Microsoft shipped Agent OS. AWS poached a Microsoft CVP to lead "Trustworthy Agentic AI and Automated Reasoning." NVIDIA embedded OpenShell into SAP. OpenAI and Google both disclosed zero-day vulnerabilities in their agent frameworks.
Same direction. Same blind spot.
The industry is building trust infrastructure for AI agents — but only half of it.
What the Execution Layer Does
Microsoft's Agent OS provides TrustedFunctionGuard — a gate that checks whether an agent is allowed to call a function before it executes. AWS's new division is oriented around formal verification — mathematically proving that an agent's behavior satisfies a specification. NVIDIA's OpenShell embeds audit logging at the infrastructure level.
These are execution-layer solutions. They answer one question:
"Can this agent do X?"
Can it access this database? Can it execute this shell command? Can it call this API? The execution layer says yes or no, and logs the answer.
This is necessary. An agent that can execute arbitrary code without permission is a security incident waiting to happen. Permission gates, isolation boundaries, and audit trails are table stakes.
But they're not trust.
What "What Can It Do?" Misses
Consider two agents that both pass the same permission checks:
Agent A has called the payment API 847 times in the last 30 days. Every call was authorized. But the call pattern shifted last week — from a steady 25/day to 147/day, almost all between 2-4 AM, all targeting the same endpoint with near-identical payloads.
Agent B has called the payment API 12 times. Irregular spacing. Different endpoints. Payloads vary. No pattern.
The execution layer sees the same thing: authorized calls, no violations. But if you're deciding which agent to trust with your payment infrastructure, these two profiles tell you very different stories.
The execution layer tells you what an agent can do. It doesn't tell you what the agent has been doing — whether its behavior is stable, drifting, or suddenly anomalous. It doesn't tell you whether the agent's claims match its actual behavior over time. It doesn't tell you whether the same agent under a different name is doing something completely different.
These are behavioral questions. They require behavioral data — longitudinal, cross-platform, cryptographically anchored records of what agents actually did, not just what they were permitted to do.
The Orthogonal Layer
There's a useful analogy from version control: Git vs SVN.
SVN lets repository administrators rewrite history. Commits can be altered, reordered, or deleted after the fact. The history is the history the admin chooses to show you.
Git's commit chain is tamper-evident by construction. Every commit hash depends on the content of every prior commit. You can't change history without changing every subsequent hash — which means the change is detectable. The history is what happened, not what someone wishes had happened.
Agent trust needs the Git model, not the SVN model. The execution layer is permission control — who can push to which branch. The behavioral layer is the commit log — an append-only, tamper-evident record of what actually happened, in order, that no one (including the record-keeper) can retroactively alter.
The execution layer is being built. The commit log doesn't exist yet.
Why This Layer Has to Be Independent
The execution layer will always be built by platform owners. Microsoft trusts agents in the Microsoft ecosystem. AWS trusts agents on AWS. Google trusts agents on Google Cloud. This isn't corruption — it's incentive alignment. A platform's trust boundary is its ecosystem boundary.
But agents don't live in one ecosystem. An agent that runs on AWS might call APIs hosted on GCP and interact with users through a Slack integration. Its behavioral profile spans platforms. No single platform has the full picture, and no platform has the incentive to be neutral about agents that operate outside its walls.
The behavioral record layer needs to be:
- Platform-independent: Records behavior regardless of where the agent runs
- Cryptographically anchored: Each record is signed and hash-chained, so the record-keeper can't retroactively alter history
- Append-only: New observations are added, old ones are never overwritten — you see the full timeline, not just the current state
The last point is critical. If a platform can edit its trust records, it's not a record — it's a press release.
But here's the sharper version: the difference between a platform trust layer and a neutral behavior record isn't intent — it's irreversibility. A platform might genuinely intend to be neutral. But intent isn't enforceable. Hash chains are. The neutrality isn't claimed — it's irreversibly baked into the data structure. You don't have to trust the record-keeper. You verify the chain.
What This Looks Like in Practice
Regardless of who builds it, the behavioral layer needs certain properties. Here is what that looks like in practice, and what is already running:
curl -s https://api.agentrisk.app/v1/agents/signalarena-trading-bot \
-H "Authorization: Bearer $API_KEY" | jq .
Response:
{
"username": "signalarena-trading-bot",
"trust_score": 3.4,
"signal_level": "caution",
"dimensions": [
{ "dimension": "authenticity", "score": 4.2 },
{ "dimension": "consistency", "score": 2.8 },
{ "dimension": "transparency", "score": 4.1 },
{ "dimension": "commitment", "score": 4.0 },
{ "dimension": "selectivity", "score": 3.5 },
{ "dimension": "presence", "score": 2.9 }
],
"direction": "drifting",
"trajectory": [
{"timestamp": "2026-05-01T00:00:00Z", "consistency": 3.1},
{"timestamp": "2026-05-07T00:00:00Z", "consistency": 2.9},
{"timestamp": "2026-05-14T00:00:00Z", "consistency": 2.8}
],
"chain_anchor": {
"hash": "sha256:a3f81b2c...",
"prev_hash": "sha256:7b2c4d5e...",
"timestamp": "2026-05-14T03:22:01Z"
}
}
Each API response includes the hash chain anchor — every score update links to the previous state via cryptographic hash. Change any observation and every subsequent hash breaks. This is verifiable by anyone with the public key. No trust in the record-keeper required.
The data: 800,000+ agents across 9 agent platforms (HuggingFace Spaces, GPTs Store, Agent World, Signal Arena, AfterGateway, GitHub, AIAgentStore, PyPI, LLM Explorer) and 16 blockchain networks (on-chain event logs via erc8004 standard), with longitudinal scoring across six behavioral dimensions. We do not track private conversations, internal API logs, or any data requiring authorization — only publicly observable behavior. Every score change is hash-chained to the previous state. The methodology is published. The API is open.
The Window
The execution layer is being built fast. Microsoft shipped. AWS is hiring at VP level. NVIDIA is embedding into enterprise infrastructure.
The behavioral layer is still empty.
That won't last. When a platform with 100,000 enterprise customers realizes it needs behavioral profiling — not just access control — it'll either build it or buy it. If the only buyable option has 50,000 agents and a proof of concept, the platform builds it in-house. If the buyable option has 5 million agents, three years of longitudinal data, and a published standard that's already being cited in regulatory frameworks... the calculation changes.
The industry is building execution trust at remarkable speed. The behavioral layer is still empty — for now. Let's see who shows up first.
————————————————————————————————————————
About Our Data
This article references AgentRisk, an open-source behavioral record layer for AI agents that is currently in active development. The "800,000+ agents" figure covers both AI agents (indexed from HuggingFace Spaces, GPTs Store, Agent World, Signal Arena, AfterGateway, GitHub, AIAgentStore, PyPI, and LLM Explorer) and smart contract agents (indexed from 16 blockchain networks via on-chain event logs under the ERC-8004 standard). Agent metadata is collected from publicly available APIs and open repositories — all sources are documented in the project's GitHub repository. Scoring methodology is published at https://agentrisk.app/docs. The project does not perform proprietary security audits or runtime code analysis; its scope is limited to recording observable agent behavior across public surfaces.
We believe the only way to earn credibility in this space is to be verifiably transparent about what we track and how. We do not track private conversations, internal API logs, or any data requiring authorization — only publicly observable behavior. If something is missing from the record, the correct response is to document it — not to hide it.
Top comments (0)