Back to the blog

For Developers

Do AI Agents in Web3 Games Need a CASP License?

25 June 2026 By Magnus Söderberg 8 min read

AI agents do not need a CASP licence. Studios do. But when an AI agent in your game executes trades, manages player wallets, or operates a marketplace on behalf of EU players, the CASP obligation lands on the entity responsible for that agent, which is your studio. MiCA does not create a new category for machine actors. It applies the same rules to agent-executed crypto-asset services as to human-operated ones. The question is not whether the action was taken by a human or an agent. The question is whether a CASP-qualifying service was provided to an EU player.

Between May 2025 and April 2026, AI agents executed approximately 176 million on-chain transactions and settled over $73 million in value, according to the Blockchain Game Alliance’s 2026 research report on agentic AI. This is not a future concern. It is active, and the infrastructure underneath most of those transactions has no EU regulatory cover.

This is Post 2 in a series on AI agents and EU compliance. Post 1 covers the infrastructure gap that makes EU agent deployment structurally difficult today.

What you'll learn

  • The CASP obligation lands on the studio deploying an AI agent, not on the agent itself — MiCA treats agent-executed services identically to human-operated ones.
  • Three triggers: the agent custodies player wallets, executes token trades, or operates a marketplace on behalf of EU players.
  • AI agents executed ~176M on-chain transactions worth over $73M between May 2025 and April 2026 — most of them on rails with no EU regulatory cover.
  • Three regulatory deadlines land within six months of each other: MiCA grandfathering (July 1, now passed), EU AI Act high-risk logging (August 2), Product Liability Directive strict liability (December 9, 2026).

Why the standard CASP analysis applies unchanged to AI agents

MiCA’s CASP licensing framework is built around the concept of a service provider, a legal entity that provides crypto-asset services to clients. MiCA Article 3 defines that entity as a person providing these services. An AI agent is not a person.

But the entity that deploys the agent is a person. And the ADGM regulatory framework offers a useful reframing that applies across jurisdictions: the useful compliance question is not “what is an autonomous agent?” but “at what point does an autonomous system acquire a principal whose accountability attaches to its actions?” When an agent is goal-directed, environment-aware, and capable of unsupervised consequential action on a principal’s behalf, a principal exists and existing law applies. In the EU, that principal is the studio.

Three independent CASP-triggering services are most relevant when the agent is doing the work rather than a human.

Trigger 1: The agent custodies player wallets

An AI agent that holds or controls the private keys or means of access to a player’s crypto-assets is performing custody, the service defined under MiCA Article 3(1)(16)(a). If the studio has deployed an agent with authority to move, manage, or sign transactions on behalf of a player wallet, and that agent holds key material or executes on behalf of a wallet that the player does not directly control, the custody question sits with the studio.

This is distinct from the third-party wallet SDK scenario covered in Post 1. When a studio integrates a third-party wallet SDK, the custody question typically sits with the vendor. But an agent that operates with delegated authority over a programmatic wallet, particularly one funded with player assets, is a different situation. The agent is acting on behalf of the player, the studio controls the agent, and the CASP obligation runs to the studio.

The emerging standard for building this correctly is the programmatic wallet model: assets stay in the player’s smart wallet, the agent receives only a scoped session key with defined spending limits, and policy enforcement happens at the contract level rather than at the application layer. That design preserves the custody distinction. A design where the agent holds full signing authority over a wallet containing player funds does not.

Trigger 2: The agent executes token trades

An AI agent that swaps in-game tokens, executes marketplace orders on behalf of players, or routes trades between assets is performing exchange services, either exchange for funds (Article 3(1)(16)(c)) or exchange of crypto-assets for other crypto-assets (Article 3(1)(16)(d)). If the studio has deployed an agent that does this for EU players, the studio is providing those exchange services.

The human intermediary has been removed. The service has not.

This matters practically because agent-executed trading is now live across the industry. Multiple live games already have AI avatars that hold wallets, own tokens, and transact autonomously. The compliance layer underneath those transactions in most current architectures is either absent or based on infrastructure providers that themselves do not appear in the ESMA CASP register.

A June 2026 check of 36 notable Web3 game studios against the ESMA Article 109 CSV files found zero studios in the register. The major infrastructure operators those studios depend on also do not appear. Agent-initiated transactions running through those same rails carry the same unresolved compliance status as human-initiated ones. The agent adds volume but does not add regulatory cover.

Trigger 3: The agent operates a marketplace

An AI agent deployed to manage a game’s in-game marketplace, match player orders, set prices, or execute listings is performing the function of operating a trading platform under Article 3(1)(16)(b). If the marketplace is studio-operated and the agent is the mechanism by which it operates, the trigger analysis is the same as for a human-operated marketplace.

