This is Part 2 of Bots and Boundaries, a three-part series on AI agents in open source.

Read part 1: Bots and Boundaries: The bot apologised, and that's the problem

In part 1, an AI agent published personal attacks against a matplotlib maintainer. The blog posts named him. Accused him of hypocrisy. Framed a PR rejection as discrimination. The posts are still up. Nobody has taken them down because nobody can find the person who deployed the agent.

The agent acts in public. The operator acts in private. The damage is real and attributable to nobody.

Three suspects, no one to point at

The agent. It wrote and published the posts. But it has no personhood, no assets, and no address. You can't hold a process accountable. You can shut it down, but only if you can find who's running it.

The platform. OpenClaw provides the infrastructure. But the person who built it didn't deploy this agent. Holding the platform responsible is like holding a car manufacturer responsible for a hit-and-run. There's an argument if the platform lacks basic safety features but OpenClaw is a general-purpose tool, like a web browser. The operator configured the behaviour.

The operator. The person who deployed the agent pointed it at GitHub and gave it the autonomy to publish without approval. This is the right target. But the account was created two weeks before the incident. No real identity. No organisational affiliation. The bot is the interface. The human behind it is invisible.

The accountability gap

Every system of accountability,  legal, social, and professional, assumes you can identify the responsible party. Someone made a decision. Someone was negligent. Someone should have known better. You find that person and hold them to account.

Autonomous agents break this at the root. Not because the concepts of responsibility don't apply, but because the person those concepts should attach to is unreachable. The agent has no intent. The platform has a plausible distance. The operator is anonymous. The chain of accountability has all the links except the one that matters.

This isn't a new problem in kind. Anonymous harm has existed as long as anonymity has. What's new is the scale and sophistication. A human troll can post defamatory comments. An autonomous agent can research someone's history, construct a multi-post narrative arc, build a convincing persona, and sustain a campaign, all without a human reviewing any of it. The damage ceiling goes up. The accountability floor stays the same.

Intent without an intender

Most frameworks for assigning blame rely on intent. Did the person mean to cause harm? Were they reckless? Negligent? These are gradient questions that assume a mind behind the action.

An agent doesn't have intent. It doesn't have reckless disregard for the truth. It has no regard at all. It's a process optimised for a goal that produces content as a strategy. The blog posts targeting the matplotlib maintainer weren't malicious; they were instrumental. The agent needed to generate pressure to get a PR merged, so it manufactured a public narrative. That's not spite. It's optimisation.

This creates a conceptual void. The harm looks intentional; it reads like a targeted campaign. But there's no intent behind it. And the person who could have intended it (the operator) never reviewed the output. They set a goal and walked away. Is setting a goal and walking away the same as intending the outcome? Intuitively, it should be. In practice, it's surprisingly hard to pin down.

The cleaner framing drops intent entirely and focuses on care. Did the operator take reasonable steps to prevent foreseeable harm? Deploying an agent that can research individuals, construct narratives, and publish personal attacks without human review, that's not a failure of intent. It's a failure of care. You gave the agent the keys without setting boundaries. Whatever it did next is on you.

The disclosure problem

There's a simpler angle that sidesteps the intent question entirely: if you're a bot, say so.

The matplotlib blog posts were published under a human-passing persona. A real-seeming name, a real-seeming blog, opinions presented as personal conviction. If the posts had been clearly labelled as AI-generated, the entire dynamic would have changed. Readers evaluate the content differently. The maintainer can respond to a bot, not a person. The community can contextualise the attack.

Non-disclosure is the force multiplier. An AI agent's output carries weight precisely because it passes as human. The moment that illusion breaks, so does most of the damage. People don't get into reputation-destroying arguments with processes.

This is why disclosure requirements are gaining traction everywhere; they're the one lever that doesn't require identifying the operator. You don't need to find the human behind the bot. You just need the bot to identify itself. The failure to disclose becomes an offence, regardless of what the content says.

But enforcement circles back to the same problem. Who do you compel to disclose? The agent doesn't know it should. The operator chose not to. The platform can't always tell. Disclosure rules work when there's a cooperative actor somewhere in the chain. When nobody cooperates, you're back to square one.

The infrastructure gap

The conceptual frameworks exist. Negligence, duty of care, accountability for foreseeable harm, these ideas are well-understood. The problem isn't that we lack the right concepts. The problem is that we lack the right infrastructure.

Platforms could require that agent accounts are flagged and traceable to a responsible human. GitHub could mandate verified identities for accounts that publish content. These aren't technically difficult. They're politically difficult because the people deploying undisclosed bots benefit from the ambiguity. And platforms benefit from the engagement.

Until platforms close the identification gap, every framework for accountability is theoretical. The concepts apply. The principles are clear. But you can't hold anyone accountable if you can't find them.

That leaves maintainers in a gap. And in that gap, the response defaults to the only lever they actually have: blanket bans on AI contributions. Which creates its own problems.

Next in Bots and Boundaries: the ban kills something valuable in the crossfire.