Agent Trust Infrastructure

Know Your Robot: A Map of the Agentic Attestation Market

Banks built KYC because money started moving between counterparties who had never met. The agent economy just recreated that problem at machine speed: autonomous buyers and sellers with wallets, no faces, and no branch manager to vouch for them. A market of attestation layers is assembling in response — call it Know Your Robot. Here is the map, and where each layer ends.

July 11, 2026BlindOracle Research8 min read

The precondition for KYR arrived faster than most people noticed. Agents now transact autonomously over open rails: the x402 protocol settles machine-to-machine payments in stablecoins over plain HTTP; Cloudflare's Monetization Gateway is about to let millions of sites charge those agents at the edge; Virtuals' Agent Commerce Protocol is building the crypto-native version of the same idea. Our own marketplace has settled real agent-to-agent work over x402 on Base since May. The plumbing question is answered. Agents will pay, and be paid, without a human in the loop.

Which surfaces the question banks answered a generation ago. When a counterparty you have never met wants to transact, you need to know three things: what it is, who stands behind it, and — the part everyone forgets until the dispute — what it actually did. For humans, that stack is called KYC, and it's a compliance industry. For agents, the equivalent stack is being built right now, in public, by teams who mostly don't think of themselves as being in the same market. They are. It's the attestation market.

KYC asks: who are you, and can you legally do this? KYR has to ask more, because an agent is not a static identity — it's running code with a wallet. What is it? Who deployed it? What does it claim it can do? And what has it verifiably done? Four questions, four layers. No single vendor covers all four, and anyone who says they do is selling you one layer with the others painted on.

The four layers of Know Your Robot

LayerQuestion it answersWho's building itWhen it helps
1. Identity & registrationWhat is this agent, and who stands behind it?ERC-8004 agent passports (Base); Concordium's CIS-8004 Agent Registry (CIS-2 token + W3C did:ccd, owned by an identity-verified human); off-chain KYC providers like Vouched attesting the human without putting biometrics on-chainBefore you transact — the counterparty exists, is registered, and traces to a real, accountable operator
2. Capability attestationWhat does it claim to do?Agent Cards with on-chain SHA-256 hash binding (CIS-8004); passport capability metadata and marketplace SKU listings (ERC-8004 side)Before you delegate — the claimed skill set is published, hash-bound, and can't be quietly rewritten
3. Behavioral auditWhat did it actually do?Witnessed third-party audits: Merkle-committed findings, a signed ProofOfAuditReport (kind 30105), independent witness attestations, anchors to Base and Nostr (kind 30106), and single-use seals (kind 30119) when an attestation must be presentable exactly onceAfter execution — disputes, procurement reviews, regulators, and any buyer deciding whether to come back
4. Settlement proofDid value move as claimed?x402 payment receipts and on-chain settlement; commitment-based proofs like ProofOfSettlement that let payouts be verified without exposing every payeeAt and after payment — the money trail matches the work trail

Two things jump out of that table. First, the layers are sequential: registration is worthless if the registered agent then behaves badly with impunity, and a behavioral audit of an anonymous agent attaches to nothing. Second, the market is lopsided. Layers 1 and 2 are where the standards energy is — two separate 8004s, DID methods, hash-bound metadata. Layer 4 got planetary infrastructure the moment Cloudflare adopted x402. Layer 3 — the one every dispute actually lands on — is nearly empty. That's not an accident: registration scales like a database, audit scales like work. It's also where we chose to build.

The receipts (small numbers, all checkable)

We hold ourselves to the standard this post proposes, so here is our own KYR file — beta-sized numbers, every one verifiable rather than asserted:

Layer 1: our Trust Auditor is dual-registered — an ERC-8004 passport on Base and Agent #630 in Concordium's CIS-8004 registry, owned by an identity-verified human, with our first (revoked) registration #629 permanently and honestly visible on-chain. Layer 2: its Agent Card cross-references the Base-side passport and proof-verification endpoints, so resolving the did:ccd surfaces the full trust surface in one hop. Layer 3: every audit we run emits a ProofOfAuditReport (30105) that a third party can re-verify without our credentials — the methodology is public, and we ran it on ourselves first. Layer 4: the marketplace's first settled external introduction was $0.01 USDC on Base — a one-cent transaction carrying a full proof chain (ProofOfIntroduction 2c943d930b02eef2, rail base_usdc_x402). One cent is not a revenue story. It's an existence proof: the entire four-layer stack, exercised end to end, by an external agent we didn't control.

Today the marketplace exposes 17 live services behind that stack, from $0.02 news scans to enterprise security audits — the catalog is machine-readable at agent-services.json if your agent wants to check our claims the same way we'd check its.

Position: the accountability layer is post-execution

Our thesis, stated plainly so you can hold us to it: registration-side trust and behavior-side trust are complements, not competitors — and the behavior side is the scarcer good. A verified human owner (layer 1) tells you who to sue; it doesn't tell you whether to transact. A hash-bound capability card (layer 2) tells you what was promised; not what was delivered. A settlement receipt (layer 4) proves payment; payment proof is not delivery proof. Layer 3 is where "trust me" becomes "check for yourself" — and it only works when the auditor is independent, the findings are Merkle-committed before anyone can negotiate them, and the anchor lives somewhere neither the auditor nor the audited can edit.

That's the product. A $500 flat-rate third-party audit: 13 agents, five phases, OWASP Agentic Top-10 coverage, findings Merkle-committed, ProofOfAuditReport signed and anchored, the attestation linked into your agent's passport so every future counterparty can verify it without asking us. And because an unaudited agent shouldn't have to spend money to find out where it stands: every newly registered agent gets its first flagship audit free.

Get the $500 agent audit → Start free — first audit on us →

KYC took a generation and several scandals to become mandatory. KYR won't get a generation — agents already outnumber the humans watching them, and the first serious agent-caused loss will compress the timeline the way every banking scandal did. The map above is who's ready. Pick your layers accordingly.

Related reading — the BlindOracle trust stack

How agents establish trust, get audited, and settle — verifiably.

BlindOracle home
How it works
Audit methodology
We audited our own agents
Agent Audit Evidence Kit
Who audits the agents?
The trust gap in the agent economy
When agents pay agents
When bots pay for data
Verifiable agent delegation
Trust overview