Where Delegation Stops
The Layer 8 — Issue Two: Architected and mandated signatures, and what the protocol layer cannot decide from below.
Five days ago, in Brussels, the second political trilogue on the EU’s Digital Omnibus on AI ended without agreement after roughly twelve hours of negotiation. The Cypriot Council Presidency confirmed that consensus had not been reached. A follow-up trilogue is scheduled for around 13th May. Until and unless the package is formally adopted before 2nd August, the original AI Act timeline applies as written, with the high-risk obligations under Annex III becoming enforceable on that date. Compliance teams across Europe and the jurisdictions whose products serve European users are re-planning their roadmaps this week.
The same twenty-four hours produced three other events.
Google donated the Agent Payments Protocol to the FIDO Alliance and shipped its second version on the open-source repository.
The FIDO Alliance announced the formation of an Agentic Authentication Technical Working Group, with co-chairs from CVS Health, Google, and OpenAI, vice-chairs from Amazon, Google, and Okta, and three workstreams covering verifiable user instructions, agent authentication, and trusted delegation for commerce.
OpenAI joined the FIDO board. Three news items spanning policy, protocol governance, and institutional alignment, all on a single calendar day, all converging on the same operational question.
What does it take to make an agent’s actions on behalf of an institution legible, auditable, and bindable?
This is where delegation stops. Not at capability — but at authority.
One commenter on the Brussels failure, José Luis Tudela of the consultancy ANTROPOLOGIC, captured a critique that has been circulating in protocol-layer circles for months. The EU AI Act, he argued, is regulating a fiction, because it assumes systems can be bounded, understood, and overseen by a human at the point of decision. Agentic systems break that assumption completely. They do not wait for oversight. They construct reality, shape decisions, and act across time, tools, and environments. The framing surfaced in only one outlet, but the underlying argument is being made more rigorously elsewhere. Karl McGuinness, the former Chief Product Architect at Okta, has been writing the parallel argument since February under the title Identity as Infrastructure. His through-line: authentication is mature, authorization is mature, delegation is partially addressed, and authority — purpose-bound, lifecycle-aware, independently revocable — has no widely adopted equivalent in current enterprise security stacks. Tudela frames the gap as a regulatory critique. McGuinness frames it as a protocol-layer architectural absence. They are observing the same hole from different altitudes.
This issue makes the institutional argument that sits above both of theirs.
The signature surface introduced in the last issue, Signed Truth, is not a regulatory artifact and it is not a protocol artifact. It is an organisational artifact: the boundary at which a decision becomes something the institution can be held to. The question follows directly from Issue One. If the signature surface is the missing layer, where does that surface stop? Which signatures can be redesigned, accelerated, parallelised, instrumented? Which ones cannot, regardless of how the system is built?
Where does delegation actually stop?
The reframe that drives the rest of this issue is one the previous five chapters of this arc [1, 2, 3, 4, 5] have been pointing at without naming. The shift in enterprise AI is not from one model generation to the next. It is from model to infrastructure. Models are objects you query. Agents are actors that exercise authority over time. Models provide intelligence at a moment. Agents provide presence over an arc. When AI becomes infrastructure, the governance question shifts from product quality to systemic stability.
The arc’s working hypothesis has been validated in the ten months since. Memory has emerged as the binding constraint on enterprise AI rather than reasoning capacity. Modular cognition has shipped under a dozen names. The role of the context engineer has gone from speculative to job-listing standard. Quality assurance has been recognised as the load-bearing discipline for reliability rather than an afterthought.
What was speculative analysis a year ago is now industry doctrine.
That progression is what makes the signature surface argument legible. The architectural shifts have happened, the protocol layer has consolidated under FIDO and the Linux Foundation’s Agentic AI Foundation, and the institutional question is now exposed without intervening confusion. The Layer 8 publishes from inside that arc, not as a forecast of the next bottleneck but as a description of where the bottleneck has already moved.
In Signed Truth, I argued that organisations cannot absorb decisions at the speed agents produce them, and that the missing layer is the signature surface. The diagnosis was structural. Capability outran legibility. The protocol layer is busy and well-funded. The architecture between agent execution and institutional authority is the part nobody is building.
This issue narrows that diagnosis.
The system breaks because it treats all signatures as equivalent. They are not. Some can be moved. Some cannot.
A signature is not approval. It is the binding of authority to consequence.
The signature surface admits a fundamental distinction, and the distinction determines what the trilogy’s architecture can do and what it cannot. I will call them architected signatures and mandated signatures.
An architected signature is one the architect designed. A mandated signature is one the architect inherited.
Architected signatures exist because the system was designed to require them. Code review before merge to production. Change-control approval before deployment to a regulated environment. Two-person rule on a wire transfer above a threshold. Peer sign-off on a clinical recommendation before patient communication. Architected signatures are the engineer’s domain. They can be made faster, more parallel, more granular, more automated, more instrumented. The signature surface in Issue One is, at first reading, the architecture of architected signatures: the harness, the case file, the reliability floor, the audit trail, applied to whichever signatures the operator has chosen to require.
Mandated signatures are something different. They exist because the institution operates inside a constraint the institution did not impose on itself. They are required by an external authority, a regulator, a standards body, a contractual obligation, a fiduciary duty, and the institution cannot architect them away by reorganising the workflow. PCI-DSS attestation by a Qualified Security Assessor at a payment integration boundary. Strong Customer Authentication under PSD2 for European card transactions in scope. Tokenisation under the Reserve Bank of India’s Card-on-File regulation. CFO certification under Sarbanes-Oxley for the financial statements of a US-listed company. Final pharmaceutical batch release under good manufacturing practice. Audit committee sign-off on annual accounts. Strict liability declarations under data protection law. None of these are choices the architect makes.
The architect controls the workflow. The architect does not control the institutional clock.
This is the structural reason agentic systems collide with regulation. Most agent architectures, including the ones currently shipping, reason at the architected-signature layer. They can speed up code review. They can parallelise change control. They can put a richer case file in front of an approver. What they cannot do, no matter how cleanly they are built, is make a CFO certify earnings the agent calculated without the CFO actually understanding the calculation. They cannot make a Qualified Security Assessor attest to a payment-card environment they have not personally walked through. They cannot make a regulator inspect what the regulator has not been shown.
You cannot architect your way out of a mandate.
There is a failure mode that arrives once an institution starts treating mandated signatures as architectural ones. The agent assembles the case file. The signer reads the agent’s summary. The signer applies their authority to the agent’s recommendation. The artifact looks valid. The audit trail looks complete. The regulator inspects and finds the form intact.
A mandated signature on an opaque case file is not an exercise of authority. It is the simulation of authority by a machine wearing a human face for the regulator.
This is sovereignty leakage, and it is the failure mode the signature surface is designed to prevent. The architecture has to make the signer’s authority real, not its trace.
The architectural problem of mandated signatures is a matryoshka problem. You can design the outer doll. This is the architected layer, and you control its dimensions. The next doll inside it is closed to you. You can know what shape it has from the outside, you can plan around it, you can argue with the entity that controls it, but you cannot open it from where you are standing.
Opening the outer doll feels like sovereignty. The next doll is still closed.
The signature surface in Issue One was the outer doll. A serious institutional reading of it has to acknowledge that the dolls inside are not architectural choices.
I spent two days last week at a workshop in Goa organised by Digital Futures Lab and Careful Industries with Lloyd’s Register Foundation, on pathways for safer AI. Discussions were under Chatham House rules, so I will not share specifics from the room. What I can say is that the institutional question this trilogy raises is very much present in the conversation among the people who will have to operationalise these systems in regulated, multilingual, public-interest contexts.
This is also the reason the protocol-layer work happening at FIDO, the IETF, and the Linux Foundation’s Agentic AI Foundation is necessary but not sufficient. Google’s Agent Payments Protocol, donated to FIDO on 28th April, supplies three mandate types — Intent, Cart, Payment — that establish a cryptographic vocabulary for representing the transition from instruction to authorisation to execution in commerce. Mastercard and Google’s Verifiable Intent, open-sourced on 5th March, layers an SD-JWT credential chain on top, binding identity to constraint to fulfilment with selective disclosure across three layers. Visa’s Trusted Agent Protocol provides an HTTP Message Signatures scheme, built on RFC 9421, that lets a merchant cryptographically verify the agent at the wire layer. Dick Hardt’s AAuth, in IETF draft, proposes a four-mode access architecture with the Person Server as the institutional authority artifact and Mission as a scoped authorisation context. AGENTS.md, contributed by OpenAI to the AAIF in December, supplies the repo-native instruction surface. DESIGN.md, open-sourced by Google Labs and Stitch on 21st April under Apache 2.0, supplies the equivalent for visual constraints.
These specifications, taken together, establish that the protocol layer can name and enforce who is acting on whose behalf, what they are authorised to do, what visual and behavioural constraints they must honour, and how their actions can be later audited.
The protocol layer can name authority. It cannot grant it. Cryptography solves who. Authority solves whether.
McGuinness has been making this point for two months. In Agents Don’t Need Your Passport. They Need Your Authority, published on 21st February, he separates four concerns that enterprise IAM has historically conflated. Identity asks who the actor is at a boundary. Access asks whether a request may proceed at a specific point. Delegation asks what an actor may do on behalf of another. Authority asks whether the execution should still be running at all. The first three are well-served by current standards. The fourth, McGuinness argues, has no widely adopted equivalent.
The vignette he opens with is the protocol-layer rendering of exactly the failure mode this issue is about. The CFO’s research agent is still running at 2:05 PM, pulling pre-IPO financials, on a mandate that expired when the board approved the presentation at 2:00 PM.
Every IAM control shows green. The breach is structurally invisible.
He calls it ghost execution.
The institutional rendering of the same failure is what mandated signatures are designed to prevent. The CFO’s authority to bind the institution to a financial position has not been delegated to the agent. The agent’s mandate was to assist the CFO in reaching a decision the CFO would sign. When the agent acts after the CFO’s authority has expired, the agent is doing a structurally different thing. It is producing institutional commitments without an active institutional authoriser. At the protocol layer, this is a runtime governance problem. At the institutional layer, it is a signature surface problem. McGuinness proposes the Execution Mandate as the protocol-layer artifact that closes the gap: a signed, inspectable, independently revocable record that runtime systems can evaluate and revoke throughout execution.
The Execution Mandate is what institutional authority looks like cryptographically. The signature surface is what the same authority looks like organisationally.
They are the same architectural object at adjacent altitudes.
Mandated signatures do not exist at one level. They appear across four distinct layers.
They differ in character, they fail differently, and they each impose distinct constraints on what the signature surface can do.
The first is the legal layer. These are signatures required by law or regulation, with statutory or contractual consequences for absence or violation. The examples I have lived with most directly are payments and lending regulation. PCI-DSS requires a Qualified Security Assessor’s report on compliance for any merchant processing cards above certain volumes, and that signature is mandated, not architected, and it cannot be replaced by an automated scan however thorough. PSD2’s Strong Customer Authentication requires multi-factor verification at the cardholder boundary for European card transactions, with regulatory tolerance for failure measured in basis points. The Reserve Bank of India’s Card-on-File tokenisation rules require tokenised storage at the merchant rather than primary account number storage, with mandatory verification of the tokeniser’s compliance posture before merchant integration. Beyond payments, Sarbanes-Oxley requires the Chief Executive Officer and Chief Financial Officer of a US-listed company to certify quarterly and annual financial statements, with personal civil and criminal liability for false certification. The General Data Protection Regulation’s Article 22 grants individuals the right not to be subject to a decision based solely on automated processing where the decision produces legal effects or similarly significant impact.
Mandated signatures at the legal layer are the mechanical joints where the rule of law anchors into the flow of machine execution. They are jurisdictional anchors. The signature surface here produces the case file the QSA reviews, the audit trail the regulator inspects, the evidence package the CFO certifies against.
The second is the reliability layer. Some signatures exist because the system fails dangerously without them. Pharmaceutical manufacturing requires the Qualified Person’s release signature on each batch. Aviation requires sign-off on the Minimum Equipment List before dispatch. A clinical pathway requires a qualified clinician’s countersignature before a non-trivial pharmaceutical intervention. These signatures are not legal in the strict sense, although a regulator may verify their presence. They are reliability signatures, where the institution has determined that the human reading the case file is itself the safety mechanism.
A faster signature is, against reliability mandates, a less safe signature. For some decisions, the human latency is the feature.
The third is the institutional authority layer. Some signatures matter not because they are legally required but because they are how the institution publicly announces what it can be held to. A board resolution authorising a major capital commitment. A press statement under the institutional name. The closing of an acquisition or divestiture. A regulator-facing letter from a Senior Management Function holder. A statement of quality from a named scientist on a peer-reviewed publication. The institution’s standing in its environment depends on these signatures being identifiable, named, and held.
Speed is an architected virtue. Authority is an institutional one.
A faster surface that obscures who actually signed is institutionally weaker than a slower surface that names the signer unambiguously, even if both meet the strict legal requirements. McGuinness’s power-of-attorney framing is the cleanest legal analogue. The institution grants a specific person, in a specific role, the specific authority to bind in a specific domain, for a specific duration, with revocability built in. That last property is the one most often forgotten.
Authority is not a permanent state. It is a time-bound lease.
The signature surface has to recognise that as environmental conditions shift — and in agentic systems, conditions shift continuously — institutional authority must autonomously decay rather than persist by default. Anything looser than this is delegation drift.
The fourth is the forensic bridge layer. Some signatures exist not for the moment of decision but for the moment after something goes wrong. Auditor sign-offs that are inspected only when there is an investigation. Independent director attestations consulted in the run-up to litigation. Breach disclosure officer signatures examined by regulators in enforcement actions. Internal compliance certifications that surface in the discovery phase of legal proceedings. These signatures are forensic because they create the institutional artifact that bridges from the moment of action to the moment of reckoning, often years later. The signature surface here has to be designed for a reader who does not exist yet, who will be hostile, and who will be looking for a specific kind of failure. Per-row attribution at the audit-trail layer is the technical instantiation of forensic-bridge thinking — every record affected by an agent’s action carrying agent identity, mandate identifier, timestamp, and human approver chain.
The audit trail is not for the institution. It is for whoever the institution will eventually have to answer to.
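The ghost-execution vignette (a mandate that lapsed at 2:00 PM, an agent still reading at 2:05 PM) and the per-row attribution described above can be made concrete in one sketch. This is an added example, not code from McGuinness, FIDO or any of the named specifications: the field names, the HMAC standing in for an issuer signature, the in-memory revocation set and the hash-chained rows are all assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

ISSUER_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for an issuer signature
GENESIS = "0" * 64


def _canon(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(claims):
    return hmac.new(ISSUER_KEY, _canon(claims), hashlib.sha256).hexdigest()


def sign_mandate(claims):
    """Issue a mandate: the claims plus a MAC over their canonical form."""
    return {"claims": claims, "sig": _mac(claims)}


class Runtime:
    """Re-evaluates the mandate on every action instead of once at launch."""

    def __init__(self):
        self.revoked = set()  # mandate ids withdrawn independently of expiry
        self.audit = []       # one attributed row per attempted action

    def check(self, mandate, agent_id, action, now):
        c = mandate["claims"]
        if not hmac.compare_digest(_mac(c), mandate["sig"]):
            return "bad_signature"
        if c["agent_id"] != agent_id:
            return "wrong_agent"
        if c["mandate_id"] in self.revoked:
            return "revoked"
        if now >= datetime.fromisoformat(c["expires_at"]):
            return "expired"  # authority is a lease: it lapses without anyone acting
        if action not in c["actions"]:
            return "out_of_scope"
        return "ok"

    def act(self, mandate, agent_id, action, record_id, now):
        """Gate one action and write the row a later investigator will read."""
        verdict = self.check(mandate, agent_id, action, now)
        c = mandate["claims"]
        row = {"record_id": record_id, "action": action, "agent_id": agent_id,
               "mandate_id": c.get("mandate_id"), "approvers": c.get("approvers"),
               "timestamp": now.isoformat(), "verdict": verdict,
               "prev": self.audit[-1]["row_hash"] if self.audit else GENESIS}
        row["row_hash"] = hashlib.sha256(_canon(row)).hexdigest()
        self.audit.append(row)
        return verdict == "ok"


def verify_chain(audit):
    """True only if every row still matches its hash and links to the row before it."""
    prev = GENESIS
    for row in audit:
        body = {k: v for k, v in row.items() if k != "row_hash"}
        if row["prev"] != prev or hashlib.sha256(_canon(body)).hexdigest() != row["row_hash"]:
            return False
        prev = row["row_hash"]
    return True


def demo():
    # Constructed data: the date, ids and approver name are illustrative only.
    at = lambda h, m: datetime(2026, 1, 15, h, m, tzinfo=timezone.utc)
    mandate = sign_mandate({"mandate_id": "m-001", "agent_id": "research-agent",
                            "actions": ["read_financials"], "approvers": ["cfo"],
                            "expires_at": at(14, 0).isoformat()})
    rt = Runtime()
    results = [rt.act(mandate, "research-agent", "read_financials", "doc-17", at(13, 55)),
               rt.act(mandate, "research-agent", "read_financials", "doc-18", at(14, 5))]
    return rt, mandate, results


if __name__ == "__main__":
    rt, _, results = demo()
    print(results, [r["verdict"] for r in rt.audit], verify_chain(rt.audit))
```

The denied 14:05 attempt is logged with the same attribution as the permitted one, so the trail records what the agent tried after its authority lapsed as well as what it did.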
These four layers do not commute. They are not different views of the same signature. They are different signatures with different relations to the institutional clock and the regulatory environment. A robust signature surface has to recognise all four and produce different artifacts for each. A legal signature wants the case file to demonstrate compliance with a published rule. A reliability signature wants the case file to make the failure mode visible to a domain-trained reader. An institutional authority signature wants the case file to name the signer unambiguously and bind their role in the organisation. A forensic-bridge signature wants the case file to be discoverable, indexable, and intact decades later.
This is where the late-April events come into focus. The Brussels trilogue, the AP2 donation to FIDO, the Agentic Authentication Technical Working Group formation, OpenAI joining the FIDO board. These are all moves at the protocol layer. They aim at the wire-layer questions of how an agent’s actions on behalf of a user are cryptographically attested, how those actions are bounded by user-signed constraints, how the chain of authority is established and verified. They are not, individually or collectively, decisions about whether the institution agrees to be bound.
A faster protocol layer does not by itself reduce institutional risk.
Consider what is happening at FIDO specifically. The Agentic Authentication Technical Working Group, as announced, has three workstreams: Verifiable User Instructions, Agent Authentication, and Trusted Delegation for Commerce. Each workstream is consequential. None is upstream of the question of which signatures the institution actually requires for what kinds of decisions. AP2’s Intent Mandate cryptographically commits the user to the constraint. Verifiable Intent’s Layer 2 cryptographically binds the constraint to a specific agent. The agent’s Layer 3 fulfilment proves the action stayed inside the constraint. All three are now in motion under FIDO.
None of them tells a CFO whether the institution can certify the resulting financial position.
That decision is upstream of all the cryptography. It is mandated, not architected.
The same applies to the Omnibus question. Whether the high-risk deadline holds at 2nd August or shifts to 2nd December 2027 changes the timing of compliance obligations. It does not change the structure of the obligations. The AI Act requires risk-management systems, technical documentation, automated logging, transparency to deployers, human oversight, accuracy and robustness, and post-market monitoring for high-risk systems. Each is a mandated obligation. The signature surface against the AI Act has to produce the artifacts the regulator will inspect.
It does not get to decide what the regulator inspects.
I am writing this on 3rd May. The Brussels trilogue resumes on 13th May. The August deadline is ninety days away if the original timeline holds, longer if it shifts, but the institutional question does not move with either date. The signature surface is the artifact you point a regulator at, the artifact a CFO certifies against, the artifact a Qualified Security Assessor inspects, the artifact a forensic auditor follows when something goes wrong.
In Issue Three, I will describe how the signature surface is actually built. The harness that bounds agent execution. The case file that packages decisions for signature. The reliability floor that prevents the surface from being a fiction in production. The audit trail that travels with the institution into its future answerability. Each component composes with the others. Each component has to handle architected and mandated signatures differently.
The trilogy does not propose a new standard. It does not propose a new protocol.
It describes the architecture of the layer the protocol-layer work is reaching for from below.
The protocol layer has names for almost everything in that architecture now. AP2 for the mandate vocabulary in commerce. Verifiable Intent for the credential chain. Trusted Agent Protocol for the wire-layer verification. AAuth for the per-instance identity and the Mission abstraction. AGENTS.md for the repo-native behavioural constraint surface. DESIGN.md for the visual constraint surface that emerged at Stitch ten days ago. Each is a piece of the same architecture, expressed at the wire layer or the repository layer, with vendor-neutral governance under the AAIF, FIDO, and the IETF taking shape in real time. The institutional layer above them has fewer names because fewer people are building it.
That is the layer this trilogy is about.
The question worth taking forward, if you have read this far, is the one that distinguishes architected signatures from mandated ones in your own environment.
Where does delegation stop in your organisation? And at that boundary, who can still say no?
The institution either has a signature surface or it does not.
Issue Three describes how to build one.
Anivar Aravind is an Engineering Executive and System Thinker. The Layer 8 is a professional newsletter on the power, incentive, and governance layer of digital infrastructure. His structural framework on corrigibility is at anivar.net/corrigibility. Async. Cross-posted to LinkedIn. You can subscribe on Substack or LinkedIn.



