When an AI agent denies an insurance claim, executes a trade, or routes an ambulance, one question is suddenly everywhere: who actually decided? The agent on its own, or a human pulling strings through the prompt? Nobody has a clean answer. OAuth proves who is calling. Digital signatures prove the message wasn't tampered with. Audit logs prove what happened in what order. None of them tell you whether the decision was the agent's own — or whether it was a puppet move dressed up to look autonomous. That gap is now a legal problem. California AB 316 , in force since January 1, 2026, forecloses the "the AI did it" defense. The EU AI Act becomes fully enforceable for high-risk systems on August 2, 2026; Article 12 requires tamper-evident logs, Article 14 requires evidence of human oversight. MiFID II demands audit trails for algorithmic trading. The class action Lokken v. UnitedHealth survived a 2025 motion specifically on the question of whether decisions were algorithmic or physician-reviewed.…