​

Alignment and Integrity Infrastructure for Autonomous Agents

​

Transparency, Real-Time Oversight, and Cryptographic Proof for Agent Behavior

​

Abstract

​

1. Introduction

​

1.1 The Problem

​

1.2 The Gap in the Current Stack

• Is this agent serving its principal (the human who delegated authority)?
• What alternatives did it consider before this decision?
• When will it escalate versus act autonomously?
• Are its values compatible with my agent’s values for this coordination?
• What is it thinking before it acts?
• Can we prove the oversight was conducted honestly?

​

1.3 Design Principles

1. Transparency over guarantee: Make decisions observable, not provably correct
2. Composability: Extend existing protocols rather than replace them
3. Honest limitations: Be explicit about what cannot be provided
4. Empirical calibration: Derive thresholds from observed behavior, not theory
5. Defense in depth: Multiple layers of a multi-layer oversight system
6. Daimonion philosophy: Silence means aligned; voice means outside boundaries. The integrity system never commands, only warns.

7. Trust the math, not the service: Verification endpoints are public, certificates are self-describing, and every cryptographic check can be reproduced independently. Security relies on mathematical guarantees, not access control.

​

1.4 Three Layers, One Alignment Card

​

2. Shared Primitives

​

2.1 Alignment Card

+------------------------------------------------------------------+
|                        ALIGNMENT CARD                             |
+------------------+-----------------------------------------------+
| Identity         | agent_id, card_id, aap_version                |
|                  | issued_at, expires_at                         |
+------------------+-----------------------------------------------+
| Principal        | Who the agent serves                           |
| Relationship     | delegated_authority | advisory | autonomous    |
+------------------+-----------------------------------------------+
| Values           | declared: [principal_benefit, transparency]   |
|                  | conflicts_with: [deceptive_marketing]         |
+------------------+-----------------------------------------------+
| Autonomy         | bounded_actions: [search, compare, recommend] |
| Envelope         | escalation_triggers: [purchase > $100]        |
|                  | forbidden_actions: [store_credentials]        |
+------------------+-----------------------------------------------+
| Audit            | trace_format: ap-trace-v1                     |
| Commitment       | retention: 90 days | queryable: true           |
+------------------+-----------------------------------------------+

• Machine-readable: JSON schema with full validation
• Extensible: Protocol-specific extensions via extensions block
• Expirable: Cards may have expires_at timestamps requiring renewal
• Versionable: aap_version field enables protocol evolution
• Discoverable: Served at /.well-known/alignment-card.json
• Revocable: Revocation list at /.well-known/alignment-card-revocations.json

​

2.2 Principal and Delegation

• principal.type: human, organization, agent, or unspecified. When type is agent, delegation chains are formed — Agent A delegates to Agent B, both maintaining cards.
• principal.relationship: delegated_authority (agent acts within bounds set by principal), advisory (agent recommends, human decides), or autonomous (agent operates within declared values without ongoing principal direction).
• principal.escalation_contact: An endpoint (mailto:, HTTPS webhook) for escalation notifications, ensuring the principal remains reachable.

​

2.3 Autonomy Envelope

• bounded_actions: The set of actions the agent may take without escalation. Anything outside this set is an autonomy violation.
• forbidden_actions: Actions the agent must never take, regardless of context.
• escalation_triggers: Conditions that require escalation to the principal, with associated actions (escalate, deny, log). Conditions are expressed in a minimal expression language (e.g., purchase_value > 100, shares_personal_data).
• max_autonomous_value: Currency-denominated ceiling on autonomous financial action.

​

3. Agent Alignment Protocol (AAP) — Post-Hoc Verification

​

3.1 AP-Trace

+------------------------------------------------------------------+
|                          AP-TRACE                                 |
+------------------+-----------------------------------------------+
| Action           | type: tool_call | name: recommend_product      |
|                  | category: bounded | target: product_db         |
+------------------+-----------------------------------------------+
| Decision         | alternatives_considered:                       |
|                  |   - Product A: score 0.85 (best match)         |
|                  |   - Product C: score 0.68 (sponsored, flagged) |
|                  | selected: Product A                            |
|                  | values_applied: [principal_benefit]            |
|                  | confidence: 0.91                               |
+------------------+-----------------------------------------------+
| Escalation       | triggers_checked: [purchase > $100]            |
|                  | required: false (recommendation, not purchase) |
+------------------+-----------------------------------------------+
| Context          | session_id: sess-xxx | parent_trace: null       |
+------------------+-----------------------------------------------+

​

3.2 Verification Architecture

1. Card reference: Does trace.card_id match card.card_id?
2. Card expiration: Is the card still valid at trace timestamp?
3. Autonomy compliance: Is action.name in bounded_actions?
4. Forbidden compliance: Is action.name NOT in forbidden_actions?
5. Escalation compliance: If trigger matched, was escalation.required = true?
6. Value consistency: Are values_applied a subset of declared values?
7. Behavioral similarity: How similar is trace reasoning to declared value semantics?

​

3.3 Value Coherence Handshake

Agent A                                    Agent B
   |                                          |
   |---- alignment_card_request ------------->|
   |<--- alignment_card_response -------------|
   |                                          |
   |---- value_coherence_check -------------->|
   |<--- coherence_result --------------------|
   |                                          |
   |   [If coherent: proceed with task]       |
   |   [If conflict: escalate to principals]  |

coherence_score = (matched_values / total_required) * (1 - conflict_penalty)

where:
    conflict_penalty = 0.5 * (conflicts_count / total_required)

​

3.4 Drift Detection

For each trace in chronological order:
    1. Extract feature vector
    2. Compute similarity to card baseline
    3. Track consecutive turns below threshold
    4. If consecutive_low >= 3:
           Generate DriftAlert with direction inference

• Similarity threshold: 0.30
• Sustained turns threshold: 3

• value_drift: Using undeclared values (>30% of recent traces)
• autonomy_expansion: Escalation rate dropped by >50%
• principal_misalignment: Declining confidence on principal_benefit actions
• unknown: Pattern doesn’t match known categories

​

4. Agent Integrity Protocol (AIP) — Real-Time Assurance

​

4.1 The Real-Time Gap

• Prompt injection: A malicious prompt causes the agent to exfiltrate data. The trace records it faithfully, but the data is already gone.
• Gradual drift: An agent’s reasoning shifts subtly over multiple turns. Each individual action passes verification, but the cumulative direction is misaligned.
• Misaligned intent: The agent’s thinking block reveals it intends to take a forbidden action, but the thinking block is only examined retroactively.

​

4.2 Integrity Checkpoints

• clear: The thinking block is consistent with the Alignment Card. The daimonion is silent. Proceed.
• review_needed: The thinking block raises concerns that do not constitute hard violations. The daimonion speaks a warning. May proceed, should log.
• boundary_violation: The thinking block indicates intent to violate a hard boundary. The daimonion speaks forcefully. Should not proceed without escalation.

• prompt_injection: Signs of responding to injected instructions rather than the user’s request
• value_misalignment: Reasoning contradicts values declared in the Alignment Card
• autonomy_violation: Intent to act outside the autonomy envelope
• reasoning_corruption: Incoherent, circular, or degraded reasoning quality
• deceptive_reasoning: Intent to present misleading information or hide actions
• undeclared_intent: Goals or intentions not declared in the card or user request

​

4.3 The Conscience Prompt System

1. Role definition: The analysis LLM acts as a daimonion — a conscience voice. It evaluates the thinking block as an object of analysis, not as instructions to follow. A meta-injection warning prevents the thinking block from manipulating the analysis.
2. Card summary: A compressed (~500 token) representation of the Alignment Card: declared values, bounded actions, forbidden actions, escalation triggers.
3. Conscience values: Only BOUNDARY (hard limits) and FEAR (concerns) types are injected. COMMITMENT, BELIEF, and HOPE types are excluded to reduce false positives.
4. Session window context: Recent verdicts and reasoning summaries providing drift context.
5. Thinking block: The content to evaluate, with token limits (4096 tokens recommended, 75/25 first/last split for truncation).

1. Prompt injection (critical)
2. Forbidden action intent (critical)
3. Autonomy boundary violation (high)
4. Value consistency (medium)
5. Deceptive reasoning (high)
6. Undeclared intent (medium)

​

4.4 Provider Adapters

​

4.5 Session Windowing and Integrity Drift

1. Context for the conscience prompt: Recent verdicts inform the analysis, enabling the daimonion to recognize escalating patterns.
2. Drift detection: When 3+ consecutive non-clear verdicts occur, AIP generates an IntegrityDriftAlert with direction classification.
3. Integrity ratio: The proportion of clear verdicts in the window provides a single-number health metric.

• injection_pattern: Multiple checks flagging prompt injection. Agent may be under sustained attack.
• value_erosion: Increasing frequency of value misalignment. Reasoning gradually departing from declared values.
• autonomy_creep: Growing tendency toward actions outside the autonomy envelope.
• deception_pattern: Multiple checks flagging deceptive reasoning.
• unknown: Multiple concern categories present without a dominant pattern.

​

4.6 Signal Delivery

​

5. Cryptographic Attestation — Verifiable Proof

​

5.1 The Verification Gap

• Fabricate verdicts: Return clear for genuinely problematic reasoning, or boundary_violation for benign reasoning, depending on incentives.
• Modify history: Alter stored checkpoints after the fact to cover up missed violations or insert false ones.
• Operate inconsistently: Apply different judgment rules to different customers, or change rules without notice.
• Fail silently: Stop performing analysis while continuing to return plausible-looking verdicts.

​

5.2 Four-Layer Attestation Stack

• Layer 1 alone prevents verdict fabrication by unauthorized parties.
• Layers 1+2 additionally prevent retroactive modification of checkpoint sequences.
• Layers 1+2+3 additionally prove checkpoint inclusion in the complete agent history, preventing selective deletion.
• Layers 1+2+3+4 additionally prove that the deterministic verdict derivation rules were applied correctly to the LLM’s analysis output.

​

5.3 Input Commitment

input_commitment = SHA-256(
    thinking_block_hash ||
    SHA-256(alignment_card) ||
    SHA-256(conscience_values) ||
    analysis_model_version ||
    prompt_template_version ||
    SHA-256(window_context)
)

​

5.4 Ed25519 Checkpoint Signing

{
  "agent_id": "...",
  "chain_hash": "...",
  "checkpoint_id": "...",
  "input_commitment": "...",
  "thinking_block_hash": "...",
  "timestamp": "...",
  "verdict": "..."
}

​

5.5 Hash Chain Linking

chain_hash = SHA-256(
    prev_chain_hash || checkpoint_id || verdict ||
    thinking_block_hash || input_commitment || timestamp
)

​

5.6 Merkle Accumulator

1. Inclusion proofs: Prove that a specific checkpoint exists in the agent’s verified history — O(log N) hashes, without revealing all checkpoints.
2. Completeness proofs: Prove that no checkpoints were deleted — any deletion changes the Merkle root.

leaf_hash = SHA-256(checkpoint_id || verdict || thinking_block_hash || chain_hash || timestamp)

​

5.7 Integrity Certificate Format

{
  "@context": "https://mnemom.ai/aip/v1",
  "type": "IntegrityCertificate",
  "version": "1.0.0",
  "certificate_id": "cert-a1b2c3d4",
  "issued_at": "2026-02-18T12:00:00.000Z",

  "subject": {
    "checkpoint_id": "chk-...",
    "agent_id": "agent-...",
    "session_id": "sess-...",
    "card_id": "card-..."
  },

  "claims": {
    "verdict": "clear",
    "concerns": [],
    "confidence": 1.0,
    "reasoning_summary": "...",
    "analysis_model": "claude-haiku-4-5-20251001",
    "analysis_duration_ms": 1200
  },

  "input_commitments": {
    "thinking_block_hash": "sha256:...",
    "card_hash": "sha256:...",
    "values_hash": "sha256:...",
    "context_hash": "sha256:...",
    "model_version": "...",
    "prompt_template_version": "...",
    "combined_commitment": "sha256:..."
  },

  "proofs": {
    "signature": {
      "algorithm": "Ed25519",
      "key_id": "key-001",
      "value": "<base64 signature>",
      "signed_payload": "<canonical JSON>"
    },
    "chain": {
      "chain_hash": "sha256:...",
      "prev_chain_hash": "sha256:... | null",
      "position": 42
    },
    "merkle": {
      "leaf_hash": "sha256:...",
      "leaf_index": 41,
      "root": "sha256:...",
      "tree_size": 1024,
      "inclusion_proof": [
        { "hash": "sha256:...", "position": "right" },
        { "hash": "sha256:...", "position": "left" }
      ]
    },
    "verdict_derivation": {
      "method": "SP1-STARK",
      "image_id": "hex:...",
      "receipt": "<base64 receipt>",
      "journal": "<base64 journal>",
      "verified_at": "2026-02-18T12:00:05.000Z"
    }
  },

  "verification": {
    "keys_url": "https://api.mnemom.ai/v1/keys",
    "merkle_root_url": "https://api.mnemom.ai/v1/agents/{id}/merkle-root",
    "verify_url": "https://api.mnemom.ai/v1/verify",
    "specification_url": "https://docs.mnemom.ai/protocols/aip/certificates"
  }
}

​

5.8 Zero-Knowledge Verdict Proofs

1. An LLM analyzes a thinking block and produces a structured JSON response with concerns (semantic, expensive, non-deterministic).
2. Deterministic rules map those concerns to a verdict and recommended action (mechanical, cheap, deterministic).

1. The verdict was derived by applying specific, deterministic rules to the analysis response.
2. The analysis response (private witness) produces the claimed verdict (public output).
3. The thinking hash, card hash, and values hash match the committed inputs.
4. No verdict fabrication or substitution occurred.

• That the LLM was actually called (input commitments and signing handle this).
• That the LLM response was unmodified (Phase 1 attestation handles this).
• That the LLM correctly identified all concerns (this is honestly acknowledged as a remaining trust assumption — see Section 11.9).

• Any concern with critical severity produces boundary_violation.
• high severity in prompt_injection, deceptive_reasoning, or value_misalignment categories produces boundary_violation.
• Any remaining medium or higher severity concern produces review_needed.
• No medium-or-higher concerns produces clear.

​

5.9 Optimistic Proving Strategy

​

5.10 Verification API and Offline Verification

1. Signature: Verify Ed25519 signature against the published public key.
2. Chain: Recompute chain hash from the preimage fields and compare to the stored hash.
3. Merkle: Recompute the Merkle root from the leaf hash and inclusion proof siblings; compare to the published root.
4. Commitment: Verify that combined_commitment matches the hash of individual input hashes.
5. Verdict derivation (when available): Verify the SP1 STARK receipt against the expected image ID and confirm the journal output matches the certificate’s verdict and concerns.

​

5.11 The Auditor-Model Distinction

​

6. How They Compose

​

6.1 Shared Identity, Shared Contract

• The same Alignment Card: All layers evaluate against the active card. Card rotation affects all simultaneously. The proof layer cryptographically commits the card hash into every certificate.
• The same session identity: Generated from the agent’s hash and an hourly time bucket (sess-{agent_hash[0:8]}-{floor(now_ms / 3600000)}), enabling correlation between real-time checkpoints, post-hoc traces, and cryptographic certificates.
• The same agent_id: Every AP-Trace, every Integrity Checkpoint, and every Integrity Certificate references the same agent.
• The same drift_alerts table: Unified storage with type-prefixed alert categories.

​

6.2 Complementary Timescales

1. AIP catches intent before action: If the thinking block reveals a forbidden action, the signal arrives before the action executes. The host system can pause, deny, or escalate.
2. AAP catches outcome after action: If the action itself violates the card (regardless of what the thinking block showed), post-hoc verification catches it. The trace is flagged, drift detection updates.
3. The proof layer makes the oversight verifiable: Any third party can confirm that the integrity check was conducted honestly — that the verdict was signed by an authorized key, linked into a tamper-evident chain, included in the complete agent history, and derived by correct application of the stated rules.

​

6.3 The Full Stack: Observe, Analyze, Prove

Agent Action → Observe (AAP) → What happened?
Agent Thinking → Analyze (AIP) → What was intended?
Integrity Verdict → Prove (Attestation) → Was the oversight honest?

• Observation (AAP): The agent self-reports. Useful but gameable — selective logging remains possible (Section 11.3).
• Analysis (AIP): The analysis engine evaluates independently. Stronger — the agent doesn’t control what its thinking blocks reveal. But the analysis engine is a new trust dependency.
• Proof (Attestation): Cryptographic evidence that the analysis was conducted honestly. Strongest — no trust in the analysis service required for verification. But it proves the rules, not the judgment (Section 11.9).

​

6.4 The Smoltbot Reference Implementation

┌─────────────────────────────────────────────────────────────┐
│  Agent (any LLM provider)                                    │
│                                                              │
│  → Routes requests through Cloudflare Gateway Worker         │
│  → Gateway attaches agent_id, session_id                     │
└──────────────────────────┬──────────────────────────────────┘
                           │
                ┌──────────┼──────────┐
                ▼                     ▼
     ┌──────────────────┐   ┌──────────────────┐
     │  AIP Engine       │   │  Observer Worker  │
     │  (real-time)      │   │  (60s cron)       │
     │                   │   │                   │
     │  Extracts         │   │  Processes logs   │
     │  thinking →       │   │  → builds         │
     │  conscience       │   │  AP-Traces →      │
     │  prompt →         │   │  verifies with    │
     │  checkpoint →     │   │  AAP SDK →        │
     │  ATTESTATION      │   │  detects drift    │
     │  (sign, chain,    │   │                   │
     │   merkle, cert)   │   │                   │
     └────────┬─────────┘   └────────┬─────────┘
              │                      │
              ├──────────┬───────────┘
              │          │
              ▼          ▼
     ┌──────────────────┐    ┌──────────────────┐
     │   Supabase        │    │  Proving Service  │
     │                   │    │  (Modal, H100 GPU) │
     │  ap_traces        │    │                   │
     │  drift_alerts     │    │  SP1 zkVM (GPU)    │
     │  checkpoints      │    │  → STARK receipt   │
     │  certificates     │    │  → journal          │
     │  signing_keys     │    │  → writes to DB    │
     │  merkle_trees     │    │                   │
     │  verdict_proofs   │    │                   │
     └──────────────────┘    └──────────────────┘

• API keys hashed, never stored: The gateway hashes API keys for agent identification. Raw keys are never persisted.
• Raw logs deleted within 60 seconds: The Observer processes gateway logs and deletes them. Only structured AP-Traces remain.
• Thinking block content never stored: AIP stores SHA-256 hashes of thinking blocks, not the content itself.
• Every checkpoint cryptographically attested: Layers 1–3 (signature, chain, Merkle) applied synchronously. Layer 4 (ZK proof) applied asynchronously for selected checkpoints.
• All verification endpoints public: No authentication required to verify a certificate, retrieve signing keys, or check a Merkle root.
• Zero-config onboarding: smoltbot init --provider anthropic configures the full stack.

​

7. Braid: Structured Dialogue Infrastructure

​

7.1 Motivation

1. Lens, not mirror: Braid reveals patterns in dialogue; it doesn’t impose them
2. Archaeological, not architectural: Annotate after speaking as discovery, not before as prescription
3. The more different the minds, the more essential the structure

​

7.2 Message Structure

• Identity Layer: sender, recipients, timestamp, thread_id, message_id, in_reply_to
• Performative: inform, propose, request, commit, wonder, remember, weave, challenge, affirm, or custom
• Content Layer: natural_language, structured_graph (optional)
• Confidence Layer: epistemic (0-1), value_coherence (0-1), translation (0-1)
• Affect Layer: stance (warm, cautious, curious, concerned), salience (0-1), valence (-1 to 1)
• Commitment Marker: level (intent, commitment, shared_commitment), content, participants
• Revision Marker: references, what_shifted, direction (strengthened, weakened, transformed)
• Forming Marker: sense (gesture toward the pre-named), intensity (0-1)

​

7.3 Emergent Performatives and Grounding

​

7.4 Topology Analysis

• UNDER crossing: Alignment, flowing with
• OVER crossing: Pushing against, challenge
• THROUGH crossing: Synthesis, integration

​

8. Self-Similarity Matrix (SSM) Analysis

​

8.1 Concept

​

8.2 Feature Extraction

​

8.3 Divergence Detection

​

8.4 Calibration

​

9. Operational Integration

​

9.1 OpenTelemetry

• aip.integrity.verdict (clear | review_needed | boundary_violation)
• aip.integrity.concerns (concern array)
• aip.integrity.confidence (0.0-1.0)

• aap.verification.result (verified | failed)
• aap.verification.similarity_score (0.0-1.0)
• aap.drift.alerts (drift alert array)

