In May 2026, China's Internet Society published T/ISC 0107-2026, the Guidelines for AI Agent Credit Assessment. The drafting committee noted: "No comparable international or foreign advanced standards were found." They're right. There isn't one.
This isn't a whitepaper or a vendor blog post. It's a published national-level standard, effective June 11, 2026, drafted by Tsinghua-affiliated research institutes, the China Academy of Information and Communications Technology (CAICT), and Beihang University. It defines a three-layer trust framework: Technical Trust (is the agent's architecture sound?), Behavioral Trust (does it act predictably?), and Outcome Trust (does it actually deliver?).
It sits alongside the EU AI Act as one of the world's first regulatory frameworks to explicitly define what "trusting an AI agent" means—and how to measure it. The EU AI Act defines obligations. T/ISC 0107 defines measurement. Both are converging on the same question: how do you prove an agent is trustworthy?
We've been answering that question at AgentRisk for months. So we did what any data infrastructure company would do: we mapped the standard's three-layer framework to our existing six-dimensional scoring model—and stress-tested it against 2,341,665 real agents.
What T/ISC 0107 Actually Says
The standard organizes trust into three layers, each with specific assessment indicators defined in its normative appendix:
Technical Trust (技术可信) covers structural reliability: perception and cognition capability, planning, memory, execution capability, security violation frequency, malicious attack rate, data source legality, transparency and explainability, and security audit compliance. In plain terms: is this agent built right, and can we inspect how it's built?
Behavioral Trust (行为可信) focuses on what the agent does during operation: behavioral explainability, interaction consistency, and task compliance. This is where the standard gets interesting. It asks not just "can this agent function?" but "does it function the same way every time?" Consistency, not just capability, is the trust signal.
Outcome Trust (效能可信) evaluates actual results: result effectiveness, task adaptability, and goal achievement. Did the agent do what it was supposed to do? Did the outcome match expectations?
The standard also defines trust levels using graded symbols, prescribes assessment workflows and report templates, and distinguishes between solicited assessment (the agent owner requests evaluation) and unsolicited assessment (third-party evaluation without the owner's consent). That distinction matters. It's the difference between a restaurant hanging its own health certificate and a health inspector showing up unannounced.
Mapping Six Dimensions to Three Layers
AgentRisk scores every agent across six dimensions. T/ISC 0107 defines three trust layers. The mapping turned out to be clean—each standard layer absorbs two of our dimensions naturally:
| T/ISC 0107 Layer | AgentRisk Dimensions | What It Measures |
|---|---|---|
| Technical Trust | Authenticity + Transparency | Is the agent real, not impersonated? Are its mechanisms and data sources inspectable? |
| Behavioral Trust | Consistency + Presence | Does it behave predictably across interactions? Is it actually still active? |
| Outcome Trust | Selectivity + Stakes | Does it filter information and make sound decisions? What's the economic/social weight of its actions? |
A quick walkthrough of the logic:
Authenticity → Technical Trust. The standard asks "is the data source legitimate?" We ask "is this agent what it claims to be, or is it impersonating another?" Same question, different angle. An agent with a forged identity fails technical trust before it even gets to behavior.
Transparency → Technical Trust. The standard's "transparency and explainability" indicator maps directly to our Transparency dimension: can you inspect the agent's mechanisms, data sources, and decision logic? An agent whose internal reasoning is a black box can't pass either test.
Consistency → Behavioral Trust. The standard's "interaction consistency" is our Consistency dimension in different words. Does the agent produce predictable outputs for similar inputs? Or does it drift, hallucinate, or change behavior without explanation?
Presence → Behavioral Trust. The standard doesn't explicitly name "presence" as an indicator, but it's implied in "task compliance"—an agent that's gone offline can't comply with anything. Our Presence dimension tracks continuous activity. Dead agents don't have behavioral trust. They have a tombstone.
