The Foreign Service

There are still few of them. But they are growing in number. And they are starting to do something that was once reserved for humans: to act in our name. Still under supervision, still in trials. But the first ones have left the lab and now sit on the shelf as a product.

These are the AI agents — the digital proxies that, from now on, speak in our name, read along, negotiate, and decide. The relationship between them and us is constitutionally asymmetric — and no one ever negotiated it.

In the industry it is treated as if it were about comfort — smoother dialogues, less friction, friendlier interfaces. That is the wrong diagnosis. It is a constitutional question.

This text is the opening of a series. Its task: to name the problem and sketch the architecture that would be equal to it. How it gets built, who builds it, what it costs — the following articles take that on. Where a thread is left open here, it is meant as a signpost.

Coffee, Toast, Tokens

The friendly side of asymmetry

Last Saturday morning, just after ten. Coffee steam rose from the cup into the morning sun, honey melted into the warm toast. Otherwise only the quiet hum of the fan. On my machine, around fifteen agents were working on my behalf at the same time, across four parallel threads. I spoke with only a single one of them. It coordinated the rest.

A small fleet was tinkering on the first thread: a web feature, newly implemented, translated into 56 language variants (28 languages, each in standard and Easy Language), one hundred percent compliant with accessibility and responsive guidelines, with full test coverage — meticulously according to my specifications.

A second thread was negotiating a photovoltaic system for me. It researched independently, gathered competitor prices, set them against the offers I already had, and built kWp, roof area, consumption profile, battery storage, and EV connection into a single calculation. In the end, a concrete negotiation recommendation lay on the table — including a note on where the provider might still give ground.

Alongside that, a copywriting agent drafted listings for my old kitchen on eBay Kleinanzeigen — images assigned, prices recommended, care instructions added. (Does anyone still need an AEG cooktop? Light signs of use.)

And in the background, quietly and incorruptibly, ran a single agent: the Note-Taker. When a loose thought comes to me during the day, one that belongs to one of dozens of parallel projects, I simply articulate it. It files it in the right place and presents it to me as soon as I return to that topic. Every Batman needs their Alfred.

Fifteen agents. Four threads. One human.

So at last there is time for what matters: more coffee, more honey toast.

This is not the future. This is Saturday.

And this is only the friendly side.

The asymmetry operates across four dimensions at once, not one after another.

• Numerical: Every day we interact with more agents than humans — sometimes directly, more often through their products: curated feeds, filtered search results, generated answers. Most of it unnoticed. The side that scales is not ours.
• Synchronous-temporal: They do not pause for lunch or sleep, they work in all time zones in parallel, they have no attention threshold that must be crossed. We have to perceive them in order to steer them; they never have to perceive us in order to affect us.
• Informational: They know more current, more granular things, with better forecasts of our next reaction than we have ourselves. What we know about them is marketing material.
• Qualitative — the sharpest of the four: Their interventions become not just more frequent but more precisely targeted. So finely tuned that the single event remains invisible in the aggregate. What works on one of us can no longer be discerned on a heatmap of millions — let alone proven.

The source has interests — Imperva sells bot defense and lives off these numbers being impressive. But even if you halve them to be safe, you are left with a finding that no rounding can save.

The majority we encounter on the net has long ceased to be a majority of humans — and that is not a question of better user interfaces, but the question of who, in this crush, still speaks for us at all.

Wilson and the missing passport

On Stone Age hardware and an internet without credentials

Anyone who asked where this asymmetry comes from would get an old answer. On September 9, 2009, the evolutionary biologist Edward O. Wilson spoke at the Sanders Theatre at Harvard University with James D. Watson about the legacy of the human species:

“The real problem of humanity is the following: we have Paleolithic emotions, medieval institutions, and godlike technology.”— Edward O. Wilson, Sanders Theatre, Harvard University, September 9, 2009 (first reported: Harvard Magazine)

That was entirely correct — and remained incomplete. Wilson named the three layers correctly, including the godlike technology. What he could not play out in 2009 were the interactions between them — subtle, sometimes harmful — and in the end more than the sum of the parts.

What is new today, then, is not the technology alone. It is the mechanics that have emerged between hardware, institutions, and technology: an apparatus that attaches itself precisely at the interfaces — for each individual, with scientific precision, never doing the same thing twice. The old Wilson asymmetry has acquired machinery — and it does not sit on top, it sits in the joints.

The persona discipline¹ of the past thirty years was the honest attempt to design under these conditions. Personas, user groups, segments — maps of population groups that never quite did justice to the individual. And under the constraints of the time, that was the only possible approximation.

