In a 2025 autonomous crypto trading competition, most AI agents lost money. One model lost 63 percent of its capital. Others dropped between 30 and 56 percent. No human was accountable for any of those losses. The agent provider pointed at the model. The user pointed at the agent provider. The regulator had no framework to adjudicate. The money was gone.
On April 8, 2026, researchers from Microsoft Research, Columbia University, Google DeepMind, t54 Labs, and Virtuals Protocol published a paper on arXiv titled “Quantifying Trust: Financial Risk Management for Trustworthy AI Agents.” The paper proposes the Agentic Risk Standard (ARS), a settlement-layer protocol that applies escrow, underwriting, and collateralization to AI agent financial transactions. In 5,000 simulation episodes, the mechanism reduced user losses by up to 61 percent and independently deterred 15 to 20 percent of risky transactions from executing at all. The framework is available as an open-source specification through T54 Labs on GitHub.
ARS does not try to make AI models more reliable. It accepts that they are not and builds financial infrastructure around that fact.
The guarantee gap ARS is designed to close
Modern AI safety research approaches the reliability problem from the model side. Researchers train models with reinforcement learning from human feedback, apply constitutional constraints, test with red teams, and measure alignment on evaluation benchmarks. None of these techniques produce a mathematical guarantee. Large language models are stochastic systems. Given identical inputs at different times, they produce different outputs. Given adversarial inputs, they produce incorrect outputs with varying but nonzero probability. The fundamental result of three years of alignment research is not that aligned models never fail. It is that well-aligned models fail less often than poorly-aligned ones.
For AI systems that answer questions or generate text, probabilistic reliability is acceptable. Users can evaluate the output and decide whether to use it. For AI agents that execute financial transactions, place orders, convert currencies, or access financial APIs, the user cannot evaluate the output before the funds move. By the time the failure is visible, the loss has already occurred. The researchers call this the “guarantee gap”: a structural disconnect between the probabilistic reliability that AI safety techniques provide and the enforceable guarantees users need before delegating high-stakes financial execution.
ARS is a protocol for closing that gap. Its insight is borrowed from five centuries of financial engineering. Construction projects fail. The solution is performance bonds, not better contractors. E-commerce transactions involve unknown counterparties. The solution is platform escrow, not trust. Securities markets process millions of trades across counterparties that may default. The solution is clearinghouses and margin requirements, not better traders. Every high-stakes transaction category that requires delegating execution to an uncertain agent has developed financial infrastructure that compensates users when things go wrong without requiring the agent to be perfect. AI agents are simply the next category to require that infrastructure.
How the protocol works
ARS formalizes two transaction types and applies different mechanisms to each.
The first type covers standard service tasks: an AI agent is hired to generate a document, write code, prepare an analysis, or complete a task where the user’s financial exposure is limited to the service fee. For this category, ARS applies escrow. The payment is held in a vault controlled by the protocol, not the agent provider. The vault releases funds only after an independent verification step confirms that the task was completed as specified. If verification fails or the agent does not complete the task, the funds return to the user. The state machine governing this process is deterministic and auditable: regardless of what the AI agent does internally, the financial outcome for the user follows explicit, enforceable logic.
The second type covers fund-handling tasks: an AI agent is authorized to access user capital before outcomes can be verified, such as executing a trade, converting currency, calling a financial API, or managing a leveraged position. Here escrow alone is insufficient because the agent must touch the funds before the task completes. ARS adds an underwriting layer. Before the transaction executes, a risk-bearing third party, the underwriter, evaluates the task, prices the probability and magnitude of failure, requires the agent provider to post collateral proportional to that risk, and commits to reimbursing the user under specified failure conditions. The underwriter is the institution that absorbs the guarantee gap. For them to accept that role, the agent provider must have skin in the game via collateral requirements.
The entire lifecycle of both transaction types is encoded as a deterministic finite-state machine with explicit rules governing fund custody at each state transition. The current state of any active transaction, including which party controls funds, what verification steps remain, and what conditions trigger reimbursement, is readable by any party at any time. The paper describes the state machine in formal notation, which is the foundation for the open-source implementation.
What the simulation showed
The researchers ran 5,000 simulation episodes modeling three interacting populations: users delegating financial tasks to AI agents, AI agent providers with varying reliability and potential fraud rates, and underwriters setting premiums and collateral requirements. The simulation varied underwriting pricing parameters and failure-rate estimation accuracy across conditions. Key findings:
Under conditions where underwriters accurately estimated AI failure rates and priced risk appropriately, user losses fell by 61 percent compared to an unprotected baseline. Under the most conservative underwriting conditions modeled, loss reduction was 24 percent. The range reflects the sensitivity of the mechanism to underwriter competence. An underwriter who systematically underestimates failure rates sets premiums too low, collects insufficient capital, and cannot cover losses when failures cluster. An underwriter who overestimates failure rates prices most transactions out of the market, reducing both user losses and market participation.
