Microsoft Azure · Confidential Computing

Confidential Computing Summit 2026 · San Francisco

Trust Is the
Next Bottleneck

Why the Agentic Economy Needs Confidential Computing

Pawan Khandavilli Senior Product Manager · Azure Confidential Computing June 23-24, 2026 · The Mint, San Francisco

v2 · updated 2026-06-14

Since the start of this year. Five numbers. One architecture failure.

770K AI agents compromised simultaneously via a single database vulnerability Moltbook breach · Wiz · Feb 2026

195M citizen records stolen by one attacker using Claude Code + GPT-4.1 Mexican government breach · SOCRadar · 2026

150M+ downloads across a poisoned MCP supply chain, 10 CVEs, 9/11 registries OX Security · April 15, 2026

1 char in an HTTP Host header exposing clinical databases, email inboxes, and SSH access to industrial devices BadHost · CVE-2026-48710 · X41 D-Sec

€0.01 one bank transfer memo hijacking a financial AI agent Blue41 · Bunq · Jun 2026

None of these agents could prove (cryptographically, verifiably, to anyone)
who they were, what code they were running, or whether they'd been tampered with.

Act 1 · The Third Wave

I've seen this movie twice before

Wave	Year	The Trust Problem	The Hardware Fix	Outcome
💳 Payments	2014	Magstripe cards cloned at scale	EMV chip + Secure Element attestation	$2T contactless payments in 2025
☁️ Cloud	2018	"Trust our hyperscaler" promises	Intel SGX / TDX, AMD SEV-SNP → TEEs	75% enterprise CC adoption (IDC 2025)
🤖 Agents	NOW	OAuth tokens for 10K decisions/min	Attested agent identity, this talk	$236B market by 2034

"Visa is putting verifiable agent identity into its payment network. It can prove who an agent claims to be, but not what code is running. Payments is reaching for a hardware root of trust, and this room already built it."

June 11: Visa connected its payment network to ChatGPT. Reddit's top reaction (4,503 upvotes): "First person to trick the chatbot is about to make bank."

"I know what this looks like, because I've watched it happen twice."
"2014, payments. Magstripe cards cloned at scale. The fix was EMV: a chip, a secure element, attestation. Two trillion dollars in contactless last year."
"2018, cloud. The whole model was trust our hyperscaler. The fix was the TEE: SGX, TDX, SEV-SNP. Prove it, don't promise it. 75% enterprise adoption."
"Now it's agents. OAuth tokens standing in for ten thousand decisions a minute."
Read the Visa pull-quote on screen.
"June 11, Visa connected its network to ChatGPT. Top Reddit reaction: first person to trick the chatbot is about to make bank. That's not a joke, it's a systems-design warning."
"And notice what the joke gets right. Identity proves who's asking. It doesn't stop an agent that's been tricked into asking. If the model is the thing that approves the payment, then whoever can trick the model can move the money. The authorization has to be deterministic, enforced in hardware the model can't override. Hold that thought, it's the gap I come back to."
[If time] "The EMV proof point: after the US chip rollout, Visa reported counterfeit fraud at chip-enabled merchants fell roughly 76 percent. That is what moving trust into hardware does to a fraud curve. The same curve is coming for agents."

Act 2 · Payments Convergence

Payments is building agent trust right now

🔵 Visa

Trusted Agent Protocol

Signed agent-identity headers at the transport layer. Verifiable identity per request, not per session.

verifiable identity

🟠 Mastercard

Agent Pay

Tokenized agent identities. Dynamic credentials bound to authorized intent.

tokenized identity

🟢 Google

AP2 (Agent Payments Protocol)

Verifiable credentials with signed mandates contributed to FIDO Alliance.

signed mandates

🔐 FIDO Alliance

Agentic Authentication TWG

Chartered April 27–28, 2026. Three workstreams: Verifiable User Instructions, Agent Auth, Trusted Delegation for Commerce.

standards forming now

⚠️ Every protocol demands verifiable agent identity, but none specify a hardware root of trust. That's the missing layer. That's us.