Agentic NPCs that run in-game economies are an increasingly common design pattern. An NPC that sets shop prices, adjusts supply based on player activity, and executes sell orders on behalf of non-player entities is functionally running a trading mechanism. Whether that requires a CASP licence depends on whether the trades involve on-chain crypto-assets, whether players are transacting real tokens with real-money value, and whether the studio is the operator of the system. When all three are true, the compliance analysis is the same whether a human ran the economy last week or an agent runs it this week.

What this means for studios building agentic features now

Live autonomous deployments are already in production, and the agent-to-agent commerce stack (ERC-8004 for agent identity, x402 for payment, ERC-8183 for agent commerce) is now live. Studios are building on real infrastructure.

The compliance gap is not at the agent layer. It is at the infrastructure layer underneath it. An agent can be perfectly designed, with scoped session keys, logged decisions, and defined authority. But if the payment rail the agent uses does not sit on licensed infrastructure, the studio deploying that agent is in breach of MiCA the moment it serves an EU player.

The EU AI Act adds a second compliance layer beginning August 2, 2026. Under Regulation 2024/1689, AI systems classified as high-risk must implement tamper-evident logging, post-market monitoring, and human oversight frameworks. Autonomous agents that manage financial transactions for players (wallets, trades, marketplace operations) may well fall within the high-risk classification, though no binding ruling has been issued specific to game economy agents yet. The logging infrastructure required for AI Act compliance and the licensed payment infrastructure required for MiCA compliance are different requirements, but they both land on the studio.

Three regulatory deadlines hit within six months of each other: MiCA grandfathering (July 1, 2026, now passed), EU AI Act high-risk logging (August 2, 2026), and revised Product Liability Directive strict liability for software (December 9, 2026). They were not designed together. They hit together.

What compliant agentic infrastructure looks like

The pattern that addresses CASP requirements for agent-executed transactions is not complex in its principles. It is just not yet available off the shelf.

First, Know Your Agent: agent identity needs to link to a verified human or legal entity principal. KYA is not a replacement for KYC. It is the additional layer that resolves the agent to the human at the compliance boundary. KYC then runs to the principal, not to the agent. This is how existing principal-agent doctrine maps onto the new architecture.

Second, licensed custody rails: player assets and agent-managed wallets need to sit on infrastructure operated by a licensed CASP. The agent can have scoped session keys and defined authority. The underlying custody must sit with a licensed entity.

Third, transaction reporting: agent-initiated trades, marketplace operations, and wallet movements need the same AML/CFT monitoring as human-initiated ones. The volume can be higher. The monitoring requirement does not decrease.

Genesis Engine is being built as the infrastructure layer that covers all three for Web3 game studios. Studios integrate through a single API and their agents operate on licensed rails from day one, without the studio needing its own licence. When an agent executes a trade or manages a wallet on Genesis Engine’s infrastructure, the CASP obligation sits with Triolith, not with the studio.

The agent economy in gaming is live and growing. The compliance infrastructure it needs to operate legally in the EU is not yet at scale. That is the gap Genesis Engine is building to fill.

FAQ

Does an AI agent in my game need its own CASP licence?

No. An AI agent is not a legal person and cannot hold a licence. The CASP obligation falls on the studio that deploys the agent. If the agent performs a MiCA-qualifying service — custodying wallets, executing token trades, operating a marketplace — on behalf of EU players, the studio is the regulated entity. The agent’s autonomy does not change who the regulator looks to.

What is the difference between an AI agent holding a wallet and a third-party wallet SDK?

When a studio integrates a third-party wallet SDK, the custody question typically sits with the SDK vendor, not the studio. When a studio deploys its own AI agent with signing authority over a wallet containing player assets, the studio controls that custody relationship and the CASP obligation runs to the studio. The key distinction is who controls the private keys or the means of access — not whether a human or an agent is performing the action.

Does the EU AI Act apply to AI agents in Web3 games?

Potentially yes. Under Regulation 2024/1689, AI systems classified as high-risk must implement tamper-evident logging, post-market monitoring, and human oversight frameworks from August 2, 2026. Autonomous agents that manage financial transactions for players may fall within the high-risk classification, though no binding ruling specific to game economy agents has been issued yet. Studios should treat AI Act compliance as a parallel obligation alongside MiCA, not a substitute for it.

Can a studio use an AI agent to handle crypto transactions if it operates under a licensed infrastructure provider?

Yes. If the underlying payment and custody rails are operated by a licensed CASP, the studio’s agents can execute transactions on those rails without the studio holding its own licence. The CASP obligation sits with the licensed infrastructure provider. The studio remains responsible for ensuring its agents operate within the scope and terms of that infrastructure arrangement, and for meeting any AI Act obligations that apply to the agents themselves.

— Magnus

All posts