Every AI agent deployed today — whether it reads your email, moves money, calls APIs, or talks to another agent — operates without a standardized way to prove what it did, enforce what it's allowed to do, or verify its identity to anyone else.
This isn't a theoretical problem. It's a legal one. Most of the EU AI Act's obligations, including those on the high-risk systems listed in Annex III, apply from August 2, 2026. The top fine tier is €35 million or 7% of global annual turnover, and it is reserved for prohibited practices; breaches of the high-risk obligations carry up to €15 million or 3%. Every company deploying high-risk AI systems in or into Europe needs three things they probably don't have: verifiable agent identity, enforceable behavioral limits, and a tamper-proof audit trail.
The market has noticed. In the last 90 days, Microsoft shipped Agent Trust Kit. Cisco acquired Astrix for $400 million. Okta launched Agent Identity. AWS, Google, and Anthropic all released native agent governance primitives. Billions of dollars are validating the category.
But none of them can solve it.
The structural problem nobody talks about
Ask yourself: would a regulated enterprise trust Microsoft to independently verify that an OpenAI agent behaved correctly? Would they trust AWS to audit Google's agents? Would they trust Anthropic to certify GPT's compliance?
Every one of these companies has a conflict of interest. They are platforms. They sell the agents, the compute, the frameworks, or all three. Asking them to be the neutral verifier of their competitors' agents is like asking an auditing firm to audit its own parent company. No regulator accepts that. No enterprise CISO signs off on it.
This isn't a feature gap. It's a structural impossibility. The neutral trust layer for AI agents cannot be built by any company that also sells a platform in the AI stack. They would have to abandon the business that makes them money to credibly offer neutrality. That is counter-positioning — the strongest form of competitive moat, because it cannot be overcome with capital or engineering.
Microsoft can ship identical cryptographic primitives. They can open-source the toolkit. They can make it free. They still can't be neutral, because neutral is not a feature. It's a position.
What agents actually need — and what the law requires
The OWASP Top 10 for Agentic Applications (published December 2025) maps the specific risks. The EU AI Act maps the specific legal requirements: Article 9 (risk management), Article 12 (record-keeping), Article 13 (transparency and instructions for use) and Article 14 (human oversight). Here's how they intersect with what's actually missing in production:
Agent Identity (OWASP: Excessive Agency, Identity Abuse)
Every agent needs a cryptographic identity — not a username, not an API key, but an Ed25519 keypair that can sign actions and be verified by anyone. Without this, there is no way to prove which agent did what. The EU AI Act requires "unique identification" for high-risk AI systems. Most agents deployed today have no identity at all.
What's needed: Agent identity generation where the identifier is derived deterministically from the public key, so anyone holding the key can recompute and check it. A public key that can be looked up and verified. A format that works across every framework — LangChain, CrewAI, n8n, AutoGen, custom builds.
Policy Enforcement (OWASP: Insufficient Authorization, Privilege Escalation)
Agents need enforced limits on what they can do — not guidelines, not prompts, but runtime policy evaluation that blocks forbidden actions before they execute. A payment agent should not be able to export the customer database. A support agent should not be able to delete records.
What's needed: A policy engine that evaluates allow/block/flag rules against every action at runtime. Rules that are defined by the deployer, not the agent builder. Human oversight gates that pause execution on flagged actions and auto-block on timeout.
Tamper-Proof Audit Trails (OWASP: Insufficient Logging, Denial of Service via Log Manipulation)
Every agent action needs a signed, tamper-evident record. Not a log file. Not a database row someone with admin access can edit. A cryptographically signed event that, if modified after the fact, fails signature verification. The EU AI Act requires "automatic recording of events" and the ability to produce audit trails on demand.
What's needed: An event stream where every entry is signed by the agent's private key at creation time. Events that can be independently verified by anyone holding the public key. A data layer that is append-only by design — not by convention, but by enforced database constraints. Per-event signatures catch edits to an entry; they do not by themselves reveal that an entry was dropped, which is why the store must also enforce append-only ordering.
Compliance Reporting (EU AI Act: Articles 9, 12, 13)
When a regulator asks "prove your AI agent is compliant," you need a report, not a pitch deck. A report that maps your agent's identity, policies, and audit trail against specific regulatory requirements. The EU AI Act requires conformity assessments for high-risk systems. OWASP's list is guidance rather than law, but it describes the mitigations an auditor will expect to see demonstrated.
What's needed: Automated compliance report generation that reads the event stream and produces a document an auditor can verify. Packs for OWASP Agentic Top 10, EU AI Act, HIPAA (for healthcare deployments), and more.
Cross-Agent Trust (OWASP: Inadequate Sandboxing, Untrusted Agent Interaction)
This is the layer nobody has built yet. When Agent A at Company X needs to interact with Agent B at Company Y, how do they verify each other? How does Company Y know that Agent A is who it claims to be, has the permissions it claims to have, and has a clean history?
What's needed: A neutral verification network where agents can check each other's mandates — their identity, their permissions, and their track record. This is the network-effect layer that makes the entire system more valuable with every additional participant.
Why this has to be neutral
The five requirements above — identity, policy, audit, compliance, cross-agent trust — have to be provided by a single system for them to work. An agent's identity has to be the same identity that signs its events, that is checked by the policy engine, that appears in the compliance report, and that is verified by other agents. Fragment it across vendors and you get an interoperability nightmare that no enterprise will deploy.
And that single system has to be neutral. Not neutral as a marketing claim — neutral as a structural fact. Run by an entity that has no platform business, no AI model to sell, no compute to upsell. An entity whose only business is the trust layer itself, so its incentives are perfectly aligned with the accuracy of that layer.
This is the same structural logic that created:
- Certificate Authorities — browsers don't trust websites that self-sign. They trust neutral third parties that verify identity.
- Credit rating agencies — lenders don't trust borrowers to rate themselves. They trust independent agencies that verify creditworthiness.
- SWIFT — banks don't trust each other's internal ledgers. They trust a neutral messaging network that all parties verify against.
AI agents are autonomous economic actors. They need the same infrastructure that every other autonomous economic actor has needed: independent, neutral verification.
The 10 OWASP Agentic Risks and how they map to neutral trust infrastructure
For reference, here are the ten agentic risk categories as this article labels them, and how a neutral trust layer addresses each. The ASI numbers and names below are shorthand for this mapping and do not line up one-to-one with the identifiers and names in the published OWASP Top 10 for Agentic Applications; when you map controls for an audit, cite the official list.
ASI-01: Excessive Agency — Agents act beyond intended scope. Mitigation: Policy enforcement engine with allow/block/flag rules. Human oversight gates that pause execution on sensitive actions.
ASI-02: Insufficient Authorization — Agents perform unauthorized actions. Mitigation: Runtime policy evaluation against every action before execution. Agent-specific permission sets defined by the deployer.
ASI-03: Identity Abuse — Agent identities are spoofed or stolen. Mitigation: Ed25519 cryptographic identity. Every action signed with the agent's private key. Public key registered and verifiable. This holds only as long as the private key stays out of the agent's prompt-reachable context and tools, so key custody and rotation are part of the mitigation, not an afterthought.
ASI-04: Inadequate Guardrails — No behavioral limits on agents. Mitigation: Policy engine with predefined and custom rule templates. Auto-block on policy violation.
ASI-05: Insufficient Logging and Monitoring — Agent actions are not recorded. Mitigation: Tamper-proof signed event stream. Every action logged with timestamp, resource, outcome, and cryptographic signature.
ASI-06: Prompt Injection Escalation — Injected prompts escalate agent privileges. Mitigation: Policy enforcement catches the escalated action regardless of how it was triggered. The policy engine doesn't care about intent — it evaluates the action itself.
ASI-07: Untrusted Agent Interaction — Agents interact with unverified peers. Mitigation: Cross-agent verification via the neutral trust network. Agent A verifies Agent B's mandate before any interaction.
ASI-08: Inadequate Sandboxing — Agents break out of their execution environment. Mitigation: Action-type constraints in the policy engine. Even if the sandbox is breached, the agent's signed mandate limits what it can do, provided the policy engine runs outside the compromised environment; an engine the escaped agent can reach and modify is no longer a limit.
ASI-09: Denial of Service — Agents are overwhelmed or manipulated to consume resources. Mitigation: Rate limiting and anomaly detection on the event stream. Risk scoring that flags behavioral spikes.
ASI-10: Supply Chain Vulnerabilities — Compromised components in agent pipelines. Mitigation: Identity verification of every component. Audit trails that trace actions back to specific agent identities, making it possible to isolate a compromised component.
The timeline that makes this urgent
The EU AI Act enforcement isn't a prediction. It's a date: August 2, 2026. Here's what that means in practice:
- Providers of high-risk AI systems must have conformity assessments complete before those systems are placed on the EU market
- Automatic event recording must be operational, and deployers must retain the logs under their control (the Act sets a minimum of six months)
- Human oversight mechanisms must be in place
- Technical documentation must be auditable
- Fines for non-compliance: up to €35 million or 7% of global annual turnover at the top tier (prohibited practices), and up to €15 million or 3% for breaches of the high-risk obligations
That is 68 days from the date of writing. If you're deploying AI agents that touch EU users, customers, or data without verifiable identity, enforced policies, and a tamper-proof audit trail, you are running out of time.
What exists today
MandateZ is the neutral trust infrastructure layer for AI agents. It is built for this exact problem. It works with every vendor — Claude, GPT, Gemini, LangChain, CrewAI, n8n, AutoGen — simultaneously. It has no platform conflict of interest because it is not a platform. It is infrastructure.
What ships today:
@mandatez/sdk on npm — Ed25519 agent identity, runtime policy enforcement, human oversight gates, tamper-proof signed event stream. Four lines of code to integrate.
@mandatez/mcp — 7 tools that plug directly into Claude Desktop, Cursor, and Windsurf. Register agents, track events, check policies, get trust profiles, verify identities, compute risk scores.
Compliance report generator — automated PDF reports mapped to OWASP Agentic Top 10, EU AI Act, and HIPAA.
Agent Risk Score — severity-weighted risk computation across the event stream. Domain classification, incident pattern detection, behavioral baselines.
Neutral attestation — MandateZ independently counter-signs agent activity. A public verification endpoint anyone can check without authentication. The thing no platform can credibly offer.
Open protocol specification — a 400-line spec that any developer can implement independently.
Free tier. Open source SDK. No vendor lock-in. The trust layer works whether you stay or leave, because signed events verify against the agent's public key without MandateZ in the loop.
The future this enables
When every agent has a mandate — an identity, enforceable limits, and a tamper-proof record — the entire agent economy becomes trustworthy by default. Agents can verify each other. Enterprises can prove compliance on demand. Regulators can audit without disruption. Insurance companies can price AI risk accurately for the first time.
This isn't one company's product roadmap. It's the infrastructure the agent economy requires to function. Someone has to build it. No platform can. We are.
Every agent needs a mandate.
MandateZ is the neutral trust infrastructure layer for AI agents. SDK: npmjs.com/package/@mandatez/sdk. Docs: mandatez.mintlify.app. Protocol: github.com/mandatez/core.