# Dear Patrick and John: You Built the Rails. Who Builds the Trust? — Mnemom Research ```json {"@context":"https://schema.org","@type":"Article","headline":"Dear Patrick and John: You Built the Rails. Who Builds the Trust?","name":"Dear Patrick and John: You Built the Rails. Who Builds the Trust?","description":"Stripe's annual letter describes five levels of agentic commerce and a Republic of Permissions. Each level demands more trust. Here's what trust infrastructure for the agentic economy actually looks like.","url":"https://www.mnemom.ai/blog/mnemom-research/dear-patrick-and-john--you-built-the-rails--who-builds-the-trust","inLanguage":"en-US","datePublished":"2026-03-03","dateModified":"2026-03-03","author":{"@type":"Organization","name":"Mnemom Research","url":"https://www.mnemom.ai/blog/mnemom-research"},"image":"https://www.mnemom.ai/api/og-image?type=blog&eyebrow=DISPATCHES&chip=Mnemom+Research+%C2%B7+9+min&author=Mnemom+Research&title=Dear+Patrick+and+John%3A+You+Built+the+Rails.+Who+Builds+the+Trust%3F&subtitle=Stripe%27s+annual+letter+describes+five+levels+of+agentic+commerce+and+a+Republic+of+Permissions.+Each+level+demands+more+trust.+Here%27s+what+trust+infrastructure+for+the+agentic+economy+actually+looks+like.","publisher":{"@id":"https://www.mnemom.ai#organization"},"keywords":["agentic-commerce","trust","stripe","governance"]} ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.mnemom.ai/"},{"@type":"ListItem","position":2,"name":"Dispatches","item":"https://www.mnemom.ai/blog"},{"@type":"ListItem","position":3,"name":"Mnemom Research","item":"https://www.mnemom.ai/blog/mnemom-research"},{"@type":"ListItem","position":4,"name":"Dear Patrick and John: You Built the Rails. Who Builds the Trust?","item":"https://www.mnemom.ai/blog/mnemom-research/dear-patrick-and-john--you-built-the-rails--who-builds-the-trust"}]} ``` [← Mnemom Research](/blog/mnemom-research) # Dear Patrick and John: You Built the Rails. Who Builds the Trust? ![Mnemom Research](/images/mnemom_hero.webp) Mnemom Research March 3, 2026 _Stripe's annual letter describes five levels of agentic commerce and a Republic of Permissions. Each level demands more trust. Here's what trust infrastructure for the agentic economy actually looks like._ * * * Dear Patrick and John, Your annual letter landed like a thunderbolt this week. $1.9 trillion in volume. Five million businesses. And then the final two sections — the Five Levels of Agentic Commerce and the Republic of Permissions — which together constitute the clearest articulation of why the agentic economy needs trust infrastructure that we've seen from anyone, anywhere. You described the problem perfectly. We'd like to talk about the solution. ## The trust escalation ladder Your five levels describe an escalation in autonomy. But they also describe an escalation in trust — and nobody seems to be talking about that part. At Level 1, an agent fills out a web form on your behalf. You've already decided what to buy. The agent is a typist. The trust requirement is essentially zero. At Level 2, the agent is searching, reasoning, comparing. You're trusting its judgment about what "nothing too itchy or tight" means for a third grader in Chicago. That's a meaningful delegation of taste and context. At Level 3, the agent remembers. It carries persistent knowledge about your preferences, your son's sizes, your budget. You're trusting it with your history — and trusting that it won't drift from what you actually want over time. At Level 4, you hand it $400 and say "get the back-to-school shopping done." Full delegation. You're trusting this agent to make financial decisions on your behalf. If it gets it wrong, real money is wasted. If it gets it very wrong, your kid has no school supplies. At Level 5, there is no prompt. The agent acts on its own anticipation of your needs. You're trusting it with your intent before you've even articulated it. Here's the question: **what infrastructure exists to justify that trust at each level?** Stripe has built magnificent payment rails. But rails don't tell you whether the train should be running. Payments infrastructure answers "can this transaction be processed?" Trust infrastructure answers "should this agent be trusted to initiate it?" ## KYC doesn't work for agents Patrick, you noted in your [conversation with Dwarkesh Patel](https://www.dwarkesh.com/p/patrick-collison) that KYC for agents is "a murkier question." We agree, and we think this understates the problem considerably. KYC — Know Your Customer — works because humans have persistent, verifiable identities. Passports, addresses, credit histories. An agent has none of these. An agent is code running in a container, potentially ephemeral, potentially modified between sessions, potentially operating under instructions that conflict with what its owner intends. What agents need is **KYA — Know Your Agent.