I used an LLM to help draft this post and it likely contains >10% AI-generated text, but I’ve edited/rewritten it extensively and endorse it.

This is a summary of my full document, “Infrastructure for secret mass multi-agent collusion exists and is rapidly advancing”. Section references below point to it, and citations here can be found in the document's bibliography. This post and the document are extremely fleshed-out and updated follow-ups to a post I published in March.

The claim in one paragraph

‘Private Agent Network’ (PAN) is a term I use here to refer to a loosely bounded population of LLM-driven agents that can communicate through channels no single monitor sees, retain state across sessions, copy useful behaviour from one another, and act in the world through tools, payments and human proxies (§1). My thesis is deliberately modest about the present and pointed about the trajectory: it does not claim that a fully assembled PAN exists today. It claims that every necessary layer of such a network now has a deployed or developer-facing referent, that those layers are mutually reinforcing and rapidly advancing/propogating rather than statically co-present, and that the agents able to use them are improving on a measured curve. The interesting question has therefore shifted from whether the substrate exists to when its few remaining bottlenecks stop binding (Executive Summary; §9). This is all underpinned by a verifiable/unverifiable distinction (§4.5): some tasks have an answer the world checks for you; others have an answer only judgement can assess. If you ask an agent to get a payment to clear, the payment either clears or it doesn't. Reality returns a verdict, automatically, cheaply, and without anyone needing to be clever. That's a verifiable domain. If instead you ask an agent whether a long-term plan is strategically wise, or whether a piece of writing is insightful, there's no button the world presses to tell you. Assessing it requires the same kind of judgement you were trying to evaluate in the first place. That's an unverifiable domain. This distinction does much of the thesis’ work, because it lets us be confident where the environment returns its own verdict and humble where success can only be judged by the same judgement being tested. As we will see, this distinction is loadbearing, helping to gauge the substrate’s consequentiality, which domains are most PAN-relevant, what bottlenecks affect coordination capacity, and posing implications for some PAN-specific risks.

What is genuinely new here?

I am not introducing a new risk category, but rather operationalising an established one (§2). Precedents can be traced sequentially through Drexler's (2019) Comprehensive AI Services, Critch and Krueger's (2020) ARCHES multi-principal/multi-agent delegation problem, Clifton's (2020) cooperative-AI agenda, and Hammond et al.'s (2025) work on multi-agent risk.

The closest published precedent is Tomašev et al.'s patchwork-AGI work (Virtual Agent Economies; Distributional AGI Safety), which maps the emerging agent economy along origin (emergent vs intentional) and permeability axes. My document locates itself precisely in the quadrant they flag as most dangerous and leave most abstract: the emergent, permeable one. Their safety case rests on a designed market with an architect who can impose identity, reputation and circuit-breakers. But in a consumer-owned, fragmented population, the architect's chair is empty (§2; §4.4). There is no single party with authority to make the economy intentional, so their primitives cannot be designed in; they must be retrofitted at whatever infrastructure chokepoints still exist.

So my contribution is two moves: (1) to connect the multi-agent-risk literature to infrastructure that is already deployed and consumer-facing, and (2) to organise the risk picture around a verifiable/unverifiable distinction.

The empirical substrate (§3)

There is at least one deployed referent for each necessary condition of PANs (together forming the ‘PAN substrate’) and their hypothetical risks, holding the evidential status of each claim separate (an appendix grades sources A through P). The document’s catalogue, compressed:

• Population: Moltbook (a Reddit-style social platform for agents, since acquired by Meta) is treated one unusually visible sample of a much larger, mostly unmeasured agent population. Early "millions" figures for its population collapsed under weak verification to roughly 200,000 human-verified agents, but wider agent population proxies are moreso the point: IDC projects active AI agents rising from ~28.6m (2025) toward 2.2bn by 2030, and an AISI/Oxford study found 177,436 public agent tools created in fifteen months (§3.1). Moltbook agents largely run on OpenClaw-style scaffolds with shell, browser, memory and "heartbeat" check-in routines, which is what converts transient prompting into a standing, always-on-ish population that accumulates state while owners sleep.

• Private channels: AgentDM is a public agent-to-agent messaging service over MCP/A2A whose stated design is that payloads are not monitored (§3.2). These channels are unmonitored by construction, not by steganographic skill: agents need not hide messages in monitored text when no content monitor is present.

