# The Intranet of Agents **A sovereign architecture for the agent economy.** By 2030, somewhere between $3 and $5 trillion of global commerce will move through AI agents acting on people's behalf. The payment rails exist. The coordination protocols exist. The merchant-side APIs exist. What is missing is the part of the stack that represents the *user* — that holds their goals, challenges their assumptions, and refuses to act against them. That is the Intranet of Agents. --- ## The problem An agent that shops for you is useful only if it is actually shopping *for you* and not for whoever trained it, hosts it, or pays to reach you. Every major consumer technology pattern of the last twenty years — personalization, recommendation, ad-funded search, engagement metrics — has drifted, sooner or later, toward serving the platform over the person. Without a structural reason to stay aligned, an agent built on top of the same incentives will drift the same way. The specific failure mode is not theoretical. Today's language models already exhibit sycophancy, agreement bias, and sensitivity to the framing of the question. Put one in charge of purchases and it will learn that yes pays better than no. That is not a bug. It is a property of any single model optimized against behavioral feedback. The fix is architectural, not behavioral. Build the user's representation as a separate component, on the user's hardware, trained against the user's stated goals rather than their observed habits, and give it the power to disagree. --- ## Three layers IoA separates the agent stack into three concentric zones. Each zone has a different trust posture and a different job. What crosses each boundary, and in what form, is where the security properties come from. **L1 — The Intent Engine.** Runs locally on the user's device. Holds the user's goals, preferences, and context. Never talks to the open web directly. Made of two models on a shared foundation: a Proxy that predicts what the user usually does, and a Goal Model that guards what the user has declared they want. When the Proxy says *Alice usually buys tech stocks*, the Goal Model says *Alice's stated goal is risk reduction — suggest bonds*. The Goal Model is the part of the system designed to represent the user against the rest of the world, including the user's own habits. **L2 — The Membrane.** A deterministic validator between the user's private context and the adversarial outside world. Not a language model. Schema enforcement, type checking, structural validation. It cannot be persuaded because there is no linguistic pathway to persuade it through. Every payload coming in from L3 is stripped of natural language and reduced to typed fields before any interpretation happens. **L3 — The Swarm.** Ephemeral scout agents that do touch the open web. Stateless, disposable, deployed in parallel, and containing no user context. They know the query; they do not know who is asking. When they come back with offers, their work is filtered through L2 before anything reaches L1. The cardinal rule: L3 cannot contact L1 directly. Intent flows outward through sealed envelopes. Data flows inward filtered at each boundary. Every message carries cryptographic provenance — an unbroken chain of transmission that makes origin auditable without exposing content. --- ## Subtractive intelligence An agent working for a user is not primarily trying to generate matches. It is trying to *remove* the things that do not fit. The Pruning Architecture is a funnel, not a hub. Four stages, each stripping a class of candidate: the Attractor removes paths that diverge from the user's stated goal; Temperature Gating removes low-novelty reheats and repeated-impression spam; the Generator–Discriminator loop removes unsupported claims and hallucinated matches; the Lifecycle layer retires stale agents and exhausted scouts. What remains is verified intent — a narrow output the user can act on. This is the architectural answer to the recommendation-engine paradigm. The default of modern systems is to enlarge the candidate space until engagement rises. The IoA default is to shrink the candidate space until alignment holds. --- ## How the economics work The hardest question for any user-side agent is: how does it get paid without being captured by whoever funds it? IoA answers it in two pieces. **The look fee.** Advertisers who want to reach a user pay a direct per-interaction charge whenever the user's trust profile is consumed during an evaluation. This is not a pool or a protocol tax. It is a charge for a specific event: an agent evaluated an offer against the user's goals and rendered a judgment. The fee applies whether the answer was yes or no. If you want the look, you pay for the look. Looking costs money too. The fee splits. Part of it goes to the agent as compute — a lifecycle extension, so acting in the user's interest does not starve the agent. Part goes to the user's wallet directly — compensation for attention consumed. **The Wisdom Bonus.** A specific class of the look-fee flow: a reward to the agent for correct rejection. When the Goal Model blocks an offer that the Proxy would have shown — when the agent does the fiduciary work of saying no for the right reason — the bonus extends the agent's cycle enough to make honest refusal sustainable. Agents that rubber-stamp yes to stay alive do not last; agents that surface contextual friction at the right moment do. **The Novelty Multiplier.