1 July 20266 minute read

Senator Warner’s discussion draft on securing AI agents: Top points

On June 29, 2026, Senator Mark Warner (D-VA) released a discussion draft of his new bill on securing artificial intelligence (AI) agents titled “Artificial Intelligence Access, Gatekeeper Exchange, and Nondiscriminatory Transfer Act of 2026” (Act). The Act has not yet been formally introduced in Congress, which allows stakeholders a chance to provide feedback.

The Act aims to promote innovation, accountability, and competition in the marketplace for AI agents, which are a feature in online services, functions, and applications. According to the press release, the Act would “establish a federal framework to protect consumer choice, promote fair competition, and ensure AI agents operate in the best interests of the users they represent.”

According to the drafters, this framework would help protect against products or platforms that disadvantage or restrict access to competitors’ AI agents and push users toward in-house agents and away from those offered by third parties.

Below, we discuss the framework proposed in the Act and provide key takeaways.

A new framework for AI agents

The Act proposes a new federal framework that:

  • Grants individuals the right to choose and designate AI agents to act on their behalf online, which the Act refers to as “Custodial User Agents” (CUA)

  • Requires large online platforms (i.e., those with at least 50 million United States customers or subscribers in any of the prior 12 months) to maintain an interoperable interface that allows CUAs to carry out actions on behalf of users in a fair, nondiscriminatory, and functionally equivalent manner

  • Tasks the US Federal Trade Commission (FTC) with issuing rules and policing compliance for this new framework, including by creating a new registry to track designations, evaluate agents, and catalog trusted providers, and

  • Directs the National Institute for Standards and Technology (NIST) to identify protocols and technical standards to support interoperability across platforms.

This Act complements Senator Warner’s past legislative efforts to regulate consumer AI agents using a designation scheme, such as the “Augmenting Compatibility and Competition Enabling Service Switching Act,” which he first introduced in 2019.

CUAs and CUA-provider duties

Specifically, the Act would establish a framework whereby individuals could designate one or more CUAs to act “on their behalf – and in their best interests” in online interactions, including activities like e-commerce, user-generated content, and account settings. CUAs are defined as “a software-based agent that is expressly authorized by a user to interact with a large online platform provider on that user’s behalf in a transparent, documented, scope-limited, and revocable manner.” The Act also carves out a definition for CUA providers, or entities that operate or offer one or more CUAs.

The legislation imposes several affirmative duties and obligations on CUAs and CUA providers – first and foremost, that they register with the FTC before they can act as a user’s representative. Additionally, CUAs must:

  • Reasonably safeguard the privacy and security of user data

  • Maintain real-time records of actions taken on the user’s behalf and make such records available to the user, and

  • Establish reasonable measures to ensure CUAs are operating in compliance.

Conversely, under the proposal, CUAs and CUA providers may not:

  • Manage a user’s online interactions in a way that benefits the CUA to the user’s detriment, results in reasonably foreseeable harm, or is otherwise inconsistent with the user’s directions or expectations

  • Collect, use, or share user data except as reasonably necessary to provide services, including using the data for advertising, behavioral profiling, sale, or any other secondary commercial purpose, and

  • Delegate, assign, or transfer authorities to another entity without the user’s express, specific, and revocable authorization.

Violations could result in deregistration with the FTC or other enforcement actions.

Duties of large online platform providers

The Act would also create affirmative duties for large online platforms – most notably, the requirement to facilitate and maintain an interface that is accessible to CUAs based on fair, reasonable, and nondiscriminatory terms, with functionally equivalent access for competing third-party CUAs. If a large platform were to change the interface, or the terms of use, for the purpose of denying or undermining the access of an authorized CUA, that change would be considered a violation and could be grounds for FTC enforcement.

Large platforms would also be required to set reasonable privacy and security standards for CUA access consistent with industry best practices and to report violations of such standards to the FTC. The Act also provides various mechanisms for public documentation and transparency, notice of privacy and security standards, submission of reports with rationale for any denial of access to a provider’s interface, and opportunities for appeal.

Federal roles and responsibilities

Finally, the Act directs the FTC to issue regulations implementing the framework described above in coordination with the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corporation, and the US Department of the Treasury’s Office of the Comptroller of the Currency. Specifically, the FTC would be required to:

  • Establish rules and procedures to verify the validity of CUA requests to obtain user data, developed in consultation with industry stakeholders

  • Regularly assess compliance for CUAs, CUA providers, and large online platforms

  • Establish procedures for filing complaints and alleging violations, and

  • Enforce the Act to the full extent permitted under the FTC Act (15 U.S.C. 41 et seq.) and treat violations consistent with a violation of the rules on unfair or deceptive acts or practices (15 U.S.C. 57a(a)(1)(B)).

NIST would be responsible for identifying open protocols (or, if no such protocols exist, developing and publishing model technical standards) whereby popular classes of online services can be made more accessible to CUAs, including, e.g., online messaging, social media, and e-commerce.

Importantly, this would also include protocols for verifiable delegation (i.e., scope-limited, revocable delegation credentials; verification of CUA registration; real-time revocation; and creation of auditable records of actions that CUAs have taken on behalf of users).

Key takeaways

The Act is one of many recent Congressional efforts to tackle the complexities of AI, from managing shifting market dynamics to navigating national security concerns. Last month, House Members Jay Obernolte and Lori Trahan released a discussion draft of their comprehensive, 269-page “Great American AI Act,” which consolidated several pieces of proposed legislation with a nexus to AI (in addition to cybersecurity, international trade, and scientific research).

However, the Act is distinct in that it would create a new regulatory framework specifically organized around AI agents and the platforms they interact with online. Since the draft has not been formally introduced in Congress, stakeholders, industry participants, and the public have an opportunity to provide feedback.

Learn more

For more information, please contact the authors.