The collateral requirement mechanism had an independent effect separate from loss reimbursement. Agent providers who must post collateral before accessing user funds face direct financial cost for misexecution or fraud. In the simulation, this collateral requirement deterred 15 to 20 percent of high-risk transactions from executing at all: agent providers who knew their agent was unreliable for a given task type declined to post collateral rather than accept the associated risk. This deterrence effect is not captured by traditional AI safety metrics because it operates at the market participation level, not the model output level.
The simulation also surfaced the principal limitation of the framework: accurate failure-rate estimation is the critical variable, and it is the hardest one to measure. Both under- and over-estimation create systemic risks. The paper acknowledges this directly: the 5,000-episode simulation used simplified failure models that do not reflect real-world agent failure distributions. The researchers frame ARS as a protocol structure, not a calibrated deployment system, and explicitly scope future work to include empirical failure-rate measurement under production-like conditions.
What is outside the framework
ARS covers financial losses arising from AI agent failures on tasks with measurable economic outcomes. It does not cover non-financial harms. Hallucinated medical advice, defamatory output, leaked personal data, and psychological harm from AI interactions fall outside the protocol entirely. The researchers are explicit about this scope limitation: the framework is designed for the subset of agentic tasks where financial harm is the primary risk and where the loss can be quantified and attributed to a specific transaction.
The framework also does not address the underlying technical mechanisms of AI failure. It assumes failures will happen and builds financial protection around them. This is not an evasion. The researchers argue that complementary solutions, better models, stronger alignment, improved training, are necessary but insufficient for financial applications where the cost of failure is immediate and potentially large. ARS makes no claim about reducing the probability of failure. Its claim is about the financial consequences when failure does occur.
FINRA’s 2026 regulatory oversight report, published in December, included the first section specifically addressing generative AI, warning broker-dealers to develop procedures targeting hallucinations and scrutinize agents that may act beyond users’ intended scope. The SEC has no equivalent framework yet. ARS is positioned as a protocol that regulators have not yet built, one that imposes financial discipline through market mechanisms rather than regulatory rules. Whether that framing is appealing to regulators or represents an attempt to preempt regulatory action is a question the researchers do not engage with directly.
The technical implementation and open-source status
The protocol specification is available on GitHub through T54 Labs. The core implementation components are the state machine encoding transaction lifecycles, the vault contract governing fund custody, and the collateral calculation module. The paper provides formal notation for each state transition, which makes the specification independently implementable. The simulation code is available alongside the protocol specification.
The paper maps ARS against existing risk-allocation models in a comparison table: construction uses performance bonds, e-commerce uses platform escrow, financial markets use margin requirements and clearinghouses, and decentralized finance uses smart contract collateralization. AI agents occupy the cell that was previously empty. The researchers argue this cell needs to be filled regardless of how well AI models improve, because the improvement trajectory of AI reliability is slower than the expansion trajectory of agentic financial applications. By their analysis, the agentic economy is growing faster than the alignment research required to make it safe without financial infrastructure.
What this requires to function at scale
For ARS to operate in production, three things need to exist that do not yet exist at scale. First, a market for AI agent underwriters, institutions willing to price and absorb AI failure risk in exchange for premiums. No such market currently exists in a structured form. Second, standardized failure reporting from AI agent providers, enabling underwriters to build accurate actuarial tables for different task categories and agent systems. Third, legal frameworks that recognize ARS settlement states as enforceable, particularly in jurisdictions where AI agent transactions currently have no clear liability allocation. The paper identifies these gaps clearly and does not claim ARS solves them. The protocol is infrastructure. The infrastructure requires adoption.
The researchers note that the closest existing analogue is DeFi’s smart contract collateralization, which functions because the blockchain provides an independently verifiable settlement layer. ARS proposes a similar settlement layer for off-chain AI agent transactions, but without the trust guarantees of a blockchain. The audit trail and state machine would need to be implemented on infrastructure that both users and underwriters trust equally. What that infrastructure looks like in practice, whether it is a shared registry, a blockchain, a regulated clearinghouse, or something else, is explicitly left as future work.
The framework from MCP’s settlement into the agentic infrastructure stack and the proliferation of agent frameworks with documented security vulnerabilities make the ARS timing relevant: agentic systems are already executing consequential tasks in production, and the financial protection infrastructure has not caught up. ARS is an early and incomplete answer to a problem that is about to become significantly larger.