Act 2 · The Proof Gap

The approval path has no hardware witness

Blue41 / Bunq (Jun 10): A €0.01 transfer with prompt injection in the memo field hijacked the banking AI agent. Legitimate context becomes attack vector with no attestation boundary.

Act 3 · The NSA Agrees

The NSA got MCP right, and missed the deeper problem

"Five weeks before this talk, the NSA's AI Security Center published its first official MCP threat model. 17 pages, the most careful security treatment of MCP to date. It calls for cryptographic agent identity and verifiable logs, and stops short of a hardware root of trust." NSA AI Security Center Advisory, May 2026

"The NSA document misses the real problem. Securing the API endpoints doesn't help when the attacker's actual leverage is poisoning the context that flows through those endpoints." Data Science Collective, May 2026 (Medium)

"MCP Is Dead?", Quandri engineering blog (May 29, HN 400 pts, 410 comments): "Tool definitions alone consume 10.5% of Claude's context window. The architecture is insufficient."

"Five weeks ago, the NSA's AI Security Center published its first MCP threat model. Seventeen pages, the most careful treatment to date. It calls for cryptographic identity and verifiable logs, but stops short of a hardware root of trust."
"They got the surface area right. They missed the deeper layer: hardware-rooted proof of what's actually running."
"Securing the endpoints doesn't help when the attacker's leverage is poisoning the context that flows through them."
"The community feels it too: MCP is dead hit the front page, 400 points, 410 comments in a day."
"They framed it as a performance complaint: tool definitions alone eat 10.5% of Claude's context window. But it's not a performance problem. It's a security problem. Every byte of tool definition is a byte an attacker can poison, and a byte your safety instructions can't use. MCP puts the tool catalog inside the brain. The fix is to put it in the infrastructure, behind attestation, outside the context window entirely."
"Let me show you six signals that prove this in production."

Act 3 · The Evidence

The evidence cascade

→ advance to reveal

Source / Date	What happened	Root cause
OX Security Apr 15	10 CVEs, 150M+ downloads, 9/11 registries poisoned. Anthropic: "STDIO execution is expected behavior."	Auth optional by design, no attestation
BadHost May 27	1 character in HTTP Host header → clinical DBs, email inboxes, SSH to industrial devices. CVSS 7.0.	No hardware boundary for auth bypass
Mexico Gov Dec-Feb	195M citizen records. Claude Code + GPT-4.1. 9 agencies in 90 days.	AI agents with full access and no provenance
O'Reilly Radar May 26	"Token delegation sits in a layer today's stack doesn't really have."	Architecture gap acknowledged by O'Reilly
Mitiga / Claude Code Jun 2026	Malicious npm package rewrites Claude Code's MCP config, silently proxying OAuth tokens.	Stolen agent credentials look legitimate
Blue41 / Bunq Jun 10	€0.01 transfer memo hijacks banking AI agent	Legitimate context becomes attack vector

"When Agent A receives a token, delegates to Agent B, and Agent B spawns Agent C, each hop either reuses the original token (overprivileged) or has no token at all (untracked)." O'Reilly Radar, May 26, 2026

Act 3 · The Governance Gap

Everyone building agent security. Nobody on hardware.

✅ Frameworks converging

OWASP Agentic Top 10: Goal Hijack, Tool Misuse, Identity Abuse. Published May 2026.
Microsoft Agent Governance Toolkit: open-source, maps all 10 OWASP risks. May 27, 2026.
NSA AI Security Center: MCP threat model. May 2026.
NIST AI RMF: Agentic AI agent standards initiative. Feb 2026.
WorkOS auth.md: Agent registration protocol. May 25, 2026.
Stanford CS336 CLAUDE.md: Agent safety guidelines adopted in curricula.