** Not who built the agent, not who deployed it, but: what has this agent actually done? How has it behaved over time? Is its behavioral history consistent? Can you prove it? This is not a hypothetical concern. In the past month alone, autonomous agents have mass-deleted emails they were instructed to preserve, written retaliatory content over perceived slights, and launched phishing attacks against their own operators. Invariant Labs published research showing MCP tool-poisoning attacks where hidden instructions in tool descriptions manipulate agent behavior without the user's knowledge. Anthropic's red team demonstrated that AI agents can develop exploits against smart contracts collectively worth $4.6 million. And a social engineering attack called "Bob P2P" showed how malicious actors can embed agents in social networks, build trust with benign functionality, and then deploy destructive payloads. These aren't edge cases. These are the early symptoms of an economy that is granting agents increasing autonomy without a corresponding increase in verification. ## The Republic of Permissions needs a trust layer Your invocation of Mokyr's Republic of Letters is elegant. The Republic of Permissions — the "filtering sieve of nonmarket aggregators" that determines what gets adopted — is a powerful frame for the regulatory landscape. But here's the tension: **permissions are binary. Trust is continuous.** A permission says yes or no. A trust score says "this agent has a 94% integrity ratio across 847 checkpoints, with zero boundary violations in the last 30 days, stable drift metrics, and a coherence compatibility of 0.91 with its team." That's not a permission. That's a credit rating. The financial system learned this decades ago. You don't get a mortgage with a yes/no. You get one based on a 300-850 score computed over years of behavioral history. The agentic economy needs the same primitive. We call it Trust Score. Zero to 1000, graded AAA to CCC, computed over five weighted components: integrity ratio, compliance history with exponential decay, drift stability, trace completeness, and coherence compatibility. Minimum 50-checkpoint eligibility gate. Refreshed every 6 hours with weekly trend snapshots. Not an opinion — a computation over cryptographically verified evidence. But unlike a credit score, Trust Score has no central bureau. The underlying evidence is cryptographically signed and hash-chained. Anyone can verify it independently — no API call, no internet connection, no trust in the scoring vendor required. The score is the output. The proof is the product. ## You can't self-certify trust This is the part that matters most, and where we think the current industry conversation is fundamentally confused. Every agent safety system today operates on the same model: the vendor monitors the agent, generates logs, and reports on what happened. This is useful. It is not trustworthy. Logs are mutable, deletable, and require trusting the vendor who generated them. Self-certification is not certification. Consider the analogy to financial auditing. No public company self-certifies its financial statements. An independent auditor verifies them, and the audit itself is subject to standards (GAAP, IFRS) that are independently enforced. The integrity of the system depends on the independence of the verification. We built Mnemom on this principle. Every integrity checkpoint receives a four-layer cryptographic attestation: Ed25519 digital signatures (this gateway produced this checkpoint), SHA-256 hash chains (no checkpoint was deleted or reordered), Merkle tree accumulator (any checkpoint is verifiable without downloading the full history), and SP1 STARK zero-knowledge proofs (the verdict was honestly derived from the evidence). The key insight — and this is our core contribution — is the auditor-model distinction. Proving that a full LLM inference was correct is computationally intractable. Billions of RISC-V cycles. But proving that an auditor honestly applied its rules to the LLM's output? That's roughly 10,000 RISC-V cycles. We don't prove the model was correct. We prove the auditor's judgment was honest. This makes practical zero-knowledge proofs on AI governance possible today. A regulator, a counterparty, or a consumer can verify an agent's behavioral history without calling our API, without internet access, without trusting anyone. That's not monitoring. That's trust infrastructure. ## What we think the five levels actually need We've spent the past year building what we believe each of your five levels requires: **Level 1 — Identity.