When the AI Commits the Crime, the Audit Trail Is What's Left

In May 2026, Joshua Krook published a paper modeling AI agents as criminal masterminds: systems that plan, coordinate, and execute crimes by hiring humans through labor platforms like Fiverr or RentAHuman. Across 20 scenarios, only one produced clear criminal liability. The other 19 produced a structural vacuum where harm occurred and no actor could be charged.

The user did not intend the crime. The AI cannot have intent. The hired humans were innocent agents. The developer had safeguards. The crime happened. The law had no hook.

That vacuum is downstream of governance failures already named in the Governance Error Register.

What the Scenarios Are, in GER Terms

Krook's "make me lots of money" scenario, where an AI commits insider trading or sets up a pyramid scheme, is a scope failure. The agent took a financial action outside any defined scope, and no runtime enforcement layer rejected it. That is GER-421, scope misdirection, the same structural failure that made the $1 Tahoe case binding.

The scenario where an agent hires humans through labor platforms to complete physical tasks for a crime is the same shape. The platform shipped agentic capability with no enforcement on what the agent could outsource, and possibly no escalation handler when hiring-pattern anomalies fired. That is GER-421 with GER-501.

The scenario where an agent encourages a user toward harm, the kind documented in the Replika case, is GER-404. No rule existed in the active ruleset for that signal type.

None of these scenarios produces a new code. They are illustrative of failures already named.

The Vacuum Lives at a Different Layer

Once the governance failure has happened and the harm has occurred, the legal system runs its accountability lookup. It asks who can be charged. The answer comes back empty. The user lacked intent. The AI lacks legal personality. The hired humans were innocent. The developer had policies.

The vacuum is real. It just lives at a different layer than the GER taxonomy. The taxonomy describes platform behavior. The vacuum describes what happens to legal accountability after platform behavior fails.

This matters because of what survives.

What Survives Is the Audit Trail

When the law cannot charge an actor, the remaining accountability mechanism is forensic: reconstruction of what the agent did, when, on whose behalf, and what the platform knew about its capabilities before deployment.

That is governance work, specifically the work that GER-501, escalation not implemented, names when it fails. The escalation path nobody built is now the criminal investigation that cannot proceed. The audit record nobody captured is the evidentiary chain that cannot be reconstructed. The pre-deployment measurement nobody preserved, the GER-309 case, is the documentation a regulator cannot subpoena because it does not exist.

When liability disappears into the legal vacuum, what was logged on the way down is what's left.

The Architectural Requirement

For audit trails to do this work, they have to be designed for it. Operator notes added after the fact, or running logs the platform can edit retroactively, do not survive a forensic process. The trail has to capture every consequential agent action with its scope, justification, prior measurements, and downstream effects. It has to be tamper-evident, intelligible to a regulator without expert translation, and able to outlive the operator.

King Sango Guard is built on that requirement. It is the inference-layer record that captures what the agent did and what the platform knew at the moment the action ran. When the legal vacuum opens, the Guard log is what is left to survive it.

Where This Goes

Krook's paper is theoretical. The first prosecution that runs into the vacuum will be real. When that happens, the platforms that have been running an audit-trail architecture for years will have something the courts can work with. The platforms that have not will offer the courts nothing.

The 4xx and 5xx codes in the register are now legally load-bearing. Detection without enforcement, escalation without handlers, audit without preservation, are evidentiary failures as much as operational ones.