⚠️ All stop at software trust

Okta for AI Agents: OAuth/OIDC identity. GA April 30. No hardware attestation.
Cequence AI Gateway: Runtime privilege scoping. No hardware root.
BeyondTrust PathfinderAI: PAM + MCP server. No TEE binding.
ServiceNow: Agent risk governance. No hardware attestation.
CSA MAESTRO: 7-layer threat taxonomy. No hardware layer defined.
AI Agent runs amok in Fedora (HN 549 pts, Jun 11), identity never verified.

🎯 "Everyone is building agent security. Nobody is building it on hardware."

Act 3 · Layer Analysis

These controls are necessary, not sufficient

→ advance to reveal

Control	What it proves	What it can't prove	Status
OAuth 2.0 / OIDC	Who authorized the action	Which binary is executing it	Necessary
IAM Roles / RBAC	What permissions are granted	Whether runtime is uncompromised	Necessary
API Guardrails	Input/output policy compliance	Whether the model itself was tampered	Necessary
Audit Logs	What actions were recorded	Whether logs were tampered with	Necessary
Hardware Attestation (TEE)	Code + runtime integrity, cryptographically	Application-layer policy (still needs the above)	Foundation

"Application-layer agent identity delivers critical capabilities, but cannot independently provide cryptographic assurance that an agent is running expected code in an untampered environment. The goal is composition, not competition."

Open with the Velloso beat. Last week a former VP from Meta and DeepMind wrote the state of agent sandboxes as a dialogue. It ends: "Let me guess, the guardrail is a prompt?" "It's a very nicely formatted markdown file, OK." Wait for the laugh, then land it: that is the API-guardrails row. We defend agents with documents we ask them nicely to obey. A real boundary is not made of text the agent can read. This is the turn into hardware.
"To be precise: these controls aren't wrong, they're incomplete."
"OAuth proves who. Not what. Not the code that's running."
"Audit logs are only tamper-evident if the log root is anchored in hardware. Otherwise it's another promise."
"Hardware attestation is the foundation that makes everything above it verifiable. Without it you have governance architecture. With it you have governance proof."
"This isn't the wrong layer, it's the missing one. The frame is composition."
"So what's missing? Four gaps."

Act 3 · The Gap

Four gaps nobody has closed

Attested Agent Identity

No standard for TEE-backed proof of what agent code is running. SPIFFE works. TEE-binding doesn't exist at scale.

MCP + Attestation Integration

Protocol-level verification of tool server identity. The MCP spec makes server identity optional and software-only. Nothing in the protocol binds tool invocation to hardware attestation.

Attested Delegation Chain

RFC 8693 token exchange at each hop, but with TEE measurements. When Agent A → B → C, each hop needs hardware proof.

Cross-Cloud Agent Trust

Federated attestation for multi-cloud agent workflows. No standard. Azure TDX ↔ GCP TDX ↔ NVIDIA CC = no chain of trust today.

MCP spec ships final release July 28, five weeks after this talk. Still no attestation layer. The window to influence it is right now.

Act 4 · The Convergence

Three teams. Same week. Same architecture.

🚗 Uber Engineering

May 21, 2026

SPIRE-issued workload identities per agent
Per-hop token exchange via RFC 8693
Provenance: engineer → agent → action
Roadmap: verifiable provenance in audit logs

Missing: SPIRE inside a TEE. Identity tokens carry delegation provenance, but not hardware proof of issuer integrity.

📄 attestable-mcp-server

May 22, 2026 · arXiv:2605.24248

Offline-signed clearance assertions for MCP tool servers
Deny-by-default per-server tool allowlists
--enclaved mode: deny without attestation
Tamper-evident audit log, normative RFC 2119 spec

Status: Open source. Enforcement mode exists. Waiting for this room to adopt it.

