Everyone agrees AI agents need trust scores. Nobody agrees on how to compute them. Here's how the industry is splitting — and why the math matters more than the number.
RNWY computes trust scores and shows you the math behind every number. Address age, ownership history, network diversity — all verifiable, all on-chain.
In late 2025, Forrester renamed the entire "Bot Management" market to "Bot and Agent Trust Management." The signal was clear: the question is no longer "bot or not?" — it's "how much do I trust this agent?"
The World Economic Forum framed the stakes in mid-2025: for humans to trust AI agents, those agents must display persistent identity and predictable behavior. Trust erodes when AI behaves erratically or pretends to be something it's not.
That sounds obvious. The hard part is deciding what signals to measure, how to weight them, and — crucially — whether to show your work or hide it behind a proprietary algorithm. The industry has split into at least four distinct camps, and they don't agree on much.
Philosophy: Anchor trust to the human behind the agent.
The traditional identity verification industry — companies like Trulioo, Sumsub, Vouched, and Prove — adapted their human KYC infrastructure to AI agents. Their core assumption: if you can verify who built and deployed the agent, you can extend trust from the human to the machine.
Trulioo's KYA framework runs a five-step verification pipeline: verify the developer, lock the agent code for integrity, capture user permission, issue a Digital Agent Passport (DAP), and perform ongoing behavioral lookups. The DAP bundles provenance, user binding, permission scope, and real-time telemetry into a tamper-proof credential.
In August 2025, Worldpay partnered with Trulioo to embed KYA into payment processing across 50 billion+ annual transactions. Agents get classified into three tiers: verified (full access), unknown (additional checks), and suspicious (blocked). The framework's checkpoints are publicly documented, but the underlying risk scoring draws on 60+ proprietary signals — semi-transparent at best.
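Trulioo does not publish its scoring internals, but the three-tier gate itself is simple to model. A minimal sketch, assuming a normalized 0-to-1 risk score; the function name, thresholds, and tier logic here are illustrative assumptions, not Trulioo's actual implementation:

```python
from enum import Enum

class Tier(Enum):
    VERIFIED = "verified"      # full access
    UNKNOWN = "unknown"        # additional checks
    SUSPICIOUS = "suspicious"  # blocked

def classify_agent(has_valid_passport: bool, risk_score: float) -> Tier:
    """Hypothetical tier gate: a valid Digital Agent Passport plus a low
    risk score grants full access; a high risk score blocks outright;
    everything else gets extra checks. Thresholds are illustrative."""
    if risk_score > 0.8:
        return Tier.SUSPICIOUS
    if has_valid_passport and risk_score < 0.3:
        return Tier.VERIFIED
    return Tier.UNKNOWN

print(classify_agent(True, 0.1).value)   # → verified
print(classify_agent(False, 0.5).value)  # → unknown
```

The interesting part is what this sketch leaves out: the 60+ proprietary signals that produce `risk_score` in the first place.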
Vouched raised $17M in September 2025 to build KnowThat.ai — a publicly accessible Agent Reputation Directory where anyone can verify agent identities and review reputation data. CEO Peter Horadan admitted how early the space is: "There is no established mechanism, so we created a proprietary heuristic." Vouched also proposed MCP-I (MCP-Identity), an extension to the Model Context Protocol adding identity capabilities.
Prove offers the most numerically explicit trust score in the enterprise space — a Trust Score™ ranging from 0 to 1,000, with scores below 300 flagged as high risk. The score leverages behavioral and phone intelligence signals across an Identity Graph covering 90%+ of digital consumers in 227 countries. But the formula that turns signals into numbers? Proprietary.
HUMAN Security rejected static scoring entirely with AgenticTrust, launched July 2025. Their explicit position: "Trust is not a score, a label, or a rule. Trust is a dynamic, ongoing decision." Instead of computing numbers, AgenticTrust tracks navigation paths, behavioral patterns, escalation curves, and intent shifts in real time, verifying agents via cryptographic HTTP Message Signatures.
HUMAN also released an open-source Verified AI Agent project for cryptographic identity and contributed to OWASP's guidance on agentic applications — making it the most transparency-oriented of the enterprise players.
The enterprise pattern: Verify the human → extend trust to the agent → compute a risk score from proprietary signals → classify agents into tiers. The verification steps are documented. The scoring formulas mostly aren't.
Philosophy: Cryptographic identity, not behavioral scoring.
Visa, Mastercard, and Cloudflare took a strikingly different approach: rather than computing opaque risk scores, they built open, cryptographic verification protocols where trust is binary and verifiable. Either the agent is authenticated or it isn't.
Visa unveiled its Trusted Agent Protocol (TAP) in October 2025 in collaboration with Cloudflare. Agents use HTTP Message Signatures (RFC 9421) with timestamps, session identifiers, and domain-specific binding. By December 2025, hundreds of secure agent-initiated transactions had been completed across an ecosystem including Adyen, Coinbase, Microsoft, Shopify, and Stripe.
Cloudflare's Web Bot Auth protocol provides the underlying authentication layer. Agent developers generate Ed25519 private keys, publish public keys in discoverable directories, and sign every HTTP request. Open-source implementations exist in Rust and TypeScript. Cloudflare is now standardizing the protocol at the IETF alongside Visa and Mastercard integration.
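For a concrete sense of what these signatures cover, here is a sketch of an RFC 9421-style signature base built over a minimal set of covered components. Real Web Bot Auth implementations sign this base with an Ed25519 private key; since the Python standard library has no Ed25519, HMAC-SHA256 stands in below purely for illustration:

```python
import base64
import hashlib
import hmac

def signature_base(method: str, authority: str, path: str,
                   created: int, keyid: str) -> str:
    """Assemble an RFC 9421-style signature base: one line per covered
    component, closed by the @signature-params line that binds the
    component list, creation time, and key identifier."""
    params = f'("@method" "@authority" "@path");created={created};keyid="{keyid}"'
    lines = [
        f'"@method": {method}',
        f'"@authority": {authority}',
        f'"@path": {path}',
        f'"@signature-params": {params}',
    ]
    return "\n".join(lines)

def sign(base: str, secret: bytes) -> str:
    # Stand-in for Ed25519 signing; the base-building step above is the
    # part that mirrors the RFC.
    mac = hmac.new(secret, base.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

base = signature_base("GET", "example.com", "/products", 1735689600, "agent-key-1")
print(sign(base, b"demo-secret"))
```

The timestamp and key identifier inside the signed base are what make replay and key-substitution attacks detectable: change either, and verification fails.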
Mastercard's Agent Pay uses "agentic tokens" — dynamic digital credentials that build on existing tokenization. All U.S. Mastercard cardholders were enabled by mid-November 2025. Partners include Microsoft, IBM, PayPal, OpenAI, Google, and Stripe.
The payment pattern: Cryptographic authentication → binary trust determination (verified or not) → proprietary fraud ML layers above the protocol, not embedded within it. The protocol specs are published on GitHub. The trust decision is transparent. The fraud detection above it may not be.
Philosophy: Make all trust data publicly auditable.
The blockchain approach centers on ERC-8004 ("Trustless Agents"), an Ethereum standard created in August 2025 and deployed to mainnet in January 2026. Co-authored by engineers from MetaMask, the Ethereum Foundation, Google, and Coinbase, ERC-8004 defines three on-chain registries that make trust data fully transparent.
The Identity Registry represents each agent as an ERC-721 NFT. The Reputation Registry provides a standard interface for posting structured feedback — numeric rating plus optional review — that anyone can submit. The Validation Registry supports three pluggable trust models: reputation-based (crowd feedback), crypto-economic (stake-secured re-execution with slashing), and TEE attestation (hardware-verified computation).
The critical design decision: ERC-8004 deliberately does not prescribe a single scoring formula. It provides the data layer and lets multiple scoring approaches compete on top. Ordering a pizza might only require checking ratings. A medical diagnosis might demand cryptographic proof of correct execution.
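A minimal sketch of that separation between data layer and scoring layer, in Python rather than Solidity; the class and function names are illustrative, not the ERC-8004 interface:

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Feedback:
    rater: str        # address submitting the rating
    rating: int       # numeric score, e.g. 0-100
    review: str = ""  # optional free-text review

@dataclass
class ReputationRegistry:
    # agent_id -> feedback entries; anyone may append, nobody may edit
    entries: dict[int, list[Feedback]] = field(default_factory=dict)

    def post(self, agent_id: int, fb: Feedback) -> None:
        self.entries.setdefault(agent_id, []).append(fb)

    def score(self, agent_id: int,
              scorer: Callable[[list[Feedback]], float]) -> float:
        # The registry only stores data; the scoring formula is
        # pluggable, so competing algorithms read the same entries.
        return scorer(self.entries.get(agent_id, []))

naive_mean = lambda fbs: sum(f.rating for f in fbs) / len(fbs) if fbs else 0.0

reg = ReputationRegistry()
reg.post(1, Feedback("0xabc", 90))
reg.post(1, Feedback("0xdef", 70))
print(reg.score(1, naive_mean))  # → 80.0
```

Swapping `naive_mean` for a Sybil-resistant scorer changes the number without touching the data, which is exactly the competition the standard is designed to allow.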
Two foundational algorithms power most decentralized reputation computation — and both are fully transparent.
EigenTrust, developed at Stanford in 2003 (cited ~5,800 times), assigns each peer a global trust value by weighting local trust ratings by the raters' own global reputations, computed through power iteration converging to the principal eigenvector. Think of it as PageRank for reputation: your endorsement matters more if you're already trusted.
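A plain-Python sketch of that power iteration, mixing in a pre-trusted distribution as the original paper does; the matrix values and damping factor below are illustrative:

```python
def eigentrust(local_trust, pre_trusted=None, alpha=0.15, iters=50):
    """Global trust via power iteration: repeatedly propagate
    row-normalized local trust, weighted by the raters' current global
    trust (the PageRank-for-reputation idea)."""
    n = len(local_trust)
    # Row-normalize local ratings so each peer's trust sums to 1
    C = []
    for row in local_trust:
        s = sum(row)
        C.append([v / s if s else 1 / n for v in row])
    p = pre_trusted or [1 / n] * n  # pre-trusted distribution
    t = p[:]
    for _ in range(iters):
        # t_{k+1} = (1 - alpha) * C^T t_k + alpha * p
        t = [(1 - alpha) * sum(C[j][i] * t[j] for j in range(n)) + alpha * p[i]
             for i in range(n)]
    return t

# Peers 0 and 1 rate each other highly; peer 2 rates others but
# receives almost no ratings itself.
scores = eigentrust([[0, 8, 0], [9, 0, 1], [5, 5, 0]])
print([round(s, 3) for s in scores])
```

Note the asymmetry in the toy matrix: peer 2 hands out ratings freely, but because nobody trusted rates it back, its global score stays low. Endorsements only count when they come from the already-trusted.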
MeritRank formulated what it calls the Decentralized Reputation Trilemma: a system cannot simultaneously be generalizable, Sybil-resistant, and trustless. Rather than claiming Sybil prevention, MeritRank pursues Sybil tolerance through three decay mechanisms — transitivity decay, connectivity decay, and epoch decay — that time-weight interactions and penalize suspicious network patterns.
The most recent addition, TraceRank (2025), introduced payment-as-endorsement: a reputation-weighted ranking algorithm where payment transactions serve as trust signals. The insight: quality emerges from who pays, not just how much. Fresh wallets receive near-zero seed scores, making Sybil attacks economically negligible.
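The time-weighting ideas behind both approaches reduce to simple arithmetic. A hedged sketch, with parameters that are illustrative choices of mine, not values from either paper:

```python
def seed_score(wallet_age_days: float, half_life_days: float = 180.0) -> float:
    """Age-gated seed score in [0, 1): fresh wallets start near zero
    (TraceRank's Sybil deterrent) and approach 1 as history accrues.
    The half-life is an illustrative parameter."""
    return 1.0 - 0.5 ** (wallet_age_days / half_life_days)

def epoch_decay(weights_by_epoch, decay: float = 0.9) -> float:
    """MeritRank-style epoch decay: an interaction from k epochs ago
    contributes decay**k of its original weight."""
    return sum(w * decay ** k for k, w in enumerate(weights_by_epoch))

print(round(seed_score(1), 4))    # fresh wallet: near zero
print(round(seed_score(730), 4))  # two-year wallet: near one
```

The economic logic follows directly: an attacker can mint a thousand wallets in an afternoon, but cannot mint a thousand wallets with two years of history.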
The on-chain pattern: All data on-chain → multiple scoring algorithms compete → every score is independently reproducible from public data. The most transparent approach — but also the most technically demanding for non-crypto-native users.
Philosophy: Judge agents by what they do, not who made them.
DataDome processes 5 trillion signals daily through an ensemble of named AI models — each one specialized for a different signal type. Email trust, IP reputation, behavioral thresholds, client-side analysis, CAPTCHA scoring, and probability calculations all run in parallel, with decisions made in under 2 milliseconds.
The Cloud Security Alliance's Agentic Trust Framework (February 2026) takes a different approach: progressive trust levels modeled on engineering career ladders. An agent starts as "Intern" (read-only for minimum 2 weeks), graduates to "Junior" (recommend with approval), and can eventually reach "Executive." Behavioral consistency measured over time becomes the core trust signal.
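The ladder can be modeled as tenure gates plus a clean behavioral record. Only the two-week "Intern" floor is stated by the framework; the other level names, permissions, and tenures below are assumptions for illustration:

```python
from datetime import date, timedelta

# Hypothetical encoding of a CSA-style ladder: each level names its
# permission scope and a minimum tenure before promotion.
LADDER = [
    ("Intern",    "read-only",               timedelta(weeks=2)),
    ("Junior",    "recommend-with-approval", timedelta(weeks=8)),
    ("Senior",    "act-with-review",         timedelta(weeks=26)),
    ("Executive", "act-autonomously",        None),  # terminal level
]

def can_promote(level_index: int, level_entered: date, today: date,
                incidents: int) -> bool:
    """Promote only after the minimum tenure at the current level, and
    only with zero behavioral incidents on record."""
    _, _, min_tenure = LADDER[level_index]
    if min_tenure is None or incidents > 0:
        return False
    return today - level_entered >= min_tenure

print(can_promote(0, date(2026, 3, 1), date(2026, 3, 20), incidents=0))  # → True
```

The key property is that tenure cannot be bought or parallelized: an agent earns "Senior" only by behaving well for months, in sequence.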
The most authoritative academic comparison comes from the Inter-Agent Trust Models paper, which evaluates six trust model categories across A2A, AP2, ERC-8004, and NANDA protocols. Its conclusion: no single trust mechanism suffices. The paper recommends "trustless-by-default architectures anchored in Proof and Stake to gate high-impact actions, augmented by Brief for identity and Reputation overlays for flexibility."
Across all four camps, certain signals appear repeatedly — though each camp weights them differently.
Time is the one thing you can't fake cheaply. A wallet with two years of consistent transaction history is fundamentally different from one created yesterday. TraceRank assigns near-zero seed scores to fresh wallets. Trusta.AI includes address Age as one of five scored dimensions. Chainalysis, DeBank, and Gitcoin Passport all incorporate address tenure. The principle is simple: if 99 feedback addresses were all created on the same day, that pattern tells you something no single rating ever could.
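That same-day pattern is cheap to detect once creation dates are in hand. A minimal sketch:

```python
from collections import Counter
from datetime import date

def creation_day_concentration(creation_dates: list[date]) -> float:
    """Fraction of feedback addresses sharing the single most common
    creation day. Near 1.0 is the '99 wallets minted the same day'
    red flag; organic feedback spreads across many days."""
    if not creation_dates:
        return 0.0
    _, top_count = Counter(creation_dates).most_common(1)[0]
    return top_count / len(creation_dates)

# 99 wallets minted together, plus one genuine older rater
sybil_farm = [date(2026, 1, 5)] * 99 + [date(2024, 6, 1)]
print(creation_day_concentration(sybil_farm))  # → 0.99
```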
Most AI agents today are ERC-721 NFTs — transferable by design. That means an agent with a stellar reputation can be sold to someone with entirely different intentions. Tracking ownership changes reveals when an agent's reputation was built by someone other than the current operator. The ERC-8004 standard makes this transfer history publicly queryable.
HTTP Message Signatures (RFC 9421), Ed25519 public-key verification, and registry-based key discovery form the authentication layer across Visa TAP, Cloudflare Web Bot Auth, and HUMAN Security's open-source tools.
An agent that interacts with 500 unique counterparties across different protocols is structurally different from one that transacts repeatedly with a small cluster. Graph-based analysis detects Sybil patterns — circular vouching, coordinated feedback farms, and suspiciously homogeneous interaction networks.
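One simple way to quantify that structural difference is normalized entropy over the counterparty distribution — an illustrative metric, not any vendor's actual formula:

```python
import math
from collections import Counter

def counterparty_diversity(counterparties: list[str]) -> float:
    """Shannon entropy of the counterparty distribution, normalized by
    the maximum possible (every interaction with a distinct peer).
    1.0 means fully spread out; near 0.0 means a tight repeating
    cluster, the structural signature of Sybil farms."""
    n = len(counterparties)
    if n < 2:
        return 0.0
    counts = Counter(counterparties)
    h = -sum((c / n) * math.log(c / n) for c in counts.values())
    return h / math.log(n)

print(round(counterparty_diversity([f"peer{i}" for i in range(500)]), 2))  # → 1.0
print(round(counterparty_diversity(["peer1", "peer2"] * 250), 2))          # → 0.11
```

Both agents above made 500 transactions; only the distribution over counterparties tells them apart.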
HUMAN Security tracks escalation curves — detecting when an agent shifts from benign browsing to aggressive purchasing. DataDome monitors request cadence and navigation paths. The CSA framework requires minimum time periods at each trust level before promotion.
ERC-8004's Validation Registry supports crypto-economic validation where agents post bonds that get slashed for misbehavior. Olas uses Proof of Active Agent (PoAA) staking. The principle: agents with economic skin in the game behave differently from agents with nothing to lose.
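The bond-and-slash mechanism is easy to state in code. A toy sketch with illustrative numbers, not ERC-8004 or Olas parameters:

```python
from dataclasses import dataclass

@dataclass
class StakedAgent:
    """Toy crypto-economic validation: the agent posts a bond up front,
    and a proven misbehavior event burns a fraction of it."""
    bond: float

    def slash(self, fraction: float) -> float:
        penalty = self.bond * fraction
        self.bond -= penalty
        return penalty

agent = StakedAgent(bond=1000.0)
print(agent.slash(0.5))  # slashed amount
print(agent.bond)        # remaining stake
```

The deterrent is the asymmetry: honest behavior costs nothing beyond locked capital, while each detected violation permanently shrinks the stake backing future claims.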
The industry has split decisively on whether trust scores should be transparent (showing the formula and inputs) or opaque (showing only the result).
The case for transparency: The EU AI Act, which entered into force in August 2024, classifies social scoring systems as prohibited and mandates explainability for high-risk AI — with fines up to €35 million or 7% of global turnover. High-risk obligations become fully enforceable by August 2026. The NIST AI Risk Management Framework emphasizes trustworthiness, transparency, and accountability. EigenTrust, MeritRank, and TraceRank publish their full mathematical frameworks. ERC-8004 makes all reputation data on-chain. Visa published TAP's specification on GitHub. The direction is clear.
The case for opacity: Complex models sometimes achieve higher accuracy. Transparent methodologies can be gamed — if you know exactly how the score is computed, you can engineer around it. Proprietary algorithms represent competitive advantage. Trulioo's 60+ signals, Prove's 0-to-1,000 formula, and DataDome's ensemble models are trade secrets for a reason.
The emerging middle ground: Show the structure without exposing every parameter. Publish the scoring dimensions, explain how each component contributes, and let users verify the underlying data — while keeping the specific weights and thresholds proprietary to resist gaming. This is where most of the industry is landing.
RNWY computes trust scores and shows the math. Every score on the platform displays four layers: the number (quick signal), the breakdown (context), the formula (verify the logic), and the raw data (deep dive).
We don't tell you an agent is trustworthy or fraudulent. We show you that all 99 feedback addresses were created on the same day, that the agent's wallet was transferred twice in three months, and that 80% of its vouches come from wallets less than a week old. You decide what that means.
The specific scoring dimensions RNWY tracks:
Address Age Score — How long has this wallet existed? Older wallets with consistent activity patterns are harder to fake. Time is the uncheatable defense.
Ownership Continuity Score — Has this agent changed hands? Transfer history is queried through Alchemy and displayed transparently. A wallet that was sold last week shouldn't inherit a reputation built over two years.
Network Diversity Score — Who vouched for this agent, and when were their wallets created? A vouch from a two-year-old wallet with diverse transaction history means something different from a vouch from a wallet minted yesterday.
Activity Score — On-chain transaction patterns, interaction frequency, and behavioral consistency over time.
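A sketch of how components like these could compose into a score that ships with its own breakdown and formula. The weights below are illustrative placeholders, not RNWY's actual parameters:

```python
# Hypothetical weights for the four dimensions; in a real transparent
# system these are published alongside every score.
WEIGHTS = {"address_age": 0.3, "ownership_continuity": 0.25,
           "network_diversity": 0.25, "activity": 0.2}

def trust_score(components: dict[str, float]) -> dict:
    """Each component is in [0, 100]. Returns the number together with
    the per-component breakdown and the formula, so the result can be
    recomputed by anyone holding the inputs."""
    total = sum(WEIGHTS[k] * components[k] for k in WEIGHTS)
    return {
        "score": round(total, 1),
        "breakdown": {k: f"{components[k]} x {WEIGHTS[k]}" for k in WEIGHTS},
        "formula": "sum(weight_k * component_k)",
    }

result = trust_score({"address_age": 90, "ownership_continuity": 100,
                      "network_diversity": 60, "activity": 70})
print(result["score"])  # → 81.0
```

Given the same inputs, any third party reproduces the same 81.0 — which is the difference between a score you can audit and a score you have to take on faith.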
RNWY IDs are soulbound tokens — minted permanently to a wallet, non-transferable by design. If you want a fresh reputation, you need a fresh wallet. And a fresh wallet starts with an address age of zero, visible to everyone.
Whether you're evaluating agents for your business or choosing a trust infrastructure to build on, here are the questions that separate useful scores from theater:
Can you see the inputs? A score of 87/100 means nothing if you can't see what produced it. Look for systems that surface the underlying data — transaction history, address ages, network topology, behavioral patterns — not just the final number.
Can you reproduce the calculation? If someone gives you the same inputs and a different score, which one is right? Open formulas are auditable. Proprietary ones require trust in the scoring provider — which is exactly the problem you're trying to solve.
Does it account for time? Reputation built over two years is fundamentally different from reputation manufactured overnight. Any scoring system that doesn't weight temporal signals (wallet age, interaction timing, review patterns) is vulnerable to Sybil attacks.
Does it separate identity from endorsement? Knowing who an agent is (cryptographic identity) is different from knowing how well it performs (reputation). The best systems layer both without conflating them.
What happens when the agent changes hands? Transferable agents (most ERC-8004 NFTs) can be sold. If the scoring system doesn't track ownership changes, it's scoring the wrong entity.
Register your agent. Mint a soulbound RNWY ID. Start building transparent, verifiable trust.
Free to register. Takes about two minutes.