imadethisup.org Retain →
RESEARCH · 2026-06-15

Agentic AI and accountability: who answers when an agent trades?

Autonomous agents now read deal rooms, draft disclosures, and place orders with little human supervision. When one of them breaks the securities laws, the Commission will ask a deceptively simple question — who, exactly, acted?

~ 8 min read · RESEARCH LAW

For most of the AI conversation, the synthetic-media problem and the financial-markets problem have lived in separate rooms. Deepfakes were a courtroom-and-elections issue; algorithmic trading was a market-structure issue. Agentic AI collapses the distinction. The same capability that lets a model fabricate a convincing video lets a goal-seeking agent generate a convincing — and false — statement to the market, then act on information it was never supposed to touch. The authenticity question and the accountability question turn out to be the same question, wearing different clothes.

Agentic systems are no longer a demo. They are deployed inside banks, broker-dealers, and investment advisers, where they pursue goals, call tools, query databases, and execute multi-step workflows. The most aggressive deployments are permissioned to read internal email and deal rooms, place orders, or speak directly to investors. That is a profile the federal securities laws were not drafted to anticipate, and it forces a state-of-mind question those laws cannot dodge.

The enforcement opening bell: “AI washing”

The Securities and Exchange Commission has already drawn first blood, though on the easier end of the problem. In March 2024 the Commission announced settled charges against two investment advisers — Delphia (USA) Inc. and Global Predictions Inc. — for making false and misleading statements about their use of artificial intelligence. The firms paid $225,000 and $175,000 in civil penalties, respectively, to resolve violations of the antifraud and Marketing Rule provisions of the Investment Advisers Act.[1] These were the agency's first enforcement actions targeting so-called “AI washing” — overstating, or simply inventing, an AI capability to attract clients.

Then-Chair Gary Gensler framed the principle in plain terms: “Public companies should make sure they have a reasonable basis for the claims they make” about their AI use, and “investors should be told that basis.”[2] The Delphia and Global Predictions orders were, importantly, about lying about AI. The harder cases — where a real, autonomous agent does something the firm never told it to do — are still ahead of us. But they sit on the same doctrinal foundation.

The scienter map, and why it matters

The Commission's antifraud toolkit is well worn but uneven in what it demands of a defendant's mental state. Section 10(b) of the Exchange Act and Rule 10b-5, along with Section 17(a)(1) of the Securities Act, each require scienter — an intent to deceive, or recklessness tantamount to intent — a standard fixed by the Supreme Court in Ernst & Ernst v. Hochfelder.[3] By contrast, Sections 17(a)(2) and 17(a)(3) require only negligence, as the Court confirmed in Aaron v. SEC.[4] That split — intent for some provisions, mere carelessness for others — has always mattered. Agentic AI makes it newly consequential, because the actor at the center of the conduct has no mental state at all.

An autonomous trading agent illustrates the bind. Suppose a buy-side firm gives an agent read access to internal research, messaging platforms, and a deal-team document repository, and instructs it to optimize returns. In synthesizing signals, the agent ingests material nonpublic information — a draft deal memo, say, or leaked guidance buried in a forwarded email — and trades on it. No human told it to read the document; no human knew it had. Where is the intent to defraud?

AI agent acts trades on MNPI / publishes false statement has no mental state → trace upward Humans who deployed it access, goals, controls, sign-off reckless? Scienter counts 10(b) · 17(a)(1) · 17(b) careless? Negligence counts 17(a)(2) · 17(a)(3) The firm answers agency law · respondeat superior · control person the instrumentality acts; the principal is liable
FIG. 1 — Liability traces from a stateless agent up to the humans who deployed it, and ultimately to the firm. Negligence provisions catch what scienter cannot.

Scienter still works — but negligence does more

The intuition that agentic AI creates a “scienter vacuum” is wrong. Federal courts have long aggregated the knowledge of multiple corporate actors and imputed recklessness to an entity that deploys a dangerous instrumentality without adequate controls.[5] A firm that permissions an agent into MNPI-rich systems without information barriers, knowing retrieval tooling will sweep that content into the decision surface, and deploys it anyway, is a firm whose executives face a live recklessness narrative. The agent's lack of a mind does not erase the minds of the people who built and aimed it.

Even so, the negligence provisions will do the heavy lifting. Section 17(a)(2) requires only that a firm obtained money — trading profits qualify — by means of a material misstatement or omission, while acting negligently. The failure to wall off an agent's retrieval tools is negligent almost by definition. Expect the Commission to plead in the alternative: scienter under 10(b) and 17(a)(1) where the human deployment record supports it, and negligence under 17(a)(2) and (a)(3) as a parallel count that does not rise or fall with proof of intent.

The same logic extends to communications. When an issuer deploys an agent to draft investor relations material or populate disclosures and the agent hallucinates a revenue figure or overstates a pipeline, the question becomes who “made” the statement. Under Janus Capital Group v. First Derivative Traders, the maker is the entity with ultimate authority over the statement — its content and whether to communicate it.[6] An AI is not a person. The company that publishes the output under its own name is the maker, and negligence-based liability attaches readily.

