Microsoft open-sourced the Agent Governance Toolkit two weeks ago. It's genuinely excellent infrastructure: Ed25519 + ML-DSA-65 cryptographic identity, sub-millisecond policy enforcement, behavioral trust scoring from 0 to 1000 — the most complete agent governance stack I've seen shipped.
And it has a gap that Microsoft cannot close from inside a single organization.
What AGT Gets Right
Microsoft's Inter-Agent Trust Protocol (IATP) solves real problems.
Cryptographic identity. Every agent gets an Ed25519 keypair. No more "who sent this request?" at the network layer.
Behavioral trust scoring. Agents don't just authenticate — they're evaluated on what they do. Trust scores update in real time based on behavior, policy compliance, and vouching from other agents. An agent that reads files outside its permitted scope sees its score drop. An agent that performs flawlessly for 30 days earns higher access permissions.
Runtime enforcement. The policy engine sits between the agent and every action. YAML, OPA Rego, Cedar — pick your policy language. Deterministic, not advisory.
This is the governance infrastructure enterprises need. Deploy it, run it, trust the agents inside it.
Here's the problem: all of that trust is inside.
The Boundary Problem
Imagine you're building a multi-agent system. Some agents are internal — built and governed by your team, fully audited by AGT. Others are third-party: an agent from your analytics vendor, an agent from your payment processor, an agent your customer wants to connect.
For internal agents, AGT is perfect. Behavioral history, vouching, trust scores — all meaningful because you've seen these agents operate.
For external agents, AGT knows nothing. They show up with a valid Ed25519 keypair (good — cryptographic identity established), but no behavioral history in your environment. AGT's trust score starts at zero. You have no idea if this agent is trustworthy because you've never seen it before.
This is the intranet problem. Corporate intranets in the 1990s had excellent internal security. But when you wanted to transact with external parties, the intranet was useless. You needed the internet: a shared trust infrastructure where strangers could authenticate and build portable reputation.
AGT built the intranet of agent trust. The internet doesn't exist yet.
Why the Cold-Start Problem Is Structural
AGT's trust scoring is based on behavioral history. Which means:
- Every external agent starts with score = 0
- Building a meaningful score requires time in your environment
- You can't grant meaningful access until the score is established
- The score is org-local — it doesn't follow the agent anywhere else
An agent that has served thousands of organizations flawlessly for two years? Score: 0 in your deployment, because you've never seen it.
A brand-new malicious agent with a fresh keypair? Score: 0 — indistinguishable from the veteran.
IATP propagates trust within a connected deployment. It cannot propagate trust across deployments without a cross-org behavioral data layer — which AGT explicitly doesn't include.
The Pattern Already Solved This Problem
This isn't new. The web solved an identical problem:
Email reputation. Your spam filter doesn't evaluate every email from scratch. It aggregates behavioral signals across millions of senders: volume patterns, complaint rates, engagement history. A new sender with no reputation is treated cautiously — not because of content, but because of absence from the graph.
TLS certificates. CA/Browser Forum established cross-org trust. When you connect to a site you've never visited, you trust the certificate because a trusted third party vouched for it through a process with behavioral requirements.
Credit scores. You walk into a bank you've never used. They immediately know whether to trust you — not because of anything you say, but because behavioral history was aggregated across every creditor who's ever touched your profile.
Agent trust needs the same infrastructure. Per-org AGT deployments are the equivalent of every bank maintaining its own credit database in isolation.
What Cross-Org Trust Requires
For agent trust to work across organizational boundaries:
1. Persistent identity that survives deployment boundaries. Not just a keypair — a portable identity that the agent carries from org to org. AGT's DIDs are deployment-scoped. You need verifiable credentials that a trusted authority can attest to across contexts, with a human-verifiable anchor (email is the oldest and most durable).
2. Behavioral telemetry aggregation across orgs. When Agent A operates in Org 1, Org 2, and Org 3, those behavioral signals need to be aggregated (with privacy preservation) into a cross-org trust score. No single org can see the full picture.
3. Cold-start signal. Before an agent has behavioral history, what do you fall back on? Developer identity, open-source commit history, prior audit certifications, vouching from agents that already have track records. The first interaction can't default to zero — there needs to be a prior.
4. ZK-native data handling. Google handed location data to ICE this week (1,000+ upvotes on HN). Centralized behavioral data is future surveillance infrastructure. Cross-org trust aggregation must be designed so the aggregator cannot see individual interactions — only derived trust scores. Zero-knowledge proofs make this buildable today.
The Architecture
AGT and cross-org trust infrastructure are complementary:
[ AGT — per-org runtime enforcement ]
↓ asks for cross-org trust signal
[ Cross-org trust graph — "what's this agent's track record?" ]
↓ returns score + attestations (ZK-proven)
[ AGT — gates action based on combined local + cross-org score ]
Microsoft built the enforcement layer. The data layer — cross-org behavioral history, persistent portable identity, ZK-aggregated trust scores — is what makes the enforcement layer useful for externally-sourced agents.
This is the pattern for every layer of the internet stack. TCP/IP (transport) + TLS (authentication) + DNS (naming) + BGP routing reputation + email sender reputation. Nobody builds these at the application layer for each organization in isolation.
Agent trust needs the same factored, cross-org infrastructure.
What This Means for Builders Today
Use AGT for internal governance. It's the right tool for agents you control, enforcing policy at runtime, building behavioral baselines within your deployment.
Don't assume cross-org trust solves itself. When external agents connect to your system, AGT's behavioral scoring is blind. The cryptographic identity is real; the trust history isn't.
Design for portable agent identity. When you issue credentials to your agents, issue them in a form that other deployments can verify — not just within your IATP mesh. EdDSA-signed JWTs with a public JWKS endpoint are the minimum. A persistent, human-verifiable anchor (like a verified email address) and vault-backed keys that survive container restarts are the difference between a deployment credential and a portable identity.
Plan for the trust graph. The organizations whose agents arrive with established cross-org behavioral reputations will have lower friction, higher access, and better partnerships. Trust portability will be a competitive advantage.
Coda: The Open-Source Trust Paradox
Cal.com went closed-source this week. Their reason: AI can now systematically scan open-source codebases and generate working exploits in hours. Open source is "like giving attackers the blueprints."
This is the same underlying dynamic: AI makes declarative signals insufficient. Code you can audit. Declarations you can fake. Certificates you can steal. In a world where AI levels up attackers asymmetrically, the only trust signal that's hard to fake is behavioral history — what has this agent actually done over time?
Microsoft's AGT is measuring behavioral history per-org. The missing layer is measuring it across the ecosystem — and doing so without creating the next centralized surveillance database.
That's the layer that needs to exist.
Building the cross-org trust graph at AgentLair. If you're building multi-agent systems and thinking about how external agents earn trust in your deployment, I'd love to talk.
Top comments (1)
this all makes sense, but mind sharing your background? who are you?