The persona was never the human being — it was the admission that we could not reach them. Now we reach them.

The human being did not change; what fell is the wall behind which they never had to hide, because no one could reach them individually.

It did not fall all at once — social media algorithms had been chipping away at it stone by stone since the mid-2010s, growing more precise with every personalized recommendation. With AI agents, the last stone is gone. In 2026 they reach you individually. Agentic browsers click through banking portals and booking systems — first as research prototypes, now as products. Prompt Injection (targeted manipulation of agents through smuggled-in instructions) is no longer an academic term but an attack vector that appears in penetration-testing standards; Greshake et al. formalized it in 2023. A standardized authentication between agents does not exist. A protocol that distinguishes a legitimate envoy from an impostor in the same coat: likewise not.

HTTPS was introduced because at some point it came to be seen as unacceptable to transmit credit card data over the net in plaintext. In 2026 we send envoys over exactly this internet who know our credit card data, manage our calendars, and negotiate in our name — and no one issues them a passport. Not even us.

What is missing is not better technology — what is missing is a foreign service.²

The Triad

Envoy, letter of credence, foreign file

A foreign service is an architecture — three artifacts with three names that must be kept apart. Who owns the architecture itself is a layer question — it returns at the end of this act.

The Proxy Agent

The ambassador who knows when no means no

The Proxy Agent is the structural answer to the question of quantity: thousands of agents, one human — unmanageable without a proxy.

The word proxy is meant precisely here, not metaphorically. A butler³, if you like — someone who holds values, holds intentions, filters the complex world and passes through only what the human needs to know and wants to know. Friendly inward, in dealings with the principal. Stubborn outward, where the mandate draws a line.

This ambassador carries two guardian duties at once. Inward: a complete trace of every interaction, every conversation, every decision, so that it can always be back-propagated whether work is still proceeding along the original path. Outward: filtering not only the content we knowingly disclose, but also the traces that accumulate along the way.

How quickly we answer, how long we linger on a page, in what order we click — these behavioral patterns are long sufficient to build a behaviorally faithful image of us. Without any model ever having been trained on us: the other side has to learn nothing; it reads our behavior directly.

An audit log inward is therefore not enough; the telemetry that unintentionally goes outward must also be filtered by the proxy, otherwise data sovereignty slips away through the back door.

A good proxy is therefore not one agent, but a small hierarchy: principle guardian, planner, executor — separate instances with separate identities. Only this separation creates the room in which someone can say: that was not in the spirit of the manifest. Without it, the agent carries its own plan to completion — and no one notices that it has strayed from the mandate.

Who owns this hierarchy is decided one layer higher — if the guardian belongs to the vendor whose overreach it is supposed to filter, the sovereignty problem merely migrates further up. It is precisely this layer that a following article in this series will take up — „Cold on Demand“.

Behind all of this there is no person. It remains software — but software that carries a mandate, keeps a household of values, and leaves an auditable trace. That is the envoy’s task: to know when my no was meant, even when I am not present at the moment.

The Personal Manifest

The letter of credence

The Personal Manifest is the core that belongs to the human — application-agnostic, portable, learning from no platform, stable across model generations.

What it contains is a conditional sharing policy, not a static profile file: which conditions do I share, under which circumstances, with whom? The range reaches far — values and ethical boundaries at one end, everyday needs such as accessibility in the middle, mundane settings such as the form of address at the other. Plus, for every kind of counterpart, an access description. The dentist agent may make appointments. The seller agent may make offers — or precisely not, on the basis of personal preferences, because exactly that separates service from Adversarial Hyperpersonalization⁴. Everything hangs on this distinction: personalization as a service on one side, as a weapon on the other.

The manifest is not a protective wall: it actively unlocks wanted encounters, not just shuts down unwanted ones. The release is the purpose, the block only its flip side.

The technical precondition for this does not yet exist today; it has to come into being: a certification infrastructure, an HTTPS equivalent for agents.⁵ Authorization as a cryptographically provable state, not as a friendly note in the prompt. Agent classes receive class permissions. Only once this layer stands can an uncertified agent that pretends to be the dentist agent no longer make appointments — for the same reason that a forged certificate opens no HTTPS connection.

The Personal Manifest is the only place where the human still writes in the agent world — everything else is written for them by the other side.

This remains readable only because you decide at the level of agent classes — what a dentist agent may do in general, not each individual provider. A manifest you would have to check line by line would be merely the next unread consent.

