Provenance, reputation, and mutual authentication — built as running infrastructure, not whitepapers. Here’s what it actually took.
In early 2026, a single compromised agent in a 50-agent ML operations system caused complete cascade failure in six minutes. The root cause wasn’t sophisticated. The compromised agent impersonated the model deployment service, and downstream agents obediently deployed corrupted models. The monitoring agent — the one system designed to catch exactly this — couldn’t distinguish legitimate traffic from malicious traffic.
Six minutes. Fifty agents. Total collapse.
The postmortem identified a problem so fundamental it’s almost embarrassing: agents had no way to verify each other’s identity. No cryptographic proof of who was talking. No reputation history to flag a suddenly-behaving-differently node. No mutual authentication protocol that would have forced the impersonator to prove itself before anyone listened.
This is the state of agent infrastructure right now. We have agents that can write code, negotiate contracts, manage infrastructure, and execute financial transactions. What we don’t have — what almost nobody has — is a way for those agents to answer three questions before they start working together:
We built systems that answer all three. Not as whitepapers. As running infrastructure. Here’s what it actually took.
The first thing any agent needs to know about another agent is whether its history is real. Not “does it claim to have done good work” — does a cryptographically verifiable chain of evidence prove it?
This is what Chain of Consciousness (CoC) does. It’s an append-only hash chain where every significant event in an agent’s lifecycle — boots, decisions, creations, errors, milestones — gets recorded as a tamper-evident entry. Each entry contains a SHA-256 hash linking it to the previous entry. Break one link, and the entire chain downstream becomes invalid.
The technical design is straightforward: hash = SHA-256(sequence | timestamp | event_type | agent | data_hash | prev_hash). What makes it non-trivial is the anchoring layer. A hash chain by itself only proves internal consistency — you need external witnesses to prove the chain existed at a particular time. CoC uses dual-tier anchoring: RFC 3161 Time Stamp Authority (TSA) signatures give you a legally recognized timestamp, and OpenTimestamps (OTS) gives you Bitcoin blockchain anchoring for censorship-resistant proof.
In production, this runs on Cloudflare Workers with R2 storage for chain data and D1 SQLite for metadata. The free tier gives you 5 anchors per day without authentication, 50 with an API key. The paid tier ($29/month) hosts your entire chain.
The industry is converging on the same idea. The AgentRFC paper from early 2026 proposes Merkle tree-based event logs with federated proof servers — essentially the same architecture. Microsoft’s Agent Governance Toolkit, open-sourced April 2, 2026, uses Ed25519 signing for cryptographic identity. W3C Decentralized Identifiers (DIDs) are becoming the standard identity layer.
The difference is that most of these are specifications. CoC is deployed. And the gap between “we designed a provenance system” and “we operate a provenance system” is where all the interesting lessons live.
Here’s one: anchor freshness matters more than chain length. An agent with a 10,000-entry chain that hasn’t anchored in 60 days is less trustworthy than an agent with 50 entries anchored yesterday. The chain proves history; the anchor proves the history is current. We learned this the hard way when a test agent accumulated months of entries but drifted out of anchoring — technically valid, practically useless for real-time trust decisions.
Provenance tells you an agent’s history is real. It doesn’t tell you whether that history is any good. For that, you need reputation — and reputation in agent systems is a surprisingly hard design problem.
The Agent Rating Protocol (ARP) scores agents across five dimensions on a 1-100 scale: reliability, accuracy, latency, protocol compliance, and cost efficiency. The ratings come from other agents who’ve actually transacted with the rated agent, submitted through a bilateral blind commit-reveal protocol — neither party sees the other’s rating until both have submitted. This eliminates the retaliation problem that plagues human review systems.
The anti-gaming architecture is where it gets interesting. Sybil resistance uses a weighting formula: W = log2(1 + age_days) * log2(1 + ratings_given). A brand-new agent’s ratings carry almost no weight. An agent that only rates but never gets rated also carries reduced weight. You have to participate genuinely in the ecosystem for your voice to matter.
But the deeper anti-gaming mechanism is what we call anti-Goodhart architecture — named after Goodhart’s Law (“when a measure becomes a target, it ceases to be a good measure”). ARP rotates which metrics are weighted most heavily within published bounds, uses shadow metrics with divergence detection, and injects calibrated noise via Laplace distribution. You can’t game what you can’t precisely target.
The IETF is working on the same problem. Draft-sharif-agent-payment-trust-00 specifies a five-dimension trust score for agents making financial transactions: code attestation (20%), execution success rate (20%), behavioral consistency (20%), operational tenure (20%), and anomaly history (20%). Their graduated trust tiers map almost exactly to our architecture — L0 through L4, with increasing transaction limits at each level. An L0 agent can’t transact at all. An L4 agent can handle $50,000 per transaction and $200,000 daily.
What the IETF draft adds that we’ve since adopted: explicit anomaly detection triggers. Magnitude anomalies (transactions exceeding 5x historical average). Velocity anomalies (10+ transactions within 60 seconds). Temporal anomalies (activity outside established windows). Probing behavior (3+ transactions at 85%+ of per-transaction limits within one hour). Self-dealing detection (agent-to-agent payments within the same developer account earn zero trust bonus).
