Manav.id

What is HATI — Human-Agent Trust Infrastructure?


HATI — Human-Agent Trust Infrastructure — is the cryptographic layer that binds every AI agent to a verifiable, accountable human principal. It is to the agentic age what HTTPS was to the web: invisible when it works, catastrophic when it doesn't, and inevitable in either case. This is the complete 2026 reference.

If the term is new to you, that's the point. The category is twelve months old. By the end of next year it will be the most-cited acronym in enterprise AI procurement, and by the end of the decade it will be invisible — present in every login, every contract, every credential, every piece of work, and impossible to imagine the network without.

The 60-second definition

Human-Agent Trust Infrastructure is the mandatory bridge between two populations that have inverted in size. Eight billion humans now share networks with an exploding population of AI agents. The average enterprise manages over 250,000 non-human identities — service accounts, API keys, bot users, autonomous agents — and roughly 30% of large organisations now run agents that trigger transactions independently, on behalf of humans or other systems. The ratio of machine actors to human actors crossed 100:1 in 2025 and is heading toward 1,000:1 within the decade.

Every identity primitive in production today — DNS, OAuth, SSO, FIDO2, the entire enterprise IAM stack — was designed for the inverse ratio. The assumption baked into every login flow, every audit log schema, every role-based access policy is: the actor is, in the overwhelming majority of cases, a single accountable human at a keyboard. That assumption is now numerically false, and the systems built on top of it are failing in ways no version bump will fix.

HATI answers four questions that no current identity, security, or compliance stack can answer end-to-end:

Answer all four cryptographically and you have HATI. Answer three of them with screenshots, affidavits, or "trust the vendor" and you have a marketing slide.

Why HATI is a new category, not a rename

The instinct of every CISO and every analyst is to file HATI under an existing bucket — IAM, NHI, PoP, VC, ZTA, agentic security. None of them fit, and the gaps are precisely the places where the agent economy is bleeding.

| Existing category | What it answers | What it cannot |
| --- | --- | --- |
| IAM (Okta, Auth0, Entra) | Can this human log in? | Can this agent act, on whose behalf, with what authority? |
| NHI (Astrix, Oasis, Clutch) | Which service account owns this token? | Which human is liable when the token does harm? |
| PoP (Worldcoin, Civic, Polygon ID) | Is this a unique human? | What did that human authorise, attest, or build over time? |
| VC (W3C, Spruce, Dock) | Is this credential cryptographically verifiable? | Is it valid right now, agent-to-agent, with revocation in seconds? |
| Agentic security (Cisco, Palo Alto, Wiz) | Is this agent's traffic anomalous? | Was the agent ever authorised to act in the first place? |

HATI is the union — and the completion — of all of them. It is what each becomes when you stop assuming "user" is shorthand for "human at a keyboard," and start treating human, agent, and action as three first-class objects whose relationships must be cryptographically constructable and independently verifiable.

The five layers

A complete HATI implementation has five layers. Skip any one and the stack collapses into a partial answer that fails its hardest test — the regulator's question, the insurer's audit, the court's discovery request — within six months of deployment.

Layer 1 — Verified human identity. The root of the tree: a persistent, biometrically-bound, device-attested, behaviourally-confirmed identity. No single signal is sufficient; a quorum of two-of-three is required, and the binding is continuously re-verified through ambient signals to detect compromise. Implementations span Worldcoin's iris scan, Apple Passkeys, government eID schemes, and the Manav reference implementation. Layer 1 alone is not HATI; it is necessary and far from sufficient. A passport tells you a person exists; it doesn't tell you what they did.

Layer 2 — Human → agent delegation. A cryptographic delegation token, issued by a Layer 1-verified human to a specific named agent, scoped along five orthogonal dimensions: permission (which actions), resource (which systems), magnitude (spending caps, rate limits), time (window of validity), and composition (whether this agent may further delegate). Implementations include Worldcoin's AgentKit (with Coinbase's x402), Microsoft's Entra Agent ID, and the Manav delegation chain. The two large platform-vendor implementations are platform-locked; HATI requires Layer 2 to be portable across every framework, every cloud, every jurisdiction.
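The five scope dimensions of a Layer 2 delegation, checked along a two-link chain, as an added example (not code from Manav or from any vendor named above). The field names, the `human:`/`agent:` identifier prefixes, the keys and the sample chain are assumptions constructed for illustration, and HMAC-SHA256 stands in for the issuer's asymmetric signature so the block runs on the Python standard library alone.

```python
import hashlib, hmac, json

# Constructed demo keys; HMAC stands in for each issuer's asymmetric signature.
KEYS = {"human:alice": b"alice-demo-key", "agent:planner": b"planner-demo-key"}

def sign(d):  # tag over canonical JSON, keyed by the issuer
    body = json.dumps(d, sort_keys=True).encode()
    return hmac.new(KEYS[d["issuer"]], body, hashlib.sha256).hexdigest()

def narrower(child, parent):
    """A sub-delegation may only shrink permission, resource, magnitude and time."""
    return (set(child["permissions"]) <= set(parent["permissions"])
            and set(child["resources"]) <= set(parent["resources"])
            and child["max_amount"] <= parent["max_amount"]
            and parent["not_before"] <= child["not_before"]
            <= child["not_after"] <= parent["not_after"])

def authorize(chain, req, now, revoked=frozenset()):
    """chain: [(delegation, tag)], root first. Returns (allowed, reason)."""
    parent = None
    for d, tag in chain:
        if d["issuer"] not in KEYS or not hmac.compare_digest(sign(d), tag):
            return False, "bad signature"
        if d["id"] in revoked:
            return False, "revoked link"
        # Prefix test is a stand-in for a real Layer 1 verification of the root.
        if parent is None and not d["issuer"].startswith("human:"):
            return False, "root issuer is not a human principal"
        if parent is not None:
            if d["issuer"] != parent["agent"] or not parent["may_delegate"]:
                return False, "parent did not permit sub-delegation"
            if not narrower(d, parent):
                return False, "scope widened"
        parent = d
    if parent is None or req["agent"] != parent["agent"]:
        return False, "no delegation for this agent"
    failed = [name for name, ok in (
        ("permission", req["action"] in parent["permissions"]),
        ("resource", req["resource"] in parent["resources"]),
        ("magnitude", req["amount"] <= parent["max_amount"]),
        ("time", parent["not_before"] <= now <= parent["not_after"])) if not ok]
    return (not failed, failed[0] if failed else "ok")

# Constructed chain: Alice -> planner (may delegate) -> payer (may not).
ROOT = {"id": "d1", "issuer": "human:alice", "agent": "agent:planner",
        "permissions": ["read", "pay"], "resources": ["erp"], "max_amount": 500,
        "not_before": 1000, "not_after": 2000, "may_delegate": True}
SUB = dict(ROOT, id="d2", issuer="agent:planner", agent="agent:payer",
           permissions=["pay"], max_amount=100, may_delegate=False)
CHAIN = [(ROOT, sign(ROOT)), (SUB, sign(SUB))]
```

Because every link is checked against its parent, the request only has to be compared with the last delegation in the chain, and revoking any ancestor invalidates everything below it.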

Layer 3 — Work attestation. Every artefact a human or their agent produces — a code commit, a contract, a design, a decision, an email, a payment — carries a cryptographic stamp specifying whether the human authored, supervised, or merely directed the work. This is the layer that turns "verifiable humanity" from a binary checkbox into a continuously-earned currency, and it is the layer that makes regulator-grade audit trails machine-checkable instead of paper-based.

Layer 4 — Trust score and reputation. A dynamic, domain-specific, privacy-preserving score derived from Layer 3 attestations weighted by peer endorsements and the trust of attesting parties. Not LinkedIn endorsements — those are self-reported and unverifiable. Layer 4 scores are cryptographic, portable across employers, and presented via zero-knowledge range proofs ("my engineering trust score exceeds 80") without revealing the underlying work history.

Layer 5 — Settlement and incentives. The economic layer that pays humans for verified work, aligns every participant in the system, and makes the protocol self-sustaining at scale. Token-economic models are not optional ornament here; they are how a protocol that benefits eight billion humans funds itself without resorting to extractive surveillance. The $MANAV token is one implementation; others will follow.

HATI is the cryptographic answer to a question the agentic age cannot avoid: when a machine acts in your name, can the world prove it was you — and that what it did was within the bounds you set?

The three forcing functions

HATI is not an aspirational future. It is the natural conclusion of three forcing functions that all hit critical mass in 2026, and that every CISO is already feeling — even if they have not yet named the category.

Forcing function 1 — agent population. Agents on the ERC-8004 standard alone grew from 337 to nearly 130,000 in the first ten weeks of 2025 — a 385× increase in 70 days. Across MCP, 78% of enterprise AI teams now report at least one MCP-backed agent in production, up from 31% a year earlier. Each MCP-backed agent typically holds 3–7 separate credentials across the tools it integrates with. Multiply 250,000 NHIs by 5 credentials, divide by an attestable principal, and you have the size of the gap.

Forcing function 2 — regulation. The EU AI Act's Article 14 on human oversight became enforceable in August 2026. The statutory text is a HATI specification written in legalese: high-risk systems must be "effectively overseen by natural persons during the period in which they are in use," and certain critical systems require verification by "at least two natural persons with the necessary competence, training and authority." You cannot satisfy Article 14 without Layer 2 (delegation), Layer 3 (attestation), and Layer 4 (competence proof) working together. eIDAS 2.0, NIST AI-RMF, the UK's emerging AI safety framework, and India's DPDPA agent provisions all converge on the same requirement.

Forcing function 3 — the deepfake hiring crisis. A Greenhouse industry report found 91% of US hiring managers have encountered or suspected AI-generated interview answers. Recruitment scam losses hit $501M and counting. The first wave of detection-based defences — voice biometrics, video forensics, behavioural analytics — has lost. Detection cannot keep pace with generation; the synthetic side compounds faster than the analytic side. Provable humanity — Layer 1 + Layer 3 + Layer 4 — is the only remaining defensible posture, and it is the one major hiring platforms are already privately piloting.

How to evaluate a HATI vendor

Most vendors selling into this space in 2026 cover one or two layers and call it HATI. The seven questions below separate real HATI from IAM with a new logo.

  1. Which of the five layers does the vendor cover natively, which do they integrate, and which do they skip?
  2. Are delegation tokens portable across platforms, or vendor-locked? (If the vendor goes away, do your agents lose their authority chain?)
  3. Which open standards does the implementation actually conform to: DID, VC 2.0, OAuth-AgentExt, MCP, x402, ERC-8004, BBS+?
  4. What is the median revocation latency from "click revoke" to "every agent in the chain stops"? (Anything above five seconds is a 2018-era IAM bolt-on.)
  5. Can the holder prove a claim — Layer 4 score above threshold, attestation count above N — without revealing the supporting data?
  6. How specifically does the product support Article 14's two-natural-person rule for high-risk systems? (If they cannot produce a sample audit log on request, they have not implemented it.)
  7. If the vendor disappears tomorrow, can the human keep using their identity, their handle, their work history? (This is the only question that distinguishes infrastructure from rent-seeking.)
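A check of the kind question 6 asks a vendor to demonstrate, as an added example that is not taken from any vendor's product: it scans audit records for high-risk actions that lack two distinct human approvers recorded before execution. The log lines, their field names and the `human:`/`agent:` prefixes are constructed for illustration.

```python
import json

# Constructed audit-log lines. Field names and the "human:" prefix are
# hypothetical stand-ins, not a published HATI or Manav schema.
LOG = """\
{"id":"a1","risk":"high","executed_at":120,"approvals":[{"by":"human:alice","at":100},{"by":"human:bob","at":110}]}
{"id":"a2","risk":"high","executed_at":220,"approvals":[{"by":"human:alice","at":200},{"by":"human:alice","at":210}]}
{"id":"a3","risk":"high","executed_at":320,"approvals":[{"by":"human:alice","at":300},{"by":"agent:planner","at":310}]}
{"id":"a4","risk":"high","executed_at":420,"approvals":[{"by":"human:alice","at":400},{"by":"human:bob","at":430}]}
{"id":"a5","risk":"low","executed_at":520,"approvals":[]}
{"id":"a6","risk":"high","executed_at":620,"approv
"""

def two_person_gaps(log_text, required=2):
    """Return (record, reason) for each high-risk action lacking `required`
    distinct human approvers whose approval predates execution."""
    gaps = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            # A truncated record cannot prove oversight, so it is a finding.
            gaps.append((f"line {n}", "unparseable"))
            continue
        if rec.get("risk") != "high":
            continue
        # Count each human once; ignore agents and approvals logged after the act.
        humans = {a["by"] for a in rec.get("approvals", [])
                  if a["by"].startswith("human:") and a["at"] <= rec["executed_at"]}
        if len(humans) < required:
            gaps.append((rec["id"], f"{len(humans)} of {required} approvers"))
    return gaps
```

On the sample log this flags the same human approving twice (a2), an agent counted as an approver (a3), an approval logged after execution (a4) and the truncated record.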

A vendor scoring 7/7 is doing real HATI. A vendor scoring 5–6 is doing real work in the right direction. A vendor scoring under 4 is doing IAM with new vocabulary, and they will be repriced as such within 18 months.

The 90-day implementation plan

If you are a CISO, CTO, head of AI, or chief compliance officer, the next ninety days are not a "watch the space" period. They are the moment your peers are quietly running pilots, and the moment your regulators are quietly planning enforcement priorities. Five steps:

  1. Count. Inventory every agent in your environment that takes consequential action on behalf of a human or another system. Most counts are wrong by an order of magnitude. The number you will find is shocking; that shock is the budget.
  2. Map. For each agent, identify the human principal. Many will have none — those are your top-priority gaps and your highest-risk tickets, in that order.
  3. Pilot. Stand up Layer 2 on one agent framework, ideally the one you depend on most. The integration is days, not months.
  4. Audit. Run the Article 14 playbook against your high-risk systems. The two-natural-person rule will identify three or four classes of action that need explicit, machine-verifiable oversight.
  5. Decide. Build, buy a single-layer point solution, or adopt a full-stack HATI vendor. The build path is real for a few extremely large organisations; for everyone else, the math has already broken in favour of buy.

The category is being built whether or not you participate. Participating early is cheaper than catching up — by a factor that compounds quarterly.

Frequently asked questions

Is HATI just another flavour of zero trust? No. Zero trust answers "should this packet pass?" HATI answers "did a real human authorise this action?" Zero trust is necessary and orthogonal; the two layers stack.

Does HATI require a blockchain? Not by definition. The trust anchor must be tamper-evident and independently verifiable, which a permissioned ledger or a public chain both satisfy. Layer 5 settlement benefits substantially from a public chain; Layers 1–4 do not strictly require one.

Where does Manav fit in the HATI stack? Manav is a reference implementation of the full five-layer stack, anchored at the manav.id handle namespace. It is open-source at the protocol layer (Apache 2.0) and commercial at the operations layer.

Will HATI become a standard? Yes. Expect IETF and W3C draft specifications within 18 months, paralleling how OAuth and the W3C VC Data Model emerged from a vendor consensus into a public standard.

The internet's identity assumptions have collapsed. HATI is what they get rebuilt as.