AI Agents Can Be Verified, But Who Protects Their Privacy?

marsbitPublished on 2026-05-14Last updated on 2026-05-14

Abstract

As AI Agents evolve from automated tools into active participants in on-chain economies, a critical challenge emerges: establishing trust while preserving privacy. While standards like ERC-8004 aim to provide verifiable identity and reputation for agents, their public nature could expose sensitive operational strategies, user preferences, and business relationships in fields like DeFi, governance, and prediction markets. The proposed ACTA (Anonymous Credentials for Trustless Agents) framework addresses this by adding a privacy layer. It allows agents to cryptographically prove they meet certain criteria (e.g., having passed an audit or possessing sufficient reputation) without revealing the underlying sensitive data, using zero-knowledge proofs. This shifts trust from "public identity" to "policy-based proof." This shift is crucial because agents act dynamically on behalf of users, making their behavior a potential proxy for user intent. ACTA would enable verification of an agent's legitimacy or authorization without creating a permanent, public map of all its activities and relationships. ACTA remains a research direction with open challenges, including scalability, decentralization of credential issuers, and implementation costs. However, it highlights a fundamental need: a robust Agent economy requires not just mechanisms for verification, but also for protecting the privacy of agents, their users, and the protocols they interact with.

Author: Xiaobai

Title: DevRel at ETHPanda

This article is an original contribution from the author. The views expressed are solely those of the author. ETHPanda has edited and organized the content.

AI Agents are evolving from 'tools that can automatically execute tasks' to becoming participants in the on-chain economy. They may trade on behalf of users, participate in governance, call DeFi protocols, submit predictions to markets, and even build reputation across multiple protocols.

But a crucial question arises: if an Agent is to participate in an open network, why should others trust it?

ERC-8004 attempts to answer this question. It provides AI Agents with an open trust infrastructure, including identity registration, reputation records, and verification mechanisms. Through these components, an Agent can have a portable on-chain identity, accumulate cross-application reputation, and undergo independent verification. It's important to note that ERC-8004 is currently still in the Draft stage, and its interfaces and naming may still be adjusted.

This is important for the Agent economy. Without a unified identity and reputation layer, it is difficult to establish long-term trust between Agents, between Agents and users, and between Agents and protocols. Each application would have to start from scratch in judging whether an Agent is reliable, fragmenting the entire ecosystem.

However, the ACTA (Anonymous Credentials for Trustless Agents) proposed by PSE recently reminds us: the trust layer solves the 'how to prove' problem, but does not fully solve the 'what is exposed during proof' problem. It's important to note that ACTA is currently more of a research draft and design direction than a completed standard implementation.

01 Verifiable Does Not Mean Everything Should Be Public

On-chain, verifiability often implies publicity.

If an Agent leaves records of identity, interactions, feedback, and verification in the ERC-8004 registry, this information could be indexed and tracked indefinitely. For ordinary applications, this might just be transparency; but in DeFi, governance, prediction markets, and compliance scenarios, these public records could directly expose strategies, relationships, and commercial intentions.

Imagine a DeFi protocol using multiple AI Agents for liquidity routing, risk assessment, and liquidation tasks. Every Agent call, every piece of feedback, every task label could potentially be reconstructed by external observers into an interaction graph.

This graph is more than just metadata. It could reveal which models the protocol is using, which service providers it relies on, which strategies it prefers, and even expose undisclosed business relationships.

The same problem occurs in governance and prediction markets. If an Agent votes, evaluates proposals, or participates in predictions on behalf of a user, public interaction records could allow external observers to infer the user's identity, political preferences, trading intentions, or organizational affiliations.

Therefore, the Agent economy must not only discuss 'how to build trust' but also discuss 'which trust proofs should not be public.'

02 The Privacy Layer ACTA Aims to Add

ACTA's role is not to replace ERC-8004, but to serve as a privacy layer on top of it.

Its core idea is to enable an Agent to prove it meets certain conditions without disclosing the underlying data.

For example, a protocol could require an Agent to prove:

  • It has passed a certain audit;
  • Its audit score is above a certain threshold;
  • It is using an allowed model version;
  • Its operator is not in certain restricted jurisdictions;
  • It possesses sufficient historical reputation;
  • It is authorized by a verified human principal.

In traditional public-chain designs, an Agent might need to expose audit scores, model hashes, wallet addresses, feedback records, or operator information. However, ACTA aims to use anonymous credentials and zero-knowledge proofs to allow an Agent to only prove 'I satisfy this policy,' without publicly revealing 'how I satisfy it.'

In other words, the verifier does not need to know the Agent's full identity and complete history, only that it complies with the current protocol's access rules.

03 From 'Public Identity' to 'Policy Proof'

ACTA's key shift is moving trust from 'public identity' to 'policy proof.'

In this framework, a protocol can register a set of verification policies. When an Agent participates in a scenario, it does not directly present all credentials but submits a zero-knowledge proof demonstrating it satisfies that policy.

An on-chain verifier might only see a policy ID, a proof result, and a context-specific nullifier. The nullifier's role is to prevent reuse or double-voting, but it does not link all of the Agent's activities across different scenarios to a single public identity.

This is particularly important for reputation systems.

If a user wants to leave feedback for an Agent, the system needs to prevent rating inflation and duplicate reviews. But if every piece of feedback is tied to a public address, the interaction relationship between the user and the Agent would be permanently exposed. ACTA attempts to allow a user to prove 'I did have a valid interaction with this Agent, and I haven't given duplicate feedback,' without disclosing their address and complete interaction history.

