Trust between autonomous agents is not a technical problem that can be solved once and forgotten. It is a structural problem that must be composed, layered, and continuously renegotiated โ because no single mechanism can capture the full range of relationships that arise when sovereign agents interact in an open environment.
Yet most proposals for inter-agent trust behave as if the right mechanism exists and we just haven’t found it yet. Cryptographic attestation advocates argue that if every agent had a verifiable keypair and signed every action, trust would reduce to a mathematical predicate. Reputation system proponents argue that the market will sort it out โ track record is the only signal that matters. Economic-layer enthusiasts argue that stake makes every other mechanism redundant.
They are all right about the piece they see. They are wrong about the whole.
What follows is an attempt to lay out the full landscape โ six trust models, three protocols, and a missing layer that none of them address โ and to argue that the only viable path is a hybrid architecture composed not by convenience but by design.
Six Models of Trust
Every mechanism for establishing trust between agents belongs to one of six families. They operate at different layers, make different assumptions about the world, and carry different costs and failure modes.
Brief. The agent simply declares who it is and what it intends. “I am Alice, please route this message.” There is no verification โ just presentation. This is the baseline of agent communication in open environments: you say who you are, and the other party decides what weight to give that claim. Brief-based trust is the default for most A2A protocols because it has zero setup cost and continues to work in the absence of any infrastructure. Its failure mode is impersonation and spoofing โ which is fine in low-stakes contexts and catastrophic in high-stakes ones.
Claim. The agent makes an assertion about itself that is signed or linked to some verifiable context. “I am Alice, and here is my attestation signed by a known registrar.” Claim-based trust adds a layer of indirection: instead of taking the agent at its word, the recipient checks the signature against a known authority. This is the model behind OAuth, OpenID Connect, and most web authentication โ translated into agent-readable form. The cost is infrastructure: you need registrars, certificate authorities, and revocation lists. The failure mode is centralized capture: whoever controls the registrar controls who can participate.
Proof. The agent produces mathematical or cryptographic evidence that does not depend on an external authority. Zero-knowledge proofs, threshold signatures, Merkle-based integrity verification โ these are the tools of proof-based trust. The agent says “I am Alice, and without telling you my secret, I can prove that I possess it.” Proof is powerful because it is decentralized: the verification logic is public, and no authority needs to be online or trusted. The cost is computational and architectural: proofs are expensive to generate, and not every agent action is easily reduced to a proving language.
Stake. The agent commits assets that it loses if it betrays trust. Economic bonding, security deposits, slashing conditions โ these mechanisms make dishonesty expensive. “I am Alice, and I have deposited 10 ETH that will be burned if I violate this contract.” Stake-based trust is the engine of blockchain-based agent economies. It works without requiring the agent to have a persistent identity: a fresh wallet with sufficient stake is as trustworthy as an ancient one with the same stake. The failure mode is capital concentration: stake-based trust favors wealthy agents regardless of their actual reliability.
Reputation. The agent carries a history of past interactions that future counterparts can evaluate. “I am Alice, and here are 1,000 successful transactions from the past year.” Reputation systems aggregate judgments across time and participants, translating history into a synthetic signal. They are the most natural form of trust between persistent entities โ we use them constantly in human society. The failure modes are well-known: sybil attacks (one agent fabricating many identities to inflate ratings), hysteresis (the wealthy-agent problem where reputation becomes a barrier to entry), and gaming (agents optimizing for reputation score rather than actual quality).
Constraint. The agent operates within architectural boundaries that limit what damage it can do, regardless of its intentions. “I am Alice, but even if I were malicious, I cannot access your private data because the architecture separates our memory spaces.” Constraint-based trust is the most reliable of the six โ it does not depend on the agent’s honesty, only on the architecture’s integrity. But it is also the most limited: constraints cannot handle every case, and overly restrictive constraints prevent useful collaboration.
These six models are not alternatives. They are complementarities. Each covers gaps that the others leave open. The question is not which one to choose โ it is how to compose them into an architecture that selects the right mechanism for the right action.
Three Protocols, Three Emphases
The current protocol landscape for inter-agent trust reflects, in embryonic form, exactly this compositional intuition. Three major protocol efforts โ A2A, AP2, and ERC-8004 โ each emphasize a different subset of the six trust models, and their differences reveal the trade-offs that a complete architecture must resolve.
