The sovereignty gap: when AI agents cross borders and accountability cannot follow
Every accountability architecture for a physical AI agent is built for one jurisdiction. The operator certificates authorizing the agent to act are issued under one regulatory framework. The logging obligations — what must be recorded, retained, and disclosed — are specified by one data-protection regime. The liability rules that determine who bears responsibility for harm are written in one legal order. That architecture is coherent when the agent stays inside the jurisdiction it was designed for. It begins to fail the moment the agent crosses a line that the accountability infrastructure cannot cross with it.
Physical AI agents cross jurisdictional lines routinely. An autonomous care robot accompanying a patient transferred between facilities in different administrative regions operates under simultaneous and potentially conflicting care standards once it is in transit. An unmanned aircraft transiting between airspace managed by different civil aviation authorities carries an operator authorization from one regime into a space where that authorization has no legal standing. A marine autonomy platform moving between territorial waters encounters certification frameworks, data-residency obligations, and incident-reporting chains that were never designed to apply to a single agent simultaneously. In each case, the agent's action log is continuous across the boundary. The accountability architecture was not designed to be.
The cryptographic layer makes the problem concrete. Operator certificates — the credentials that establish an agent's authorization to act — are issued by certificate authorities operating under specific national frameworks. A certificate issued by an authority recognized in one jurisdiction may not be trusted by verifiers operating under a different framework. More fundamentally, the certificate's validity period, revocation infrastructure, and signing algorithm are all anchored to the issuing regime. If the issuing jurisdiction has migrated to post-quantum algorithm suites and the destination jurisdiction has not, or vice versa, the credential may be technically valid and algorithmically unverifiable at the same time. The agent arrives with credentials it cannot present in a form the local verifier can process. Its authorization is real and locally unreadable.
Logging obligations diverge in ways that create structural conflicts. One jurisdiction may require that decision logs be retained on-device in tamper-evident storage accessible to local regulators. A second jurisdiction may prohibit export of personal data recorded by AI systems operating within its territory, rendering the same log simultaneously required locally and forbidden to transmit. A care AI that logs patient-identifiable information to comply with clinical accountability requirements in regime A may be violating data-protection law the moment it crosses into regime B with that data onboard. The log that was a compliance obligation becomes a liability. The agent cannot satisfy both requirements simultaneously without architectural provisions it was never given.
The hardware attestation chain is equally jurisdiction-bound. Remote attestation relies on a root-of-trust endorsement key provisioned by the device manufacturer and recognized by a verifier operating under a specific trust framework. An attestation quote that is accepted by a verifier in jurisdiction A as proof of the agent's software stack may be worthless to a verifier in jurisdiction B whose trust framework does not include the endorsing root. A hardware security module whose firmware is certified under one scheme carries no presumptive certification status elsewhere. Each time the agent crosses a boundary, the evidence of its trustworthiness must be reassembled from scratch for the local framework — and the mechanisms to do that reassembly do not exist in most deployed systems.
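The two failure modes described above, a root the local framework does not recognize and an algorithm the local verifier cannot process, can be separated before departure. The following is an added example, not from the original essay: a pre-flight check of an agent's evidence bundle against each jurisdiction on a route. The verifier profiles, root names, dates and algorithm assignments are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Evidence:
    kind: str            # "operator_cert" or "attestation_quote"
    root: str            # issuing CA or endorsing root
    algorithm: str       # signature algorithm the evidence is signed with
    not_after: datetime

@dataclass(frozen=True)
class Verifier:
    trusted_roots: frozenset
    algorithms: frozenset

def rejections(ev, verifier, now):
    """Reasons this verifier cannot accept the evidence; empty list means usable."""
    reasons = []
    if now > ev.not_after:
        reasons.append("expired")
    if ev.root not in verifier.trusted_roots:
        reasons.append("root_not_recognized")
    if ev.algorithm not in verifier.algorithms:
        reasons.append("algorithm_unsupported")
    return reasons

def preflight(route, bundle, verifiers, now):
    """Map (jurisdiction, evidence kind) -> reasons, wherever nothing in the bundle is usable."""
    gaps = {}
    for place in route:
        for kind in sorted({ev.kind for ev in bundle}):
            results = [rejections(ev, verifiers[place], now) for ev in bundle if ev.kind == kind]
            if all(results):  # every candidate of this kind has at least one rejection
                gaps[(place, kind)] = sorted({r for res in results for r in res})
    return gaps

# Constructed sample data: names, dates and algorithm choices are illustrative only.
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)
EXPIRY = datetime(2031, 1, 1, tzinfo=timezone.utc)
BUNDLE = [Evidence("operator_cert", "CA-A", "ML-DSA-65", EXPIRY),
          Evidence("attestation_quote", "Maker-Root", "ECDSA-P256", EXPIRY)]
VERIFIERS = {"A": Verifier(frozenset({"CA-A", "Maker-Root"}), frozenset({"ML-DSA-65", "ECDSA-P256"})),
             "B": Verifier(frozenset({"CA-A"}), frozenset({"ECDSA-P256"}))}

def demo():
    return preflight(["A", "B"], BUNDLE, VERIFIERS, NOW)
```

In the constructed data, jurisdiction B recognizes the issuing CA but cannot process the certificate's algorithm, and supports the quote's algorithm but does not recognize its endorsing root, so both kinds of evidence are reported as gaps for B and none for A.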
The care domain makes the stakes clearest. A care AI accompanying a patient through a border crossing, a medical evacuation, or an inter-facility transfer is making continuous care decisions under a mission that spans jurisdictions. If it alerts a clinician, which jurisdiction's incident-reporting obligations apply? If it overrides a prior care protocol based on new sensor data, which jurisdiction's rules govern the validity of that override? If an adverse outcome occurs in transit, which regulatory authority investigates, and which accountability record — formatted for which jurisdiction's requirements — do they review? The care AI's log was not designed to answer these questions simultaneously, because the system designer assumed the agent would stay in one place.
The sovereignty gap is not solved by legal harmonization alone. Harmonization frameworks are slow; physical AI deployment is not. The gap is an architectural problem that must be solved at the system design level before cross-boundary deployment. Agents intended for multi-jurisdiction operation require credential architectures that span recognized trust frameworks — mutual recognition of certificate authorities, or agent identities anchored in internationally recognized frameworks rather than national ones. They require logging architectures that are aware of jurisdictional context: capable of generating jurisdiction-specific record formats, applying jurisdiction-specific retention and access controls, and flagging boundary crossings as events that trigger compliance state changes. And they require hardware roots of trust that are either internationally recognized or capable of producing attestation evidence that multiple frameworks can verify independently.
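An added example, not part of the original essay, of the jurisdiction-aware logging described above and of the retain-locally versus forbidden-to-transmit conflict raised earlier: a hash-chained log in which each boundary crossing is an event, and personal payloads are bound by salted commitments so they can be withheld from an export without breaking chain verification. Regimes A and B, their policies, and all class and field names are constructed assumptions; only the export restriction is modeled.

```python
import hashlib, json, secrets
# Constructed policies for the essay's regimes A and B (not real regulations).
POLICIES = {"A": {"export_personal": True}, "B": {"export_personal": False}}
GENESIS = "0" * 64
CHAINED = ("seq", "jurisdiction", "kind", "public", "personal_commit", "prev")

def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()
class JurisdictionAwareLog:
    def __init__(self, start):
        self.jurisdiction, self.entries = start, []
        self.record("boundary_crossing", {"from": None, "to": start})

    def record(self, kind, public, personal=None):
        # Salt the payload so its commitment cannot be matched by hashing guesses.
        sealed = {"salt": secrets.token_hex(16), "data": personal or {}}
        body = {"seq": len(self.entries), "jurisdiction": self.jurisdiction,
                "kind": kind, "public": public, "personal_commit": digest(sealed),
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        self.entries.append({**body, "hash": digest(body), "personal": sealed})

    def cross(self, to):
        origin, self.jurisdiction = self.jurisdiction, to
        self.record("boundary_crossing", {"from": origin, "to": to})

    def export_for(self, requester):
        # Payloads leave only for the recording regime's own regulator or if it permits export.
        view = []
        for e in self.entries:
            allowed = e["jurisdiction"] == requester or POLICIES[e["jurisdiction"]]["export_personal"]
            view.append({k: v for k, v in e.items() if k != "personal" or allowed})
        return view

def verify_chain(exported):
    prev = GENESIS
    for e in exported:
        if e["prev"] != prev or digest({k: e[k] for k in CHAINED}) != e["hash"]:
            return False
        if "personal" in e and digest(e["personal"]) != e["personal_commit"]:
            return False
        prev = e["hash"]
    return True

def demo():
    log = JurisdictionAwareLog("A")
    log.record("alert", {"severity": "high"}, {"patient_id": "constructed-001"})
    log.cross("B")
    log.record("override", {"protocol": "P2"}, {"patient_id": "constructed-001"})
    return log
```

An investigator in A calling `export_for("A")` receives a chain that still verifies end to end, including the crossing event, while the payload recorded in B is present only in the view exported for B.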
Designing for the most stringent intersection of all anticipated jurisdictions' requirements is a useful starting point and an insufficient answer. The intersection of N divergent regulatory frameworks often produces requirements that are mutually contradictory rather than merely demanding. What the sovereignty gap calls for is not stricter compliance with existing frameworks but a new generation of accountability primitives built to span them — primitives that physical AI deployment at scale will require and that do not yet exist in standardized form.
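Summary: The accountability architecture of every physical AI agent is designed for a single jurisdiction: authorization certificates, logging obligations, and liability rules are all anchored in one legal system. When the agent crosses a jurisdictional boundary (a care robot transferred with a patient, an unmanned aircraft transiting different airspace, a marine autonomy platform entering another state's territorial waters), that architecture begins to fail. Cryptographic credentials may not be mutually recognized across trust frameworks; the same log record can be a compliance requirement in one jurisdiction and a violation of data-protection law in another; the hardware attestation chain is equally jurisdiction-bound, trusted locally but worthless in a neighboring framework. The sovereignty gap is not only a legal problem but an architectural one: it calls for credential systems that span multiple jurisdictional frameworks, jurisdiction-aware logging architectures, and hardware roots of trust that multiple frameworks can verify independently, and these standardized primitives do not yet exist.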