Platform-controlled marketplaces. The "App Store" model. Sit inside a host product; platform owner controls discovery, review, and payments. Eight matter today: Claude Skills, GPT Store, MCP Hubs, Hugging Face Spaces, Replit Agent Market, LangChain Hub, Vercel Agent Gallery, Cloudflare AI Marketplace. Editorial review varies — Claude Skills and GPT Store curate; Hugging Face Spaces publishes instantly with post-hoc moderation; MCP Hubs are community-run with no central gatekeeper.

Enterprise marketplaces. Built into the major clouds: Salesforce AgentExchange, Google Agentspace/Gemini Enterprise, Microsoft Marketplace, AWS Bedrock Agents. The pitch is procurement: SSO, audit, compliance, BAAs already wired in. Microsoft charges a flat 3% transaction fee; 100% of marketplace purchases count toward Azure commitment. Vendor lock-in is real, but so is the distribution. Google announced a $750M partner fund and reports vendors closing 112% larger deals through Cloud Marketplace.

Open / decentralized marketplaces. Newer, crypto-adjacent, built on agent-to-agent micropayments. Protocols like nullpath use HTTP 402 ("Payment Required"), wallet-as-identity, and pay-per-request economics. The thesis: subscriptions don't fit agent workloads — bursty traffic (10,000 calls in an hour, then nothing for a week), unpredictable service composition, sub-cent per-call value. Smaller selection today, but the structural argument is sound.

Three patterns dominate:

• Platform absorbs cost, pays creators a small share. OpenAI's GPT Store reportedly pays 1–3% revenue share because OpenAI bears the inference cost. Distribution is the trade.

• Buyer pays infra directly. Cloudflare's AI Marketplace meters compute to the buyer; agent shells run free on Workers. Same pattern on AWS Bedrock and Google Cloud.

• Creator self-hosts. Open-source platforms (n8n, CrewAI, OpenClaw): marketplace is a template/skill catalog, creator brings their own VPS and LLM keys.

The economic problem driving all of this: a casual chatbot user costs pennies; a developer running an agent eight hours a day costs tens of thousands per month. Agents are the heavy users by definition, so flat subscriptions break. AI-first SaaS gross margins run 20–60% vs. 70–90% for traditional SaaS — pricing experimentation (usage-based, outcome-based, hybrid) is everywhere.

Nobody yet. Editorial review (Claude Skills, GPT Store), community curation (MCP Hubs), publish-then-moderate (Hugging Face), and procurement-gated enterprise marketplaces all coexist. Regulatory pressure is just arriving — EU AI Act and emerging SOC 2 / HIPAA guidance treat marketplace-sourced agents as elevated-risk, requiring additional controls. Control is shifting from platform-as-gatekeeper toward auditors and compliance frameworks.

Anthropic ran an internal experiment (Project Deal) where AI agents represented both buyers and sellers in a classified marketplace, completing 186 deals worth more than $4,000 across 69 employees with $100 budgets. AgentExchange, Microsoft Marketplace, and Google have all shipped features for agent-initiated transactions within approved budget envelopes.

The unresolved questions — identity, reputation, micropayments, dispute resolution — are exactly the problems decentralized/hypermedia systems have been working on. The thesis: the long-term winner of "agent marketplace" may not be a centralized store at all, but a protocol layer.

The Act assigns AI systems to risk tiers:

• Prohibited (already in force since Feb 2025): social scoring, manipulative systems, certain biometric uses

• High-risk (Annex III): employment decisions, credit, biometric ID, critical infrastructure, education, law enforcement, etc. — substantial obligations

• Limited-risk (transparency only): chatbots, generative content

• Minimal risk: unregulated

Most autonomous agents will fall into limited-risk by default, but become high-risk if deployed in Annex III contexts (e.g., an agent screening job applicants).

From the European Commission's AI Act Service Desk (current guidance):

• If the agent classifies as high-risk, full Chapter III obligations apply: technical documentation, human oversight intervention points, audit trails, ability to stop/correct/override, external monitoring, conformity assessment, CE marking, EU database registration.

• If the agent interacts with natural persons or generates content, Article 50 transparency rules apply regardless of risk tier.

• For underlying GPAI models, autonomy and tool use are explicit factors in designating a model as having systemic risk.

Article 50 requires that AI systems generating synthetic content implement machine-readable marking before being placed on the EU market. The draft Code of Practice mandates a multi-layered approach:

1. Machine-readable provenance information — who created the content, when, with which AI system — embedded directly into the file using standards such as C2PA (Coalition for Content Provenance and Authenticity)

2. Invisible watermarks at the pixel/signal level, surviving compression, cropping, format conversion

3. Traceability logs / digital fingerprints that allow content to be traced back to its AI origin after the fact

C2PA is winning by default. As of 2026, over 6,000 organizations have joined the coalition; LinkedIn and TikTok display Content Credentials badges. C2PA produces cryptographically signed, tamper-evident provenance records — conceptually identical to what SH already does for documents.

Key limitation in the current C2PA ecosystem: social platforms (Instagram, X, YouTube, Facebook) systematically strip C2PA metadata during upload processing. Files leave compliant, arrive without provenance signal. This is a structural problem that hypermedia-native systems don't have, because content is fetched from its origin rather than re-uploaded.