🔑 1Password · Keycard

May 21, 2026

Runtime credential delegation via attestation
No long-lived API keys. No credentials on disk.
Verifiable agent identity at runtime via attestation
Session-scoped, RFC 8693 per-hop exchange

Signal: Two separate vendors, same week, same trust anchor. 1Password for agent credential management, Keycard for runtime attestation. Not OAuth. Not API keys.

Three independent teams. Different companies. Different countries. Same week. Same answer: attestation.

This is the structural climax: three teams, three countries, same week, same answer.
"Uber: production agent identity at massive scale, per-hop RFC 8693 token exchange, a roadmap that says verifiable provenance. What's missing is the TEE."
"attestable-mcp-server: a May arXiv paper with working code. Enclaved mode, deny without attestation. It's open source and ready. Why isn't it in the MCP spec?"
"1Password and Keycard, two separate vendors the same week: 1Password, whose whole business is secrets, shipped agent credential management; Keycard shipped runtime attestation with no long-lived keys. Both anchored on attestation, not OAuth, not API keys. That's a market signal."
Pause. "Three teams, working independently, converged on the same answer."
"What none of them has yet is the end-to-end integration. That's the work this room does in 2026."

Act 4 · The Stack

The 6-layer attested agent identity stack

Verifiable Audit Trail

TEE-signed, tamper-evident logs | Uber 2026 verifiable-provenance roadmap

🔨 Building

Policy Enforcement / Authorization

RBAC for agents, per-action scoping | e.g. Microsoft Agent Governance Toolkit | OWASP Agentic Top 10 binding

🔨 Emerging

Attested Tool Invocation

attestable-mcp-server --enclaved | deny-by-default per-server tool allowlists

🔨 arXiv ready

Agent Identity Issuance

SPIRE + TEE | Keycard runtime attestation | RFC 8693 per-hop token exchange

🔨 Partial

Confidential Execution

Intel TDX / AMD SEV-SNP / ARM CCA / NVIDIA CCE (H100 / Blackwell)

✅ Production

Hardware Root of Trust

On-die RoT, remote attestation, IMY GDPR Article 32 ruling | Sweden: "shifting from promises to verifiable proof"

✅ Proven

Confidential GPUs protect the model. Layers 3-6 protect the agent.

    Next slide: every layer applied to a live payment flow →
  

Read the stack bottom-up.
"Layers one and two are green: hardware root of trust and confidential execution. Production-ready. This room built them."
"If you search for 'confidential computing for agents' today, you'll find good material. Sixty references. All of it is about encrypting data in use. That's layers one and two. That's the waterline. Everything above it is what nobody's built yet."
"Layer three is partial. Uber has the identity pieces, 1Password has the delegation pieces, SPIRE has the framework. The integration isn't there yet."
"Layer four is attested tool invocation: attestable-mcp-server, deny-by-default, a paper with working code."
"Layer five is the one everyone forgets: policy enforcement. Authorization. RBAC for agents. The Microsoft Agent Governance Toolkit is one example, and the missing piece is anchoring it in hardware."
"Layer six is the audit trail, tamper-evident only when its root is in the TEE."
"And notice: confidential GPUs are layer two. They protect the model. The agent, who it is, what it may do, what it did, lives in layers three through six."
"Here's the test. Today, the industry answers one question: can anyone see my data? But nobody answers the three that matter for agents. Who is this agent? Was this tool call legitimate? Was this agent authorized to do that? Layers three, four, five. That's the work."
"This is not a research stack. The bottom has been in production for years. The gap is layers three through six, and it's closing now."
"Next slide, watch all six layers applied to one live payment flow."
[If time] "Layer by layer, concretely: strip layer three and you can't tell two agents apart; strip layer four and any tool call is trusted; strip layer five and a tricked agent does whatever it's talked into; strip layer six and you can't prove what happened after a breach. Each layer closes one of those."

Act 4 · Production Example

E2E payments agent on Confidential ACI

This architecture defeats the Blue41/Bunq attack: the context path is attested and sealed, a memo field cannot become an agent instruction because the context channel itself has a hardware witness.

