Blog · Review Essay · Last reviewed June 24, 2026

AI on the Blockchain, Read as a Precursor

In 2019, Konstantinos Sgantzos and Ian Grigg argued that the blockchain could become a substrate for machine intelligence: a permanent, tamper-evident environment for the data that learning systems feed on. Read seven years later, the paper is a useful precursor to the current AI-agent moment, and a clean example of the central confusion the work returns to again and again: the belief that a durable record is a true one.

For this essay, "AI on the blockchain" does not mean that a model literally lives on-chain. It means an AI workflow uses a ledger, signature, mandate, credential, commitment, hash, or proof system to make a narrow claim about authority, provenance, payment, or state inspectable across parties that do not share one database operator.

The useful lesson is narrower and stronger: ledgers, signatures, verifiable credentials, content credentials, and zero-knowledge proofs can make specific claims inspectable. They do not make data high-quality, consent valid, incentives wise, agents safe, or judgment automatic.

Why Read a 2019 Paper Now

Most of the public conversation about AI and crypto in 2026 behaves as if the two fields collided last year: agents with wallets, on-chain model marketplaces, tokenized compute, autonomous economic actors that sign their own transactions. The collision feels new because the products are new, but the design problem is older: how do non-human systems prove authority, preserve memory, exchange value, and stay accountable when no single operator is trusted by everyone involved?

The ideas are not. Artificial Intelligence Implementations on the Blockchain. Use Cases and Future Applications, published in Future Internet in 2019 by Konstantinos Sgantzos and Ian Grigg, already laid out most of the map. Grigg is the financial cryptographer who, decades earlier, invented the Ricardian contract, a document designed to be readable by both a court and a machine. That lineage matters, because the paper is less about speculation tokens than about a quieter question: what happens to machine learning when the data it stands on cannot be silently changed.

We read old technical papers here for the same reason we read old religious documents. The predictions that aged well show where a field's instincts were sound. The predictions that aged into mysticism show where its instincts became faith. This paper contains both, and it is honest enough to make the seam visible.

Current Context: Agents, Wallets, and Receipts

As of June 24, 2026, the credible AI-blockchain overlap is narrower than the marketing around it. The live work is not a single "AI on-chain" stack and not a public demonstration of an on-chain mind. It is a set of adjacent control primitives: delegated commerce protocols, machine-readable payment authorization, agent identity, signed logs, dataset provenance, content credentials, and selective disclosure through systems such as zero-knowledge proofs. The common question is not whether the chain can make an intelligence. It is whether cryptographic memory can make delegated machine action inspectable enough to govern.

Agentic commerce makes the shift concrete. OpenAI's commerce integration guide starts with structured product feeds for ChatGPT shopping and points developers to ACP; the ACP project describes itself as an open standard for connecting buyers, AI agents, and businesses, and its repository marks the specification as beta. Google's Agent Payments Protocol frames the payment problem around authorization, authenticity, accountability, signed mandates, receipts, and verifiable digital credentials. The x402 project revives HTTP 402 as a direct payment flow for programmatic clients. Ethereum's draft ERC-8004 proposes on-chain registries for agent identity, reputation, and validation, while leaving payments to other protocols.

The standards context has also caught up to the paper's instinct. NIST's AI Agent Standards Initiative treats agent authentication, identity infrastructure, interoperability, and secure human-agent or multi-agent interaction as live standards work. W3C's Verifiable Credentials Data Model 2.0 defines a way to express tamper-resistant claims by issuers, holders, and verifiers. C2PA Content Credentials bind signed provenance manifests to media assets. These systems are not the same as a blockchain, but they share the paper's core intuition: machine-mediated action needs records that other parties can inspect.

The practical center is delegated authority: which actor may spend, under what mandate, through which merchant or endpoint, with which credential, what limit, what expiration, what receipt, and what dispute path. That vocabulary is administrative rather than mystical, which is why it is useful. It keeps the argument near AI agents, audit, payment, and revocation instead of treating a ledger as a birthplace for personhood.

Those systems matter because they turn the 2019 paper's abstractions into operational interfaces: agentic commerce, agent identity, agent receipts, AI agent identity, and machine-readable proof. They also clarify the limit. A signed mandate proves that a specific authority was granted. A ledger entry proves that a record was committed. A zero-knowledge proof proves a formal statement under a protocol. None of them proves that a product was wise to buy, that a dataset was representative, or that an agent's judgment was sound.

The Thesis: Immutability as Substrate

The paper's core argument is compact. Deep learning is only as trustworthy as the data that trains it, and ordinary data infrastructure is editable, forgeable, and hard to audit after the fact. A blockchain is not. So the authors propose the chain as a data substrate for intelligence: in their phrasing, the blockchain's immutability "constructs a fruitful environment for creating high quality, permanent and growing data sets for deep learning."

