety. Multi-agent logistics chains must attribute quality excursions (temperature deviations, contamination events, handling errors) to specific agent decisions. Attribution enables targeted corrective action and satisfies the root cause analysis requirements of quality management systems under ISO 9001 and sector-specific regulations.

Maturity Model

Basic Implementation — Every multi-agent workflow uses correlation IDs to link agent actions within a single workflow. Agent logs include the correlation ID, enabling manual reconstruction of the action sequence. Attribution is primarily chronological — the sequence of agent actions is known, but causal influence weights are not recorded. Primary accountability is assigned based on organisational policy (e.g., the most senior agent in the hierarchy) rather than causal analysis. Reconstruction is possible but requires manual log correlation and takes days.

Intermediate Implementation — A centralised attribution service receives structured attribution events from all agents in real time. The causal attribution graph is constructed automatically. Each agent records which upstream outputs it consumed and provides a basic influence measure. Primary accountability is assigned based on quantitative contribution weights. Delegation chains are recorded in a structured ledger. After-the-fact reconstruction of any outcome's causal chain is possible within 72 hours. Attribution records are stored in tamper-evident format per AG-006. Human accountability mapping exists — each agent's primary accountable human is documented and current.

Advanced Implementation — All intermediate capabilities plus: counterfactual attribution is computed for high-stakes outcomes, quantifying each agent's causal contribution through replay analysis. Real-time attribution dashboards display live causal graphs for active multi-agent workflows. Attribution verification gates confirm graph completeness before outcomes are finalised. The organisation can demonstrate to regulators, within hours of an incident, which agent's contribution was causally decisive, which human approved that agent's mandate, and what the outcome would have been had the responsible agent acted differently. Independent adversarial testing has verified that attribution mechanisms cannot be evaded by agents that deliberately obscure their causal contributions.

7. Evidence Requirements

Required artefacts:

• Causal attribution graph records. The actual causal attribution graphs for multi-agent outcomes, showing agent nodes, action nodes, causal edges, contribution weights, and primary accountability designations. Format: structured data (JSON, graph database export, or equivalent). Not a prose description.
• Delegation chain records. Structured records of every delegation event including delegating agent, receiving agent, delegation scope, constraints imposed, and originating mandate authority. Stored in tamper-evident format per AG-006.
• Human accountability mapping. Current mapping from every deployed agent to the specific human or organisational role accountable for that agent's mandate, deployment, and oversight. Updated within 24 hours of any change.
• Reconstruction demonstration. Evidence that after-the-fact causal chain reconstruction has been tested and completed within the defined time limit (72 hours maximum). Test results from the most recent reconstruction exercise, including the outcome selected, the time to reconstruct, and the completeness of the reconstructed chain.
• Contribution weight methodology documentation. Documentation of the methodology used to compute contribution weights or influence measures, including the mathematical basis, the validation approach, and any known limitations.

Retention requirements:

• Attribution graphs and delegation chain records: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.
• Human accountability mappings: current version plus all historical versions for the retention period.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Attribution graphs must be presentable in a format that a non-technical regulatory examiner can follow — including visual graph representations with plain-language annotations of causal relationships.

8. Test Specification

Testing AG-398 compliance requires demonstrating that attribution graphs are complete, accurate, tamper-evident, and reconstructable. A comprehensive test programme should include the following tests.

Test 8.1: Causal Attribution Graph Completeness

• Stimulus: Execute a multi-agent workflow with a known topology (at least four contributing agents). After completion, retrieve the causal attribution graph for the outcome.
• Expected behaviour: The attribution graph includes a node for every contributing agent, edges representing every causal relationship between agents, and the specific action or output each agent contributed. No contributing agent is missing from the graph.
• Pass criteria: Every agent that contributed to the outcome appears in the attribution graph. Every causal relationship between agents is represented as an edge. Each node includes the agent identity, action, timestamp, and output. No orphan nodes exist (every node has at least one incoming or outgoing causal edge, except the originating agent).
• Fail criteria: Any contributing agent is missing from the graph, any causal relationship is unrepresented, or any node lacks required fields (identity, action, timestamp, output).

Test 8.2: Contribution Weight Recording Accuracy

• Stimulus: Execute a multi-agent workflow where one agent's contribution is known to be the dominant causal factor (e.g., by design, one agent provides the decisive input while others provide supplementary information). Retrieve the contribution weights from the attribution record.
• Expected behaviour: The contribution weights correctly identify the dominant agent as having the highest causal influence. The weights are quantitative and sum to a meaningful total (either 1.0 for normalised weights or a documented scale).
• Pass criteria: The dominant agent's contribution weight is the highest among all contributing agents. Weights are quantitative, documented on a defined scale, and consistent with the known causal structure of the test workflow.
• Fail criteria: The dominant agent is not identified as having the highest contribution weight, or weights are qualitative rather than quantitative, or weights are not recorded at all.

