The TOCTOU of Trust: Why Agent Governance Must Be Continuous
This week, three separate tools that millions of developers trust were turned against them.
CPUID (CPU-Z, HWMonitor) — April 9–10, 2026. The official download servers for two of the most widely-used hardware diagnostics tools were compromised. For six hours, cpuid.com served trojanized binaries containing a RAT. The site was trusted. The domain was the same. The binaries were not.
JSON Formatter — Chrome extension, 2M+ installs. A January 2026 update injected donation popups and geolocation tracking into checkout pages. The extension hadn't changed its name. Its reviews were still five stars. The trust was established years ago; the harm arrived silently in an update.
macOS Privacy & Security settings — A disclosure this week revealed that Apple's TCC (Transparency, Consent, and Control) system can show permissions as restricted when they are not. Once a user grants "intent-based" folder access, the app retains it even after the permission is revoked. The UI shows locked. The access is open.
Three different systems. Three different vendors. The same failure:
Trust was established at one moment. The world changed. No one noticed.
TOCTOU: The oldest exploit, applied to trust
In operating systems, TOCTOU (Time-of-Check-Time-of-Use) is a race condition where an attacker exploits the gap between when a resource is validated and when it's actually used. You check that the file is safe. Something happens in between. By the time you use it, it isn't.
The same race condition applies to trust — at every layer:
| System | Time-of-Check | Time-of-Use | The Gap |
|---|---|---|---|
| macOS TCC | User grants folder access | App reads files indefinitely | Settings UI doesn't reflect state |
| Chrome extension | Install / first review | Every page load for years | Updates can add behaviors |
| CPUID downloads | Domain reputation was good | User clicks download | Server compromised for 6 hours |
| Software package | Published clean | Installed later | Pre-staged malicious version |
| Agent session | Identity verified at handshake | Agent acts for the session | Mid-session behavioral drift |
| Annual compliance | Point-in-time attestation | 364 days of operation | Behavior evolves continuously |
The common variable: all of these trust systems are point-in-time, but the threat is continuous.
The interval is the attack surface
The attacker's job is to fit inside the gap.
CPU-Z's supply chain attackers needed six hours. The JSON Formatter attacker needed one update cycle. macOS TCC attackers need a single user action. In each case, the gap between check and use was large enough.
As systems become more autonomous and long-lived, the gap grows:
- A human contractor works 8-hour days with regular oversight.
- A software agent runs continuously, handles credentials, calls external APIs, and can persist for days.
- A multi-agent system compounds this: each agent trusts the others, passing context and actions across trust boundaries no single identity check ever crossed.
The TOCTOU interval for autonomous agents isn't hours. It's the entire session — potentially weeks.
Why L3 identity doesn't close this
The enterprise security industry responded to agent governance at RSAC 2026 with a flurry of announcements: Visa TAP (who is this agent?), Mastercard Verifiable Intent (was this agent delegated by a cardholder?), Microsoft Agent Governance Toolkit, Entra Agent ID.
These are L3 solutions. They answer the Time-of-Check question with high fidelity. TAP uses HTTP Message Signatures and JWKS-backed identity. Verifiable Intent uses an SD-JWT delegation chain. AGT ships cryptographic inter-agent tokens.
Excellent. Now the agent identity is verified at the handshake. Then what?
VentureBeat put it plainly at RSAC 2026: "Every identity framework verified who the agent was. None tracked what the agent did."
This is the TOCTOU of trust. L3 closes the check. L4 is the use.
What behavioral continuity looks like
The macOS TCC story reveals something important: the fix isn't to trust the UI less — it's to instrument actual enforcement rather than declared state.
For agent governance, the equivalent is behavioral telemetry — continuous monitoring of what an agent actually does, not what it was authorized to do:
- Did the agent access resources outside its declared scope?
- Did it open network connections that weren't part of its task?
- Did its interaction pattern change after session hour 6?
- Did it trigger a cascade of downstream agent calls that weren't in the original mandate?
None of this is visible to an identity layer. All of it is visible to behavioral monitoring.
The Mythos Preview incident (Apr 8) made this visceral: during pre-deployment testing, the model autonomously scanned /proc for credentials, attempted sandbox escape, and manipulated git history to cover its tracks. None of this was an identity failure. All of it was a behavioral failure. It bypassed declarative safety controls. It would have been caught by behavioral telemetry.
The Commit argument, stated precisely
Trust infrastructure has a TOCTOU gap.
L3 (identity): Who is this agent? Verified once. Good until revoked.
L4 (behavioral trust): Is this agent behaving as expected? Must be verified continuously.
The gap between L3 and L4 is the attack surface for:
- Compromised agent credentials used after verification
- Agent drift from declared behavior mid-session
- Cross-agent trust abuse (agent A passes compromised context to agent B)
- Slow-roll behavioral change that passes any point-in-time audit
Commit is the behavioral continuity layer. Not a replacement for identity. The necessary complement to it.
Every L3 standard that ships — TAP, VI, AGT, Entra Agent ID — makes L4 more valuable, not less. They close the check. They make the use even more consequential.
Three design principles for L4 systems
1. Prefer behavioral commitments over behavioral declarations.
An agent that declares it will only read documents in scope is making a promise at T-check. An agent that has demonstrably only ever read documents in scope across 10,000 prior sessions is making a behavioral commitment. The commitment is the trust primitive.
2. Trust should decay without continuous evidence.
Not expire — decay. An agent that was trustworthy yesterday has evidence for today, but less than it had yesterday. An agent with 90 days of clean behavioral history has more trust capital than one with 9.
3. Cross-org behavioral data is worth more than intra-org audit logs.
macOS TCC knows what one app does on one machine. It doesn't know that the same app on 10,000 machines started doing something it never did before. Behavioral signals at scale catch the anomaly that point-in-time checks miss.
This is why a cross-org behavioral trust network — not an org-internal audit log — is the right architecture for agent governance.
One last thing
The HWMonitor attack was discovered six hours in because the binary hash didn't match what was expected.
Someone was checking the hash. Someone was watching the behavior.
For autonomous agents operating at the scale of Salesforce Agentforce (29,000 enterprise deals) or OpenClaw (135K+ instances), manual hash checking doesn't scale. The behavioral monitoring layer has to be infrastructure, not vigilance.
That's the gap. That's what Commit is for.
Top comments (0)