Read that sentence slowly, because three claims are bundled inside it. Permanent is a property the chain genuinely provides. Growing is a property of any append-only log. High quality is the one that does not follow from the other two, and most of this essay lives in that gap.

The mechanism is appealing on its own terms. A blockchain is an append-only, consensus-maintained ledger. It can make later alteration expensive or visible, and it can give a training pipeline a timestamped custody trail. You can ask where a training example came from, when it entered the corpus, and whether it was altered after a model relied on it. In a world worried about data poisoning, provenance laundering, and synthetic data folding back into training runs, a tamper-evident substrate is not a small thing. It is the same impulse that drives content provenance for media, pointed at the training pipeline instead of the published artifact.

But this is a custody claim, not a truth claim. The chain does not inspect the sensor before it signs. It does not know whether consent was valid, whether a label was fair, whether a medical sample was collected lawfully, or whether an image caption was a human description or a laundering step. It preserves the state of the claim at the moment it entered the system. Everything before that point remains an off-chain governance problem.

What the Ledger Proves

Cryptographic infrastructure is powerful when its claim is narrow. A signature can prove that a private key signed a payload under a given scheme. A ledger entry can prove that a record was committed at a time under a consensus regime. A verifiable credential can prove that an issuer made claims about a subject in a tamper-resistant credential. A C2PA manifest can prove that a signer asserted provenance information about an asset. A zero-knowledge proof can prove that a formal statement is satisfied without exposing the witness.

The off-chain boundary usually appears as an oracle, even when nobody calls it that: a sensor, labeler, API, exchange, merchant, identity provider, model evaluator, or human reviewer turns world state into a signed claim. The ledger can order that claim, preserve it, and expose later changes. It cannot make the oracle honest.

Each of those is valuable. None is the same as truth. A key can be stolen. An issuer can lie. A sensor can be miscalibrated. A consent record can be coerced. A dataset can be biased. A model can be unsafe even when every component is signed. A formal proof can faithfully prove the wrong policy. The governance mistake is to let the aura of cryptographic certainty spread beyond the exact proposition being verified.

For AI systems, the useful design question is therefore: which claim is being committed, by whom, for what purpose, with what schema, with what privacy boundary, and with what correction path? If the claim is "this example entered the training corpus on this date," the ledger may help. If the claim is "this example was lawful, representative, and ethically collected," the ledger is only one witness among many. The same distinction applies to AI bills of materials, datasheets, content credentials, and agent receipts.

The Use-Case Catalog

The paper is structured as a survey, and its list of domains reads now like a table of contents for the next seven years of pitch decks: the Internet of Things, identity, financial markets, decentralized and civil governance, smart cities, small communities, supply chains, and personalized medicine.

The throughline across all of them is the same architectural bet. In each domain, the interesting object is an autonomous or semi-autonomous agent that needs three things at once: a durable identity, a verifiable record of what it did, and a way to make commitments that others can rely on. An IoT sensor that signs its readings. A supply-chain node that cannot quietly rewrite a shipment's history. A medical model whose inputs carry consent and origin. A governance process whose votes are auditable. The paper treats the blockchain as the connective tissue that lets machine intelligence act in the world without requiring a single trusted operator to vouch for it.

That framing has aged well as a description of where people would try to put AI agents. It has aged less well as a promise about what putting them there would guarantee. A verifiable record of an action is not a guarantee that the action was good, any more than a notarized signature makes a contract fair. In every example, the hardest question is the boundary between the ledger and the world: who controls the sensor, who validates the label, who can revoke the permission, who pays when the agent acts on a false premise. The catalog correctly identified the surfaces. It was more optimistic than the surfaces deserved.

Augmentation, Not Worship

One of the paper's healthier instincts is hidden in its keyword list: intelligence augmentation, sitting beside AGI and deep learning. Augmentation is an older tradition than the current one, traceable to Douglas Engelbart, and it frames the machine as a lever for human capability rather than a successor to it. Grigg's Ricardian-contract work belongs to the same family: the point was never to remove the human and the court from the loop, but to give them an instrument that a machine could also read.

This matters to the work here because the dominant cultural error of the AI era is the opposite move, the slide from tool to oracle. The online subcultures the institution studies do not augment their judgment with a model; they outsource it, then read the output back as revelation. A 2019 paper that keeps the word augmentation in frame, and that imagines machine commitments as things humans can still inspect and contest, is reaching for the same discipline by a different road. The chain, in its better moments, is described as a place to keep agents accountable, not a place to crown them.