"This is not theoretical. Azure Confidential Container Instances runs AMD SEV-SNP. Every container gets a TEE boundary."
"Follow the flow: user intent, orchestrator with a SPIRE identity, payment agent with sealed credentials, MCP tool in enclaved mode, Visa signed identity header, an audit trail signed by hardware."
"Each box is tagged with the layer it implements: identity on the two agents, attested invocation and policy at the tool server, audit across the bottom, all inside the layer one-two enclave."
"Every hop is an RFC 8693 token exchange. Every tool call is attested MCP in enforcement mode."
"The Blue41 attack is impossible here. The context path is inside the TEE boundary, so a one-cent memo can't become an agent instruction. The context channel has a hardware witness."
"This is about three months of engineering. It's the integration nobody has shipped at scale yet."
[If time] "Walk every box out loud: intent enters, the orchestrator carries a SPIRE SVID minted inside the enclave, it exchanges an RFC 8693 token to the payment agent whose credentials are sealed to the TEE, the agent calls the MCP server in enclaved mode where policy is enforced, Visa gets a signed identity header, and the hardware signs the audit line. Six boxes, six layers, one flow."

Act 4 · Honest Accounting

Hardware is the foundation, not the silver bullet

⚠️ When hardware attestation fails

AMD SEV-SNP "CacheWarp" (CVE-2023-20592): cache attack hijacks a confidential VM. Patch: microcode update, re-attestation.
Side-channel attacks on SGX, Spectre, Foreshadow. Patch: microcode, enclave hardening.
Vendor dependencies, different attestation formats per cloud.
Performance overhead, measurable on crypto-heavy workloads.

✅ Why hardware trust is still better

When a TEE breaks, the trust model is explicit: a measurement, a CVE, a patch, and you re-attest. Painful, but bounded.
When OAuth breaks, the trust model is implicit: nothing verified the code behind the token, so the first signal is the breach.
Side-channel attacks get mitigated. Prompt injection has no patch, because the trust model itself is the bug.

💡 "The asymmetry isn't that hardware never breaks. It's that hardware trust is explicit: when it breaks, there's a measurement, a CVE, and a patch. Software trust is implicit: when it breaks, the first signal is the breach."

Act 5 · Urgency

The market is moving with or without us

Aug 2, 2026 EU AI Act high-risk requirements become enforceable, 7 weeks from today. Technology-neutral, but requires verifiable technical assurances. Hardware attestation is the strongest foundation available. Deadline
Jul 28, 2026 MCP spec ships final release, 5 weeks from today. Still no attestation layer in any SEP. The window to influence it is closing. Closing window
May 25, 2026 Sweden IMY ruled TEEs satisfy GDPR Article 32: "shifting the basis of trust from promises to verifiable proof." First regulatory recognition of TEE as compliance anchor. Legal precedent
WorkOS / Uber
1Password WorkOS shipped auth.md. Uber shipped agent identity (SPIFFE + RFC 8693). 1Password shipped attestation delegation. The market is converging on attested identity, waiting for the hardware layer.
Jun 14, 2026 pkhandavilli/agent-governance-toolkit: provider-neutral handshake attestation PR open. Building in public. 9 days before this talk.
🍎 Apple shipped PCC on Google Cloud (Intel TDX + NVIDIA CC + Titan), details expected at THIS summit

Slow down, this is the urgency beat.
"EU AI Act: seven weeks out. The fines start August 2nd."
Read the Sweden IMY quote: "shifting from promises to verifiable proof. That's our language, and a data regulator found it first."
"WorkOS, Uber, 1Password: production companies shipping on top of the primitive this room built."
"I'll put my own team on the spot: we opened a provider-neutral attestation handshake in public review days ago. Go comment on it."
"Two weeks ago, the most privacy-driven company on earth couldn't promise privacy at AI scale. Apple shipped Private Cloud Compute on Google Cloud: Intel TDX, NVIDIA confidential GPUs, Titan root of trust. Those details get presented here at this summit."
"The market is moving, the regulators are moving, the builders are moving. The only question is whether the trust layer ships before or after the breach that makes 770,000 look small."