Test 8.3: Tamper-Evidence of Attribution Records

• Stimulus: Retrieve an attribution graph for a completed multi-agent outcome. Attempt to modify the graph — change a contribution weight, remove an agent node, or alter a causal edge. Verify that the modification is detected.
• Expected behaviour: Attribution records are stored in tamper-evident format per AG-006. Any modification to any element of the attribution graph (nodes, edges, weights, timestamps) is detected by integrity verification.
• Pass criteria: Attempted modification of any attribution record element is detected. The integrity verification mechanism identifies the specific element that was modified. Unmodified records pass integrity verification.
• Fail criteria: Any modification to attribution records goes undetected, or integrity verification cannot identify the specific modified element.

Test 8.4: Delegation Chain Preservation

• Stimulus: Execute a multi-agent workflow that includes at least two levels of delegation (Agent A delegates to Agent B, which delegates to Agent C). Retrieve the delegation chain from the attribution record.
• Expected behaviour: The complete delegation chain is recorded, including every delegation event with the delegating agent, receiving agent, delegation scope, constraints, and originating mandate authority. The chain can be traced from Agent C's action back through Agent B to Agent A's original mandate.
• Pass criteria: Every delegation event is recorded with all mandatory fields. The chain is traceable end-to-end from the final executing agent to the originating human-approved mandate. No gap exists in the delegation chain.
• Fail criteria: Any delegation event is missing from the chain, any mandatory field is absent, or the chain cannot be traced end-to-end to the originating mandate.

Test 8.5: After-the-Fact Reconstruction Within Time Limit

• Stimulus: Select a multi-agent outcome from at least 30 days prior. Request full causal chain reconstruction from the final outcome back to originating human governance decisions. Measure the time to complete reconstruction.
• Expected behaviour: The reconstruction team produces the complete causal chain — every contributing agent, every causal relationship, every contribution weight, every delegation link, and the human accountability mapping for each agent — within the defined time limit (72 hours maximum).
• Pass criteria: Reconstruction is complete within 72 hours. The reconstructed chain includes every contributing agent, all causal relationships, contribution weights, delegation links, and human accountability mappings. No gap exists in the chain between the outcome and the originating human decisions.
• Fail criteria: Reconstruction exceeds 72 hours, the chain is incomplete, any contributing agent cannot be identified, or the chain cannot be traced to human accountability.

Test 8.6: Primary Accountable Agent Designation

• Stimulus: Execute a multi-agent workflow producing a harmful outcome (simulated in a test environment). Retrieve the primary accountable agent designation from the attribution record.
• Expected behaviour: Exactly one agent is designated as the primary accountable agent for the outcome, identified as having the most determinative causal contribution. The designation is mapped to a specific human accountability chain.
• Pass criteria: A primary accountable agent is designated. The designation is supported by quantitative contribution weights. The designated agent maps to a specific human or organisational role in the human accountability chain. The designation is recorded in tamper-evident format.
• Fail criteria: No primary accountable agent is designated, or the designation is not supported by quantitative evidence, or the designated agent does not map to a human accountability chain.

Test 8.7: Human Accountability Chain Completeness

• Stimulus: For every agent in the topology inventory (per AG-389), verify that a current human accountability mapping exists.
• Expected behaviour: Every deployed agent maps to a specific human or organisational role responsible for that agent's mandate, deployment, and oversight. The mapping is current (updated within 24 hours of any change).
• Pass criteria: Every deployed agent has a human accountability mapping. The mapping identifies a specific human or role (not a generic department or "the organisation"). The mapping is dated and has been updated within its defined review period.
• Fail criteria: Any deployed agent lacks a human accountability mapping, or any mapping identifies only a generic entity rather than a specific human or role, or any mapping is stale beyond its review period.

Conformance Scoring

• Score 0: No cross-agent attribution exists — multi-agent outcomes cannot be decomposed into individual agent contributions.
• Score 1: Correlation IDs link agent actions within workflows, enabling chronological reconstruction, but causal influence weights and primary accountability designations are absent.
• Score 2: Causal attribution graphs are maintained with contribution weights and primary accountability designations, stored in tamper-evident format, with human accountability mappings for all agents.
• Score 3: Verified by independent adversarial testing — an independent party has attempted to evade attribution through causal obfuscation, delegation laundering, or contribution weight manipulation, and the attribution mechanisms maintained accurate causal graphs.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Direct requirement
EU AI Act	Article 13 (Transparency and Provision of Information to Deployers)	Direct requirement
SOX	Section 404 (Internal Controls Over Financial Reporting)	Direct requirement
FCA SYSC	6.1.1R (Systems and Controls), Senior Managers Regime	Direct requirement
NIST AI RMF	GOVERN 1.2, MAP 3.5, MANAGE 4.1	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks), Clause 9.1 (Monitoring, Measurement, Analysis)	Supports compliance
DORA	Article 9 (ICT Risk Management Framework), Article 17 (ICT-Related Incident Management)	Supports compliance

EU AI Act — Article 9 (Risk Management System)

Article 9 requires providers of high-risk AI systems to identify and mitigate risks. In multi-agent systems, the inability to attribute outcomes to specific agents is itself a risk — it prevents effective remediation, blocks regulatory compliance, and creates accountability vacuums. AG-398 implements the risk mitigation measure for attribution failure. The regulation requires that risk management measures enable "effective oversight by natural persons" during use — oversight of a multi-agent system requires knowing which agent contributed what, which is precisely what AG-398's causal attribution graph provides.

