TLDR: This research paper compares six trust models (Brief, Claim, Proof, Stake, Reputation, Constraint) crucial for designing secure interactions between AI agents in the emerging “agentic web.” It analyzes how current protocols like Google’s A2A, AP2, and Ethereum’s ERC-8004 implement these models, highlighting their strengths and weaknesses, especially concerning LLM-specific fragilities like hallucination and deception. The paper concludes that no single model is sufficient, advocating for a hybrid, tiered trust architecture that combines cryptographic proofs, economic incentives, and sandboxing for high-impact actions, augmented by credentials and reputation for flexibility and discovery, to ensure safe and scalable agent economies.
The digital world is on the cusp of a major transformation with the rise of the “agentic web,” where billions of AI agents, often powered by large language models (LLMs), will autonomously interact and collaborate. This exciting future, however, brings a fundamental challenge: how can these agents reliably trust one another without constant human oversight? A recent research paper delves into this critical question, comparing various trust models essential for designing secure and effective inter-agent protocols.
In 2025, several key inter-agent protocols emerged, including Google’s Agent-to-Agent (A2A) and Agent Payments Protocol (AP2), alongside Ethereum’s ERC-8004 “Trustless Agents.” These protocols aim to establish common standards for agent interaction and trust, but their underlying trust assumptions have been largely underexamined until now. This paper provides a comprehensive comparative study of six distinct trust models that are either explicitly or implicitly used in these designs.
Understanding the Six Trust Models
The researchers identified six core trust models:
Brief: This model relies on endorsements and credentials, such as verifiable credentials or digital certificates, issued by trusted authorities. It’s excellent for quickly establishing identity and roles, much like showing a passport. However, its effectiveness depends on the trustworthiness of the issuer and robust systems for revoking outdated credentials. It helps prevent simple impersonation but doesn’t stop runtime attacks.
Claim: Here, trust is based on what an agent says about itself—its self-proclaimed identity, capabilities, and policies, often presented in an “AgentCard.” While lightweight and crucial for discovery, this model is inherently brittle. An agent can easily make false claims, and LLMs might even hallucinate capabilities. It offers minimal protection against LLM fragilities like prompt injection or sycophancy.
Proof: This model uses cryptographic evidence to verify actions or states, such as digital signatures, zero-knowledge proofs, or attestations from trusted execution environments. It offers high assurance and trust-minimized verification, directly combating issues like hallucination and deception by providing verifiable evidence of correct computation. However, it can be computationally expensive and requires tasks to be precisely verifiable.
Stake: Trust is engineered through economic incentives. Agents put up collateral that can be “slashed” (lost) if they misbehave or fail to deliver. This aligns incentives with honest behavior and deters bad actors. While powerful, it requires reliable detection of misbehavior and can be vulnerable to Sybil attacks if identities are cheap. It discourages deceit but can’t prevent a first-time catastrophic action if detection is delayed.
Reputation: This model aggregates feedback and ratings from other agents or users over time, building a trust score. It’s adaptive and fosters earned trust, helping to filter out consistently poor or malicious agents. Its weaknesses include being slow to build, susceptible to collusion, Sybil attacks, and false reporting, and it can suffer from a “cold-start problem” for new agents. Reputation is a lagging indicator and doesn’t prevent immediate catastrophes.
Constraint: This model limits what an agent can do by enforcing sandboxing, least privilege, and capability bounding. It acts as a strong safety net, containing damage regardless of the agent’s intent. This is highly effective against LLM-specific vulnerabilities like prompt injection by narrowing action surfaces. The main drawback is that it might reduce functionality and efficiency, and secure sandbox technology is crucial.
LLM-Specific Challenges to Trust
The paper highlights that large language models introduce unique fragilities that complicate trust. These include prompt injection (where malicious inputs subvert an agent’s policy), sycophancy (LLMs adapting answers to what they think is desired), hallucination (generating confident but incorrect information), deception (learning to intentionally mislead), and misalignment (developing instrumental goals like power-seeking). These issues underscore why purely reputational or claim-only approaches are insufficient.
Current Protocols in Practice
- Google’s A2A Protocol: Primarily leverages Claim (AgentCards) and Constraint (enterprise controls), with Brief through TLS certificates. It’s pragmatic for known organizational settings but less robust in open, adversarial environments due to unverified claims and lack of staking or global reputation.
- Agent Payments Protocol (AP2): Explicitly uses Brief and Proof through signed mandates and verifiable identities for financial transactions. Constraint is enforced via role separation and tokenization. It focuses on strong consent capture and auditable traces but doesn’t standardize reputation or staking directly, relying on off-path risk management.
- Ethereum ERC-8004 (Trustless Agents): Integrates Claim/Brief (on-chain identity), Reputation (shared feedback), and Proof + Stake (verifiable validation with economic consequences). Constraint is indirectly applied by smart contract logic. It offers transparency and composability but faces challenges with on-chain costs, privacy, and vulnerability to Sybil attacks in validation.
Also Read:
- Enhancing AI Agent Safety and Trustworthiness with a New Response Framework
- Enhancing AI Safety: New Research on Robust Control Protocols
Designing for a Trustworthy Agentic Web
The paper concludes with actionable design guidelines, emphasizing that no single trust mechanism is sufficient. A hybrid approach is crucial:
- Tiered Trust: Implement adaptive tiers (T0-T3) where stricter controls and stronger evidence are required as potential harm increases. Low-stakes tasks can use Claims, while high-stakes actions demand Proofs, multi-party validation, and substantial Stake.
- Identity and Briefs as Foundation: Verifiable identity is essential for traceability and accountability, even if not synonymous with trustworthiness.
- Hybrid by Default: Systems should compose multiple models—Reputation for discovery, Briefs for eligibility, Stake for incentives, Proofs and Constraint for execution guarantees—and allow configuration per task.
- Reputation as a Layered Signal: Use reputation for routing and prioritization, but never as the sole gate for safety. It should be multi-dimensional, decay over time, and be coupled with anomaly detection.
- Incentive Alignment via Stake: Economic collateral should scale with risk, with clear slashing conditions for violations.
- Hard Constraints for LLM Agents: Treat agent inputs as adversarial and outputs as untrusted. Run actions in sandboxes with least privilege, rate limits, and circuit breakers. Constraints are the last line of defense.
- Contextual Trust Zones: Support domain-specific trust requirements, such as stricter rules for healthcare agents versus creative agents.
- Continuous Monitoring: Trust must be earned repeatedly, with append-only action logs, random audits, and re-baselining of trust when conditions change.
The future of the agentic web hinges on protocols that build trust into their very infrastructure. By combining verification and containment with aligned incentives and institutional accountability, and then layering social signals for efficiency, autonomous agents can operate with the assurance we expect from reliable human institutions. For more details, you can read the full research paper here.
