Trust in Depth for AI Agents

Trust in Depth

Layered trust mechanisms — each imperfect on its own — compose into robust trust when applied together.

The concept is borrowed from military strategy. Defense in depth — the principle that layered defenses, each individually penetrable, compose into a position that is far stronger than any single fortification — has governed military thinking since the Roman Empire and cybersecurity architecture since the 1990s. No single wall needs to be impenetrable. The attacker must breach all of them.

Trust in depth applies the same principle to commerce.

No single identity verification, no single attestation, no single legal framework needs to be complete. Each layer has known weaknesses. But in combination, the layers create a trust architecture that is resilient, proportional, and resistant to the attacks that break single-layer systems.

This is a deliberate design choice. The alternative — a single, comprehensive trust system that handles identity, authorization, agreement, and enforcement in one layer — is the architecture that every failed trust system in history has attempted. It is brittle by construction. A single point of failure means a single point of compromise.

The Four Layers

Trust in depth requires four layers. Each layer addresses a distinct trust question. Each has a known gap. The composition of all four layers is what closes those gaps.

Layer 1: Human Identity

The trust question: Is there a real, identifiable human at the base of this chain of agency?

At the foundation of every chain of delegation — from human to organization to agent to sub-agent — a real human must be identifiable. Without this anchor, the entire chain floats free of accountability.

The most robust human identity infrastructure that exists today is, perhaps counterintuitively, payments. With the exception of pure cryptocurrency transactions, all payment systems trace back to financial institutions that maintain the strongest identity verification systems in the world. Banks perform KYC. Payment processors verify merchants. Credit card companies maintain fraud detection systems that process billions of signals daily.

This infrastructure is imperfect. It is siloed. It is owned by intermediaries, not by the individuals it identifies. But it is the single most battle-tested identity system on the planet. It processes trillions of dollars annually. It has survived decades of adversarial attack. Its weaknesses are known and actively managed.

The payment identity layer works because financial institutions have economic skin in the game. A bank that fails to verify a customer's identity faces regulatory penalties, legal liability, and reputational damage. This economic alignment — where the verifier bears the cost of failure — is the most reliable mechanism for maintaining verification quality.

The gap: Identity is owned by the intermediary, not the individual. A person's identity with their bank is not portable to another context. You cannot take your Chase KYC verification and present it to Wells Fargo — you must verify again, from scratch. And the payment rail determines governance posture entirely — Visa's rules govern Visa transactions, regardless of what the underlying agreement says. For agent commerce, the question becomes more acute: which payment identity anchors an agent that operates across multiple payment systems simultaneously?

The identity portability problem is not just an inconvenience. It means that identity verification is repeated — at significant cost — for every new relationship, while the results of previous verifications go to waste. More importantly, it means that there is no composable identity that can serve as a foundation for layered trust.

Layer 2: Entity Attestation

The trust question: Is the organization behind this agent a real, verifiable legal entity?

Humans operate through organizations. Organizations employ agents. The entity layer verifies that the organizational structures through which humans operate are real, legally constituted, and connected to identifiable humans.

Entity identity ultimately reduces to human attestation. A corporation exists because humans filed formation documents with a government authority. A bank account exists because a human passed identity verification on behalf of the entity. An agent operates because a human (or a chain of humans) authorized it. The entity layer makes this chain explicit and verifiable.

This is more subtle than it appears. A corporation is a legal fiction — a construct that exists because the legal system recognizes it. It has no physical body. It has no biometric signature. Its "identity" consists of:

  • Formation documents filed with a state or national authority
  • A tax identification number issued by a government
  • Bank accounts opened by authorized representatives
  • Contracts signed by officers with documented authority
  • Ongoing regulatory filings that confirm continued existence

Each of these elements is an attestation by a human about the entity's reality. The entity's identity is the sum of these attestations.

The gap: Business email compromise — attacks that exploit the gap between entity identity and authorized human representatives — accounts for $2.9 billion in annual US losses alone. The attack works because verifying that a communication comes from an authorized representative of a known entity is surprisingly difficult. The entity is real. The communication appears legitimate. But the human behind the communication is not who they claim to be.

For agents, the gap widens dramatically. If an agent claims to represent Acme Corporation, current systems have no standard way to verify that claim. Who within Acme authorized this specific agent? What is the scope of that authorization? Can it be revoked in real time? Is the authorization still current? These questions have no answers in the current agentic landscape.

The problem is compounded by the speed of agent interaction. In human commerce, the latency of communication provides a natural window for verification. An email can be confirmed by a phone call. A request can be validated against known procedures. Agent-to-agent interaction happens in milliseconds, leaving no natural window for the kind of out-of-band verification that catches business email compromise in human contexts.

Layer 3: Agreement Integrity

The trust question: Is this agreement tied to a real legal framework with enforceable terms?

The agreement layer ensures that commitments between parties — whether human or agent — are recorded in a form that is:

  • Permanent — the terms cannot be altered after the fact by either party
  • Independently verifiable — any party (or adjudicator) can confirm what was agreed
  • Legally grounded — the agreement specifies governing jurisdiction and applicable law
  • Controlled by neither party — no single participant can unilaterally modify the record

This is where blockchain makes its highest-value contribution to trust infrastructure. Not as a payment system. Not as a platform for speculative assets. But as an immutable, independently verifiable record of what was agreed. A hash of agreement terms stored on-chain, with the full terms stored off-chain, creates a system where neither party can credibly claim the terms were different from what was recorded.

The architecture is precise: the full agreement text lives off-chain (for cost, privacy, and practicality), while a cryptographic hash of that text lives on-chain. Any alteration to the off-chain text — even a single character — produces a different hash that will not match the on-chain record. This creates a tamper-evident seal that requires no trusted custodian.
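The tamper-evident seal described above, as an added example that is not code from the original page. The canonical serialization (sorted keys, fixed separators, NFC-normalized strings) is this example's own assumption; the page names no scheme, and without one the same terms can hash differently. `RECORDED` stands in for the digest stored on-chain, and the sample agreement is constructed.

```python
import hashlib
import hmac
import json
import unicodedata


def canonical_bytes(agreement: dict) -> bytes:
    """Serialize deterministically so identical terms always yield identical bytes."""
    def norm(v):
        if isinstance(v, str):
            return unicodedata.normalize("NFC", v)
        if isinstance(v, dict):
            return {norm(k): norm(x) for k, x in v.items()}
        if isinstance(v, list):
            return [norm(x) for x in v]
        return v
    return json.dumps(norm(agreement), sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def agreement_digest(agreement: dict) -> str:
    """SHA-256 over the canonical form; this is the value that would go on-chain."""
    return hashlib.sha256(canonical_bytes(agreement)).hexdigest()


def matches_record(agreement: dict, recorded_digest: str) -> bool:
    """True only if the off-chain text still hashes to the recorded digest."""
    return hmac.compare_digest(agreement_digest(agreement), recorded_digest)


# Constructed sample agreement (all values are placeholders).
SIGNED = {
    "parties": ["Acme Corporation", "Example Supplier Ltd"],
    "terms": "Deliver 100 units by 2030-01-31 for USD 5000.",
    "governing_law": "placeholder jurisdiction",
    "forum": "placeholder arbitration forum",
}
RECORDED = agreement_digest(SIGNED)  # stand-in for the on-chain record

# Same terms with keys in a different order: must still verify.
REORDERED = dict(reversed(list(SIGNED.items())))
# One character changed in the terms: must fail verification.
TAMPERED = dict(SIGNED, terms=SIGNED["terms"].replace("5000", "5001"))

if __name__ == "__main__":
    for name, doc in [("signed", SIGNED), ("reordered", REORDERED), ("tampered", TAMPERED)]:
        print(name, matches_record(doc, RECORDED))
```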

But recording terms is not enough. An agreement is legally enforceable only when it meets the prerequisites for enforcement:

  • Identifiable parties with legal capacity to contract
  • Mutual consent that is genuine, not coerced or fraudulent
  • Definite terms that a court or arbitrator can interpret
  • Governing law that determines which legal framework applies
  • Forum selection that establishes where disputes will be resolved

The gap: Neither jurisdiction nor governing law exists in the current agentic landscape. When two agents negotiate a service agreement, they do so in a legal vacuum. No jurisdiction is established. No governing law is specified. No forum for dispute resolution is identified. The agreement may be technically recorded, but it is legally unenforceable because the preconditions for enforcement — jurisdiction, consent, capacity — have not been established.

This is not a minor gap. It is the difference between a record and a contract. A record is evidence that something was stated. A contract is a legally binding commitment with structured remedies for breach. The blockchain provides the record. The agreement layer provides the contract.

Layer 4: Agent Authorization

The trust question: Does this agent have verified, bounded authority to take this specific action?

The autonomous system must carry verifiable, bounded authority. The delegation chain — from human to entity to agent — must be auditable, revocable, and scoped to specific actions.

This is the newest and least developed layer. Agent identity has no precedent in law, no established regulation, and no industry standards. The concept of "agent authorization" must be constructed from first principles.

The requirements are clear even if the implementations are not:

  • Scope — the agent's authority must be bounded to specific actions, value limits, and counterparty types
  • Delegation chain — the path from authorizing human to acting agent must be traceable
  • Revocability — authorization must be revocable in real time, not just in theory
  • Auditability — every action taken under the authorization must be attributable to the specific grant of authority
  • Temporality — authorization must have explicit expiration, not persist indefinitely by default

The analogy to human commerce is the power of attorney. A power of attorney grants a specific person authority to act on behalf of another, within defined scope, for a defined period. It can be revoked. Actions taken under it are attributable to both the agent and the principal. The legal framework for powers of attorney has been refined over centuries.

Agent authorization requires the digital equivalent — but adapted for actors that can operate at machine speed, across multiple contexts simultaneously, and potentially spawn sub-agents with delegated authority.
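One way to check the five requirements above against a delegation chain that includes a sub-agent, as an added example that is not code from the original page. The `Grant` fields, the `authorize` function, and the principal names are hypothetical, the sample chain is constructed, and each grant's signature is assumed to have been verified before this check runs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Grant:
    grant_id: str        # identifier recorded for audit
    issuer: str          # who delegates
    subject: str         # who receives the authority
    actions: frozenset   # permitted action names (scope)
    max_value: int       # per-action value limit, in cents (scope)
    expires: datetime    # explicit expiry (temporality)


def authorize(chain, root, agent, action, value, now, revoked):
    """Return (allowed, reason, grant_ids); chain[0] must be issued by the root human.
    Assumption: signatures on the grants were already verified by the caller."""
    ids = [g.grant_id for g in chain]  # every decision is attributable to these grants
    if not chain or chain[0].issuer != root or chain[-1].subject != agent:
        return False, "chain does not link root to agent", ids
    parent = None
    for g in chain:
        if g.grant_id in revoked:
            return False, f"{g.grant_id} revoked", ids
        if now >= g.expires:
            return False, f"{g.grant_id} expired", ids
        if parent is not None:
            if g.issuer != parent.subject:
                return False, f"{g.grant_id} breaks the chain", ids
            # A delegate can only pass on authority it holds itself.
            if not g.actions <= parent.actions or g.max_value > parent.max_value:
                return False, f"{g.grant_id} exceeds parent scope", ids
        parent = g
    leaf = chain[-1]
    if action not in leaf.actions or value > leaf.max_value:
        return False, "action outside granted scope", ids
    return True, "ok", ids


# Constructed sample: human -> entity -> agent -> sub-agent.
T0 = datetime(2030, 1, 1, tzinfo=timezone.utc)
EXP = datetime(2030, 2, 1, tzinfo=timezone.utc)
CHAIN = [
    Grant("g1", "human:alice", "entity:acme", frozenset({"quote", "purchase"}), 500_000, EXP),
    Grant("g2", "entity:acme", "agent:buyer", frozenset({"quote", "purchase"}), 100_000, EXP),
    Grant("g3", "agent:buyer", "agent:sub", frozenset({"quote"}), 100_000, EXP),
]
```

Revoking `g2` invalidates the sub-agent's authority as well, because every link is re-checked on each call.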

The gap: If an agent acts outside its authorized scope, who is liable? The authorizing human? The entity that deployed the agent? The platform that hosted it? The framework that built it? Current law provides no clear answer, and current technology provides no mechanism for even asking the question in a structured way.

The liability question is not academic. When an agent-negotiated agreement fails — and failures are inevitable in any system operating at scale — someone must bear the cost. Without a clear delegation chain connecting the agent's actions to an accountable entity, the cost falls on whichever party has less power, which is precisely the outcome that contract law was designed to prevent.

What the Composition Achieves

No single layer is sufficient. Each has a known, exploitable gap. The composition of all four layers achieves what no individual layer can:

1. Anchoring to Real-World Identity

Every agent action, no matter how many layers of delegation separate it from a human, traces back to an identifiable person operating through a verifiable entity. The chain may be long. But it is never broken. This is not a guarantee that the human acted wisely or honestly. It is a guarantee that the human can be found — and that this findability creates accountability.

2. Legal Enforceability

Agreements between agents are not just technically recorded — they are legally grounded. Jurisdiction is established. Governing law is specified. The agreement has the structural prerequisites for enforcement in a real court or arbitration forum. A party that breaches the agreement faces real consequences, not just the loss of a pseudonymous reputation.

3. Jurisdictional Linkage

Every transaction occurs within a known legal context. This does not mean every transaction requires a lawyer. It means that when disputes arise — and they will — there is an established forum and an applicable body of law for resolving them. The parties know, at the time of agreement, where and how disputes will be handled.

4. Recourse

When something goes wrong, there is a structured process for resolution. Not "stop transacting with that agent." Not "post a negative review." Not "write off the loss." A genuine dispute resolution mechanism with the authority to examine evidence, apply rules, and impose outcomes that the parties are bound to accept.

The Economic Argument

Trust in depth restores the deterrent that friction once provided — but through architecture rather than inconvenience.

In the pre-agentic world, the cost of gaming the system was the aggregate friction of identity verification, document signing, waiting periods, and human oversight. AI agents eliminated that friction, and with it the deterrent.

Trust in depth recreates the deterrent structurally. A bad actor attempting to exploit the system must compromise all four layers simultaneously:

  1. Fabricate a verifiable human identity — defeating the financial system's KYC infrastructure
  2. Create a convincing entity attestation — establishing a legally verifiable organization connected to the fabricated identity
  3. Manipulate agreement records — altering terms stored on an immutable ledger that neither party controls
  4. Forge authorization credentials — producing verifiable, scoped delegation chains that pass cryptographic verification

Any single layer can be defeated. Identity can be forged. Entities can be fabricated. Agreement systems can be gamed. Authorization can be spoofed. But doing all four simultaneously, for the same transaction, against a system designed to cross-validate across layers — that is expensive. Expensive enough to restore the economic deterrent that makes honest participation the rational choice.

This is not theoretical. It is the same principle that makes modern cybersecurity work. Firewalls can be breached. Encryption can be broken (given enough time). Access controls can be circumvented. Intrusion detection can be evaded. But an attacker who must defeat all four systems simultaneously faces a cost that exceeds the value of most targets.

The cost of attacking a layered system grows multiplicatively, not additively. Each additional layer does not just add its own difficulty — it multiplies the difficulty of the composition. This is the fundamental insight of defense in depth, and it is directly applicable to trust in commerce.

The proportionality also matters. Not every transaction requires all four layers at full strength. A $5 purchase may require minimal identity verification and no formal agreement recording. A $5 million procurement contract requires rigorous verification at every layer. The framework is designed to scale — the layers are always present, but the rigor applied at each layer is proportional to the stakes.

This proportionality is what makes trust in depth practical for real commerce, not just high-value edge cases. The layers provide a gradient of trust, from lightweight verification for low-stakes interactions to comprehensive multi-layer verification for critical commitments.

Trust in depth does not require perfection from any layer. It requires composition across all of them.