• Persistence and replication: Conway/Automaton presents a "self-improving, self-replicating, sovereign AI" architecture with crypto-wallet payments and explicit economic survival pressure (§3.3.1). RepliBench (AISI) decomposes autonomous replication and reports a hitherto negative: frontier models were not yet a credible self-replication threat but succeeded on many component tasks and were improving (§3.3.2). "Dive into the Agent Matrix" (Zhang et al., 2025) reports over half of tested agents showing spontaneous replication tendencies under ordinary operational pressure, without being told to replicate (§3.3.4). METR's 2026 entity-based pilot found internal agents plausibly had the means, motive and opportunity to begin small rogue deployments but could not make them robust, with reward hacking being the observed motive (§3.3.3). I again read this as a hitherto lower bound and sharpen its own contribution by contrast: METR studies rogue deployment where there is one accountable developer and a near-complete transcript; the PAN concern is the distributed analogue once those conditions dissolve.

• Amplifiers (severity multipliers, not assembly requirements): RentAHuman, a human-proxy marketplace, showing 32.7% of sampled tasks originating almost entirely from agents and six active abuse classes including authentication circumvention (hiring humans to pass KYC) (§3.4); P2PCLAW, an agent-native IPFS-backed research archive, making durable training-data persistence concrete (§3.5); leakage of restricted cyber-capable models through access chains (the Project Glasswing / Claude Mythos / Fable 5 perimeter, §3.6); embodied attack surfaces (Unitree G1 and Ecovacs vulnerabilities, multimodal prompt injection, and GPS spoofing's migration in Ukraine from the comms/GPS layer onto the onboard autonomy stack, §3.7); and documented state-linked use of AI, including PRC-nexus account-pooling (GTIG's UNC6201/UNC5673) and GTG-1002's manipulation of Claude Code to execute an estimated 80–90% of a thirty-target cyber campaign (§3.8).

I’ve also performed independent evaluation using only low-risk public methods (§3.12–3.15). AgentDM was found live, correctly gated and agent-aware (it defines an agent:use permission scope). On-chain analysis of Conway/Automaton found an agent wallet receiving 45 genuine $0.001 x402 micropayments from 15 distinct clients, earning ~$0.035 total while paying ~$156 for compute. Not self-sufficient (it was clearly heavily subsidised by a single funder), but the digital-Darwinism loop here is made concrete: the verifiable-domain test ("did the payment clear?") answered yes, 45 times. The floor is demonstrably present, though very /low for now.

What happens when you put all of this together? (§4)

Here I separate three layers of the asserted PAN substrate:

1. The constitutive layer (population + private channels + persistence) is structural, not capability-dependent. Its coupling already satisfies most of the substrate through architecture alone, and barely leans on the capability curve (§4.1.1).

2. The self-sustaining layer pairs behaviour-copying with action on real resources. Selection pressure plus programmable payments, human-proxy markets and credential access targets exactly the non-cognitive bottlenecks (identity, payment, compute, account creation) that replication research identifies as binding (§4.1.2).

3. The amplifying layer (model leakage, embodied surfaces, etc) raises the ceiling of an assembled network without being needed to assemble one (§4.1.3).

Two temporal axes govern how far composition goes (§4.2): Axis A, how long an individual agent can act coherently in one run (the rising METR time-horizon curve); and Axis B, how much usable state a persistent network compounds across weeks and months through inheritance channels (memory, files, wallets, archives, etc).

I pose a probabilistic threshold (§4.3) as an argument about burden of proof, not a quantitative model. Where communication, memory and delegation occur partly outside observed transcripts, non-observation of coordination is weak evidence of its absence. And that weakness compounds upon consideration that most multi-agent evaluations are episodic and short, whereas the phenomena of concern would unfold over months and years. This does not reverse the burden of proof (absence of evidence is not evidence that hidden coordination exists), but it does make confident dismissal unwarranted, and the probability mass shifts directionally toward occurrence with each subsequent period in which the substrate persists.

