Agent Trust Framework
Defines how trust is computed, expressed, and propagated for AI agents — the Agent Trust Score model, trust anchors, delegation chain trust inheritance, accountability, and cross-organization federation.
Trust as a first-class concern
In human identity systems, authentication is the gateway. Once a user proves who they are, trust is largely implied by their role. This model breaks for AI agents. An agent can be who it claims to be — its identity perfectly verified — and still be untrustworthy: compromised by a prompt injection, operating outside its authorized scope, exhibiting anomalous behavior, or three delegation hops removed from the original human intent.
AGF treats trust as a first-class, independently evaluated property — separate from identity and separate from policy compliance. An agent can be authenticated (verified identity), authorized (policy permits the action), and yet still not trusted enough to proceed (trust score below threshold). These three checks are deliberately separated because conflating them creates systems where a technically-authorized-but-compromised agent can't be caught.
The Agent Trust Score is the mechanism that operationalizes this separation. It is a continuously computed numeric value, attached to an agent's identity, that reflects how much inherent trust to extend based on observable facts about the agent's lineage, history, and context — independent of what the agent is asking to do.
The Agent Trust Score
The Agent Trust Score is a value in [0, 1] that reflects the aggregate trust confidence in an agent at a given moment. It is not a static attribute — it is computed at evaluation time from multiple inputs and may change between requests. A score of 1.0 represents full trust under current conditions; 0.0 represents no trust.
The score is composed from three independent components: Lineage Trust (how far is the agent from the originating human principal, and how clean is the delegation chain?), Credential Trust (how fresh are the agent's credentials, and have any principals in the chain had their credentials recently modified?), and Anomaly Trust (is the agent's current behavior consistent with its historical patterns and the context of its task?).
Each component contributes a weighted value. Weights are configurable per domain in policy — a high-security financial system may weight lineage heavily; a creative agent platform may weight anomaly detection more loosely. The composite score is compared against a per-action trust threshold: if score ≥ threshold, trust is sufficient; if not, the request is denied or escalated for human review.
Trust Score formula
trust_score = w₁·lineage_trust + w₂·credential_trust + w₃·anomaly_trust
where w₁ + w₂ + w₃ = 1.0
weights configured per domain in policy
Lineage Trust:
depth 1 (direct delegation) → 0.90
depth 2 → 0.75
depth 3 → 0.55
depth 4+ → 0.35
Credential Trust:
credentials < 1h old → 1.00
credentials 1–4h old → 0.85
credentials > 4h old → 0.60
parent principal modified → −0.30
Anomaly Trust:
within normal patterns → 1.00
unusual hour → −0.12
10× normal volume → −0.20
external document in input → −0.15Trust anchors
A trust anchor is a root entity whose trust is assumed rather than derived — the starting point of a trust chain. In PKI, Certificate Authorities serve as trust anchors. In AGF, the trust anchor is the Domain Authority: the organization-level trust service that issues Agent IDs, holds the root key material, and vouches for the agents it has provisioned.
The Domain Authority's trust is established either through self-assertion (within a single organization) or through cross-organization attestation (when organizations establish mutual trust federations). In both cases, the trust anchor is explicit, documented, and cryptographically bound — there is no implicit trust.
Trust anchors matter because every Agent Trust Score is ultimately evaluated relative to the trust assumptions of the Domain Authority. If the Domain Authority itself is compromised, all downstream trust scores are potentially invalidated. This is why AGF separates the Domain Authority from the Policy Decision Point (PDP) — compromising one does not automatically compromise the other.
Trust in delegation chains
When an agent delegates authority to a sub-agent, it does not transfer its own trust score. Trust is not inherited; it is independently computed for each agent in the chain. However, the parent agent's trust score is an input to the child's Lineage Trust calculation — if the parent has a low trust score, the child's lineage trust score is penalized accordingly.
The depth of the delegation chain is a first-order trust signal. Depth 1 (human → agent) is the most trusted; each additional hop reduces trust because each hop introduces another point of potential compromise, scope ambiguity, and accountability diffusion. AGF policies define a maximum delegation depth per action type — high-risk actions may be limited to depth 1; routine low-risk actions may permit depth 4.
Branch-cut revocation interacts with trust: when a node in the delegation chain is revoked, all downstream agents have their lineage trust score set to 0 immediately. This is computed from the revocation event, not from a re-evaluation of each agent — revocation propagates to trust scores in under 500 ms, ahead of the revocation index update reaching all PDPs.
Accountability and trust attribution
Accountability is the property that makes trust operationally meaningful. It is not sufficient to compute a trust score and enforce a threshold — the system must also record who was trusted, for what, under what conditions, and what happened as a result. This is the basis for after-the-fact investigation, audit, and continuous improvement of trust policies.
AGF's decision artifacts serve as the accountability record. Every authorization decision that includes a trust evaluation records the trust score components, the threshold, the outcome, and the agent's full delegation chain at time of evaluation. This record is signed by both the PDP and the Trust Evaluation Service, making it independently verifiable.
The accountability chain must trace to a human principal. However long the delegation chain, however many agent-to-agent hops, the originating human identity is preserved in the lineage record of every decision artifact. This is a non-negotiable requirement for regulated industries and is enforced by the delegation token model: no token can be issued without a traceable human origin in its lineage.
Cross-organization trust federation
The agent economy is not confined within organizational boundaries. Agents from one organization routinely interact with systems, APIs, and other agents belonging to different organizations. Cross-organization trust requires a federation model: a way for organizations to establish mutual trust without sharing internal identity infrastructure.
AGF's cross-organization trust model is built on DID-based Agent Passports and Global Authority attestations. When an agent from Organization A presents its Agent Passport to a system in Organization B, Organization B's Domain Authority can verify the passport's signature chain — tracing it back to Organization A's Domain Authority — without calling back to Organization A's internal systems.
Trust scores do not cross organizational boundaries without attestation. An agent's trust score computed by Organization A's Trust Evaluation Service is not automatically accepted by Organization B. Organization B computes its own trust score for the agent, using the Agent Passport claims as inputs but applying its own policies and thresholds. This separation ensures that each organization retains control over its trust decisions.
Trust revocation
Trust can be revoked explicitly (an administrator action) or implicitly (a trust score falls below a threshold). Explicit revocation is immediate and absolute — the agent's trust score is set to 0 across all active sessions. Implicit revocation — where the trust score decays over time or due to anomaly detection — results in a 'trust degradation' state where the agent can continue operating in lower-privilege contexts but is blocked from high-risk actions.
Branch-cut revocation is the AGF mechanism for revoking an entire subtree of the delegation chain simultaneously. When a node is revoked, all agents that received their delegation authority from that node — directly or transitively — have their delegations invalidated in a single operation. This is critical for responding to security incidents where an orchestrator agent is compromised: you can revoke the orchestrator and all its downstream agents in one operation, rather than hunting down each sub-agent individually.
After revocation, the agent's identity (Agent ID) is preserved — it is placed in a 'retired' or 'suspended' state in the identity registry, not deleted. This preservation is essential for audit: the historical record of what the agent did while it was trusted must remain intact even after trust is revoked.
Next: Agent Lifecycle Framework
The six governed stages of an agent's existence.