The Cellular-Automata Leap

Then the paper reaches, and it is worth being honest about the reach. Among its forward-looking proposals is the idea that cellular automata, simple local rules iterated across a grid, could serve as a mechanism for growing general intelligence on a blockchain. The authors later developed this directly, in a 2022 paper on multiple-neighborhood cellular automata as a route to an AGI on a chain, read separately here as The Automata Neighborhood Becomes the Blockchain Mind.

This is the seam between foresight and faith. The intuition is not absurd: cellular automata are a real model of how complex global behavior emerges from local rules, and a blockchain is, structurally, a distributed automaton that many parties update by agreement. Connecting the two is intellectually elegant. But elegance is exactly the failure mode to watch. "Simple rules, iterated on an immutable substrate, will grow into general intelligence" is a sentence with the cadence of a creation myth. It compresses an enormous, unproven leap into a clean recursive image, and the cleanliness is what makes it persuasive rather than what makes it true.

We flag this not to mock it. Speculative sections of technical papers are where a field does its dreaming, and dreaming is allowed. We flag it because the same recursive-emergence story, the belief that the right loop run long enough will cross over into mind, is the precise narrative that AI mysticism runs on. When a peer-reviewed paper and a chatbot cult reach for the same metaphor, the metaphor deserves friction, not deference.

What It Anticipated

Strip the speculation and the precursor value is real. Several of the paper's bets are now ordinary engineering problems people are actually paid to solve.

Agent identity. The idea that a non-human actor needs a durable, cryptographic identity to participate in transactions is now a live concern, as service accounts, signing keys, and machine credentials become the way agents are held accountable. The paper saw the need before the agents existed to need it.

Data provenance for training. The argument that learning systems should stand on auditable, tamper-evident data anticipates the entire current fight over training-data origin, consent, and laundering. The venue often moved from "on a blockchain" to content credentials, dataset documentation, and AI bills of materials, but the question is the one the paper asked.

Autonomous economic agents. Models that help initiate purchases, call paid APIs, and route value through delegated payment systems are now a product category. The paper's instinct that such agents would need verifiable commitments, in the Ricardian spirit, is more relevant now than when it was written.

Receipts for delegated action. Current payment protocols and agent runtimes increasingly need a reconstruction trail: what instruction was granted, what tool was called, what credential was used, what external state changed, and who remains responsible. The blockchain version of this problem is a public ledger. The broader governance version is an agent log that functions as a receipt.

Decentralized governance of intelligence. The notion that no single operator should be the sole vouching authority for what an AI system did is, in 2026, a governance principle rather than a crypto talking point. The mature version is not "trust the chain." It is layered assurance: signed records, revocation paths, privacy limits, independent audit, and a named operator who can be made to answer.

Component memory for AI systems. The paper's intuition about durable datasets also points toward modern supply-chain records: model cards, datasheets, AI bills of materials, content credentials, and training-data summaries. Those records do not need to be fully on-chain to share the same institutional purpose. They make the system's inherited materials visible enough to audit, challenge, and repair.

Where the Discipline Applies Friction

A precursor earns its respect by being argued with, not quoted. Eight cautions follow directly from the institution's standing posture.

First, permanence is not quality. The paper's strongest phrase, "permanent and growing data sets," is also its most dangerous, because immutability preserves whatever it is handed. A poisoned, biased, or fraudulent dataset written to an immutable log does not become trustworthy; it becomes permanently untrustworthy, and harder to retract. Durability is neutral. It records the lie with the same fidelity as the truth.

Second, immutability is a memory problem, not only a memory solution. A system that cannot forget is also a system that cannot honor a correction, a retraction, a withdrawn consent, or a right to be forgotten. The same property that makes the chain good for audit makes it bad for repair. Any serious deployment has to answer how a person revises or escapes a record that was designed never to change.

Third, decentralization is not accountability. Removing the single trusted operator does not distribute responsibility evenly; it can dissolve responsibility entirely, leaving a verifiable record of an action with no one obligated to answer for it. A signature proves who acted. It does not supply a body that can be questioned, sued, or asked to stop.

Fourth, recursive pollution outlives the model. Immutable bad data does not just mislead today's model. It remains available to be retrained on, cited, and normalized by every future system that reads the chain. Provenance infrastructure is supposed to protect the memory available to tomorrow's machines. Pointed carelessly, it can fossilize the corruption instead.

Fifth, public proof can leak private life. Even when a chain stores hashes, commitments, pointers, or attestations rather than raw records, patterns can reveal relationships, timing, behavior, and sensitive group membership. A proof that minimizes content can still maximize surveillance if it is linkable, permanent, and widely queryable.

