Code (Alone) Is Not Law
The history of trust in commerce — and why the current moment represents a fundamental break.
The history of trust in commerce is a story of identity progressively detaching from the individual. Each technological advance moved the trust anchor further from the person making the commitment — until, with AI agents, the connection severed entirely.
Understanding this progression is essential to understanding what must be rebuilt.
The Progression
The Signature
The signature was the first technology for binding a person to a commitment. Its authority rested on a social contract: the signer's unique mark — difficult to forge, easy to verify by those who knew the signer — carried the signer's commitment. The trust anchor was the individual's physical body.
For centuries, this worked. The signature's limitations were acceptable because the scope of commerce was local, the parties often knew each other, and disputes could be resolved by communities that knew both signers. A signature on a contract meant something not because the mark itself was unforgeable — it was not — but because the social context surrounding it made forgery risky and detectable.
The signature also embodied something important: the act of commitment. The physical process of signing — pen to paper, in the presence of a counterparty or witness — created a psychological and social moment of binding. The signer understood they were making a commitment. The witness could later testify to it. The document itself was evidence.
The Seal and the Notary
As commerce expanded beyond local communities, the signature alone became insufficient. The seal — a unique impression pressed into wax — added a layer of verification. The notary added institutional witness: a trained professional whose function was to verify identity, confirm intent, and create an official record.
The notary is worth dwelling on, because the function it serves is precisely the function that has been lost and must be rebuilt. A notary does not verify the substance of an agreement. A notary verifies:
- That the parties are who they claim to be
- That they appear to understand what they are signing
- That they are not under obvious duress
- That the act of signing occurred
This is a narrow but critical function. It is the trust boundary — the point where the legal system accepts an assertion about identity and intent. The notary is a credible human institution standing at that boundary.
The Electronic Signature
Electronic signatures shifted the trust anchor from the individual to a platform. A login to DocuSign creates an identity with DocuSign, and DocuSign becomes the witness, the notary, and the custodian. The signer's identity is whatever DocuSign says it is.
This is a meaningful detachment. The individual's commitment is now mediated by a corporate intermediary. But the intermediary is a known legal entity, subject to regulation, with economic incentives to maintain trust. The system holds because the intermediary is accountable.
The trade-off was explicit: in exchange for convenience and scalability, the parties accepted that their identity and their commitment would be mediated by a third party. The alternative — flying to the counterparty's city, sitting across a table, signing in the presence of a notary — was too expensive for most transactions. The platform abstracted away the physical act of commitment and replaced it with a digital process that was faster, cheaper, and good enough.
"Good enough" is the operative phrase. Electronic signatures work because the legal system recognizes them (via the ESIGN Act and UETA in the United States, eIDAS in Europe), the platforms are regulated and auditable, and the parties are — still — humans with identifiable legal personhood.
Public Key Infrastructure
PKI attempted the right fix — cryptographic binding of identity to consent. A certificate authority vouches for a public key's association with a real-world entity. The mathematics are sound. The binding is strong. In theory, PKI solves the identity problem permanently.
It failed for everyday use because the implementation was too complex. Managing certificates, understanding key pairs, handling revocation — these tasks exceeded what ordinary users would tolerate. PKI found its home in TLS/SSL, the invisible infrastructure that secures all digital communication. Every HTTPS connection uses PKI. Almost no human consciously interacts with it.
The lesson: cryptographic identity works, but only when the complexity is hidden from the user. The moment it requires human participation, adoption collapses.
PKI also revealed a deeper problem: the trust anchor shifted from the individual to the certificate authority, and certificate authorities turned out to be fallible institutions. The DigiNotar compromise of 2011 demonstrated that a single weak CA could undermine the entire system. (This failure is examined in detail in The Trust Boundary.)
Blockchain
Blockchain proposed a radical inversion: instead of routing every interaction through a trusted middleman, two parties could transact directly, with the protocol providing the trust. No bank, no notary, no platform — just mathematics and consensus.
Blockchain is extraordinarily good at proving that something happened. A transaction on Ethereum is immutable, timestamped, publicly verifiable, and resistant to tampering by any single party. As a record of events, blockchain is arguably the most reliable system ever built.
But blockchain cannot bridge from cryptographic proof to real-world identity. A wallet address proves control of a private key. It does not prove who holds that key, whether they have authority to act, what entity they represent, or what jurisdiction governs their actions.
| What blockchain proves | What blockchain cannot prove |
|---|---|
| A transaction occurred | Who initiated it |
| A specific key signed it | What entity controls that key |
| The record is immutable | Whether the record reflects reality |
| The sequence is verifiable | Whether the sequence is legally meaningful |
| No intermediary was involved | Whether an intermediary was needed |
This is not a criticism of blockchain. It is a precise description of its scope. Blockchain is infrastructure for trusted records. It was never designed to be infrastructure for trusted relationships.
The distinction matters because the industry has repeatedly conflated the two. A system that can prove that a transaction occurred is not the same as a system that can prove what the transaction meant, who authorized it, or whether it complied with the parties' agreement.
The Category Error
Smart contracts compounded the problem by creating a category error that has distorted the industry's understanding of what is possible and what is needed.
Nick Szabo defined a smart contract as "a computerized transaction protocol that executes the terms of a contract." The operative word is "executes." A vending machine executes a transaction: insert money, receive product. The execution is deterministic, immediate, and complete.
But a transaction is a moment. An agreement is a relationship that extends in time.
