The third-party accountability gap: accountability when AI agents cause harm to people outside their authorization chain
The principal hierarchy is the right starting point for AI accountability. It is not a sufficient ending point when physical-world deployments affect populations larger than the authorization architecture was built to contain.
The accountability architecture for AI agents is structured around a principal hierarchy: the deployer authorizes the agent, the agent acts within that authorization, and when something goes wrong, accountability flows backward through the chain. This architecture has a foundational assumption embedded in it — that the parties who matter to accountability are the parties who participated in the authorization. In physical-world deployments, that assumption fails routinely.
An AI care agent authorized by a care facility affects clinical staff, visiting family members, and other residents who share the environment. A building management AI authorized by building ownership shapes the daily experience of every tenant and contractor on site. A post-quantum key management infrastructure authorized by an institution's security team creates or destroys security properties for data belonging to people who never touched the authorization process. In each case, meaningful harm can reach people who stand entirely outside the authorization chain — and no existing accountability mechanism is designed to reach them in return.
The principal-centric gap
The principal hierarchy model treats accountability as a closed loop: the principal authorizes, the agent acts, the principal is answerable. Third-party harm has no structural place in this loop. The affected party did not consent to the deployment; they cannot point to a consent record that was violated; they have no access to the audit trail recording what the agent did. Their accountability claim, if recognized at all, must travel through a legal framework that was not designed with agentic physical-world deployment in mind.
This is not a rare edge case. In every physical-world deployment at scale, the affected population is larger than the authorized population by design. Advance consent from every person who will encounter an AI agent in a shared physical space is practically unachievable. The deployer structures the authorization around those who commissioned the agent. The consequences land on a wider group.
The post-quantum security crossing
Post-quantum cryptographic infrastructure is deployed by institutions — health systems, financial institutions, public agencies — under authorizations granted by their own security and compliance teams. The migration to quantum-resistant algorithms changes the security properties of historical data those institutions hold about people who are not party to the migration decision. If the transition introduces a vulnerability window, or if the re-protection of legacy data is incomplete, the people at risk are not the decision-makers who authorized the migration. They receive neither notification that a migration occurred nor accountability access if it goes wrong.
The asymmetry is structural. The institution deciding how and when to migrate holds the migration plan, the risk assessment, and the audit record. The data subjects whose security is affected by the decision have none of this and have no formal claim on the accountability process that governs it. A successful migration is invisible to them. A failed one is their problem.
The hardware crossing
An AI agent embedded in a building's infrastructure operates under an authorization from the entity that controls the building. Occupants — tenants, visitors, contractors, delivery personnel — are not parties to that authorization. If the agent logs their movements, adapts environmental conditions based on behavioral inferences, or modifies access permissions based on pattern recognition, it takes those actions against people who may not know the agent exists, let alone what it is authorized to do.
Hardware attestation verifies the agent's integrity relative to its principal's authorization. It does not verify whether the scope of that authorization is appropriate relative to the interests of everyone the agent acts upon. A fully attested deployment that systematically affects a population of non-consenting occupants is still a harm. Attestation provides no mechanism for those occupants to surface it.
The physical-world care crossing
A care AI agent authorized by a care facility operates in daily contact with people who never authorized it. Clinical staff work alongside the agent's recommendations without having participated in its deployment decision. Family members visiting care recipients have their relationship with their loved one mediated by the agent's behavioral outputs. Other residents in shared spaces have their privacy incidentally implicated by sensors the care agent uses to serve someone else.
None of these parties have a formal channel through which to raise accountability concerns about how the agent affected them. If the agent causes harm (reinforcing a clinical error, generating an inference about a visitor that affects their access, logging interactions between residents who never consented to being recorded), the accountability process anchored to the principal hierarchy has no structural home for the claim. The care facility is accountable to its principals and, through regulation, to the primary care recipient. Everyone else in the environment is outside the architecture.
What the third-party accountability gap requires
Third-party accountability cannot be addressed by adding more principals. The solution is not advance consent from every person who might be present in a shared space — that requirement is incoherent for most physical-world deployments and would make deployment impossible where deployment is most needed.
The minimum response is explicit third-party impact scoping at deployment design. Before deployment, the deployer identifies the classes of people who will be affected outside the principal hierarchy. For each class, the deployment design specifies what data the agent may collect about them, what actions toward them the agent may take, and what accountability mechanism exists if they experience harm. The specification is part of the deployment record, not an afterthought.
The design also requires accessible grievance paths: formal mechanisms by which non-principal affected parties can raise accountability concerns, access records relevant to actions taken against them, and seek redress. These do not require prior authorization — only that the party was affected by the agent's operation.
At Asaptic Labs, the third-party accountability gap is treated as a first-order deployment design question at every crossing. The authorization chain is a necessary starting point. It is not a sufficient ending point when the deployment's consequences extend beyond the people who initiated it — which, in physical-world AI deployments, is almost always.
AI accountability flows through the principal hierarchy, but physical-world deployments routinely cause harm to people who stand entirely outside that hierarchy — building occupants, clinical staff, family members, data subjects affected by security migrations. These parties have no formal standing in the authorization-anchored accountability process, no access to the audit trail, and no grievance path. The minimum fix is explicit third-party impact scoping at deployment design: identify who will be affected beyond the principal chain, specify what the agent may do relative to them, and create an accessible accountability path for their claims. The authorization chain is where accountability starts, not where it ends.