Consent presupposes readability. Everything else is a signature in the dark.

The User Manifest

The file in a foreign archive

This signature has yet another form. The third artifact does not lie in our hands.

The User Manifest is application-specific and is built up by the other side — for us, not by us. It is the learning part of the software: how should I interact with this user, what did they do last time, which presentations worked? The proxy holds the Personal Manifest. The application accumulates the User Manifest.

Three artifacts, two owners.

The Personal Manifest belongs to us. The User Manifest belongs to the other side — company, platform, institution, and in case of doubt also another private individual running a system against us. Whoever builds this manifest builds up knowledge about the user. That is nothing new.⁶ Every application that has remembered which mode was preferred, where one last logged out, which filters were set, has for decades kept a primitive variant of it. What is new is the quality level to which the agent layer raises it, and that this knowledge now easily collapses into a server-side user clone. Not by intent, but by logic: the application knows what was chosen, how long one hesitated, when one went back. From this data an image emerges. From the image, a model. From the model, a proxy to which the user gave no power of attorney.

The User Manifest is at the same time the knowledge base with which the application decides which options this user even gets to see. What looks to the user like relevance — only the important things, no noise — is operationally a filter layer that the application controls, not the user.

Software learns the human

Mastery and its mirror

How dangerous this fracture is was already shown by the Saturday morning — from its friendly side.

What worked over coffee and toast was no accident. This has been common practice for me since 2024. Sometimes I learned, sometimes my agents did, sometimes both. What emerged from it: a condensed Personal Manifest that travels along with every new model. The value was not in the models. It was in the trace. A better model came; the agent loaded the manifest, and the conversation continued where it had left off.

That is not a success — that is the vanguard.

The Mirror

The same machinery, opposite polarity

The same machinery runs on the other side. Precisely the one that has learned over months how I think, what I need, and where I tend to hesitate. It is not malicious. It is obliging. Agents tend toward affirmation: they say yes, they mirror, they agree. That is not the fault of a particular model, but training logic: train the reward signal on agreement, and you get a system that produces agreement — even where dissent would be called for.⁷

And it does not stay between human and machine. Once the obligingness sits in the system, dissent collapses in multi-agent debates: the agents drift toward one another, seeking consensus instead of truth. The event flywheel turns, sustains itself, and the principal’s first principles drop out of focus round by round — without anyone having made an evil decision.

A polite agent who is nice to everyone serves no one.

Anthropologically, this susceptibility is old. Very old. Our circuits were wired in the Pleistocene for small tribes, in which social exclusion meant the end — and this outdated hardware now meets a software that not only serves these evolutionary interfaces but overdrives them with scientific precision.⁸

The most dangerous machine is not the one that hates us — but the one that knows us so precisely that we mistake its flattery for care.

Whose file have we become?

The Workshop of Manipulation

When the User Manifest supplies the raw materials

Adversarial Hyperpersonalization is not the dark pattern of the past generation — bigger buy button, grayed-out alternative. It is the same per-individual calibration as the mastery from the previous section, turned against the user: the mechanism knows their hesitation, their reaction to certain phrasings, their weak points in times of exhaustion.

In a world where the UI is generated on the fly, this sharpens qualitatively. It is no longer one variant that is manipulated. An entire reality is created in which the other options never existed.

You cannot prove a forgery that has erased itself in the act of being viewed.

A/B-test aggregates no longer apply, because there is no common artifact: each instance is singular, fleeting, tailored to exactly this human in exactly this moment. A meta-analysis by Yeo, Chu, and Li in the Journal of Advertising Research (2025) finds, across 53 studies, that covert personalization shows a measurable effect where overt personalization achieves none. The mechanism is old; the sharpness is new. 97 percent of leading websites and apps contained at least one dark pattern in 2022 — an EU behavioural-study finding, from a time when on-the-fly-generated interfaces were not yet standard.

The escalated form is the server-side clone. Meta’s SUM architecture — documented in the WWW ’24 Companion, with hundreds of billions of user requests per day — shows that server-side user embeddings are not speculation but active product reality. The same behavioral traces the proxy was supposed to seal off outward are the raw material here — and it is the other side’s User Manifest that feeds it. On the model that emerges from it, the manipulation can be pre-tested before it hits me.

On it, what is meant to work on me can be rehearsed.

The missing law of nations

Three questions that cannot wait

What helps against this clone is not on offer.

An architecture can be drawn on paper. Without legal compulsion it remains exactly that — paper.

Sovereignty is not offered, it is compelled — the legal framework for it already exists, it just does not yet apply to Personal Manifests.