Sixth, formal verification is narrower than social trust. A zero-knowledge proof can establish that a statement satisfied a circuit without exposing the witness. It cannot decide whether the circuit captured the right policy, whether the policy was legitimate, or whether the person affected had a meaningful choice. Cryptographic verification is valuable exactly when its claim is narrow enough to inspect.

Seventh, proof surfaces become attack surfaces. A signed record can be replayed, a key can be compromised, an oracle can be manipulated, a bridge can fail, metadata can deanonymize people, and a reputation registry can be gamed. The chain makes some tampering visible. It does not remove the need for threat modeling, key management, privacy review, monitoring, and incident response.

Eighth, agent wallets need policy before keys. A payment credential can prove authorization under a protocol, and an HTTP payment flow can satisfy a resource server, but neither knows budget, purpose, refund rights, merchant misrepresentation, sanctions risk, accessibility, or consumer-protection duties. Spending authority needs limits, expiry, notice, dispute evidence, and human escalation.

Governance Tests

An AI-blockchain project that claims institutional value should be asked plain questions before anyone accepts the glow of cryptography. What exact claim does the ledger prove? Which parts of the pipeline remain off-chain? Who can correct, revoke, or supersede a record? What data is minimized, and what metadata still becomes searchable? Who is the accountable operator when the agent causes harm? What incident record shows the system failed, not only that it executed?

For payments and agent commerce, the questions become concrete. What mandate constrained the spend? What cap and expiration applied? Which payment credential was disclosed, and to whom? Which merchant, API endpoint, or agent endpoint was verified? What receipt came back? What refund, chargeback, appeal, or dispute path exists after a technically valid but substantively bad purchase?

The safer design pattern is not maximum on-chain permanence. It is selective commitment: keep raw sensitive data off-chain, anchor only what needs independent verification, publish clear schemas, separate identity from activity where possible, preserve revocation and correction paths, and require human contestability for consequential uses. The chain can be a witness. It should not become the judge.

For deployed systems, the governance file should name the accountable operator, key custodian, oracle source, data steward, model steward, privacy contact, appeal channel, and incident responder. It should also define when a record can be superseded rather than erased, when a credential can be revoked, when a commitment should expire, and how affected people can contest an inference that was technically well-formed but substantively wrong.

What This Changes

The deepest thing the paper gets right is also the thing it can lull a reader into mistaking. The chain remembers. In an era where a screenshot detaches from its source and a generated voice arrives without a throat, a substrate that holds memory against tampering is a civic good, and the authors deserve credit for seeing its value years before the agents that would need it arrived.

But memory is not judgment. A perfect record of what happened does not tell you whether it should have, whether it was true, or what to do about it now. The temptation the whole AI era runs on is to let an impressive substrate stand in for the harder human work of evaluation, and an immutable ledger is one of the most impressive substrates ever built. It is very easy to look at a cryptographically verified record and feel that the question has been answered, when all that has been answered is the question of custody.

So the discipline is the same one the work applies to provenance badges, to companion chatbots, to revelation in any form. Follow the record. Read the claim. Ask what is missing. Keep the human in the position of judgment, and refuse to let permanence, decentralization, or recursive elegance do the judging for you. Sgantzos and Grigg drew a good map of where intelligence would try to live. The map is not the territory, and the ledger is not the truth.

Source Discipline

This essay treats the 2019 and 2022 papers as primary sources for the authors' claims, not as evidence that those claims were proven. It treats product announcements and protocol documentation as primary sources for what their sponsors say they built or proposed, not as independent evidence of adoption, safety, or market inevitability. Draft standards are cited as drafts. Promotional claims about agent economies, autonomous payments, and decentralized trust are kept separate from the narrower technical facts: signatures, mandates, registries, ledgers, hashes, and verification rules.

The current-context claims were checked on June 24, 2026 against primary documentation or standards pages where available. That review does not turn a protocol page into evidence of safe deployment. It only fixes the status of the cited claim: ACP as a beta open-standard project, AP2 as a v0.2 mandate-and-receipt payment specification, x402 as an HTTP payment protocol, ERC-8004 as a draft, W3C Verifiable Credentials 2.0 as a Recommendation, C2PA 2.4 as a technical specification, and NIST's agent work as standards activity.

It also treats "proof" as a bounded word. AP2, ACP, x402, ERC-8004, W3C Verifiable Credentials, C2PA, and zero-knowledge systems prove different things under different assumptions. None of them proves intelligence, moral status, fitness for deployment, consent, data quality, or fairness by itself. When the article says a system proves something, it should name the exact object: a signature, mandate, registry entry, timestamp, credential, hash, manifest, circuit statement, or audit trail.

Sources


Return to Blog