From Trust Us to Verify It Yourself
Every AI platform today makes the same claim: “We are secure. We are safe. We are trustworthy.”
And every one of them asks you to believe it.
This is the “Trust Us” model. The platform asserts its properties. The customer accepts or rejects the assertion. There is no mechanism to independently verify the claim. The evidence, if it exists, lives inside the platform — inaccessible, unqueryable, unverifiable from the outside.
The question is not whether the platform is trustworthy. The question is whether “trust us” is an adequate foundation for autonomous AI systems that make consequential decisions.
The Problem with Assertions
When a platform says “our models are safe,” what can you verify? You can read their documentation. You can review their certifications. You can examine their compliance reports. All of these are assertions — statements made by the party you are trying to evaluate.
Assertions are not evidence. They are testimony.
The distinction matters because autonomous agents create a new category of risk. When an agent acts on your behalf — spending money, accessing data, making infrastructure changes — you need more than the platform’s word that the action was authorized, constrained, and auditable.
You need evidence you can verify yourself, without trusting the platform that produced it.
The Attestation Chain
An attestation is a cryptographically signed claim about something that happened. Unlike a log entry, which can be modified, an attestation is tamper-evident — any change invalidates the signature.
But a single attestation is not enough. Autonomous agent decisions are chains of events: a user authorizes a mandate, the agent detects a trigger, the pipeline evaluates constraints, the action executes, the results are recorded. Each link in this chain must be attested, and the chain itself must be verifiable.
This is the chained ledger model:
- Input attestation — the user’s consent, cryptographically signed
- Context attestation — the information the agent used to make its decision
- Model attestation — the supply chain provenance of the model that generated the response
- Guardrail attestation — the policy evaluation verdict, signed
- Output attestation — the agent’s action, anchored to everything above
Each attestation is bound to the previous one. Compromise at any layer taints everything downstream. If the input attestation is invalid, the entire chain is suspect — not because we choose to distrust it, but because the cryptographic binding is broken.
What “Verify It Yourself” Means
The shift from “Trust Us” to “Verify It Yourself” is not a slogan. It is an architectural property.
A system that supports independent verification must provide three things:
1. Self-contained evidence. The attestation chain must include everything needed for verification. No callbacks to the platform. No shared state. No “check with us” — the evidence stands alone.
2. Standard cryptographic primitives. The verification must use standard algorithms (ES256, SHA-256) and standard key management. No proprietary verification protocols. Anyone with the public key can verify the signature.
3. Stateless verification. The verifier does not need an account, a session, or a relationship with the platform. They receive the attestation, they verify the signatures, they check the chain. The verification is a pure function of the evidence.
This is the difference:
| Trust Us | Verify It Yourself | |
|---|---|---|
| “Our models are safe” | Accept or reject | Here is the guardrail verdict with KMS signature |
| “We protect your data” | Read our policy | Here is the forensic ledger — query it yourself |
| “We verify our builds” | Check our certification | Here is the SLSA provenance + identity attestation |
| “We track agent behavior” | Trust our monitoring | Here are the forensic queries on validated events |
In every row, the shift is the same: from platform assertion to independently verifiable evidence.
Four Dimensions, Four Digests
Each attestation in the chain includes four dimension digests — one for each dimension of the trust model:
- Identity digest — who acted, provenance level, image hash
- Supply Chain digest — application context, user, session
- Behavioral digest — event type, content fingerprint, completion reason
- Association digest — agent name, model used, tools invoked
These digests serve two purposes. First, they enable targeted forensic queries — you can investigate along any single dimension without decrypting the entire attestation. Second, they make the trust evaluation itself verifiable — the four-dimensional trust score is not just computed, it is attested.
The Capstone
This series began with a question: how do you trust an autonomous AI agent?
The answer is: you don’t. You verify.
You verify identity through compositional credentials that bind the agent to its user, its model, and its tool chain. You verify the supply chain through provenance attestation that traces every component to its source. You verify behavior through continuous evaluation against declared anchors. You verify associations through tool binding attestation that proves which tools were available and which were used.
And then you verify the verification itself — through cryptographic attestation that makes every claim independently checkable.
The formula is Effective Trust = Identity x Supply Chain x Behavioral x Association. The word “Effective” is load-bearing. Whatever trust posture you have, its effectiveness is bounded by these four dimensions. A zero in any dimension collapses the product.
The mandate provides scoped authority. The pipeline provides structural enforcement. The attestation provides cryptographic proof. The observatory provides forensic reconstruction.
None of these ask you to trust the platform. All of them ask you to verify the evidence.
That is the shift. From “trust us” to “verify it yourself.”
This is Part 6 of the “Zero Trust for Agentic AI” series — the conclusion. The full model is grounded in a larger document corpus backed by a live implementation.
| *Previously: The Four Dimensions of Trust | Effective Trust and Your Existing Posture | Mandates Are Not Blank Checks* |