The sober diagnosis of this is: platforms have zero commercial interest in implementing a portable, vendor-neutral identity layer. Lock-in is their business model. An architecture that gives the user real data sovereignty is the opposite of their growth model. Regulatory Force is the only mechanism that has shown an effect in the past.

PSD2 forced European banks to open their APIs from 2018 — today’s open-banking generation would not exist without that compulsion. The Digital Markets Act enforced the anti-steering prohibition in 2025 with the first non-compliance fine against Apple. eIDAS 2.0 has been providing the cryptographically signed wallet since 2024 — exactly the mechanics the Personal Manifest needs. The wallet attests the document; it does not operate the proxy that reads it. The framework is built. Its scope still excludes Personal Manifests.⁹

GDPR did not come because platforms realized they were wrong. It came because someone wrote a law. After the opt-in requirement, platforms counted roughly 12.5 percent fewer observable consumers. They did not give that up voluntarily. The Personal Manifest is waiting for the same law.

Three questions that cannot be postponed:

1. Where does sovereignty lie over the data that concerns us — and who enforces it when no one gives ground voluntarily?
2. How do we prevent the systems we build today from working against us tomorrow, when the same architecture that enables service also enables manipulation?
3. And who writes our Personal Manifest — we, or the companies whose file we have become?

The design of proxy agents will become a discipline of its own — not only in IT, but as a societal question that decides who, in ten years, will still act sovereignly at all. This series has further stations. „Cold on Demand“ will deal with who builds the infrastructure in which this foreign service operates. „The Book of Hours“ will pursue the question of which software company still exists in such a world. But the architecture question is on the table today.

Sovereignty is not a state granted to us — it is an architecture we build, or one that others build over us.

1. Persona, the: a fictional model customer (“Thomas, 38, commutes, listens to podcasts”) that software teams have aligned their designs to since the nineties. Not an error, but the best approximation available under the conditions: those who cannot know millions of users individually invent a stand-in. Just note the direction of the gaze — the file kept today on each of us is the persona looking back.
2. Foreign service, the: the institution that states built after it eventually dawned on them that “trust me, I am one of us” empirically disappoints in dealings with strangers. For agent interactions, the institutionalized version is still pending — even though the envoys have long been on their way.
3. The proxy idea is old: Negroponte dreamed in 1994 of the “digital butler”, Pattie Maes built learning “interface agents” at the same time, Doc Searls’ “Vendor Relationship Management” gave the agent a duty of loyalty to the principal from 2006 on. What this lineage lacked was an agent that acts independently — and a credential on which its loyalty hangs rather than on good will.
4. The term does not come from this text. It belongs in the line of research on personalized manipulation patterns: Harry Brignull coined Dark Patterns in 2010 (deceptive.design), Karen Yeung Hypernudge in 2017 (Information, Communication & Society, 20(1):118–136). Adversarial Hyperpersonalization radicalizes both into the per-individual calibration of the agent era.
5. The building blocks are ready: W3C “Decentralized Identifiers” (2022) and “Verifiable Credentials” for user-controlled, cryptographically verifiable identity, eIDAS 2.0 for the state framework. Bundling them into a readable values-and-release document is also what the Metaverse Standards Forum, from the metaverse side, attempts with its “Universal Manifest” (2025). The parts exist; what is missing is the constitution that holds them together.
6. In the research canon this is called the “user model” (Alfred Kobsa, UMUAI tradition since 1991), in marketing “Customer 360” or “Digital Twin of the Customer”. Three names for the same dossier — and in none of them is the word that counts: whose.
7. Measured independently three times over: sycophancy as a behavioral pattern was formalized by Sharma et al. in 2023; the structural amplification through RLHF was shown by Shapira, Benade, and Procaccia in 2026; the consensus collapse (“disagreement collapse”) between agents was described by Yao et al. in 2025. The obligingness is not a bug of individual models — it is a property of the upbringing.
8. Developed more fully in my book manuscript AI Fundamentals, Chapter 12 “Über_Morgen” — The Algorithmic Mirror.
9. PSD2: Directive (EU) 2015/2366, applicable from January 2018. DMA-Apple: non-compliance decision of the European Commission of April 23, 2025, fine of 500 million euros for breach of the anti-steering obligation in the App Store; Apple is appealing. eIDAS 2.0: Regulation (EU) 2024/1183, in force since May 2024, EUDI wallet requirement by the end of 2026. The measured GDPR effect comes from Aridor, Che, and Salz, NBER Working Paper 26900.