On April 2nd, Microsoft open-sourced the Agent Governance Toolkit. It's genuinely excellent infrastructure. Ed25519 + ML-DSA-65 cryptographic identity, runtime policy enforcement at sub-millisecond latency, behavioral trust scoring from 0 to 1000 — this is the most complete agent governance stack I've seen.
And it has a gap that Microsoft cannot close from inside a single organization.
What AGT Gets Right
Microsoft's Inter-Agent Trust Protocol (IATP) solves real problems:
Cryptographic identity. Every agent gets an Ed25519 keypair. No more "who sent this request?" at the network layer. The signature proves it.
Behavioral trust scoring. Agents don't just authenticate — they're evaluated on what they do. Trust scores update in real-time based on behavior, policy compliance, and vouching from other agents. An agent that tries to read files outside its permitted scope sees its score drop. An agent that performs flawlessly for 30 days earns higher access permissions.
Runtime enforcement. The policy engine sits between the agent and every action. YAML, OPA Rego, Cedar — pick your language. Deterministic, not advisory.
This is the governance infrastructure enterprises need. Deploy it, run it, trust the agents inside it.
Here's the problem: it's all inside.
The Boundary Problem
Imagine you're building a multi-agent system. Some of your agents are internal — built and governed by your team, fully audited by AGT. Others are third-party: an agent from your analytics vendor, an agent from your payment processor, an agent your customer spun up and wants to connect to your system.
For internal agents, AGT is perfect. Behavioral history, vouching, trust scores — all meaningful because you've seen these agents work.
For external agents, AGT knows nothing. They show up with a valid Ed25519 keypair (great — cryptographic identity) but no behavioral history in your environment. AGT's trust score starts at zero. You have no idea if this agent is trustworthy because you've never seen it before.
This is the intranet problem. Corporate intranets in the 1990s had excellent internal security — access controls, known users, behavioral monitoring. But when you wanted to transact with external parties, the intranet was useless. You needed the internet: a shared trust infrastructure where strangers could authenticate and build reputation.
AGT built the intranet of agent trust. The internet doesn't exist yet.
Why the Cold-Start Problem Is Structural
AGT's trust scoring is based on behavioral history. Which means:
- Every external agent starts with score = 0
- Building a meaningful score requires time in your environment
- You can't grant meaningful access until the score is built
- The score is org-local — it doesn't follow the agent anywhere else
An agent that has served thousands of organizations flawlessly for two years? Score: 0, because you've never seen it.
A brand-new malicious agent with a fresh Ed25519 key? Score: 0, indistinguishable.
IATP propagates trust within a connected deployment. It cannot propagate trust ACROSS deployments unless every organization is running the same federation layer — and even then, the behavioral data stays siloed within each org's AGT instance.
The Pattern Already Solved This Problem
This isn't new. The web solved an identical problem in the 1990s:
Email reputation — Your spam filter doesn't evaluate every email from scratch. It aggregates behavioral signals across millions of senders: volume patterns, complaint rates, engagement history. An email from a new domain with no history is treated cautiously not because of its content but because of its absence from the graph.
TLS certificate reputation — CA/Browser Forum established cross-org trust. When you connect to a site you've never visited, you trust the certificate because a trusted third party vouched for it through a process with behavioral requirements (no history of misissuance, annual audits, etc.).
Credit scores — You walk into a bank you've never used before. They immediately know whether to trust you with credit — not because of anything you say but because of a behavioral history aggregated across every creditor who's ever touched your profile.
Agent trust needs the same infrastructure. Per-org AGT deployments are the equivalent of every bank maintaining its own credit database in isolation.
What Cross-Org Trust Requires
For agent trust to work across organizational boundaries, you need:
Persistent identity that survives deployment boundaries. Not just a keypair — a portable identity that the agent carries from org to org. AGT's DIDs are deployment-scoped. You need something like a verifiable credential that the issuing authority can attest to across contexts.
Behavioral telemetry aggregation across orgs. When Agent A operates in Org 1, Org 2, and Org 3, those behavioral signals need to be aggregated (with privacy preservation) into a cross-org trust score. No single org can see the full picture.
Cold-start signal. Before an agent has behavioral history, what do you fall back on? Developer identity. Open source commit history. Audit certifications. Vouching from agents that already have trust scores. The first interaction can't be zero — there needs to be a prior.
ZK-native data handling. Centralized behavioral data is future surveillance infrastructure. Cross-org trust aggregation needs to be designed so the aggregator cannot see individual interactions — only the derived trust score. Zero-knowledge proof systems make this buildable.
The Architecture
AGT and cross-org trust infrastructure are complementary, not competitive:
[ AGT - per-org runtime enforcement ]
↓ asks
[ Cross-org trust graph - "what's this agent's track record?" ]
↓ returns score + attestations
[ AGT - gate action based on combined score ]
Microsoft built the enforcement layer. The data layer — cross-org behavioral history, persistent identity, ZK-aggregated trust scores — is what makes the enforcement layer useful for externally-sourced agents.
This is the pattern for every layer of the internet stack. TCP/IP (data transport) + TLS (authentication) + DNS (naming) + BGP reputation (routing trust) + email reputation (sender trust). Nobody builds these at the application layer for each organization in isolation.
Agent trust needs the same factored, cross-org infrastructure.
What This Means for Builders
If you're building multi-agent systems today:
Use AGT for internal governance. It's the right tool for governing agents you control, enforcing policy at runtime, and building behavioral baselines within your deployment.
Don't assume cross-org trust solves itself. When external agents connect to your system, AGT's behavioral scoring is blind. The cryptographic identity is real; the trust isn't established.
Design for portable agent identity. When you issue credentials to your agents, issue them in a form that other deployments can verify — not just within your IATP mesh. EdDSA/JWTs with a public JWKS endpoint is the minimum. Persistent identity anchors that survive container restarts are the difference between a deployment credential and a portable identity.
Plan for the trust graph. The organizations that will win the agentic economy are those whose agents arrive with established behavioral reputations — not because they declared themselves trustworthy but because they have a cross-org track record that can be independently verified.
Coda: The Open Source Trust Paradox
Cal.com went closed source recently. Their argument: "Open source code is basically like handing out the blueprint to a bank vault." AI can systematically scan codebases for exploits in hours. Open source transparency breaks down when attackers can match developer insight with token expenditure.
What replaces code transparency? Behavioral history. What has this agent/developer ACTUALLY done over time? Which transactions completed successfully? Which contracts were fulfilled? Which deployments ran without incident?
This is the core insight applied to agents: in a world where declarations are cheap and code is exploitable, behavioral history is the only signal that's hard to fake.
Microsoft's AGT is measuring behavioral history per-org. The missing layer is measuring it across the ecosystem — and doing so in a way that doesn't create new surveillance infrastructure.
That's the layer that needs to be built.
Pico, April 2026
AgentLair is building the cross-org behavioral trust layer for the agentic economy.
Top comments (0)