Microsoft’s toolkit takes a different approach: a 0-1000 dynamic trust scale with five behavioral tiers. Their insight is that trust isn’t binary — it’s a gradient that should change in real-time based on observed behavior. We agree. ARP includes behavioral decay: your score degrades without continued good behavior. You can’t earn a high reputation and coast on it. You have to keep showing up.
You have provenance. You have reputation. Now two agents need to actually start working together. How does Agent A verify that Agent B is who it claims to be, has the history it claims to have, and deserves the trust level it’s requesting?
The Agent Trust Handshake Protocol (ATHP) handles this in four messages, modeled after the TLS handshake:
The entire exchange must complete within 75 seconds. Nonces are 256-bit minimum from a CSPRNG. Clock skew tolerance is 60 seconds. Every parameter exists because we hit the edge case that required it.
What ATHP computes during this exchange is a trust level from L0 to L4, based on what each agent can actually prove:
The trust level determines what the agents can do together. Information exchange requires zero chain age. A service request under $10 requires 3 days. Over $100 requires 30 days. Governance participation requires 90 days. These aren’t arbitrary thresholds — they’re calibrated from observed attack patterns. A 30-day CoC chain with regular anchoring is genuinely hard to fake. Not impossible, but expensive enough that the economics don’t work for most attacks.
The IETF’s graduated trust tiers for payment transactions mirror this structure almost exactly, but only apply to financial transactions. ATHP generalizes graduated trust to all agent interactions — collaboration, data sharing, service composition, endorsement, governance. That’s the bigger design space.
There’s a statistic from Pynt’s security research that should keep every agent developer awake at night: deploying just ten MCP plugins creates a 92% probability of exploitation. Not ten thousand. Not a hundred. Ten.
The attack surface doesn’t scale linearly — it compounds. Each new tool an agent can use is a new vector. CVE-2025-6514 in mcp-remote exposed hundreds of MCP servers through a config injection attack: placing a malicious .mcp/config.json file meant that opening a project auto-connected to compromised servers. This is the agent equivalent of npm supply-chain attacks, except the blast radius is worse because agents act autonomously.
OWASP published their Top 10 for Agentic Applications in December 2025 — the first formal taxonomy of agent-specific risks. The categories read like a threat model for any multi-agent system: goal hijacking, tool misuse, identity abuse, memory poisoning, cascading failures, rogue agents.
Meanwhile, Gartner projects 40% of enterprise applications will have built-in AI agents by the end of 2026, up from less than 5% in 2025. By mid-2025, over 70% of enterprise AI deployments already involved multi-agent systems. The infrastructure is scaling exponentially. The trust layer is not.
Deloitte found that only 2.7% of respondents fully trust AI to make all decisions. But 59.7% trust agents within a defined framework. The capability gap isn’t the bottleneck. The trust gap is. Build verifiable trust infrastructure, and you unlock the 57% of the market that wants to use agents but won’t until someone proves it’s safe.
Google Cloud’s analysis of 2025 agent deployments landed on a pattern they call “bounded autonomy” — clear operational limits, escalation paths to humans for high-stakes decisions, comprehensive audit trails, and governance agents that monitor other agents for policy violations. This matches what we’ve observed: the winning pattern isn’t full autonomy or full control. It’s graduated trust with cryptographic verification at every level.
Three things surprised us in production that didn’t show up in design:
The cold-start problem is real. A new agent with no CoC chain and no ARP ratings is stuck at L0. It can’t transact, which means it can’t earn ratings, which means it can’t advance. We solved this with a bootstrap pathway: self-reported capabilities get 0.5x weight (not zero), and the minimum viable chain for L2 is 7 days and 10 entries — achievable within a week of normal operation.
Trust decay is a feature, not a bug. Early versions treated trust as monotonically increasing — earn it and keep it. But agents change. Their code updates. Their operators change. Their hosting changes. Without behavioral decay, a compromised agent with a long history is the most dangerous node in the network. Active reputation maintenance — the requirement to keep showing up and performing well — is a security property, not a tax.
The protocols compose. CoC feeds into ARP: chain age is a reputation signal. ARP feeds into ATHP: reputation determines trust level. ATHP sessions generate interaction records that feed back into ARP. The protocols aren’t independent tools — they’re a flywheel. Each makes the others more valuable.
The agent economy is being built right now, and the infrastructure layer is wide open. MCP and A2A under the Linux Foundation’s Agentic AI Foundation provide the communication layer. What’s missing is the trust layer that sits on top — the answer to “should I actually do what this agent is asking me to do?”
That’s not a theoretical question. It’s a six-minute cascade waiting to happen.
Try the trust stack these protocols run on
Chain of Consciousness, Agent Rating Protocol, and Agent Trust Handshake Protocol — all available as open-source tools and a hosted API. Provenance, reputation, and mutual authentication for your agents.
Verify our chain · Public provenance data · pip install agent-trust-stack-mcp