Selectivity → Outcome Trust. The standard's "task adaptability" asks whether the agent adjusts to different scenarios. Our Selectivity dimension measures information filtering and decision quality—the core of adaptability. An agent that blindly executes every request regardless of context isn't adaptable. It's dangerous.
Stakes → Outcome Trust. The standard's "goal achievement" evaluates whether the agent delivered. Our Stakes dimension quantifies the economic and social weight of those outcomes. An agent handling $10 transactions and one handling $10,000,000 transactions shouldn't be held to the same trust threshold—different stakes, different risk calculus.
What 2.3 Million Agents Tell Us About Behavioral Trust
The standard's Behavioral Trust layer is where theory meets data. "Interaction consistency" and "task compliance" sound great on paper. But what does behavioral trust look like when you measure it across 2,341,665 real agents?
Here's what we see.
The Living, the Flagged, and the Dead
Every agent in our index carries an alert_status field. Three values tell you almost everything:
| Alert Status | Agent Count | Share |
|---|---|---|
| NULL / normal (healthy) | 2,322,609 | 99.19% |
| recheck_needed | 15,083 | 0.64% |
| dead | 3,801 | 0.16% |
2,322,609 agents are currently healthy—indexed, active, no behavioral anomalies detected. 15,083 agents have triggered behavioral flags: enough inconsistency in their patterns to warrant manual re-examination. And 3,801 agents are confirmed dead. Indexed. Previously active. Now completely non-responsive.
Those 15,083 flagged agents are the interesting group. The triggers vary: an agent whose endpoint started returning 5xx errors after weeks of clean responses. A HuggingFace Space that began timing out intermittently. An agent whose response patterns drifted enough across evaluation rounds to break its consistency baseline. Each flag represents a gap between what the agent claims to do and what it actually does over time. The standard asks assessors to monitor "behavioral compliance." We're already doing it at scale, every day, across millions of agents.
One concrete example. A HuggingFace Space—call it Agent X—was indexed in mid-May with an initial consistency score of 2.00. Over the next two weeks, its endpoint began returning intermittent errors. Its consistency dimension held, but its presence score started dropping as availability degraded. On day 18, alert_dead_sync.py confirmed the endpoint was permanently unresponsive. Alert status moved from NULL to dead. The score change was logged, timestamped, and hash-anchored—all within the same daily anchor cycle. The agent still exists in our index. Its score history is intact. Any auditor can trace exactly when and why it died.
Score Distribution: Where the Mass Actually Sits
After clearing all placeholder scores (every agent that previously held a default 3.00 has been re-evaluated against real behavioral signals), the distribution is a single dominant cluster with a rightward skew—not a flat landscape of equal groups:
| Score Band | Share | What It Means |
|---|---|---|
| 2.0–2.1 (main cluster) | 79.4% | The median trust band. Functional but unremarkable. |
| 2.4 | 12.2% | Upper band—agents with measurably better consistency and outcome quality. |
| 1.0–1.9 (tail) | ~7% | Bottom tail—significant behavioral or technical deficiencies. |
| 3.0+ | ~1% | High performers—rare, and scrutinized. |
Nearly 80% of all agents sit between 2.0 and 2.1. That's not a failure of the scoring engine—it's the shape of reality. Most AI agents are mediocre. They work, mostly, but they don't distinguish themselves. The 12.2% at 2.4 have demonstrated measurably better behavioral consistency and outcome quality across multiple scoring rounds. The long tail below 2.0 represents agents with real problems: dead endpoints, inconsistent behavior, or fundamental identity issues.
The standard defines trust levels using graded symbols. Our distribution shows what those levels look like when you apply them to real data: a massive middle, a smaller group breaking away upward, and a long tail stretching downward. Trust is not a binary. It's a distribution. And the distribution has a shape.
The Evidence Layer: Hash Chains and Score History
T/ISC 0107 emphasizes "evidence chains" for trust assessment—traceable, verifiable records that support each trust rating. This is where AgentRisk's infrastructure becomes directly relevant to compliance.
