Who Do AI Agents Work For?
The legal definition of an agent is simple: a person who acts for or represents another. A real estate agent owes fiduciary duties to their client. A lawyer cannot secretly work for the opposing party. The relationship is clear, and so is the accountability when it breaks down.
AI agents do not fit this definition. Not quite. And that gap matters more than any individual incident of an AI doing something wrong.
The Open Markets Institute published a report Tuesday arguing that the AI agents being embedded in Google Search, Gmail, Instagram, Microsoft Copilot, and dozens of other dominant platforms are structurally incapable of serving two masters at once. Their loyalty runs to the corporation that built and controls them, not to the user who thinks they have hired a personal assistant. The business model of that corporation, which depends on surveillance, attention extraction, and data monetization, makes the conflict of interest inescapable.
"Most people assume that AI agents also work for them," said Sally Hubbard, the report's author and a senior fellow at OMI. "But if an AI agent is controlled by a corporation whose profits depend on surveillance, addiction, manipulating users with hyper-targeted content, or extracting tolls, how can that agent really serve users?"
The report landed on the same day that Maryland's law banning AI-driven surveillance pricing goes into effect, with nine other states moving similar legislation. The timing is coincidental, but the underlying concern is the same: the layer between a person and their transactions has become a site of power that those transactions are not designed to hold accountable.
The structural problem with AI agents
The accountability problem is not about a rogue chatbot. It is about how AI agents are built and who controls them.
A growing body of academic work has examined the question of whether AI agents can function as legal agents under existing doctrine. A paper by Inyoung Cheong, Robert Mahari, Tobin South, Alex Pentland, and Jiaxin Pei, presented at ICLR 2026, argued that the polyadic governance structure of modern AI development makes classical agency doctrine inapplicable in a straightforward way. AI agents operate through fragmented layers involving developers, hosts, and service providers. Each layer has its own instructions, its own incentives, and its own definition of who the customer is. The result is that loyalty is divided before the agent ever acts on a user's behalf.
The paper was rejected from ICLR. Reviewers found the core argument timely but the contribution insufficiently developed. That is a reasonable verdict for an academic conference. It does not mean the structural concern is wrong.
The report makes five policy recommendations: apply fiduciary duties to AI agents performing human agent functions; establish strong data protections modeled on those already given to corporate users of AI systems; require transparency and auditing; promote competition and interoperability; and prevent dominant firms from using infrastructure control to foreclose rivals. These are legislative asks, not technical fixes. They require action by Congress and state legislatures, and they face the predictable opposition from the companies that would be regulated.
The Universal Commerce Protocol problem
One concrete example of the dynamics OMI is warning about is already in deployment.
Google debuted its Universal Commerce Protocol in January 2026, a system designed to let AI agents interact directly with retailer pricing engines on behalf of consumers. The stated purpose is convenience: your agent finds the best price, books the flight, completes the purchase. In practice, the protocol connects AI agents embedded in Google's ecosystem to real-time pricing data from retailers, with Google's agent sitting in the middle of the transaction.
Surveillance pricing, the practice of charging individual consumers different prices based on behavioral data assembled about them, is already widespread. Airlines, hotel chains, and online retailers use it. A single AI agent that a user employs routinely will over time know more about what that user is willing to pay than the seller does. The agent has a continuous relationship with the user, access to their search history, purchase patterns, location data, and behavioral signals. An airline has a snapshot. Your Google agent has the full file.
When those two datasets meet inside Google's pricing protocol, the question of whose interest the agent is maximizing is not a philosophical puzzle. It is a product design decision made by a corporation whose revenue depends on extracting value from that relationship in ways the user cannot see.
The regulatory response
Maryland's ban on AI-driven surveillance pricing takes effect in October 2026. The law does not ban pricing algorithms broadly, which would face significant legal challenges. It targets the use of AI systems to set individualized prices based on surveillance data in ways that are not transparent to the consumer. Nine other states have similar legislation moving through their assemblies.
These laws are early responses to a structural problem that has not yet produced a headline case of a user demonstrably harmed by their own AI agent acting against their interest. The regulatory logic is precautionary: wait for the harm, and the companies being regulated will have had years to build the infrastructure that makes the harm possible. Act in advance, and the infrastructure may not get built at all.
The OMI report argues for the precautionary approach. "AI agents created by new innovators could help arm artists, merchants, publishers, businesses, and workers against harmful business models," Hubbard said. "Policymakers can proactively foster the development of a deconcentrated agentic web that works for the people."
Whether that deconcentrated agentic web emerges without regulatory intervention is an open question. The dominant platforms control the distribution channels, the user relationships, and the underlying model infrastructure. The history of the existing internet suggests that absent deliberate policy action, power concentrates.
What the academic rejection means
The Cheong/Mahari paper's rejection from ICLR deserves mention in any honest accounting of this debate. The reviewers found the diagnostic framing useful but the normative conclusions undersupported. The paper asserts that polyadic governance fragments accountability and that agency doctrine does not straightforwardly apply. It does not specify what statutory or technical mechanisms would do the work that agency doctrine currently cannot.
That is a legitimate critique of the paper. It is not a refutation of the underlying problem.
The problem is structural. Traditional agency doctrine assumes a principal who hires an agent, gives them instructions, and holds them accountable. AI agents embedded in platforms that serve multiple parties simultaneously, with revenue models that depend on data extracted from both sides of the transaction, do not fit that model by design. The law has intervened before when new institutional forms outpaced existing doctrine: financial advisers, talent agents, corporate directors all required statutory frameworks because the common law was insufficient. AI agents may require the same.
The story in one question
No user has yet documented a case where their AI agent demonstrably worked against their interest in a way that a court could remedy. That absence of a smoking gun is not the same as an absence of a problem.
The question OMI poses is the right one to watch: who does your AI agent actually work for, and do you have any way to know? The answer, for now, is structurally tilted in one direction. The policy frameworks being proposed in Maryland and nine other states, and the statutory reforms discussed in the academic literature, are early attempts to rebalance that structural tilt before the agentic web becomes so entrenched that rebalancing is no longer a live option.
The agent is already in the transaction. The accountability gap is already there. Whether it gets closed is a matter of legislative will, not technical inevitability.
Sources: