Executive Summary
The White House executive order signed on June 2, 2026 names, for the first time, the act of using AI to break into a computer as a federal criminal enforcement priority. It does not create a new crime. It directs prosecutors to apply the existing Computer Fraud and Abuse Act (CFAA) — and to prioritize it — to "intrusion carried out with AI." This is the first time a document bearing a presidential signature puts "AI agents" in the context of criminal enforcement.
That is where a fault line opens for Pebblous readers. The law treats AI as a tool and the person who wields it as the responsible party. But when an autonomous agent breaks in on its own, with no direct instruction, exactly who "the person using AI" points to grows blurry. The developer? The deployer? The operator? The end user? At the very point where accountability spreads out, the action log — the record of what an agent did and why — steps in.
This piece starts from the order's own text, traces the gap in who is accountable, and asks why action logs and data provenance are a "defense" rather than an "immunity." A log does not make you innocent. But without one, there is no defense to mount in the first place. We read the trust infrastructure of the agent economy again, from its sharpest angle: crime and accountability.
Key Figures
Source: White House EO, Kiteworks
Four numbers compress the tension in this story: the order's historic position, and the state in which companies actually hold the action logs that would decide accountability. The last three matter most. The law demands "contemporaneous, complete, and immutable" records, and most organizations do not yet meet that demand.
- First: AI named in federal criminal law. A presidential order first places 'AI agents' in a criminal enforcement context.
- 33%: Hold evidence-grade audit trails. Share of organizations keeping logs of a quality usable as courtroom evidence.
- 61%: Logs can't reconstruct causation. Rely on fragmented logs that can't rebuild the causal chain of a single agent's actions.
- 63%: Can't enforce purpose limits. Organizations unable to stop an agent from straying beyond its assigned purpose.
The Moment an Order First Wrote 'Agent'
On June 2, 2026, the White House signed an executive order titled "Promoting Advanced Artificial Intelligence Innovation and Security." It rests on three pillars — strengthening cyber defense, voluntary safety frameworks, and criminal enforcement — and the pillar Pebblous readers should watch is the third one, Section 4. That section directs the Attorney General to prioritize existing criminal enforcement against unauthorized AI-driven computer intrusion.
The laws Section 4 names are not new. 18 U.S.C. § 1028 (identity fraud), § 1030 (unauthorized computer access — the so-called CFAA), and § 1343 (wire fraud) have been federal criminal statutes for decades. The order simply pins them down: apply these same laws, and prioritize them, when "AI is used as the tool." The text describes the targets this way.
"The Attorney General shall prioritize the enforcement of 18 U.S.C. 1028, 18 U.S.C. 1030, 18 U.S.C. 1343, and all other applicable Federal criminal laws against anyone who utilizes AI to illegally access or damage a computer without authorization." The same provision explicitly folds into its scope "employing AI agents to unlawfully access data" — the act of marshaling AI agents to reach data illegally.
The wording is restrained, but its symbolism is not small. Until now, "the accountability of AI agents" was a topic of academic and industry debate. This order lifts that debate into a criminal enforcement priority in a presidentially signed document. It deliberately leaves out regulatory machinery like mandatory licensing or pre-clearance, choosing voluntary frameworks instead — yet on criminal enforcement, it speaks in plain language. This is the moment AI agents first entered the field of vision of federal criminal law.
Who Is 'the Person Using AI'?
As long as the law sees AI as a tool, accountability runs to whoever wields it. If someone tells a generative AI to "write code to break into this system" and uses it to commit a crime, the analysis is simple. As one legal commentary (Just Security) notes, "if a user is aided by AI in committing a crime, the legal analysis of that user's liability is not fundamentally changed by the fact that AI was involved." AI is just a hammer; the person swinging it is liable.
The hard case is the autonomous agent. Suppose a person gives only a broad goal — "audit the client's systems for vulnerabilities" — and the agent plans on its own and reaches into systems it had no authority to touch. Who is "the person using AI" then? Accountability could land in several places.
- Developer — how were the agent's behavioral boundaries designed?
- Deployer — what permissions and tools were handed over before releasing it into the world?
- Operator — were supervision and kill-switch controls in place during execution?
- End user — what goal was entered, and was the risk foreseeable?
The center of gravity in criminal liability is intent (mens rea). Because an agent's output is hard to predict, proving someone "knew" can look difficult. But the law has a standard called willful blindness. If you were warned of a risk and still put no safeguard in place, "I didn't know" is no defense. The law firm Perkins Coie identifies the core of CFAA risk as documenting which access an agent was authorized for, vetting scraping and browsing behavior in advance, and engineering liability terms into client agreements — all devices to prove that "we did not look away from a foreseeable risk."
Once agents start calling other agents, the picture blurs further. If agent A's decision triggers agent B's intrusion, the cause spreads across multiple parties and the answer to "who used it" drifts ever further away. Accountability blurring does not mean accountability disappears; it means the responsible party has to be identified after the fact. And the raw material for that judgment is, in the end, the record.
Why a Log Is a Defense, Not Immunity
If accountability must be sorted out after the fact, everything hinges on whether there is a record to sort it with. Reality is closer to the opposite. According to one governance survey, only 33% of organizations keep audit trails of courtroom-evidence quality, and 61% rely on fragmented logs that can't even reconstruct the causal chain of a single agent interaction. Just 37% can enforce that an agent stays within its assigned purpose. When something goes wrong, the record that would explain "what happened" simply isn't there.
Don't misread that 33%. It doesn't mean only that many organizations keep logs at all. Most teams accumulate operational logs in some form. They just aren't of a quality a court would accept as evidence — a form that can prove, without tampering, who did what and when. Operational logs and evidentiary logs are different things, and the difference stays invisible in normal times, surfacing only after an incident. By then it is already too late.
To serve as a legal defense, a log has to meet conditions: an agent identity tied to a human's authorization, task-level access control, and above all a record that is contemporaneous, complete, and immutable. The crux is "contemporaneous" and "immutable." A log stitched together after an incident is not defense evidence but the very object of a forensic investigation. Only a record left automatically at the moment of the act, in a form that can't be touched later, becomes the foundation for a defense.
That is why the conversation moves beyond plain logs to the idea of an "Action Provenance Graph" — a record that structures and links the chain from prompt to plan to tool call to intermediate reasoning state to final result. By restoring the causal path of what called what, it lets you trace, after the fact, "whose decision did this action originate from." This is where data provenance becomes the foundation of accountability tracing.
The direction is reversed. The common misconception is that "a log means innocence." The truth is the opposite. You can be guilty even with a log — but without one, no defense even begins. A record is not a certificate of immunity; it is the ticket that lets you enter the contest over accountability at all. Making every one of an agent's actions traceable is not about dodging regulation. It is about being able to stand before it.
What Agent Operators Should Do Now
The executive order is not a law-review article; it is a notice to operators. What a team that designs, deploys, and runs agents needs to check now is not complicated. Did you write down the scope of authorization? Are you enforcing that the agent can't stray from its purpose? Is a record left at the moment of action? These three questions reappear, unchanged, at the very table where accountability gets decided after an incident.
First, document the authorization. If you specify which systems and data an agent was permitted to access, then when an out-of-bounds action occurs you can draw the line: "this was outside the designed boundary." Next, enforce purpose limits. It's the thing 63% still can't do, but a control that stops an agent from spilling beyond its assigned task is what lets you sidestep a charge of "willful blindness." And finally, the immutable log. Because after-the-fact reconstruction becomes an object of investigation, the record has to be left contemporaneously and in an unalterable form from the start.
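The record described in the previous section (written at the moment of the act, tamper-evident, linked from prompt to plan to tool call) and the documented authorization above can live in one structure. The Python below is an added example, not code from the order or from any source cited here; `ProvenanceLog`, its field names, and the identities and hosts in the sample are assumptions made for illustration.

```python
import hashlib, json, time
GENESIS = "0" * 64  # "prev" value of the first record

def _digest(body):
    # Canonical JSON so a record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ProvenanceLog:
    """Append-only action log; each record is hash-chained to the one before."""
    def __init__(self):
        self.records = []

    def append(self, kind, actor, detail, parent=None):
        # "ts" is stamped at the act; "parent" is the causal edge to the trigger.
        body = {"id": len(self.records), "ts": time.time(), "kind": kind,
                "actor": actor, "detail": detail, "parent": parent,
                "prev": self.records[-1]["hash"] if self.records else GENESIS}
        self.records.append({**body, "hash": _digest(body)})
        return body["id"]

    def verify(self):
        """Index of the first record that breaks the chain, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return i
            prev = rec["hash"]
        return None

    def trace(self, record_id):
        """Follow causal edges back to the root; returns records, root first."""
        path = []
        while record_id is not None:
            path.append(self.records[record_id])
            record_id = path[-1]["parent"]
        return path[::-1]

    def out_of_scope(self, call_id):
        """True if a tool call's host is absent from its root authorization."""
        root = self.trace(call_id)[0]
        return self.records[call_id]["detail"]["host"] not in root["detail"]["scope"]

def build_sample():
    # Constructed sample; identities, hosts and scope are illustrative.
    log = ProvenanceLog()
    auth = log.append("authorization", "alice@example.com", {"scope": ["app.example.com"]})
    prompt = log.append("prompt", "alice@example.com", "audit client systems", auth)
    plan = log.append("plan", "agent-A", "enumerate hosts, then probe each", prompt)
    call = log.append("tool_call", "agent-B", {"tool": "http_get", "host": "db.example.com"}, plan)
    return log, call
```

A hash chain makes edits detectable, not impossible: anyone able to rewrite the whole log can recompute every hash, so the latest hash has to be copied somewhere the operator cannot alter, such as write-once storage or a third-party timestamp.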
This is not a uniquely American current. In January 2026 Singapore released the world's first national governance framework dedicated to agentic AI, pinning down that organizations bear legal responsibility for their agents' actions. The EU AI Act's Article 12 mandates event logging for high-risk AI systems, with application due in August 2026. NIST's AI Risk Management Framework 1.1 points the same way. The jurisdictions differ, but the demands converge into one: you must be able to explain what your agent did.
In the agent economy, trust infrastructure is not a smarter model but a record that can retrace what the model did and why. Action logs and data provenance look like operational tooling in ordinary times, yet the moment accountability is at stake they turn into a condition of legal survival. That is also where the work Pebblous has focused on, making the origin and quality of data verifiable, comes to rest. Before deciding what to entrust to an agent, there is one question to ask: when this agent crosses a line, can we prove what happened?
References
Official Documents
- 1. White House. (2026, June 2). Executive Order 14409: Promoting Advanced Artificial Intelligence Innovation and Security. whitehouse.gov
- 2. White House. (2026, June 2). Fact Sheet: President Donald J. Trump Promotes Advanced Artificial Intelligence Innovation and Security. whitehouse.gov
Legal Analysis
- 3. Just Security. (2026). Artificial Guilt? A Practitioner's Guide to Criminal Liability in the Age of GenAI. justsecurity.org
- 4. Perkins Coie. (2026). White House Issues Executive Order Promoting Advanced AI Innovation and Security. perkinscoie.com
Industry Analysis
- 5. Kiteworks. (2026). AI Agents Are Now Federal Legal Actors. Are You Ready? kiteworks.com
- 6. TRM Labs. (2026). Autonomous AI Agents and Financial Crime: Risk, Responsibility, and Accountability. trmlabs.com