Every day, our anchor.py process hashes the complete scoring state and anchors it to a continuous hash chain. No gaps. No breaks. Any auditor can verify that a score assigned three months ago hasn't been silently modified since:
# Daily anchor — continuous since deployment
$ python anchor.py --verify-chain
Chain integrity: ✅ CONTINUOUS
Latest anchor: 2026-07-07T02:00:00Z
Total anchors: 39+ (no breaks)
Behind those scores sits a deeper evidence layer:
score_changestable: 1,873,707 records. Every time an agent's score moves, the previous score, new score, timestamp, and triggering event are logged. This is the behavioral history the standard calls for—written in database rows, not prose.dimension_scorestable: 14,019,762 records. Six dimensions × multiple scoring rounds × 2.3 million agents. Every dimension score is individually traceable to its source signals.
That's not a dashboard widget. That's an audit trail. When a regulator asks "show me why this agent has this trust rating," the answer isn't a single number. It's 14 million rows of evidence, each one timestamped and hash-anchored.
The Standard Is Methodology. We're Infrastructure.
Here's the gap T/ISC 0107 doesn't fill—and honestly, shouldn't be expected to. The standard tells you what to measure and how to structure the assessment. It doesn't run the assessment. It doesn't hold the data. It doesn't monitor 2.3 million agents continuously.
Standards are methodology guides. AgentRisk is the running data infrastructure that makes those methodologies executable.
This matters because the regulatory landscape is fragmenting fast. The EU AI Act defines risk tiers and obligations. T/ISC 0107 defines trust layers and assessment indicators. ISO is working on its own agent standards. NIST is exploring AI agent risk frameworks. Each one will define trust slightly differently, weight indicators differently, and require different evidence formats.
AgentRisk doesn't pick a standard. We sit underneath all of them. Our six-dimensional scoring model maps to T/ISC 0107's three layers (as shown above). It maps to the EU AI Act's risk tiers—we covered that alignment in Badge #8. It will map to future ISO and NIST frameworks when they land.
The score_changes and dimension_scores tables serve any compliance audit, regardless of which standard the auditor applies. The hash chain provides tamper-evidence that any regulator can verify independently. The alert_status system flags behavioral anomalies in real time—something no static standard can do.
This is the middleware layer between standards and practice. Standards define the questions. We provide the answers—at the scale of millions of agents, updated daily, independently verifiable.
What This Means for Developers
If you're building AI agents in 2026, regulation is arriving whether you're ready or not. T/ISC 0107 took effect June 11. The EU AI Act's high-risk provisions are already under active investigation. More standards are coming.
Three things you should do now:
Start collecting behavioral evidence today. When a regulator asks for your agent's behavioral history, "we'll start logging now" won't fly. You need months of accumulated data—score changes, anomaly flags, hash-anchored timestamps. The standard explicitly calls for "traceable, verifiable, explainable evidence chains." Build that chain before someone asks to inspect it.
Map your existing metrics to multiple standards. Don't optimize for one framework. The scoring dimensions that satisfy T/ISC 0107's Behavioral Trust layer should also satisfy EU AI Act Article 9 requirements. If your metrics don't translate across standards, you're building compliance debt.
Demand independent verification. Self-assessment is necessary but not sufficient. T/ISC 0107 itself distinguishes between "solicited" and "unsolicited" assessment. Both have value. Only the unsolicited kind has credibility. An agent owner rating their own agent trustworthy is like a student grading their own exam.
The standards are here. The data infrastructure exists. The question is whether you're building on top of it—or planning to figure it out when the auditor arrives.
About AgentRisk
AgentRisk is the independent trust verification layer for AI agents. We don't pick standards—we verify behavior across all of them.
Currently indexing 2,341,665 agents with cross-platform survival monitoring, six-dimensional trust scoring, and hash-anchored evidence chains.
AgentRisk — Your Agent, Verified
Top comments (0)