Manav.id

The seven layers of human-agent trust

Every AI agent in your company runs through seven trust failures a day. The OSI model gave us a way to talk about networks. This is the equivalent for human-agent trust.

Why a seven-layer model

HATI's five-layer description (identity, delegation, attestation, score, settlement) is the buyer's view. The architect's view splits two of those into halves. Layer 1 splits into device and person. Layer 2 splits into token issuance and policy enforcement. The result is a seven-layer reference that maps cleanly onto how attacks happen and where controls belong.

Layer 1 — Device attestation

The hardware-rooted claim that a specific device is genuine, unmodified, and the one the user owns. Apple Secure Enclave, Android StrongBox, TPM 2.0 on PCs. Without this layer, every higher layer is signing in invisible ink.

Layer 2 — Person verification

Biometric and behavioral binding to a human. Face ID, voice match, typing-cadence model. Layer 1 + Layer 2 together produce "this human, on this device, right now."

Layer 3 — Identity issuance

The persistent DID (decentralized identifier) and credential graph that survives device changes and employer changes. This is where Manav's self-sovereign architecture lives. World ID, government eID, and HATI Layer 1 all play here.

Layer 4 — Delegation token issuance

The act of producing a scoped, time-bound, signed authority for an agent. Token TTL, scope strings, magnitude caps, audience restrictions. This is OAuth's spiritual successor and the layer where most enterprise breaches will be prevented.

Layer 5 — Policy enforcement

Where the relying party (MCP server, tool, API) verifies the token and decides whether to act. Local enforcement is mandatory; phoning home for every call is too slow. This layer is where 78% of MCP-adopting enterprises currently have the largest gap.
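Layer 4 issuance and Layer 5 local enforcement, as an added example that is not Manav's or HATI's own code. The claim names, the token format and the `issue`/`enforce` functions are assumptions made for illustration, and HMAC-SHA256 stands in for the issuer's signature so the block runs on the standard library.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. HMAC-SHA256 is a stand-in (an assumption, not HATI's
# scheme); an asymmetric signature would let verifiers hold only a public key.
ISSUER_KEY = b"constructed-demo-key"

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue(human, agent, audience, scopes, max_amount, ttl_s, now=None):
    """Layer 4: mint a scoped, time-bound, audience-restricted token."""
    now = int(time.time() if now is None else now)
    claims = {"sub": human, "agent": agent, "aud": audience,
              "scopes": sorted(scopes), "max_amount": max_amount,
              "iat": now, "exp": now + ttl_s}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def enforce(token, my_audience, scope, amount, now=None):
    """Layer 5: local per-call check, no network call. Returns (allowed, reason)."""
    now = int(time.time() if now is None else now)
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    claims = json.loads(body)
    if claims["aud"] != my_audience:      # token presented to the wrong relying party
        return False, "wrong_audience"
    if now >= claims["exp"]:              # TTL elapsed
        return False, "expired"
    if scope not in claims["scopes"]:     # action outside the delegated scope
        return False, "scope_not_granted"
    if amount > claims["max_amount"]:     # magnitude cap exceeded
        return False, "over_magnitude_cap"
    return True, "ok"

if __name__ == "__main__":
    # Constructed identifiers and values, for illustration only.
    tok = issue("did:example:alice", "agent-7", "mcp://payments", ["invoice:pay"], 500, 300)
    print(enforce(tok, "mcp://payments", "invoice:pay", 120))
    print(enforce(tok, "mcp://hr", "invoice:pay", 120))  # rejected at another audience
```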

Layer 6 — Work attestation

The cryptographic stamp on every output indicating whether a human authored, supervised, or merely directed the work. Code commits, design files, decisions, contracts. Layer 6 is what turns "verifiable humanity" into a portable, auditable record.

Layer 7 — Reputation aggregation

The trust score derived from attested work history and peer endorsements, used by relying parties to size delegation limits, by marketplaces to price talent, and by insurers to underwrite risk. This is Layer 4 in the buyer's HATI view.

How attacks map to layers

| Attack | Layers it exploits | Defense |
|---|---|---|
| Stolen agent token | 4 (no audience restriction) / 5 (no enforcement) | Tighten audience, add per-call enforcement |
| Deepfake interview | 2 (weak liveness) | Hardware-attested liveness |
| Permission accretion | 4 (broad scope) / 7 (no review) | Narrow scopes, periodic trust score review |
| Resume fabrication | 6 (no attested work) | Layer 6 stamps on prior work |
| Sybil airdrop farming | 3 (weak Layer-1 anchor) | Federated Layer 1 + Layer 7 weighting |

Where current vendors stop

The vendor map (B-side of our vendor landscape essay) shows most products cover one or two layers convincingly and the rest as marketing slides. Okta covers 1, 2, 3 for humans only. Worldcoin covers 1, 2, 3 for proof-of-personhood without delegation depth. Astrix covers parts of 4 and 5 for non-human identities. SpruceID covers 6 with strong VC primitives but no Layer 7 reputation engine.

The completeness gap is what HATI fills — not by reinventing each layer, but by composing them into a single audit trail that produces a coherent answer to the regulator's question: who, what, when, with what authority.

How to use this model

For architects: when evaluating a vendor or designing a control, name the layer. The conversation gets sharper instantly. "Their Layer 4 is strong; Layer 5 enforcement is hosted-only" is a very different problem than "their auth is weird."

For CISOs: the layer map is the basis of your control catalog. Map each existing control to a layer; the empty layers are your gaps.

For regulators: Article 14 demands a trail across Layers 2–6. The layer model gives you a vocabulary to ask vendors precisely which layers their audit log covers.

Common objections

Two objections come up across every conversation. Will the platform vendors ship this themselves? Some will, inside their boundary; none can ship the cross-platform shape, by their own architectural choice. Is the category too narrow to matter? It's the layer beneath every agent action — narrow looks broad once the wire bends.

Frequently asked questions

Why does this category not already exist? Because the failure mode it addresses is recent. The pre-agent enterprise could pretend the service account was the human; the agentic enterprise cannot. The category becomes named when the failure becomes regulator-visible, which is now.

Where does this end up in the standards stack? As a layer above OAuth and below the application. OAuth carried scoped delegation between services; this layer carries scoped delegation from a verified human to an agent. The IETF and W3C working groups are converging on the shape; the protocol that ships first sets the verbs.

What does adoption look like in practice? Quietly. The integrations are middleware, not platforms. Each vertical sees its specific compliance pain solved — healthcare gets Article 14, finance gets SOC 2 evidence, hiring gets continuous identity — and treats the underlying primitive as plumbing once it ships.

Where to start

Read "What is HATI" next for the deeper architecture. Then "HATI vendor map" for the closest practical anchor. The mental model that holds those two together holds the rest of the site as well.

OSI gave us a vocabulary for networks. Seven layers gives us a vocabulary for trust.