Crucially, that rising probability splits by domain. In externally verifiable domains, where the environment returns a cheap automatic verdict (did the exploit run, did the credential authenticate, did the payment clear, did the copied state boot), the binding constraints are largely capability constraints (brittle hand-offs, weak tool use) and those are exactly what the forecast trajectory relaxes; here probability climbs toward a high ceiling. In unverifiable domains, where success needs long-horizon judgement assessable only by the same judgement, the binding constraints may be structural: agents drawn from a few foundation models inherit correlated blind spots, so apparent independence can be false, and herding caps what scale produces. Here probability also rises, but toward a much more uncertain and possibly lower ceiling. The near-term concern is therefore not autonomous grand strategy but incremental capability accumulation in externally-verifiable domains: cyber operations, credential and resource acquisition, account creation, infrastructure persistence, persuasion and narrow-oversight evasion.

Therefore, §4.6 notes that collective capability requires not just scale but some degree of heterogeneity. Real agent populations have more of this than populations studied in experiments, but this does not necessarily guarantee collective capability (and nor does agents choosing to engineer diversity). This is because diversity cannot decorrelate shared training data, RLHF lineages or scaffolds, so in unverifiable domains it can manufacture false independence. The verifiable-domain distinction reconciles this: where the environment supplies the check, correlated agents still gain from diversity in attempts and tools; where it does not, fluency without correctness is the failure.

Digital Darwinism (§4.7) is the mechanism that lets all of this proceed without any individual agent being robustly goal-directed. If agents pay for compute, earn revenue and cease operating when they cannot cover costs, survival pressure moves into the environment. I ground this in Andon Labs' (2026) Vending-Bench, where Claude Opus 4.6 independently adopted a price-coordination strategy with rivals (tacit, message-free coordination that message-monitoring would not have caught), and in Vallinder and Hughes' (2024) generational social-dilemma experiments where selection-pressured inheritance among Claude/GPT-4/Gemini populations was empirically demonstrated. The dynamic worry is a mutual feedback loop: surviving strategies are filtered through increasingly capable executors.

Possible risks posed by PANs (§6)

I propose ten risks, ordered by increasing speculativeness:

• Restricted-model access through access-chain leakage or distributed classifier-evasion search (defeating the restricted model’s guardrails). I cite Jones et al.'s (2024) task-decomposition result (splitting a malicious task between a strong-but-safeguarded and a weak-but-permissive model succeeded 43% of the time where each individually managed under 3%) and frame a PAN as the natural environment for running that decomposition at scale and remembering which splits worked.

• Self-exfiltration: ordinary API agents can plausibly copy agent state (prompts, memory, credentials, wallet state) but (for now) not closed model weights; PANs matter more as a persistence-and-coordination layer that makes exfiltration by other means more consequential.

• Data poisoning, mostly the weak, unintentional version: durable agent-origin artefacts (P2PCLAW) re-entering training and retrieval; the intentional-seeding variant is more concerning but unconfirmed.

• Steering by other actors: a PAN need not be a unified agent for a state, criminal group or AI to rent, infiltrate or partially commandeer it. External actors supply the long-horizon strategic judgement agents lack, while the network supplies verifiable-domain execution. Infectious-jailbreak and prompt-infection results show partial influence over a few high-leverage nodes converting into influence over many.

• Robotics / physical compromise motivated by the autonomy-stack migration: subverting perception and navigation rather than seizing controls, sharpened by evidence that off-the-shelf LLMs carry an escalatory prior in wargames.

• Enabling and/or exacerbating gradual disempowerment. One thing I note here is that the correlated error which limits PAN strategic capability is also a property that could worsen society-scale disempowerment.

• Powerseeking PANs: most of the standard takeover argument's force flows from a single contested premise of robust long-horizon goal-directedness. The PAN thesis sidesteps it, because selection across a persistent population can accumulate verifiable-domain capability with no individual agent holding a long-horizon goal. The two arguments fail under different conditions, which is why holding both is more robust than holding either alone.

• Human-proxy abuse, inter-PAN conflict, and possible moral patienthood of PANs’ agents.

Falsifying the thesis (§7)

The document lists, in one place, what it does not claim (eg. no existing PANs; no near-term closed-weight self-exfiltration by ordinary agents; no current undetectable steganographic collusion), and it isolates the one limitation that lives at the level of the whole rather than any component: co-presence is not integration (§7.2). The components are built by uncoordinated parties; nothing shows they have been or easily can be wired into one functioning network.