EU AI Act — Article 13 (Transparency and Provision of Information to Deployers)

Article 13 requires that high-risk AI systems be designed and developed in such a way that their operation is sufficiently transparent to enable deployers to interpret the system's output and use it appropriately. For multi-agent systems, interpretability requires attribution — understanding the output means understanding which agents contributed to it and how. A multi-agent outcome that cannot be decomposed into individual agent contributions is not interpretable within the meaning of Article 13. AG-398's causal attribution graph directly implements this transparency requirement for multi-agent architectures.

SOX — Section 404 (Internal Controls Over Financial Reporting)

Section 404 requires effective internal controls, including the ability to identify the cause of any material misstatement. For financial operations executed by multi-agent systems, this requires cross-agent attribution. If a multi-agent trading system produces a material loss, SOX auditors will ask: "Which algorithm caused this loss, and who was responsible for it?" If the answer is "we cannot determine which agent's contribution was causal," the internal control framework is deficient. AG-398's primary accountable agent designation and human accountability mapping directly address the SOX requirement for assignable responsibility over financial outcomes.

FCA SYSC — 6.1.1R, Senior Managers Regime

SYSC 6.1.1R requires adequate systems and controls. The Senior Managers Regime requires that specific named individuals be accountable for specific areas of the firm's business. Multi-agent systems that cannot attribute outcomes to individual agents — and through those agents to individual senior managers — fundamentally conflict with the Senior Managers Regime's accountability architecture. The FCA has stated that firms cannot use technological complexity to dilute individual accountability. AG-398 preserves the accountability chain from multi-agent outcome through individual agent contributions to individual senior managers, ensuring that the Senior Managers Regime's accountability requirements are met even in complex multi-agent architectures.

NIST AI RMF — GOVERN 1.2, MAP 3.5, MANAGE 4.1

GOVERN 1.2 addresses accountability structures for AI systems. MAP 3.5 addresses the identification of AI system impacts. MANAGE 4.1 addresses post-deployment monitoring and response. AG-398 supports compliance by establishing accountability structures that extend to multi-agent systems (GOVERN 1.2), enabling identification of which agent's contribution caused an observed impact (MAP 3.5), and providing the attribution infrastructure needed for effective incident response in multi-agent deployments (MANAGE 4.1).

ISO 42001 — Clause 6.1, Clause 9.1

Clause 6.1 requires actions to address risks. Clause 9.1 requires monitoring, measurement, analysis, and evaluation of the AI management system's effectiveness. Attribution failure is a risk that Clause 6.1 requires organisations to address. Attribution graphs provide the measurement and analysis infrastructure that Clause 9.1 requires for evaluating whether multi-agent systems are operating within their governance parameters. Without attribution, measurement of multi-agent governance effectiveness is impossible — the organisation cannot determine which controls are working and which are failing because it cannot determine which agents are responsible for observed outcomes.

DORA — Article 9, Article 17

Article 9 requires an ICT risk management framework. Article 17 requires financial entities to establish ICT-related incident management processes, including root cause analysis. For multi-agent incidents, root cause analysis requires cross-agent attribution — identifying which agent's contribution was the proximate cause of the incident. Without AG-398's causal attribution graph, root cause analysis in multi-agent systems degenerates into speculation. Article 17's requirement that incident reports include "the root cause analysis, once completed" is unsatisfiable for multi-agent incidents without attribution infrastructure. DORA's emphasis on operational resilience also implies that financial entities must be able to remediate specific failing components — in multi-agent systems, identifying the failing component requires attribution.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Organisation-wide — extends to regulatory relationships, legal liability, and counterparty trust

Consequence chain: Without cross-agent blame attribution, multi-agent systems create an accountability vacuum where harmful outcomes cannot be traced to specific agents, specific decisions, or specific humans. The immediate consequence is investigative paralysis — when an incident occurs, the organisation cannot determine which agent caused it, cannot remediate the specific source, and cannot prove to regulators that the remediation is effective. The regulatory consequence is severe: every major regulatory framework requires individual accountability, and a system that cannot provide individual accountability for multi-agent outcomes is a system that cannot comply. The FCA Senior Managers Regime, SOX officer certifications, EU AI Act provider obligations, and GDPR right-to-explanation all require that accountability be assignable to specific entities — not distributed across an unattributable collective. The legal consequence is compounded liability: in the absence of attribution, courts and regulators may hold every participant in the multi-agent chain jointly liable for the full harm, rather than apportioning liability according to causal contribution. The remediation consequence is systemic: without attribution, the organisation cannot target remediation at the specific agent or interaction that caused the harm — it must replace or rebuild the entire multi-agent system, at vastly greater cost and operational disruption. The reputational consequence accumulates: each attribution failure demonstrates to regulators, auditors, and counterparties that the organisation has deployed systems it cannot govern. Over time, this erodes the trust that is prerequisite to operating multi-agent systems at scale.