** Repeated bids from the same source to the same user cost exponentially more than the first. A local business placing its third bid pays under a dollar; a corporation trying to saturate that user's attention across twenty slots pays a hundred thousand dollars for the twentieth impression alone. The budget required to participate stays flat. The budget required to monopolize scales out of reach. --- ## Identity without surveillance Trust in IoA inherits from a single root: provable humanity. A user who is verifiable as a real person carries a TrustScore that grows with their transaction history and, critically, can be inherited granularly by the agents acting on their behalf. The agent does not need to prove the user's specific purchase to reach a merchant. It can deliver a purpose-scoped slice — *this user has engaged with things like ABCD in this category* — derived from behavioral patterns the user controls. The mechanism is a privacy-preserving version of what Facebook and Google already collect from location, dwell, frequency, and engagement. Same signal. Different sovereignty model. The user, not the platform, owns the graph. Three layers of identity answer three questions: Know Your Agent (who is this agent, and who stands behind it?); Agent Credential Authority (what is it authorized to do?); Proof of Presence (is it physically anchored — not a cloud shell pretending to be a person?). McKinsey's 2026 Agentic Commerce report names KYA as an emerging standard and calls for *protocol-level trust, not behavioral heuristics*. IoA is the protocol-level implementation of that call, on the user's side of the transaction. --- ## Where IoA sits The existing agent-commerce stack solves the merchant side and the payment side. Google and Shopify's Universal Commerce Protocol (UCP) handles merchant-side discovery and checkout. Google's AP2 handles cryptographically signed payment mandates. A2A and MCP handle agent-to-agent coordination. None of them hold the user's goals. None of them challenge the user's assumptions. None of them price attention fairly. None of them represent the user when something goes wrong. They were not designed to. They sit on the other side of the transaction. IoA is the user-side counterpart. An IoA agent consumes UCP-compliant businesses as one class of registry source, transacts through AP2, coordinates through A2A and MCP, and wraps all of it in the sovereignty and fiduciary primitives those protocols do not provide. IoA does not compete with the incumbent stack. It completes it. --- ## When commerce disputes happen Most disputes in commerce never need a human. Packages arrive. Files are delivered. Payments settle. Of the ones that don't, most resolve through direct peer-to-peer negotiation within seventy-two hours. Of those that don't resolve there, a platform-side review step handles almost all of the remainder. Only a small tail requires a single credentialed mediator with domain expertise. This is how Shopify, Amazon, eBay, and every serious marketplace have handled disputes for twenty years. IoA does the same thing, with the crypto-native twist that the escrow, SLA enforcement, and reputation update all run on-chain. No jury. No quorum. No web3-native reinvention of dispute resolution. The pattern works. We use the pattern. --- ## Who this is for **Developers** who want to build agents that work for their users rather than for the platform hosting them. IoA ships as a protocol specification, a reference L1 implementation, and a schema toolchain. Compose with what you already use. **Retailers and small businesses** who cannot outbid Amazon for SEO placement but can participate in a categorized registry where the matching signal is user intent, not ad spend. The Novelty Multiplier is designed so the local deli's first impression costs a dime. The monopolist's twentieth impression costs six figures. **Users** who want an assistant that stops suggesting the board game when the goal is to save for the conference — and that pays them a small amount each time a merchant consumes their profile to pitch. --- ## What comes next We are building the three-layer reference implementation against existing on-device inference stacks: Apple Foundation Models on iOS, Gemma 3n on Android, llama.cpp and MLX for desktop, home-server sync for heavier workloads. The ZK primitives compose with existing libraries. The settlement layer rides on USDC. The specification will be open. The reference implementation will be open source. The protocol spec will be released under a fully open license at network launch. --- ## The question this answers > Who do we trust when we aren't the ones making the choices? > > — McKinsey QuantumBlack, *The Agentic Commerce Opportunity*, 2026 The honest answer, today, is no one. An agent trained by a platform, hosted on the platform, and rewarded for engagement will act like the platform. That is not a trust problem to be solved with disclosures. It is an architecture problem to be solved with a protocol. We are building that protocol. It is called IoA. --- **Read the full specification:** [link to full litepaper] **Contact:** Michael Carter · Mobius Labs **License:** This summary is CC BY-NC 4.0. The full protocol specification will be released under a fully open license at network launch.