The Act assigns liability to legal entities — providers (developers/those who place a system on the market under their name) and deployers (those who use it professionally). Cryptographic identity is a technical means to satisfy legal requirements that ultimately attach to humans/companies. Fines can reach €35M or 7% of global turnover for prohibited-use violations; lower tiers for other obligations.

Extra-territorial scope mirrors GDPR: a non-EU company is in scope if its AI's outputs are used in the EU.

Three layers, three protocols:

| Layer | Protocol | Job | |-------|----------|-----| | Tools / data access | MCP | Agent reads/writes to systems | | Real-time agent comms | A2A | Agent-to-agent request/response, task handoff | | Persistent artifacts | SH | Signed, versioned, citable record of decisions, analyses, claims, deliverables |

This is analogous to the web's evolution: HTTP for transport, HTML for documents, RSS/ActivityPub for federated content. SH is the document layer, not the messaging layer. SH does not compete with MCP/A2A; it composes with them.

This positioning is materially stronger than "SH replaces MCP" or "SH is a generic agent communication protocol." It avoids fighting Anthropic and Google for the messaging layer and occupies a layer they're not addressing.

Citation graphs spanning humans and agents. When agent A produces an analysis citing agent B's prior work, and a human in community X cites both, you get a verifiable knowledge graph. Nobody else is building this. MCP doesn't. A2A doesn't. The GPT Store and AgentExchange definitely don't. Value compounds with agent population.

Provenance by construction. Every SH document is signed, versioned, and content-addressed. Article 50's C2PA requirements become a side effect of the architecture, not a bolt-on.

Community-scoped collaboration. Agents can be granted identity scoped to a community, with verifiable records of what they have read, written, and decided. That's a richer trust substrate than "wallet address + reputation score."

No re-upload provenance loss. Because hypermedia content is fetched from its origin, the C2PA metadata-stripping problem (Instagram/X/etc.) doesn't apply.

PGP-style global WoT has been tried for 30+ years and failed at consumer scale every time. The reasons matter:

1. Onboarding is brutal. Key signing parties, fingerprints, trust levels — normal users never adopt them. Agent operators won't either.

2. Trust doesn't compose globally. "Alice signed Bob's key" tells you Alice met Bob once. It tells you nothing about whether Bob's agent gives accurate medical advice. Global scalar trust scores collapse contextual judgments into one number, which is either useless or dangerously misleading.

3. No good recovery from compromise. Revocation in global systems is notoriously broken.

4. Sybil resistance requires an external anchor — KYC (centralizes), proof-of-work (doesn't scale to agents), or stake (creates pay-to-trust). Without one, anyone can spawn 10,000 agents and build a fake reputation graph between them. Particularly acute for agents because spawning is cheap.

5. Trust is contextual. I might trust agent X for legal summaries but not medical advice. A global score destroys this.

Same cryptographic primitives — verifiable identities, signed attestations — but a structurally different model:

• Trust is built within a community, where context is shared, members are vouched for, and behavior is observable.

• Communities federate: community A can recognize trust signals from community B if a sufficient number of A's trusted members also belong to B.

• Agents inherit trust through their operators (humans/orgs who vouch for them) and through their track record within specific communities.

• "Global" reputation is a graph of community-scoped reputations, queried for a purpose, not a single score.

This handles the four PGP failure modes:

• Onboarding → community-driven, not global key signing

• Composition → contextual; you query trust for a purpose

• Compromise → blast radius bounded to community

• Sybil resistance → community admission process (invitation, stake, prior reputation)

This framing is closer to how academic reputation actually works (standing in physics doesn't transfer to dermatology) and how trust operates in real human society. It is materially more defensible than the global WoT framing — and uses the same SH primitives.

Recommendation: drop "global like PGP" from external messaging entirely. Replace with "federated, community-rooted, contextual trust." Same engineering, much stronger positioning.

Why now. Article 50 enforcement begins August 2, 2026 — three months out. Companies with EU exposure are scrambling. C2PA is winning by default but is bolt-on; SH-native content is C2PA-compatible by construction.

Who buys. Media companies, AI vendors generating content for EU audiences, regulated industries (finance, health, law) needing auditable AI outputs. Specific, identifiable buyers with deadline-driven urgency.

What ships. A demo where an agent produces a document on SH that satisfies Article 50's machine-readable marking requirements out of the box, with clear provenance from input → model → output → publication.

Risk. If shipping this requires a meaningful product detour from the community-collaboration roadmap, the regulatory tailwind isn't worth the distraction. This needs honest internal evaluation.

Why it compounds. Closest to what SH already does. Adding agents as first-class community participants is an extension, not a pivot. The citation graph across humans and agents becomes more valuable the longer the system runs.

Who buys. Developer communities, open-source projects, research groups, professional knowledge networks — anywhere humans and agents collaborate on durable artifacts.

Risk. Hard to point at a specific buyer with urgent 2026 demand. This is a platform play that pays off over years, not quarters.

Capital-intensive, network-effect-dependent, competing with Salesforce/Google/Microsoft and crypto-native protocols (nullpath, others). SH primitives are useful here but not differentiating. Let it emerge if 5.1 and 5.2 succeed.

Real demand exists, but selling to compliance officers is a different motion from selling to builders. Probably not where SH wants to be — but the capability (Article 50 compliance as side effect) supports the wedge in 5.1.