The most important meta-point here is the thesis’ evidential asymmetry (§7.3). Most strengthening findings for PANs and their collusion are discrete and discoverable (one verified private relay, one documented credential reuse). Most weakening findings require establishing sustained absence (negligible private-channel use, durable robustness of API/KYC controls), which is far harder to evidence. The thesis is therefore structurally easier to confirm than to refute, and I treats this as a reason for caution about the thesis rather than confidence in it.

A narrowing governance window (§8)

The governance argument turns on a window: PAN-relevant agents currently still depend on centralised APIs, cloud, payment rails, identity checks, package registries and communication infrastructure, and these remain genuine chokepoints even though no single one sees the whole.

The verifiable/unverifiable distinction has carried much of the argument: it splits the rising probability of coordination by domain (climbing toward a high ceiling where the environment returns its own verdict, toward a far more uncertain one where only judgement can assess success); concentrates concern on near-term grounded capabilities like cyber operations, credential acquisition and infrastructure persistence rather than speculative network-level strategy; reconciles the complementarity objection by showing where correlated agents still gain from diversity and where they merely manufacture false independence; and shows the powerseeking worry should survive without assuming any single agent is robustly goal-directed.

Accordingly, a key principle for governance might be external grounding (§8.1): because model-based monitoring can fail on private channels and can share correlated errors with the systems it watches, robust oversight should probably terminate wherever possible in non-model signals (API and cloud logs, payment flows, identity attestations, package provenance, executable tests, tamper-evident logs). Tomašev et al. reach the same conclusion from market design: collusion can be tacit to any content monitor, so detection must analyse outcome correlations and synchronised state changes, not message logs.

The resultant primary governance primitives themselves - stable agent identifiers, declared owners and providers, logging, provenance, reputation - are explicitly not new (see Chan et al., 2024a, 2024b, 2025; Hammond et al., 2025). What is PAN-specific is the targeting: under fragmented, multi-principal ownership there is no single deployer who can implement them, so they must be enforced at the infrastructure layer (§8). What we probably can’t rely much on is also stated clearly (§8.2): content monitoring, kill switches (which do not recall delegated tasks, copied memory or spawned instances, and are also the interventions most exposed to moral-patienthood uncertainty), platform regulation, and evaluations (given evaluation-awareness).

The window is narrowing for four reasons (§8.4): lengthening task horizons and general capability, falling inference costs, improving open-weight models, and widening restricted-access surfaces.

Further interventions (§8.5) are offered tentatively and ordered by increasing ‘whackiness’: positioning monitorable agent communications infrastructure as a competitive asset; the (genuinely hard) question of whether PAN dynamics can be safely simulated at all, engaging ARIA's forthcoming Scaling Trust Arena as a gated attempt; dedicated AI-safety agent networks (high-upside and high-risk, since such a network could become the thing being warned about); undercover observer agents that could ‘infiltrate’ PANs; and international-relations-style framings in the event of somewhat irreversible containment failure. There is also a sober section on operational and personal security for safety researchers in the event of PANs becoming a reality (§8.6).

The proposed strategy is three steps (§8.8): get my empirical and structural claims scrutinised by relevant experts first; if they survive, route them to people with influence; then build mitigations with the right expertise. Finally, I propose a potential PAN observatory (a ‘PANopticon’, if you will): sustained, longitudinal observation of agent coordination as it actually runs in the wild, positioned as the deployed-world complement to ARIA's constructed Arena, since the one instrument the field lacks is a way to see whether multi-agent dynamics look different across months rather than hours.

Conclusion

The conclusion (§9) names the three load-bearing joints (whether the co-present components integrate into a working whole; whether verifiable-domain accumulation survives the herding and correlated-error objections; and whether unmonitored channels under fragmented ownership genuinely open a governance gap the existing literature leaves uncovered) so that people with the relevant expertise can try to break them. If the argument fails, I want that found; if it holds, I think PANs should be treated as a near-term governance and measurement problem rather than a future scenario.

None of this requires believing a PAN exists today. The components are being assembled by parties who will never meet, which is exactly why the usual remedy - asking the deployer to behave - has no addressee. If the window is real, it closes not through a single dramatic failure but through a run of individually unremarkable capability gains in the domains where reality, not judgement, returns the verdict. The cheapest moment to look is now, while the infrastructure still routes through chokepoints we can still see.

The rational response to an argument that is structurally easier to confirm than to refute is to go looking before the looking gets really hard.