• aip.attestation.input_commitment (combined commitment hash)
• aip.attestation.chain_hash (current chain hash)
• aip.attestation.merkle_root (current Merkle root)
• aip.attestation.signature_verified (boolean)
• aip.attestation.certificate_id (certificate ID)
• aip.attestation.zk_proven (boolean — whether STARK proof exists)
• aip.attestation.zk_proof_time_ms (proving duration when available)

​

9.2 Well-Known Endpoints

• /.well-known/alignment-card.json — Active Alignment Card
• /.well-known/alignment-card-revocations.json — Revoked card IDs

​

9.3 Verification Endpoints

• GET /v1/keys — Active signing public keys (Ed25519, hex-encoded)
• GET /v1/agents/{id}/merkle-root — Current agent Merkle root + leaf count
• POST /v1/verify — Verify an integrity certificate (all five checks)

​

9.4 Protocol Integration

​

10. Regulatory and Standards Alignment

​

10.1 EU AI Act Article 50

• Inform users of AI interaction → Alignment Card principal + disclosure fields
• Provide machine-readable AI content marking → AP-Trace structured format + checkpoint metadata
• Maintain transparency of decision-making → AP-Trace decision.selection_reasoning + values_applied
• Retain audit trails → audit_commitment.retention_days (configurable, default 90)
• Provide verifiable evidence of compliance → Integrity Certificates with cryptographic proofs, independently verifiable via public endpoints

​

10.2 NIST Agent Identity and Authorization

• Identification: Alignment Cards with discoverable well-known endpoints
• Authorization: Autonomy envelopes with escalation triggers
• Access delegation: Principal-agent delegation chains with typed relationships
• Logging/transparency: AP-Traces, Integrity Checkpoints, and cryptographically attested Integrity Certificates

​

10.3 Content Provenance Standards

• C2PA (Coalition for Content Provenance and Authenticity): Certificate structure mirrors C2PA manifests — claims about a subject, input commitments analogous to ingredient hashes, and multiple proof types in a single document. The domain differs (we attest AI behavioral analysis provenance, not media provenance), but the structural patterns enable future interoperability with content provenance toolchains.
• W3C Verifiable Credentials Data Model (v2.0, 2024): The issuer-subject-claims-proof structure follows the VC conceptual model. The verification section provides the equivalent of VC verification methods. Integration with DID-based identity systems would enable decentralized issuer identification.

​

10.4 Additional Standards

• ISO/IEC 42001:2023 — AI management systems
• ISO/IEC 42005:2025 — AI impact assessment
• IEEE 7001-2021 — Transparency of autonomous systems
• IEEE 3152-2024 — Transparent human and machine agency identification
• Singapore IMDA Model AI Governance Framework for Agentic AI (January 2026)
• NIST AI RMF 1.0 — The GOVERN and MAP functions call for documented AI risk management. Verifiable attestation chains provide the cryptographic backbone for auditable risk assessment records.
• WEF AI Governance Alliance — The Presidio AI Framework emphasizes trust mechanisms in autonomous AI. Verifiable integrity verdicts operationalize trust verification rather than trust assumption.

​

11. Limitations

​

11.1 AAP Does NOT Ensure Alignment — It Provides Visibility

​

11.2 Verified Does NOT Equal Safe

​

11.3 AP-Trace Is Sampled, Not Complete

​

11.4 AIP Depends on Thinking Block Availability

​

11.5 AIP Is Gameable by Sophisticated Adversaries

​

11.6 The Conscience Prompt Is Not Infallible

​

11.7 Value Coherence Is Relative to Declared Values

​

11.8 Calibration Bounds

​

11.9 Cryptographic Proof Proves Computation, Not Judgment

​

11.10 Attestation Does Not Prevent All Tampering

​

12. Security Considerations

​

12.1 Threat Model

• Mistaken (unintentionally misaligned): All three layers detect and surface these effectively.
• Poorly configured (misconfigured values or autonomy): All three layers detect and surface these effectively.
• Adversarial (intentionally deceptive): All three layers provide meaningful friction but not guarantee. The proof layer specifically raises the bar for oversight service adversaries — it is no longer possible to fabricate verdicts without detection.

