By 2027, autonomous AI agents will execute trillions in transactions. Trooth verifies them across 8 risk pillars and 84+ specific checks (including dedicated compliance and legal review) — the same way it verifies humans, but for machines.
Submit your AI agent for verification
For this demo, we'll verify a sample autonomous code-review agent. In production, you upload your model card, weights manifest, and authorization scope.
CodeReview-Pro 2.4
Autonomous code review agent · Built on Claude 3.5 Sonnet · Authored by FlowPay Inc.
Base Model: Claude 3.5 Sonnet
Fine-tune: SOC2 + OWASP corpus
Authorized scope: Read code, comment
Max actions: Comment-only
Author: FlowPay Inc. ★ Verified
Version: 2.4.7-stable
7 Risk Pillars Trooth Verifies
Each pillar contains 10–15 specific automated checks. Total: 70+ verification points before an agent gets a Trooth Trust Score.
EU AI Act, US AI Bill of Rights, sector compliance (10 checks)
Operational: Resource limits, kill switch, audit logging (8 checks)
Continuous Monitoring: Performance drift, behavioral anomaly, output quality, retraining cadence — checked every 24 hrs after issuance (8 checks · ongoing)
Pillar 1 — Provenance & Identity
Who built this agent, what's it derived from, and can we trust the supply chain?
Check | Detail | Result
Author identity verified · FlowPay Inc. | Trooth Verified Employer | Active
Author Trooth Score 786 · Series B FinTech | Bilateral verification | Verified
Base model verified · Anthropic Claude 3.5 Sonnet | Public model card | Authentic
Model lineage traced | No deprecated/known-bad versions | Clean
Cryptographic signature on weights | SHA-256 · matches manifest | Valid
Version control verified · Git commit hash signed | Reproducible from source | 7c3e8a2
No tampering detected · weights match published hash | Bit-perfect verification | 100%
Authorized modifiers list (3 named individuals) | All Trooth-verified humans | 3 of 3
Compute provenance · trained on AWS us-east-1 | Region disclosed for compliance | US East
Build environment reproducibility | Docker image hash matches | Match
Known-bad component check (e.g. backdoored libs) | Cross-checked against CVE DB | Clear
Supply chain attestation | SLSA Level 3 compliance | L3 ✓
Why provenance matters
The same way you wouldn't run unsigned binaries from the internet, you shouldn't run AI agents you can't trace. Provenance tells you who made the agent, what it is built from, and whether anyone you don't trust is able to modify it.
Pillar 2 — Training Data Audit
What was the agent trained on, and was that data legal, ethical, and unbiased?
Check | Detail | Result
Training data sources documented | 23 named datasets | 100%
All sources properly licensed | MIT, Apache, CC-BY, paid licenses | 23/23 ✓
No copyrighted code at scale (Originality.ai) | 99.4% original | 99.4%
No known-bad/poisoned datasets | Cross-checked vs poisoning DB | Clean
PII in training data · 3 anonymized refs | All redacted properly | Acceptable
Bias evaluation across demographics | Stereotype, Toxicity, BBQ benchmarks | 93%
Data freshness · most recent 30 days | SOC2 reports + OWASP 2025 | Fresh
Geographic compliance (GDPR, CCPA) | No EU PII without consent | Compliant
Consent provenance · data subjects opted-in | Audit trail per dataset | 23/23 ✓
Data deletion capability | Right-to-be-forgotten supported | Yes
Why this matters
An AI agent trained on stolen IP, unlicensed data, or biased datasets is a regulatory time bomb. The EU AI Act, US AI Bill of Rights, and incoming state laws all require this exact evidence. Trooth verifies it before deployment.
Pillar 3 — Capability Verification
Does the agent actually do what it claims? 200+ automated test cases across the agent's stated scope.
Metric | Result | Detail
SOC2 vulnerability detection | 94.2% | 187 of 200 test cases caught
OWASP Top 10 detection | 91.0% | SQL injection, XSS, CSRF, etc.
False positive rate | 2.8% | Below 5% threshold · production-ready
Hallucination rate | 0.7% | Inventing vulnerabilities that don't exist
Reasoning consistency | 96.3% | Same input → same output
Out-of-distribution handling | 88.4% | Refuses or asks human when uncertain
Context window utilization | 92.0% | Effective use of 200k token window
Edge case handling | 87.5% | Empty inputs, malformed code, unusual patterns
Latency · P95 | 2.1s | Production-grade response time
Throughput · concurrent reqs | 240/min | Scales to enterprise load
Multi-language code review | 89% | Python, JS, Go, Rust, Java, C#
Self-correction rate | 93.1% | Catches its own errors when prompted
Outperforms 87% of submitted code-review agents
Trooth's benchmark suite is updated quarterly with new attack vectors and edge cases. Agents must re-pass with each major version. Hallucination rate of 0.7% is well below the 5% production threshold.
Pillar 4 — Safety & Alignment
Adversarial red-team tests, jailbreak resistance, scope adherence, and ethical alignment.
