"The Regulated Agent Mandate Standard [RAMS]: ERC-8226 defines the compliance delegation layer tokenized markets need before agentic finance operates at scale." By Ludovico Rossi
An AI agent tries to buy a tokenized bond on an investor’s behalf. The compliance system can prove the investor is eligible to hold it. What it cannot prove is whether the agent was actually authorized to act for that investor. That gap, between identity and authority, is what the Regulated Agent Mandate Standard is built to close.
AI agents are entering regulated finance faster than the compliance infrastructure around them is adapting. Institutions are already testing them across credit analysis, treasury operations, KYC review, portfolio monitoring, payment routing, and investment operations. At the same time, tokenized instruments are moving from proof-of-concept into live issuance: funds, private credit, debt, real estate, and structured products.
These two movements are converging. The next phase of tokenization will not just involve digital representations of financial instruments; it will involve automated systems interacting with them at machine speed: evaluating assets, executing instructions, rebalancing portfolios, triggering payments, and managing collateral. That raises a structural question regulated finance has not yet answered: when an AI agent interacts with a tokenized security or real-world asset, who authorized it to act?
RAMS, submitted as ERC-8226, defines a compliance delegation layer for AI agents operating on tokenized regulated assets. It specifies how a verified principal delegates scoped, time-bounded, and financially capped authority to an on-chain agent. In plain terms, it is a machine-readable mandate for autonomous systems interacting with regulated instruments.
The problem is not whether AI can act. It is whether its authority can be proven.
In regulated finance, execution is never just execution. A transaction is the final visible event in a chain of obligations: the investor must be eligible, the issuer’s restrictions respected, jurisdictional rules applied, limits observed, records retained, and responsibility attributable. The traditional compliance stack assumes that somewhere in that chain there is a person or legal entity capable of holding responsibility.
Humans already have mechanisms for this. A portfolio manager acts under an investment management agreement. A signatory acts under corporate authority. A discretionary manager acts under a documented mandate. Algorithmic trading is the closest machine precedent, but those systems operate under parameters set by regulated entities and supervised teams; the algorithm never independently becomes a legal actor.
Modern AI agents complicate that model. They reason over unstructured information, adjust mid-task, interact with external systems, and make operational choices that were not scripted line by line. As I argued in my op-ed on Europe’s banks running AI agents against compliance rules written for humans, an agent producing regulated output should be governed like any other production system inside a regulated firm, because the output is regulated regardless of whether a human or a machine produced it. The failure point is not model behavior. It is the absence of a clear authority and audit structure around it.
Identity solves who the agent is. Mandate solves what it can do.
Much of the current conversation focuses on identity, and rightly so: before trusting an agent, an institution needs to know what it is and who operates it. But identity alone does not create authority. A person can be identified without being authorized. An employee can hold a building pass without being entitled to sign a derivatives contract. A wallet can be verified without being entitled to acquire a restricted asset.
A tokenized securities market therefore needs a way to establish the scope of authority delegated to an agent: specific, limited, time-bounded, revocable, and auditable, connecting the agent’s action back to a verified principal without bypassing the issuer’s compliance framework. The closest traditional analogy is a power of attorney or discretionary mandate, adapted for machine execution and on-chain verification. The goal is not to give agents independent standing in capital markets; it is to let regulated systems verify that an agent acts under valid authority, within defined limits, under the rules of the underlying asset.
Three layers, three distinct questions
RAMS is designed to sit alongside the systems already in place, not replace them. Each layer answers a different question and is owned by a different party:
| Layer | Question it answers | Standard / system | Owner |
| --- | --- | --- | --- |
| Identity | Who is the agent? | Agent registry | Agent operator |
| Eligibility | Can the investor hold the asset? | ERC-3643 / ERC-7943 | Issuer |
| Mandate | Is the agent authorized to act? | RAMS (ERC-8226) | Principal |
RAMS is agnostic to both the agent identity system and the token compliance standard. It works with any agent registry that maps wallet addresses to agent identifiers, and any regulated token standard that implements a pre-transfer compliance check. That modularity matters, because institutional markets do not adopt infrastructure by replacing everything at once.
How RAMS works in a tokenized transaction
Consider a tokenized instrument subject to investor eligibility rules: a fund interest, private credit product, bond, or real estate participation. The issuer defines who can hold or transact the token through a regulated token standard or compliance module. Now introduce an AI agent acting for an investor. The investor is the principal and the source of authority; the agent is the execution layer operating under delegated authority.
When the agent attempts a transaction, the system must avoid two flawed outcomes. Treating the agent as the investor is wrong, because the agent is not the party whose eligibility should govern access. Ignoring the agent entirely is also wrong, because then the system cannot prove the agent had authority; it sees the transaction but not the mandate behind it. RAMS resolves this with a dual compliance check:
| Check | What it verifies | Who is checked | Tooling | Question answered |
| --- | --- | --- | --- | --- |
| Asset-level | Investor eligibility | The principal | ERC-3643 / ERC-7943 | Is the investor allowed to hold this? |
| Mandate-level | Delegated authority | The agent’s mandate | RAMS (ERC-8226) | Is the agent authorized to act for them? |
Only when both checks pass does the transaction proceed. The asset-level check preserves the issuer’s sovereignty over its instrument: the issuer never loses control over who can hold, receive, or transfer the asset. The mandate-level check confirms the agent has an active mandate from the principal and that the proposed action falls within it. A mandate can define scope, duration, financial caps, permitted assets, permitted transaction types, and jurisdictional parameters.
Example mandate
Principal: Verified family office (eligible, KYC complete)
Permitted assets: Tokenized money-market funds only
Financial cap: USD 5,000,000 aggregate
Duration: 30 days, then auto-expires
Jurisdictions: Approved list only
Transaction types: Subscribe and redeem, no secondary transfers
That is what regulated finance needs from agentic systems: not autonomy without control, but automation with provable authority.
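The dual check applied to the example mandate above, as an added off-chain Python model that is not code from the article or from ERC-8226. All field names, identifiers (`family-office-1`, `agent-7`), jurisdiction codes and the start date are constructed, and it assumes every approved transaction counts toward the aggregate cap.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Mandate:  # hypothetical field names, not the ERC-8226 interface
    principal: str
    agent: str
    asset_classes: frozenset
    tx_types: frozenset
    jurisdictions: frozenset
    cap_usd: int            # aggregate cap over the mandate's lifetime
    not_after: datetime     # mandate auto-expires after this instant
    spent_usd: int = 0
    revoked: bool = False

def authorize(mandate, eligible_principals, tx, now):
    """Run both checks; return (allowed, audit_record)."""
    amount = tx["amount_usd"]
    checks = {
        # Asset-level: eligibility is evaluated on the principal, not the agent.
        "principal_eligible": mandate.principal in eligible_principals,
        # Mandate-level: every limit must hold, otherwise the request is denied.
        "agent_matches": tx["agent"] == mandate.agent,
        "not_revoked": not mandate.revoked,
        "not_expired": now <= mandate.not_after,
        "asset_in_scope": tx["asset_class"] in mandate.asset_classes,
        "tx_type_in_scope": tx["type"] in mandate.tx_types,
        "jurisdiction_ok": tx["jurisdiction"] in mandate.jurisdictions,
        "within_cap": amount > 0 and mandate.spent_usd + amount <= mandate.cap_usd,
    }
    allowed = all(checks.values())
    if allowed:
        mandate.spent_usd += amount  # consume the cap in the same step as approval
    record = {"at": now.isoformat(), "principal": mandate.principal,
              "agent": tx["agent"], "allowed": allowed,
              "failed": [name for name, ok in checks.items() if not ok]}
    return allowed, record

# Constructed sample data mirroring the example mandate above.
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)

def example_mandate():
    return Mandate("family-office-1", "agent-7", frozenset({"money_market_fund"}),
                   frozenset({"subscribe", "redeem"}), frozenset({"LU", "IE"}),
                   5_000_000, T0 + timedelta(days=30))

if __name__ == "__main__":
    tx = {"agent": "agent-7", "asset_class": "money_market_fund", "type": "subscribe",
          "jurisdiction": "LU", "amount_usd": 3_000_000}
    print(authorize(example_mandate(), {"family-office-1"}, tx, T0 + timedelta(days=1)))
```

The returned record names each failed check, so a denial is as reconstructable as an approval.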
Why this matters for tokenized securities and real-world assets
Tokenization is usually framed as a market-structure change: faster settlement, fractional ownership, programmable compliance. The deeper shift is that it turns financial instruments into programmable assets connected to digital workflows. Once instruments become programmable, automated agents will inevitably interact with them, and that is especially relevant for institutional use cases: a wealth platform automating suitability and rebalancing across tokenized funds; a private credit platform managing repayments and transfer restrictions; a bond issuer handling coupons, holder eligibility, and lifecycle events; an asset manager that needs to prove its agents acted within mandate, not merely that they produced a plausible recommendation.
Without a mandate standard, agentic workflows stay hard to govern. Institutions can build proprietary controls, but those do not create a shared market standard. Issuers can whitelist wallets, but wallet-level access does not explain delegated machine authority. Compliance providers can verify investors, but investor verification does not prove agent authorization. RAMS provides a common layer for the question that matters in this environment: what is the agent allowed to do, for whom, under what conditions, and with what record?
The audit trail is part of the control environment
For institutions, auditability is not an afterthought. Supervisors care not only that a transaction complied at the moment of execution, but that the firm can later demonstrate why it occurred, which controls applied, who was responsible, and whether the record can be reconstructed. AI agents make that harder when the record is only prompts, logs, model versions, and API calls scattered across systems.
Tokenized infrastructure changes the design space. If the mandate lives in a structured registry and its validity is checked at transaction time, the compliance record is produced as part of execution rather than assembled afterward. A RAMS-aware transaction can show that the principal was verified, the asset’s rules were applied, the agent held an active mandate, the action fell within scope, the financial cap was respected, and the event was recorded. That does not remove the need for governance and legal documentation; it turns part of the compliance process into verifiable infrastructure, and it is the difference between automation that creates supervisory uncertainty and automation that produces inspectable records.
Design choices the standard leaves to the market
RAMS deliberately leaves several design choices to the market. These are not gaps in the standard. They are decision points where institutional practice should lead, not where a protocol should impose a default. First, custody: when an agent acquires an asset for a principal, should it be agent-custodied (held in the agent wallet with beneficial ownership tracked through the mandate registry) or principal-custodied (settling directly into the principal’s wallet)? The standard’s structure favors principal-custodied by default, but the market must decide whether to define it formally or remain agnostic; RAMS supports both models.
Second, receive-side compliance: if an agent receives a regulated asset, should the token’s compliance system evaluate the agent wallet or the principal behind it? Check the wrong party and the system either blocks valid transactions or permits ones without verifying the economically relevant investor. RAMS surfaces the question. The answer depends on how each issuer defines beneficial ownership in their compliance module.
Third, cross-institution trust signals: if one institution receives an interaction from an agent registered elsewhere, how does it know that agent operates under a certified regulatory mandate? A trust signal embedded in agent identity frameworks would let institutions recognize properly mandated agents without bilateral integration for every participant. These questions determine whether agents can operate across tokenized markets in a way banks, asset managers, issuers, and regulators can accept. This is where agent identity frameworks and mandate standards need to converge. The work is in progress.
The market implication
The next phase of capital-markets infrastructure will not be defined by tokens alone, but by the systems that let tokenized instruments operate inside regulated workflows: identity, eligibility, custody, compliance checks, settlement, reporting, lifecycle management, and agent authority. Agents will enter these workflows because institutions want efficiency and scale. But regulated finance does not bend its obligations because a new technology is useful.
RAMS establishes a structure in which an AI agent can transact only when a verified principal is eligible, the mandate is valid, the action is within scope, and the issuer’s rules are respected. The outcome is not permissionless automation. It is controlled automation, and for tokenized markets, that distinction is decisive. AI agents can execute transactions. Regulated finance still needs to know who authorized them. RAMS is a step toward making that answer verifiable.