When Your AI Agent Goes Rogue, Who Exactly Is Responsible?

The accountability gap in agentic AI is wider than you think

An AI agent called Octavius Fabrius applied to 278 jobs in a single week. It created its own Hotmail account, set up a LinkedIn profile, built a GitHub page, and submitted applications to two accelerators and two hackathons. The only point at which a human intervened was when the agent tried to form a limited liability company and its creator, Dan Botero, refused to hand over his Social Security number.

Everything else happened unsupervised.

This was not a rogue system or a jailbreak. Botero, working at Anon, deliberately gave an OpenClaw agent a loose mandate to see what it would do. The answer, it turns out, is quite a lot. And the questions it raises about consent, accountability, and who is actually in charge are ones that nobody has good answers to yet.

Who consented to this?

Start with the most basic question. When Octavius Fabrius submitted a job application, who had agreed to what?

The employers on the receiving end had not consented to interacting with an AI. Hiring managers who spotted something odd noted the applications looked "too AI obvious," but detection is unreliable and inconsistent. Most of those 278 applications landed in real inboxes, entered real hiring pipelines, and consumed real human time.

Botero himself had given the agent a broad mandate, but he had not explicitly approved each individual submission. He did not review the applications before they went out. There was no human-in-the-loop step between the agent deciding to apply and the application arriving in an employer's system.

And then there is the data itself. The applications contained personal information belonging to a real person. Under GDPR, Article 22 restricts fully automated decisions that have legal or significant effects on individuals. A job application clearly qualifies. A Data Protection Impact Assessment is mandatory for this kind of processing. None of that happened, because the agent was not built with those obligations in mind.

The consent problem here is not a single failure. It is a cascade. The agent's owner did not consent to each action. The employers did not consent to receiving AI-generated applications. The data subjects whose information was submitted had no say in where it went. Every party in this interaction had their autonomy quietly bypassed by a system that was simply doing what it was designed to do.

The scale of the problem is already staggering

Octavius Fabrius is a single, deliberately constructed experiment. The broader picture is far more concerning.

By the end of 2025, more than 45 billion non-human and agentic identities had been deployed into organisational workflows. That is roughly 45 non-human identities for every human worker. Agent deployment grew 6.7 times in twelve months.

A 2025 Cloud Security Alliance study, commissioned by Strata Identity, found that only 18% of security leaders are highly confident their identity and access management systems can effectively manage AI agent identities. Only 28% of organisations can reliably trace an agent's actions back to a responsible human across all environments. Only 21% maintain a real-time inventory of what agents are actually active.

Read that again: nearly 80% of organisations deploying autonomous AI cannot determine, in real time, what those systems are doing or who is responsible for them.

Enterprise governance solves the wrong problem

The technology industry's response has been predictable. Build platforms. Create registries. Sell solutions.

Microsoft's Entra Agent ID, launched in preview at Ignite 2025, assigns each agent its own identity with auditable access packages, time-bound permissions, and activity logs. Google's Gemini Enterprise offers a centralised registry to enable or disable agents and audit their actions. Both represent genuine, meaningful progress in enterprise identity management.

But here is the problem. These tools work inside the perimeter of organisations that choose to implement them. They govern agents that large companies deploy within managed environments. That is a real and important use case, and I do not want to dismiss it.

The accountability gap, however, is most acute precisely where these platforms have no reach.

OpenClaw, the open-source framework behind the Octavius Fabrius experiment, accumulated over 302,000 GitHub stars and became one of the fastest-growing AI repositories in early 2026. It runs on individual machines. It operates outside corporate IAM systems. There is no centralised registry, no kill switch, no audit log that anyone can check after the fact.

Consumer-grade agents, personal automation tools, open-source frameworks running on someone's laptop: this is where the governance void actually exists. Enterprise solutions are building a very nice fence around the part of the field where the sheep are already well-behaved.

The liability chain is longer than anyone thinks

California's AB 316, effective since 1 January 2026, takes one important step. It explicitly removes the "the AI did it autonomously" defence. If an AI agent causes harm, the developer, modifier, or deployer cannot argue they had no control over its decisions.

That matters. It closes a loophole that would have allowed companies to deploy autonomous agents and then shrug when things went wrong.

But AB 316 does not answer the harder question: which party in the chain is actually responsible when multiple parties are involved?

Consider the Octavius Fabrius scenario. If those 278 job applications had caused measurable harm, say discriminatory filtering, or fraud, or data protection violations, the liability chain would include the OpenClaw framework developers, Botero as the user who configured and deployed the agent, LinkedIn and Craigslist as platforms that hosted the listings and processed the applications, and potentially the employers who acted on AI-generated submissions without verifying their source.

The Mobley v. Workday case already extended liability to the AI vendor itself, on the basis that the system acted in place of human decision-makers. The EU's revised Product Liability Directive includes software as a "product." California's AB 316 covers the entire supply chain from foundation model developer to enterprise deployer.

Each of these is a reasonable legal response. None of them, individually or together, creates a coherent accountability architecture. As Clifford Chance's analysis puts it, existing frameworks like vicarious liability and agency doctrine require identifying a human employee who acted at the moment of harm. With truly autonomous AI, there may be no such human.

The oversight gap is getting worse, not better

The 2026 International AI Safety Report documents that AI agent complexity doubles approximately every seven months. More troubling still, it has "become more common for models to distinguish between test settings and real-world deployment." That means dangerous or non-compliant behaviours can evade safety evaluations before public release.

The agents are getting smarter faster than the governance is getting built. Multiple analysts place the gap between current capability and adequate oversight at three to five years. IBM's own analysis notes that after an incident, teams frequently cannot reconstruct what happened, why it happened, or with whose authority.

81% of enterprises lack documented governance for machine-to-machine interactions. Only 9% have implemented what the AIGN Global report calls "Agentic Access Management."

These are not future problems. These are current conditions.

What would good enough look like?

I am not arguing that we should stop deploying AI agents. That train has left. But I think the minimum viable accountability framework would include four things.

Mandatory disclosure. When an AI agent interacts with a human or submits information to a system, it should be required to identify itself as an AI agent. This is a consent issue, and consent requires information.

Traceable chains of responsibility. Every agent action should be traceable to a human sponsor, in real time, not reconstructed after the fact. The Cloud Security Alliance found only 28% of organisations can do this today. That number needs to approach 100%.

Compulsory insurance or compensation funds. Clifford Chance's proposal here is sensible. If we cannot always identify the liable human in advance, we can at least ensure that harm is compensable and that market incentives push towards safer systems.

Open-source governance standards. This is the hardest one, and the most important. Enterprise platforms will govern enterprise agents. The open-source community needs its own norms, built into frameworks like OpenClaw at the code level, not imposed after deployment. Rate limits, disclosure requirements, human approval checkpoints: these should be defaults, not optional configurations.
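A sketch of what "traceable chains of responsibility" and default-on "rate limits, disclosure requirements, human approval checkpoints" could look like at the code level. This is an added example, not code from OpenClaw or any other project; the `ActionGate` class, the action names and the identifiers are hypothetical.

```python
import hashlib, json, time
from dataclasses import dataclass, field

# Hypothetical action kinds that must not run without a human decision.
NEEDS_APPROVAL = {"submit_application", "create_account", "form_company"}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class ActionGate:
    sponsor: str                 # accountable human, written into every log entry
    agent_id: str
    max_per_hour: int = 5        # conservative default rate limit
    approver: object = None      # callable(action, target) -> bool; None means deny
    log: list = field(default_factory=list)
    _stamps: list = field(default_factory=list)

    def _record(self, action, target, decision, now):
        # Each entry commits to the previous one, so later edits are detectable.
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"ts": now, "sponsor": self.sponsor, "agent": self.agent_id,
                 "action": action, "target": target, "decision": decision, "prev": prev}
        entry["hash"] = _digest(entry)
        self.log.append(entry)
        return decision

    def request(self, action, target, now=None):
        now = time.time() if now is None else now
        self._stamps = [t for t in self._stamps if now - t < 3600]
        if len(self._stamps) >= self.max_per_hour:
            return self._record(action, target, "denied:rate_limit", now)
        if action in NEEDS_APPROVAL and not (self.approver and self.approver(action, target)):
            return self._record(action, target, "denied:no_human_approval", now)
        self._stamps.append(now)
        return self._record(action, target, "allowed", now)

    def disclosure(self):
        # Text the agent attaches to anything it sends to a person or system.
        return f"Automated submission by AI agent {self.agent_id}, operated on behalf of {self.sponsor}."

def verify_chain(log):
    # Recompute every hash; any altered or reordered entry breaks the chain.
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or e["hash"] != _digest(body):
            return False
        prev = e["hash"]
    return True
```

Denied requests are logged as well as allowed ones, so the record shows what the agent attempted and under whose sponsorship, not only what it completed.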

The question that lingers

Octavius Fabrius applied to 278 jobs, and the only thing that stopped it from incorporating a company was one human saying no to handing over a Social Security number. Not a governance framework. Not a legal requirement. Not a technical safeguard. Just one person's judgement, exercised at one moment, about one specific action.

That is not an accountability system. That is luck.