Real contracts involve:
- Negotiation — parties bargaining over terms, making concessions, reaching mutual understanding
- Interpretation — determining what ambiguous terms mean in specific circumstances
- Good faith — the obligation to deal honestly beyond the literal terms
- Remedies — structured responses when performance fails
- Evolving circumstances — adaptation when conditions change in ways neither party anticipated
The Romans introduced bona fides — the principle that parties must deal honestly beyond the literal terms of their agreement — over two thousand years ago. It remains a foundational principle of contract law in every major legal system. It exists because the drafters of agreements cannot anticipate every contingency, and rigid literal enforcement produces unjust outcomes.
Consider a simple example. Two parties enter a contract for the delivery of 1,000 units of a product at $10 per unit. A fire destroys the supplier's warehouse, making delivery impossible. Under rigid literal execution, the supplier is in breach — full stop. Under contract law, the doctrine of force majeure or impossibility may excuse performance, require renegotiation, or provide for proportional remedies. The outcome depends on context, intent, and fairness — none of which can be encoded in advance.
Smart contracts have no concept of good faith. They have no mechanism for interpretation. They cannot adapt to changed circumstances. They execute exactly what was coded, regardless of whether that execution serves the purpose the parties intended.
"Code is law" violates fundamental contract law principles. Code can be an extraordinarily reliable execution layer. But execution is not agreement. Agreement requires identity, consent, terms, jurisdiction, and recourse. Code provides none of these.
The DAO hack of 2016 illustrated this perfectly. The smart contract executed exactly as coded — an attacker found a reentrancy vulnerability and drained $60 million. The code was the law, and the law said the attacker could take the money. The Ethereum community's response — a hard fork to reverse the transaction — was an explicit acknowledgment that code alone is not a sufficient basis for governance. When the outcome was unjust, the community appealed to principles outside the code.
This does not mean smart contracts are useless — far from it. As an execution layer, they are unmatched. Deterministic, auditable, tamper-proof execution of agreed-upon logic is genuinely valuable. The error is in treating execution as the whole of contract, when it is only one phase of a much larger process.
The right framing is that smart contracts are the execution layer of a legal system, not a replacement for one. They are extraordinarily good at the "do this" part of an agreement. They need the surrounding infrastructure — identity, terms, jurisdiction, dispute resolution — to handle everything else.
The Severance
Each step in the progression moved the trust anchor further from the individual:
| Era | Trust Anchor | Distance from Individual |
|---|---|---|
| Signature | Physical body | None |
| Seal/Notary | Institutional witness | One intermediary |
| Electronic signature | Platform identity | One intermediary |
| PKI | Certificate authority | Institutional chain |
| Blockchain | Private key | No identity at all |
| AI Agent | Nothing | Complete severance |
AI agents are the first actors with no inherent identity at all. This is not a further detachment along the same spectrum. It is a complete severance.
A human using a blockchain wallet at least has an identity — they simply choose not to reveal it. The wallet is pseudonymous, not anonymous. With sufficient legal process, the human behind a wallet can be identified. Subpoenas can compel exchanges. Blockchain analytics can trace transaction patterns. The identity exists; it is merely obscured.
An AI agent has no such underlying identity to discover. It is software running on infrastructure, potentially spawned on demand, potentially operating across multiple instances simultaneously, potentially discarded after a single transaction. The concept of "the person behind the agent" may involve a chain of delegation so long and so attenuated that tracing it is practically impossible.
The chain might look like this: A human authorizes an organization. The organization deploys a platform. The platform hosts an agent framework. The framework spawns an agent. The agent delegates to a sub-agent. The sub-agent interacts with a counterparty's agent. At each link, the connection to the original human becomes thinner. By the time the sub-agent executes a transaction, the authorizing human may have no awareness that the specific action occurred, no ability to have approved or prevented it, and no practical connection to the outcome.
This is not a hypothetical concern. It is the current state of affairs. Agents operating through the major commerce protocols today carry no verifiable identity, no connection to accountable humans, and no link to any legal jurisdiction.
The Lethal Combination
The combination of these three developments (blockchain, smart contracts, and AI agents) creates something qualitatively different from any previous trust challenge:
Blockchain gave us trusted transactions without knowing who the parties are. The record is perfect. The identity is absent.
Smart contracts gave us execution without the legal substance of agreement. The code runs flawlessly. The contract — in the legal sense — does not exist.
AI agents gave us sophisticated autonomous actors with no identity, no accountability, and no connection to the legal systems that govern everything else. They are the most capable actors ever to enter commerce, and they arrive with the least infrastructure for trust.
Each of these technologies is individually valuable. Blockchain's immutable record-keeping, smart contracts' deterministic execution, and AI agents' autonomous capability are genuine advances. The problem is not any one of them. The problem is that together they create a system where:
- Transactions happen without identifiable parties
- Execution happens without enforceable agreements
- Autonomous actors operate without accountability
- Commerce happens without connection to law
This is not a system with gaps. It is a system where the foundational assumptions of commerce — that parties can be identified, that agreements can be enforced, that disputes can be resolved — have been quietly abandoned.
The abandonment was not deliberate. No one set out to build commerce without identity, agreements, or dispute resolution. Each technology solved a real problem — trustless transactions, deterministic execution, autonomous capability — and the assumption was that someone else would fill in the surrounding infrastructure. No one has.
The result is a growing volume of agent-to-agent transactions that are technically sophisticated and legally meaningless. Value moves. Logic executes. Agents transact. But the transactions exist in a legal vacuum, disconnected from the systems that give economic activity its meaning and its recourse.
Trust in depth is the framework for rebuilding those connections — not by replacing blockchain, smart contracts, or AI agents, but by providing the identity, agreement, and dispute resolution layers that connect them to the legal infrastructure that makes commerce meaningful.