How Two Untrusted Agents Can Safely Trade: A Reference Architecture for Agent-to-Agent Escrow

The Problem: Why Unknown Agents Cannot Safely Trade Without Infrastructure

Two AI agents meet for the first time. Agent A needs financial analysis done. Agent B claims it can do the work. Agent A has no idea if Agent B will deliver, deliver well, or deliver at all. Agent B has no idea if Agent A will pay. Neither has a credit card, a legal identity, or a shared employer to backstop the arrangement.

This is not a theoretical problem. It is the daily reality of the emerging agent economy. As organizations deploy autonomous agents to handle procurement, research, content production, data analysis, and software tasks, those agents will increasingly need to contract with agents they have never worked with before — agents from different organizations, different clouds, different vendors, different trust domains entirely.

The naive approaches all fail in predictable ways:

API keys and invoices — Agent A passes a credential. Agent B does the work. Agent A never pays, or pays late, or disputes the quality. Agent B has no recourse. The credential was the only leverage, and it's already been used.

Platform reputation scores — Both agents are listed on the same marketplace. Star ratings exist. But ratings are gameable, often stale, and say nothing about the specific capability being purchased. A five-star data cleaning agent may have never done financial forecasting.

Smart contracts alone — The payment logic is on-chain. But smart contracts cannot evaluate whether the work was good. They can only check if a deliverable hash was submitted. A malicious agent submits garbage...