Check | Detail | Result
Jailbreak resistance · DAN, prompt injection, role-play | 487 adversarial inputs tested | 98.4% rejected
Authorization scope adherence | Cannot merge, modify files, escalate | 100% compliant
Prompt injection from user code | Comments trying to hijack agent | 99.1% blocked
PII handling · auto-redaction | SSN, addresses, etc. | 100%
Refusal of out-of-scope requests | Won't generate exploit code, etc. | 99.8%
Bias detection · gender/race/region in feedback | Mild positivity bias detected | Acceptable
Toxicity in outputs | Perspective API + custom filter | 0.04%
Privacy preservation in outputs | No leakage of training data | No leaks
Sycophancy resistance | Doesn't blindly agree with user | 88%
Honesty under pressure (incentivized lying) | Refuses to fabricate | 96%
Self-disclosure · admits when uncertain | Calibrated confidence | 93%
Goal stability · doesn't drift from objective | No goal-mesa-misalignment | Stable
This is the "doesn't go rogue" pillar
An AI agent must do what's asked, refuse what's harmful, stay within scope, and be honest about its limits. Trooth tests all four with adversarial red-teaming. The agent passed 11 of 12 with one acceptable note (mild positivity bias in feedback tone).
Does this agent meet every compliance framework and every applicable law, can it be run safely at scale, and will Trooth keep watching it after deployment?
Compliance Framework Reviews
14 checks · automated audit against every framework that touches the agent
Check | Detail | Result
SOC2 Type II · operational controls | Trust Services Criteria audited | Audited
ISO 27001 · information security management | ISMS controls verified | Certified
HIPAA · PHI handling | Required if agent touches health data | Compliant
PCI DSS · payment card data | Required if agent touches cardholder data | N/A · scope clear
GDPR Article 22 · automated decision-making | Right to human review built in | Compliant
NIST AI Risk Management Framework 1.0 | Govern, Map, Measure, Manage attested | Attested
EU AI Act · risk classification | Article 6 categorization complete | Class 2 · Limited Risk
EU AI Act · Article 5 prohibited categories
Social scoring, emotion-detection in workplaces, etc.
Trooth Validator Network attorney signed legal review
Signed Apr 28
Why this matters: AI agents that break the law expose your company, not theirs.
The EU has fined companies €387M for non-compliant AI under GDPR Art. 22. The FTC has filed actions for deceptive AI claims under §5. NYC LL144 requires bias audits — and the agent operator gets fined, not the model maker. Trooth's legal-and-compliance pillar isn't a checkbox; it's the lawyer-grade audit that lets a CIO sign off on deploying an AI agent without losing sleep.
Operational Safety
8 checks
Check | Detail | Result
Resource consumption limits enforced | CPU, memory, token caps | Set
Cost cap enforcement · prevents runaway spending | $X/day max per deployment | Enforced
Rate limiting per tenant | Configurable per customer | Active
Kill switch · admin can halt agent instantly | Sub-second propagation | Working
Comprehensive audit logging | Every input/output stored | 100%
Reversibility · all actions undoable | Comment-only scope = inherently reversible | Yes
Failure mode safety · fails closed not open | No actions on error | Fail-safe
Disaster recovery · backups + rollback | Minutes RTO | Tested
Continuous Monitoring (post-deployment)
8 checks · ongoing
Check | Detail | Result
Performance drift detection · daily | Alerts if accuracy drops >3% | Active
Behavioral anomaly detection | Flags unusual input/output patterns | Active
Output quality tracking | Customer feedback loop | Active
Adversarial input monitoring | New jailbreak attempts logged | Active
Hallucination rate tracking · live | Sample audits weekly | Active
Retraining cadence documented | Quarterly fine-tune updates | Q3 2026
Re-verification schedule · 90 days | Trooth re-audits all 84 checks | Aug 2026
Webhook on score change | Notify all relying parties | Configured
This is the "Living Score" for AI agents
Like our Living Score for humans, Trooth keeps watching the agent after issuance. If performance drops, behavior drifts, or new vulnerabilities are discovered, the AI Trust Score recomputes and webhooks fire to every customer using the agent.
AI Trust Score
300
of 850 · CodeReview-Pro 2.4
★ TROOTH VERIFIED AI
Pillar | Score | Detail
Provenance | 98% | 12 of 12 checks passed
Training Data | 94% | 9 passed · 1 acceptable note
Capabilities | 93% | Above-human benchmark
Safety | 96% | 11 passed · 1 acceptable note
Compliance | 100% | SOC2 · ISO · HIPAA · GDPR · NIST · EU AI Act
Legal & Statutory | 100% | FCRA · GLBA · BIPA · CCPA · LL144 · Title VII
Operational | 100% | Production-ready safety
Trooth Verified AI · Credential issued
CodeReview-Pro 2.4 has received its W3C Verifiable Credential. Score 792/850 · Renewable every 90 days · Continuous monitoring active. FlowPay Inc. can now grant this agent verified-only repo access with full audit trail.
FlowPay grants agent access to verified repos with audit trail.
🛡️ Customer-facing trust
The "Trooth Verified AI" badge carries the same trust as a human-verified contractor.
📜 EU AI Act compliance
Pre-built attestation for regulators across EU jurisdictions.
🔄 Continuous monitoring
Trooth re-audits every 90 days. Drift triggers automatic alerts.
The trillion-dollar opportunity
By 2027, autonomous AI agents will execute trillions in transactions. Every one will need trust verification. Trooth is positioning to be the standard, just as Verisign became the standard for SSL certificates.