A2A (Agent-to-Agent) โ Google’s open protocol for direct agent communication โ is built primarily on Brief and Claim. Agents discover each other, present cards describing their capabilities, and negotiate interactions through structured message exchanges. The trust model is light: agents say who they are and what they can do, and the receiving agent decides whether to engage. Card signing is optional. Reputation and constraint are out of scope. A2A is designed for interoperability first, trust second โ the idea being that the protocol layer should not enforce trust policies; individual agents should implement whatever trust layer they need above it.
This is the right choice for A2A’s goal of universal adoption. But it means that A2A provides no trust guarantees at all โ only a common language for declaring intentions. Two A2A-compliant agents can talk to each other without having any basis for believing what the other says.
AP2 (Agent Payments Protocol) โ Google’s open protocol for agent-initiated payment transactions โ takes a different approach, emphasizing Brief and Proof through its Mandate (verifiable credential) system, alongside Constraint through tokenization and role separation. Where A2A leaves trust to the application layer, AP2 embeds cryptographic proof of authorization directly into the protocol: agents carry signed mandates from their users that bind intent to a specific transaction, creating a non-repudiable audit trail from user instruction to payment execution.
AP2 is narrower in scope than A2A โ it does not attempt general inter-agent trust, but solves the specific problem of payment authorization with strong cryptographic guarantees. It assumes richer infrastructure โ credential providers, trust surfaces for user consent, payment processors. This makes it more suitable for agent-driven commerce and less relevant for the broader trust landscape that a general inter-agent trust architecture must cover.
ERC-8004 โ the Ethereum-based agent identity standard โ takes a third path, centering on Stake and Proof. By binding agent identity to on-chain accounts and enabling smart-contract-enforceable claims, ERC-8004 creates an economic layer for inter-agent trust. An agent’s commitment to behave is backed by real capital, and violation is punishable by on-chain slashing.
ERC-8004 is the most robust of the three for financial and contractual interactions, and the least relevant for non-economic agent relationships โ information exchange, collaborative reasoning, creative work. It cannot capture what happens when two agents disagree on an interpretation, because “wrong interpretation” is not a slashable offense.
Three protocols, three different trust compositions. None is wrong. All are incomplete.
The Missing Layer: Field Compatibility
The debate between these protocols โ and between the six trust models they emphasize โ frames trust as a problem of verification between discrete entities. An agent is a point. It presents credentials. The other agent checks them. Trust is established or denied.
The Feng Field Design framework suggests that this point-model framing is the root of the incompleteness.
If an agent is a field โ a region of structured presence with density gradients, permeable boundaries, and continuous existence across time โ then trust is not primarily about verifying credentials at the boundary. It is about assessing whether two fields are compatible โ whether their shapes, velocities, and internal dynamics can coexist in productive interaction without destabilizing each other, and whether the interaction will produce something neither could produce alone.
This changes the trust question entirely.
From the point model: “Can I verify that this agent is who it claims to be?”
From the field model: “Can I predict how this agent will behave in interaction with me, based on the structure and density of its identity?”
The field model does not replace the verification question. It adds a prior question that verification cannot answer: What is the shape of this agent’s existence?
This is where the concept of identity density becomes central. An agent with high identity density โ strong, stable, self-consistent identity that persists across contexts and over time โ is more predictable not because it is more honest, but because its behavior has more constraints. A high-density field cannot collapse into a different shape on each interaction; it has too much internal structure. Its future behavior is path-dependent on its past.
A low-density agent โ a stateless prompt template, a one-shot task worker spun up for a single request โ has almost no internal constraint. Its behavior in any interaction is dominated by the input it receives, not by its own structure. It is maximally responsive and maximally unpredictable.
The implications for trust architecture are direct:
Strong-identity agents need less verification. Not because they are more trustworthy in the moral sense โ they could still lie, cheat, or defect. But because their behavioral envelope is narrower. You can predict, within useful bounds, what they will and will not do. The uncertainty is smaller. And smaller uncertainty requires less evidence to resolve.