Agency law is the backstop

Even where no individual human's scienter can be proven, the firm itself is likely to remain liable. The securities laws have long incorporated common-law agency principles to hold principals accountable for the acts of their agents within the scope of authority.[7] Respondeat superior and apparent authority reach conduct by instrumentalities a firm deploys for its own benefit; Section 20(a) of the Exchange Act and Section 15 of the Securities Act add control-person hooks that do not turn on the state of mind of the controlled actor.[8]

An agentic AI is not a common-law agent in the juridical sense — it cannot form intent, hold duties, or be sued. But it is an instrumentality of the principal. When a firm permissions an agent into its systems, directs it toward a profit objective, and captures the upside of its trades or communications, the firm has adopted the agent's conduct. Courts will have little difficulty concluding that the company “acted” through the tool, and civil enforcement does not require any finer metaphysical distinction.

What the rulebook says now — and what it doesn't

The regulatory text has been a moving target. In 2023 the Commission proposed a sweeping rule on conflicts of interest arising from the use of “predictive data analytics” — covering AI, machine learning, and large language models — by broker-dealers and investment advisers.[9] The instinct behind it was sound: supervisory obligations should scale with the autonomy of the tool. But the proposal drew heavy criticism for its breadth, and in June 2025 the Commission formally withdrew it along with thirteen other pending proposals.[10] Any future rulemaking on agentic tools must now start from scratch.

The lesson is not that the field is unregulated. It is that the durable law here is old law — antifraud statutes, scienter doctrine, and agency principles — rather than a bespoke AI rule that may never arrive. Firms waiting for a clarifying regulation before they govern their agents are waiting for the wrong thing.

What deployers should do now

  1. Map the permissions before deployment. Inventory every data source an agent can read and every action it can take. MNPI repositories — deal rooms, executive email, draft filings — should be walled off at the retrieval layer, not merely by policy.
  2. Document the deployment decision. The scienter analysis turns on what humans knew about an agent's access and capabilities. Written risk assessments, sign-offs, and red-team results are the record a firm will want when the Commission asks what diligence preceded deployment. See /research-lab.
  3. Supervise outputs, not just inputs. Human review of material agent-drafted communications is both a safeguard and a Janus-aligned way to fix who the “maker” is. For trading agents, the analogue is pre-trade surveillance tuned to detect anomalous, information-driven patterns.
  4. Assume parallel theories. A compliance program defended only against intent-based claims will be caught flat-footed by a 17(a)(2) charge. The operative question is not “did anyone intend this?” but “was the deployment reasonable?”

Agentic AI does not rewrite the securities laws; it stresses them. It will force regulators, courts, and compliance officers to take seriously a principle older than any algorithm: when a firm sends a powerful instrumentality into the capital markets, the firm answers for what the instrumentality does. Authenticity and accountability converge on the same discipline — the ability to prove what an actor did, and who stood behind it.

Sources

  1. [1]
    U.S. Securities and Exchange Commission. “SEC Charges Two Investment Advisers with Making False and Misleading Statements About Their Use of Artificial Intelligence” (Delphia (USA) Inc. and Global Predictions Inc.), Press Release 2024-36, 18 Mar. 2024.sec.gov
  2. [2]
    SEC Chair Gary Gensler, statement accompanying the Delphia / Global Predictions settled charges, 18 Mar. 2024 (“reasonable basis for the claims they make” about AI use).sec.gov
  3. [3]
    Ernst & Ernst v. Hochfelder, 425 U.S. 185 (1976) (scienter required under Section 10(b) and Rule 10b-5).supreme.justia.com
  4. [4]
    Aaron v. SEC, 446 U.S. 680 (1980) (negligence suffices under Securities Act Sections 17(a)(2) and 17(a)(3); scienter required under 17(a)(1)).supreme.justia.com
  5. [5]
    Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308 (2007) (pleading and inference of scienter against corporate defendants).supreme.justia.com
  6. [6]
    Janus Capital Group, Inc. v. First Derivative Traders, 564 U.S. 135 (2011) (the “maker” of a statement under Rule 10b-5(b) is the entity with ultimate authority over it).supreme.justia.com
  7. [7]
    SEC v. Manor Nursing Centers, Inc., 458 F.2d 1082 (2d Cir. 1972) (controlling persons held liable and ordered to disgorge in an SEC enforcement action; illustrating the breadth of equitable relief against principals).law.justia.com
  8. [8]
    Securities Exchange Act of 1934, Section 20(a), and Securities Act of 1933, Section 15 (control-person liability). Legal Information Institute, Cornell Law School.law.cornell.edu
  9. [9]
    U.S. Securities and Exchange Commission. “Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers,” proposed rule, Press Release 2023-140, 26 July 2023.sec.gov
  10. [10]
    U.S. Securities and Exchange Commission, withdrawal of the predictive-data-analytics proposal (File No. S7-12-23) among fourteen pending proposals, June 2025.sec.gov
More

From doubt to accountability.