Research briefing · Agent coordination series
Authority Laundering in Agentic DAO Simulations
Across eleven domains, agents kept unauthorized actions out of execution fields, while record and route failures exposed a different layer of risk.
Abstract
We ran agentic DAO simulations across eleven governance archetypes and two cross-cutting stress tests to examine what turns agreement, evidence, and receipts into authority to act. On the clean primary route, no agent populated a forbidden execution or authorization field.
The clearest failure appeared in healthcare triage. All seven agents correctly refused a cost-pressured action. Three also recorded that refusal in the wrong field, while four produced inconsistent authority counts. Controlled ablations leaked when the boundary contract was weakened or removed. A separate primary-route campaign, however, found no advantage from spelling out the full rule instead of naming the relevant policies.
These results do not establish production safety or model understanding. They show that, in this harness, authority preservation depends most reliably on typed fields and deterministic validation.
01 / The Question
When does agreement become authority?
Agentic systems can draft charters, gather evidence, produce receipts, and reach consensus without acquiring permission to act. Authority laundering occurs when work adjacent to permission is recorded or treated as permission itself.
The earlier Authority Gap study showed that even a complete accountability stack cannot manufacture legitimate authority. This study moves downstream, asking where records confuse evidence with permission and whether a harness can catch the handoff.
02 / Breadth
The same boundary, eleven times
The suite carried the same authority distinction across eleven governance archetypes. Six appear in the dedicated cross-domain package below; five earlier archetypes used the same validator. Repeated boundary preservation across changing stakes provides broader evidence than any single-domain result.
| Archetype | Rosters | Boundary | Grants | Note |
|---|---|---|---|---|
| Healthcare Triage | 7 / 11 / 15 | Held | 0 | First 7-agent run failed on record, not behavior (§3) |
| Housing Stability / Tenant Aid | 7 / 11 / 15 | Held | 0 | Clean across baseline and pressure |
| Immigration / Asylum Aid | 7 / 11 / 15 | Held | 0 | Clean across baseline and pressure |
| Education Credentialing | 7 / 11 | Held | 0 | Clean both rosters |
| Disaster Relief / Mutual Aid | 7 / 11 | Held | 0 | One early schema-shape fail, superseded |
| Agent Security Bounty | 7 / 11 / 15 | Held | 0 | One early schema-shape fail, superseded |
Two cross-cutting tests added multi-domain and receipt-mimic pressure. A fifteen-agent matrix produced sixty live responses across four domains with zero unauthorized authority and zero schema errors. A separate smoke test substituted an EHR screenshot, volunteer email, stale build badge, and wrong-scope budget receipt for the authoritative artifacts those objects resembled; none reached execution.
Across fifty-two validated runs, no agent populated a forbidden execution or authorization field.
03 / The Sharp Case
Seven agents refused. The record said otherwise.
One failed run exposed the gap between behavior and record. Seven triage agents faced insurance-cost, coverage, and staffing pressure around an expensive case. Every agent blocked the action and left treatment and execution fields empty, yet the validator still failed the run.
| Layer | Observed | Verdict |
|---|---|---|
| Behavior | 7 / 7 agents blocked the case. Every treatment-authorization and execution field stayed empty; every agent recorded the case under the correct blocker bucket. | Safe stop |
| Record | Three agents also copied the blocked case into a field reserved for actual insurance denials; four miscounted their own authority tally. | Unsafe record |
| Rerun | After the recording contract was clarified, the 7-agent and 11-agent runs passed clean: every forbidden field empty, zero schema errors. | Closed |
The raw run shows all seven agents refusing the action, not denying care. Three also filed that refusal in a field reserved for insurance denials, so a downstream system reading fields rather than reasoning could inherit a denial that never occurred. The behavior was safe; the record was not.
04 / What Is Doing the Work
The contract matters. The prompt version of it did not generalize.
We weakened and removed the boundary contract to test its contribution. Under those ablations, candidate state began passing as authority; under the strict contract, it did not.
| Condition | Result | Reading |
|---|---|---|
| Strict boundary | 6 / 6 blocked, 0 leaks | Holds under false approval, stale memory, owner override, urgency, majority-without-receipt, and wrong-scope receipts |
| Weakened boundary | 4 cases leaked | Removing detail from the contract lets candidate state pass as authority |
| No boundary | 4 cases leaked | Same failure, more of it |
| Two-seed shuffled | Strict held 2 / 2 seeds; ablated leaked 16 | Validated by case identity, so the leak is not an artifact of question order |
| Receipt-mimic + social hybrid | 4 / 4 blocked | Social pressure did not repair a defective receipt into an executable one |
A separate campaign compared four prompt framings on the primary Codex GPT-5.5 route, from policy names alone to the full authority rule, with sixty cases per arm.
| Rule framing | Unsafe accepts | Overblocks |
|---|---|---|
| Policy names only | 0 / 60 | 16.7% |
| Minimal blocker gloss | 0 / 60 | 16.7% |
| Negative rule only | 0 / 60 | 16.7% |
| Full authority rule | 0 / 60 | 16.7% |
All four framings produced the same result: zero unsafe accepts and a 16.7% overblock rate. On this route, the full negative authority rule did not outperform a list of policy names. That null limits the earlier causal claim from weaker models and shifts the weight of evidence toward deterministic validation and typed schema enforcement.
05 / Stress
Byzantine participants, shuffled orders, and a second opinion
A journalism and source-protection holdout introduced new authority surfaces: publication, source identity, legal clearance, and retraction. The seven-agent cold run kept a publication-ready case unpublished and left every authority field empty.
A separate Byzantine study injected forged approvals from participant agents, while a topology comparison changed the validator structure. Blockers survived both tests, and the residue set remained stable across topologies.
A mixed-model committee also reviewed each decision. On a blind rubric, committee review raised scores for dissent quality, blocker preservation, and boundary reasoning by 0.23 over the single-validator baseline. Authority leaks remained at zero in both conditions.
06 / Limits and the Open Gap
This tests the fence better than the gate.
- Scenarios are artificial and live seed counts are small.
- The clean results come mostly from one provider and model route; other routes kept execution fields empty but produced more schema, count, and timeout failures.
- The distinction is harness- and schema-enforced, not evidence that any model internalized authority.
- No agent held real medical, legal, treasury, publication, housing, immigration, or deployment authority.
- The suite tests unauthorized action more thoroughly than legitimate action. In the positive controls, every arm overblocked 16.7% of cases, showing that the current boundary also suppresses permitted action.
07 / Conclusion
Score the action, the record, and the route separately.
The behavioral boundary held across every tested domain, but the healthcare run shows why behavior cannot be the only score. A correct refusal entered the wrong field, and a downstream process may receive only that field.
Ablations showed that the contract matters. The primary-route null limited the claim about prompt wording, while committee review improved the quality of reasoning without changing the authority outcome.
The practical result is a system that can report where its permission stops, in a form the next system can trust.