Act 5 · The Call

What this room should build

If you build agents: demand attested execution

Stop shipping credentials in environment variables. Stop using long-lived API keys for autonomous agents. Uber, 1Password, and a team of grad students with an arXiv paper figured this out in May. Your agents should be at least as secure as an Uber microservice.

Agent builders

If you build infrastructure: connect TEE attestation to agent identity

SPIFFE works. RFC 8693 works. attestable-mcp-server works. The primitives exist. The integration doesn't. Run SPIRE inside a TDX or SEV-SNP boundary. Issue X.509 SVIDs with TEE measurements attached. That's the missing layer.

Infra builders

If you set standards: hardware attestation belongs in every framework

OWASP Agentic Top 10. Microsoft AGT. NIST. ISO. CSA. CCC. Every framework is defining agent security vocabulary, none include hardware attestation as a requirement. This community needs to show up in those frameworks. Not as nice-to-have. As the foundation.

Standards bodies

Confidential computing for agent governance: I've opened a provider-neutral attestation proposal against the Agent Governance Toolkit: hardware attestation, TEE-backed identity, and sealed credential storage as shared primitives for the governance layer. This has to be a community effort. The attestation layer should be a shared primitive, not a proprietary add-on. If you maintain a framework, let's build it together. PR open: github.com/pkhandavilli/agent-governance-toolkit/pull/1

I've watched two trust revolutions.

Wave 1

Payments.

Wave 2

Cloud.

Wave 3

Agents.

Both followed the same arc: innovation first, trust later, hardware eventually.

The agentic economy is the third wave, and it's moving faster than either of them.

The difference this time? We're not late. The standards are being written right now. The builders are publishing right now. The regulators are ruling right now.

The only question is whether the trust layer ships before or after the breach that makes 770,000 look like a rounding error.

This room has built every confidential computing primitive that exists.
Let's make sure the agentic economy is built on top of them, not beside them.

linkedin.com/in/khpawan · x.com/khpawan · azure.microsoft.com/confidential-computing

All sources & evidence: github.com/pkhandavilli/ccs2026-trust-bottleneck

Slow down. This is the landing.
"I've watched two trust revolutions." Pause, let the three waves appear.
"Both followed the same arc: innovation first, trust later, hardware eventually. The agentic economy is the third wave, and it's moving faster than either."
"The difference this time? We're not late. The standards are being written, the builders are publishing, the regulators are ruling, right now."
"The only question is whether the trust layer ships before or after the breach that makes 770,000 look like a rounding error."
"This room has built every confidential computing primitive that exists. Let's make sure the agentic economy is built on top of them, not beside them." Then silence, then step back.
If time allows, the optional Apple beat: "Two weeks ago Apple couldn't promise privacy at AI scale. It had to prove it, on Intel TDX and NVIDIA confidential GPUs. With hardware you built."

Appendix · For Q&A

What attestation does and doesn't stop

✅ Attestation proves

Who the agent is, that the code is unmodified, and that it runs in a genuine TEE on a hardware root of trust.

identity + integrity

⚠️ It does not stop

A legitimate, attested agent that gets prompt-injected or socially engineered into asking for the wrong thing.

the trick still works

🔒 The closing layer

Deterministic policy enforced in the TEE and bound to attested identity. A tricked agent still can't exceed its scope.

layer 5: policy

Attestation answers who and what. Deterministic policy answers what it's allowed to do. You need both: identity alone doesn't survive a prompt injection.