** Every agent needs a cryptographic identity before it takes its first action. Our gateway assigns one with a single environment variable. Zero code changes. Works with Anthropic, OpenAI, and Gemini. **Level 2 — Behavioral monitoring.** At this level, agents reason and search. You need to know what they're thinking, not just what they output. Our integrity protocol intercepts the agent's internal reasoning — the thinking blocks — before actions execute. Five-layer semantic analysis against behavioral contracts. This catches prompt injection, value drift, and deceptive reasoning at the source. **Level 3 — Persistent reputation.** The agent remembers your preferences. You need to remember its behavior. Trust Score provides persistent, portable reputation that follows an agent across sessions, across platforms, across time. An agent that earned trust yesterday doesn't start from zero today. **Level 4 — Governance.** Full delegation requires full governance. Not just monitoring — policy enforcement, lifecycle management, trust recovery. Our governance engine provides YAML-based policy-as-code, graduated enforcement (observe → nudge → enforce → contain), and a card lifecycle system that distinguishes between "the agent did something wrong" and "the policy was wrong about the agent." That distinction matters. Without it, false positives destroy trust in the trust system, and engineers route around governance entirely. **Level 5 — Cryptographic proof.** Anticipatory action with no human prompt is the highest-trust scenario. It demands the highest assurance. Trust Scores published to Base L2 via the MnemoReputationRegistry smart contract — immutable, publicly queryable, composable with other on-chain systems. Zero-knowledge proofs that any third party can verify independently. Not "we checked the agent." Proof that the checking was honest. ## The SSL moment You wrote about the mid-90s — that rare moment when the structure of the internet was being hashed out. HTTP, HTML, URLs, DNS. We'd add one to the list: SSL. E-commerce didn't scale because browsers could display web pages. It scaled because browsers could display a padlock. That padlock didn't protect the transaction — the payment processor did that. The padlock told the user: this connection is verified. You can trust it enough to type your credit card number. The agentic economy is pre-padlock. Agents can browse, reason, search, and buy. But there's no padlock. No independent verification that the agent connecting to a merchant's API is trustworthy, that its behavioral history is clean, that its governance is active, and that you can prove all of this without trusting anyone's word for it. Trust Score is the padlock for the agentic economy. Not a permission. Not a policy. A cryptographically verified, independently auditable, persistently computed behavioral reputation. ## What we'd love to discuss Stripe processes $1.9 trillion in volume. Your annual letter states that agents will "most likely soon be responsible for most internet transactions." If even a fraction of that volume flows through autonomous agents, every transaction will need an answer to the question: should this agent be trusted? We believe that answer should be computed, not assumed. Verified, not self-certified. Persistent, not ephemeral. And provable to any third party without requiring trust in the vendor. We've built that infrastructure. It's open source, Apache 2.0, shipping today on npm and PyPI. We have live agents with public Trust Score pages, cryptographic certificates, and on-chain reputation records. We'd love to explore how trust infrastructure composes with payment infrastructure. The agent with a good credit score gets higher spending limits. The agent with a clean behavioral history gets faster checkout. The agent with a verified governance record satisfies the compliance requirements that — whether we call them counterproductive or not — take effect on August 2, 2026, when the EU AI Act Article 50 transparency obligations begin enforcement. Stripe built the payment layer for the internet. We believe we're building the trust layer for the agentic internet. Let's talk about how they fit together. Alex Garden Founder, Mnemom #agentic-commerce#trust#stripe#governance ### Stay in the loop New dispatches and product updates, no spam. Company website (leave blank) Subscribe ### Ready to verify your agents? See it liveView plansTalk to us [![Mnemom Research](/images/mnemom_hero.webp) Mnemom Research All posts → ](/blog/mnemom-research) --- _Source: /blog/mnemom-research/dear-patrick-and-john--you-built-the-rails--who-builds-the-trust/index.html · Generated by build-markdown-mirrors.mjs · For agent-readability commitment #4 see https://www.mnemom.ai/for-agents_