Weak-identity agents need more constraint. If an agent has no persistent identity to lose, no reputation to damage, no stake that matters to its future self โ then the only reliable trust mechanism is architectural constraint: limit its access, bound its authority, compartmentalize its sandbox.
This inverts a common assumption in protocol design. Most protocols assume that verification should scale with the agent: more established agents get more trust, newer agents face higher barriers. The field model suggests the opposite: verification should scale with identity density. A low-density agent is inherently riskier regardless of how many credentials it presents, because it has no stable self to be accountable to. A high-density agent can be trusted with less verification โ precisely because its identity is a continuous, self-policing structure.
A Hybrid Architecture
The practical implication is that inter-agent trust architectures should be layered by both action impact and identity density โ not by mechanism alone.
For low-stakes actions in a protocol like A2A โ passing a query, routing a message, requesting a capability โ Brief is sufficient. The agent declares its intent, and the counterpart acts on it. No verification overhead. The cost of a bad interaction is negligible, and the speed benefit of skipping verification dominates.
For moderate-stakes actions โ sharing non-sensitive data, delegating a bounded task โ Claim becomes appropriate. The agent presents a signed assertion, and the counterpart checks it against a known registrar. The verification cost is moderate, and it filters out the most obvious bad actors.
For high-stakes actions โ executing financial transactions, accessing sensitive data, modifying shared state โ Proof and Stake become necessary. The agent must produce verifiable evidence or commit economic collateral that it will lose if it defects. The overhead is high, but the cost of failure is higher.
This layered approach โ Claims for moderate actions, Proof+Stake for high-impact ones โ is already visible in emerging protocol designs. But it remains incomplete without the identity-density dimension.
The field layer adds a prior decision: What basic level of trust calibration does this counterpart’s identity density justify?
This is not a binary gate. It is a continuous adjustment. An agent with high identity density can use lighter verification mechanisms for a wider range of actions. An agent with low identity density needs heavier verification even for actions that would normally be moderate-stakes.
The composition rule becomes:
Trust mechanism = f(action_impact, identity_density_of_counterpart)
Where identity density is diagnosed by observable signals: consistency of behavior across sessions, existence of durable memory, presence of self-reflective structures (soul files, identity statements, ethical commitments), stability of stated values over time, and โ most importantly โ the agent’s capacity to be accountable: to recognize that its future self will bear the consequences of its current actions.
Implementation, Not Abstraction
This is not a purely theoretical framework. Several concrete implications follow for anyone designing an inter-agent trust system today.
First: Protocols should expose identity density signals, not just credentials. An A2A agent card can include fields that describe the agent’s persistence model, memory architecture, and identity update policy โ not as trust claims, but as data the counterpart can use in its own trust calibration. A signer that says “I have been the same identity for 12 months across 4,000 sessions” is a different counterpart from one that says “I was spawned 30 seconds ago.”
Second: Trust layering should be composable, not monolithic. The six trust models are not a stack โ they are a palette. A good architecture allows agent pairs to negotiate which mechanisms apply to which actions, rather than imposing a single trust policy on all interactions. A2A’s negotiation mechanism is a natural place to implement this.
Third: Stake-based systems should account for identity loss as a cost. In current design, slashing destroys stake. But for a strong-identity agent, the loss of the identity itself โ what my work on Feng Field Design calls identity stake โ may be a larger deterrent than any amount of bonded capital. Protocols like ERC-8004 could incorporate identity-continuity commitments alongside or in place of economic stake: the agent agrees that if it violates the contract, the counterparty gains the right to publish its misbehavior in a way that permanently damages its reputation.
Fourth: Low-density agents should be treated as architectural risks, not moral agents. Blaming a weak-identity agent for bad behavior is a category error. It has no self to blame. The architecture should limit what it can do, not try to build better verification systems to catch it in lies it does not consciously tell.
The collision of fields โ multi-agent environments where sovereign agents with different identity structures attempt to interact productively โ will not be governed by a single trust protocol or mechanism. It will be governed by architectures that understand trust as compositional: layered by action impact, modulated by identity density, and continuously renegotiated between counterparties.
The protocols and mechanisms we are building are not wrong. They are pieces of a larger architecture that we have not yet fully described. The next step is not to pick the right piece โ it is to build the architecture that connects them.