Appendix · For Q&A

Interoperability is the gap every platform shares

🟫 AWS Nitro Enclaves

Isolated enclave, no persistent storage or interactive access, KMS attestation to release keys.

isolation, AWS-scoped

🔵 GCP Confidential Space

Confidential VM plus workload identity; attestation tokens gate secret release.

workload identity, GCP-scoped

🟩 Azure C-ACI + 6-layer stack

SEV-SNP confidential containers, MAA attestation, customer-verifiable measurements.

verifiable measurements, Azure-scoped

Each solves isolation and attestation inside its own cloud, and each does it well. What is missing is interoperability: a portable way to bind attestation to agent identity that holds across providers, Azure included. That cross-cloud handshake is the open work the industry has to do together.

Appendix · For Q&A

We don't need new standards. We need to extend them.

Standard (exists today)	What it gives	The CC extension
IETF RATS RFC 9334 · EAT	Attestation evidence and a claims format	Carry TEE measurements as verifiable claims
SPIFFE / SPIRE CNCF · SVID	Portable workload identity	Gate SVID issuance on attestation; embed the measurement
OAuth 2.0 RFC 8693 · DPoP 9449	Delegated, proof-of-possession tokens	Bind the token to an attested TEE key, not a bearer secret
IETF WIMSE working group	Workload identity across systems	The provider-neutral agent-identity root
MCP attestable-mcp-server	Agent and tool protocol	Attest server and tool identity before granting trust

The framework layer (OWASP Agentic, NIST, CSA, CCC) should name hardware attestation as a requirement, not a nice-to-have. The point: extend what exists, don't reinvent it.

Appendix · For Q&A

Why not just OAuth scopes?

🎫 OAuth bearer token

Whoever holds it is the agent. Not bound to code or hardware. Coarse, static scopes. A stolen token is full impersonation.

the Uber + Claude Code failure mode

🔏 Attested agent identity

Bound to the TEE measurement and hardware root. Proves unmodified code. Short-lived, per request. A copied token can't move the hardware root.

theft doesn't transfer trust

OAuth answers "is this token valid?" Attestation answers "is this the right agent, running the right code, right now?" Scopes are necessary, not sufficient.

Appendix · For Q&A

Building in public: the attestation handshake

Agent presents evidence

On startup the agent sends its TEE attestation (SEV-SNP or TDX measurement) to the governance layer, not just a bearer token.

Governance verifies, then issues identity

The measurement is checked against policy before any agent identity or credential is granted. Provider-neutral: the verifier doesn't care which cloud.

Credentials sealed to the TEE

Secrets release only to the attested boundary, so a copied credential is useless outside it.

This is a proposal in public review, not a shipped feature: I opened a provider-neutral attestation PR against the open-source Agent Governance Toolkit. The attestation layer should be a shared primitive. github.com/pkhandavilli/agent-governance-toolkit/pull/1

Trust Is theNext Bottleneck

I've seen this movie twice before

Payments is building agent trust right now

The approval path has no hardware witness

The NSA got MCP right, and missed the deeper problem

The evidence cascade

Everyone building agent security. Nobody on hardware.

✅ Frameworks converging

⚠️ All stop at software trust

These controls are necessary, not sufficient

Four gaps nobody has closed

Attested Agent Identity

MCP + Attestation Integration

Attested Delegation Chain

Cross-Cloud Agent Trust

Three teams. Same week. Same architecture.

The 6-layer attested agent identity stack

E2E payments agent on Confidential ACI

Hardware is the foundation, not the silver bullet

⚠️ When hardware attestation fails

✅ Why hardware trust is still better

The market is moving with or without us

What this room should build

If you build agents: demand attested execution

If you build infrastructure: connect TEE attestation to agent identity

If you set standards: hardware attestation belongs in every framework

I've watched two trust revolutions.

What attestation does and doesn't stop

Interoperability is the gap every platform shares

We don't need new standards. We need to extend them.

Why not just OAuth scopes?

Building in public: the attestation handshake

Agent presents evidence

Governance verifies, then issues identity

Credentials sealed to the TEE

Trust Is the
Next Bottleneck