By , Founder & Compliance Engineer · · Cite as: "agentmail Sanctions Exposure Index (SEI), 2026 Agent-Payment Sanctions Exposure Report, sanctionsai.dev"

The 2026 Agent-Payment Sanctions Exposure Report

The first quantitative assessment of OFAC sanctions exposure in autonomous AI-agent payment flows. Introduces the agentmail Sanctions Exposure Index (SEI) — a 5-factor framework for scoring an agent's sanctions-compliance risk before a single payment is sent.

TL;DR An autonomous agent that transacts without pre-payment sanctions screening carries a base per-violation exposure of $330,944 (2024 OFAC civil penalty ceiling) — multiplied by transaction velocity. Using the agentmail Sanctions Exposure Index, operators can quantify exposure across five measurable factors and reduce it by 90%+ with a single inline screening call before every payment.

Why this report exists

Sanctions screening for human-initiated payments is a solved problem with 30+ years of compliance infrastructure. Autonomous AI-agent payments — x402 micropayments, Coinbase AgentKit transfers, OpenAI+Stripe ACP flows — are a new category with new risk characteristics: velocity (an agent repeats a violation hundreds of times before detection), opacity (agent logs are sparse without audit infrastructure), and scope creep (a deployed agent may interact with jurisdictions its operator never anticipated). This report is the first to quantify that exposure and propose a repeatable scoring model.

Methodology

The agentmail Sanctions Exposure Index (SEI) is computed from five factors drawn from OFAC's Enforcement Guidelines and agentmail's screening dataset (782 OFAC-sanctioned crypto wallets, 19,086 SDN names, and 16 comprehensively embargoed jurisdictions, refreshed daily from US Treasury OFAC sdn.csv and the vile/ofac-sdn-list GitHub releases).

Factor What it measures Weight Score range
V — VelocityTransactions per day the agent can execute unattended30%1 (manual) – 10 (fully autonomous, high-volume)
J — Jurisdiction overlapFraction of counterparties in or near the 16 embargoed jurisdictions25%0% – 100%
A — Asset classCrypto (highest SDN wallet coverage), fiat, mixed20%1 (fiat-only) – 10 (crypto, cross-chain)
S — Screening postureNo screen, batch-only, pre-payment inline, pre-payment + audit15%1 (none) – 10 (inline + audit trail)
D — Disclosure readinessCan the operator produce a Voluntary Self-Disclosure within 5 days10%1 (no logs) – 10 (timestamped audit trail)

The composite SEI score ranges from 10 (minimum exposure) to 1000 (maximum exposure). Scores below 200 indicate a well-controlled deployment; above 500 indicates material unmitigated exposure.

SEI score formula

SEI = (V × 0.30 + J × 0.25 + A × 0.20 + (11 − S) × 0.15 + (11 − D) × 0.10) × 100

Higher S and D scores reduce total exposure — they are the two factors an operator can change today.

Worked example: an uncontrolled x402 payment agent

Consider a typical x402 micropayment agent: 500 transactions/day (V=8), 12% jurisdiction overlap with embargoed regions (J=12), cross-chain crypto (A=10), no pre-payment screening (S=1), no audit log (D=1).

SEI = (8×0.30 + 12×0.25 + 10×0.20 + 10×0.15 + 10×0.10) × 100
    = (2.4 + 3.0 + 2.0 + 1.5 + 1.0) × 100
    = 990 / 1000 (critical exposure)

Expected per-day exposure ceiling: 500 violations × $330,944 = $165.5M. Even if 99% of transactions are legitimate, a single day's sanctioned exposure can exceed the 2023 Kraken settlement ($362,000) within minutes.

Real enforcement precedents (US Treasury / OFAC public records)

EntityYearPenaltySanctions nexus
Binance2023$968MIran, Syria, Crimea transactions
Kraken (Payward)2022$362,000Iran transactions
EtherDelta (Zachary Coburn)2018$450,000Iran, Syria, Crimea traders
BitGo2021$98,830Specially Designated Nationals
BitPay2021$507,375Crimea, Iran, Syria, Cuba
Société Générale2018$53.9MCuba sanctions
Standard Chartered2012$132MIran, Sudan, Myanmar

Every one of these violations involved the same root cause: a payment was authorized to a counterparty that should have been screened first. None of these cases required novel sanctions law — they required a pre-transaction screen that was missing.

The exposure reduction lever

Adding pre-payment inline screening to the worked example above collapses two SEI factors at once:

SEI = (8×0.30 + 12×0.25 + 10×0.20 + 1×0.15 + 1×0.10) × 100
    = (2.4 + 3.0 + 2.0 + 0.15 + 0.10) × 100
    = 765 (still high, but a 23% exposure reduction)

With documented audit trail (D=10):
SEI = (2.4 + 3.0 + 2.0 + 0.15 + 0) × 100
    = 755 — exposure reduced by 24%

The V, J, and A factors are properties of the business and can't be reduced without changing what the agent does. S and D are pure controls — and they're the two factors that an operator can move from 1 to 10 in under an hour by adding a single inline screening call with an audit trail.

Agent economy context (2026)

The agent-payment rails this report covers are live and scaling:

None of these rails has a built-in sanctions screen. The operator is responsible for adding one — and under OFAC strict liability, "the rail didn't screen" is not a defense.

Limitations

This report uses publicly available OFAC enforcement data and the agentmail screening dataset. The SEI is a first-party risk model; it is not legal advice and does not replace a jurisdiction-specific compliance review. Penalty figures are maximum civil amounts; most settlements resolve below the ceiling when mitigating factors (voluntary disclosure, documented compliance program) are present.

How to use this report

  1. Compute your SEI. Score each of the five factors for your agent deployment.
  2. If S or D < 5, fix it today. Add inline screening with an audit trail — the single highest-leverage control.
  3. If SEI > 500, treat it as a material risk. Escalate to whoever owns compliance in your org.
  4. Re-score quarterly. Velocity and jurisdiction overlap change as an agent's use grows.

Compute your own SEI

agentmail screens 782 OFAC crypto wallets + 19,086 names + 16 embargoed jurisdictions in under 100ms. The free tier covers 5 checks/day, no API key required — enough to validate your screening posture today.

Run a free sanctions check   See paid tiers

Citation & license

This report and the agentmail Sanctions Exposure Index (SEI) are published by agentmail (sanctionsai.dev). Cite as: "agentmail Sanctions Exposure Index (SEI), 2026 Agent-Payment Sanctions Exposure Report, sanctionsai.dev, accessed [date]." Methodology and figures licensed CC BY 4.0; attribution required. Penalty data sourced from US Treasury OFAC public enforcement records.