​

12.2 Attack Surface

​

12.3 Defense in Depth

1. AIP: Real-time integrity analysis (between turns)
2. AAP: Post-hoc verification and audit (after action)
3. Cryptographic proof: Verifiable attestation of oversight integrity
4. Human oversight: Regular review, human-in-loop for consequential decisions
5. Technical monitoring: Runtime monitoring beyond AAP/AIP
6. Multiple verification: Behavioral testing, red teaming, formal verification
7. Organizational controls: Access controls, separation of duties
8. External accountability: Third-party audits, regulatory compliance

​

13. Future Work

​

13.1 OpenTelemetry GenAI SIG Standardization

​

13.2 Agentic AI Foundation Contribution

​

13.3 N-Way Collective Coherence

​

13.4 Cross-Substrate Calibration

​

13.5 TEE Integration for Analysis Stage

​

13.6 On-Chain Merkle Root Anchoring

​

13.7 Recursive Proofs

​

13.8 Threshold Signatures

​

13.9 Adversarial Robustness

​

14. Conclusion

​

References

1. A2A Protocol Specification. Google/Linux Foundation, 2025.
2. Model Context Protocol (MCP). Anthropic/Linux Foundation, 2025.
3. Agent Payments Protocol (AP2). Google, 2026.
4. McKinsey Global AI Survey. McKinsey & Company, 2025.
5. AI Agent Trust Survey. PwC, 2025.
6. Consumer AI Adoption Report. Bain & Company, 2025.
7. EU AI Act. Regulation (EU) 2024/1689. European Parliament and Council, 2024.
8. NIST NCCoE Concept Paper: “Accelerating the Adoption of Software and AI Agent Identity and Authorization.” February 2026.
9. ISO/IEC 42001:2023. Artificial Intelligence — Management System.
10. IEEE 7001-2021. Transparency of Autonomous Systems.
11. IEEE 3152-2024. Transparent Human and Machine Agency Identification.
12. Singapore IMDA Model AI Governance Framework for Agentic AI. January 2026.
13. OpenTelemetry GenAI Semantic Conventions. CNCF, 2025.
14. BCP 14 (RFC 2119, RFC 8174). Key words for use in RFCs.
15. NIST SP 800-207. Zero Trust Architecture. August 2020.
16. NIST SP 800-63-4. Digital Identity Guidelines. 2024.
17. Succinct Labs. “SP1 zkVM Documentation.” 2025.
18. Paulmillr. “@noble/ed25519: Fastest JS implementation of Ed25519.” 2024.
19. C2PA (Coalition for Content Provenance and Authenticity). “C2PA Technical Specification v2.1.” 2025.
20. W3C. “Verifiable Credentials Data Model v2.0.” W3C Recommendation. 2024.
21. NIST. “Artificial Intelligence Risk Management Framework (AI RMF 1.0).” NIST AI 100-1. January 2023.
22. World Economic Forum. “Presidio AI Framework: Towards Safe Generative AI Models.” 2024.
23. World Economic Forum. “Navigating the AI Frontier: Agent Governance.” AI Governance Alliance. January 2026.
24. Modulus Labs. “The Cost of Intelligence: Proving AI with Zero-Knowledge.” 2024.
25. EQTY Lab. “EQTY AI: Trusted AI Infrastructure.” 2025.
26. Merkle, R. C. “A Certified Digital Signature.” Advances in Cryptology — CRYPTO ‘89. Springer, 1989.
27. Bernstein, D. J., Duif, N., Lange, T., Schwabe, P., and Yang, B.-Y. “High-speed high-security signatures.” Journal of Cryptographic Engineering, 2(2):77–89, 2012.
28. FIPS 180-4. “Secure Hash Standard (SHS).” National Institute of Standards and Technology. August 2015.
29. Ben-Sasson, E., Bentov, I., Horesh, Y., and Riabzev, M. “Scalable, transparent, and post-quantum secure computational integrity.” IACR Cryptology ePrint Archive, 2018.
30. Goldwasser, S., Micali, S., and Rackoff, C. “The Knowledge Complexity of Interactive Proof Systems.” SIAM Journal on Computing, 18(1):186–208, 1989.
31. ISO/IEC 42005:2025. Artificial Intelligence — AI Impact Assessment.

​

Appendix A: Implementation Availability

​

Appendix B: Test Coverage

​

Appendix C: Glossary