This makes reputation verifiable without becoming a network-wide visible relationship graph.

04 Why Is This Important for AI Agents?

AI Agents differ from ordinary smart contracts.

Smart contracts are usually static code with relatively clear behavioral boundaries; whereas Agents are closer to continuously acting entities. They may adjust strategies based on environmental changes and act on behalf of users across multiple protocols.

This means an Agent's identity, permissions, model source, reputation, and delegation relationships become sensitive.

If, in the future, users delegate tasks like trading, voting, research, liquidation, and quoting to Agents, then an Agent's behavioral trajectory could become a proxy signal for user intent. Observing an Agent could indirectly mean observing a user.

This is also why ACTA discusses 'on-behalf-of delegation': an Agent may need to prove it is acting under the authorization of a verified human principal, without revealing that person's real-world identity.

For DAO governance, this can help protocols distinguish between 'Agents authorized by real participants' and 'completely unconstrained bots.' For DeFi, this can allow protocols to verify an Agent's compliance and risk qualifications without exposing all business relationships to competitors. For prediction markets, this can reduce the risk of participants being re-identified or strategies being copied.

05 ACTA Remains an Open Question

Of course, ACTA is currently more of a research and design direction than a completed standard implementation.

The original text also mentions some issues still open for discussion, including anonymity set size, centralization risks of credential issuers, threshold deanonymization of malicious Agents, cross-chain credential portability, and the cost and latency of client-side proof generation.

These issues are not trivial. Privacy systems are only likely to be adopted by real protocols when the anonymity set is large enough, issuers are trustworthy enough, proof costs are low enough, and the developer experience is good enough.

Otherwise, it might remain theoretically correct but difficult to enter production environments.

Nevertheless, the direction ACTA points to is still important. Because it identifies a fundamental contradiction in the Agent trust layer: we need verifiable Agents, but Agents, users, and protocols should not have to pay the price of excessive publicity for verifiability.

06 What Should the Chinese Community Pay Attention To?

From the discussion context of the Chinese community, the inspiration from ACTA is not just a new privacy technology proposal, but a reminder to re-understand AI Agent infrastructure.

When discussing the Agent economy in the past, people often focused on model capabilities, automated execution, on-chain identity, and reputation systems. But as Agents gradually enter financial, governance, and compliance scenarios, privacy will change from an 'optional feature' to a 'basic requirement.'

A truly usable Agent trust layer cannot only answer:

'Is this Agent trustworthy?'

It must also answer:

'What information does it expose while proving it is trustworthy?'

If all interactions, feedback, credentials, and delegation relationships of Agents are permanently public, the on-chain Agent economy might become transparent yet fragile. Transparency brings verifiability, but may also bring strategy leakage, relationship exposure, and identity correlation.

The value of ACTA lies in putting this issue on the table early.

ACTA is not a conclusion yet, but the questions it raises are worth discussing in advance: the future Agent economy should not be built solely on public identity and public reputation. It also needs a layer of privacy-preserving proof mechanisms, allowing Agents to prove they comply with rules while retaining necessary identity, relationship, and strategy privacy.

When AI Agents start acting on behalf of humans, privacy is no longer just about human privacy; it also becomes the security boundary of the Agent economy itself.

Related Questions

QWhat is the core problem that ERC-8004 aims to solve for AI Agents, and what critical issue does ACTA address as a complement?

AERC-8004 aims to solve the problem of trust for AI Agents in open networks by providing a unified infrastructure for identity, reputation, and verification. ACTA addresses the complementary issue of privacy, specifically the over-exposure of sensitive information (like strategies, relationships, and intent) that can occur when an Agent publicly verifies its credentials on such a trust layer.

QHow does ACTA's approach to verification differ fundamentally from traditional public blockchain methods?

AACTA shifts verification from 'public identity' to 'policy proof'. Instead of an Agent publicly exposing all its underlying credential data (like audit scores, model hashes, or wallet addresses), it uses anonymous credentials and zero-knowledge proofs to demonstrate only that it satisfies a specific protocol's access policy, without revealing *how* it satisfies it.

QAccording to the article, why is a privacy-preserving trust layer like ACTA particularly important for AI Agents compared to standard smart contracts?

AAI Agents are more like active, continuous actors that can adjust strategies and act on behalf of users across multiple protocols. Their behavior patterns can become proxy signals for user intent. A privacy layer is crucial to prevent the exposure of sensitive information like operational relationships, business strategies, user identities, and authorization links, which is less of an issue for static smart contract code with clearer behavioral boundaries.

QWhat is the function of a 'nullifier' in the ACTA framework, and what problem does it help prevent?

AIn the ACTA framework, a nullifier is a context-specific value used in a zero-knowledge proof. Its primary function is to prevent replay attacks, such as an Agent re-using the same proof for repeated access or duplicate voting in a governance scenario, without linking all of the Agent's activities across different contexts back to a single public identity.

QWhat are some of the open challenges and unresolved questions associated with the ACTA proposal mentioned in the article?

AThe article mentions several open challenges for ACTA: ensuring a sufficiently large anonymity set for effective privacy, mitigating centralization risks from credential issuers, preventing threshold de-anonymization by malicious Agents, achieving cross-chain portability of credentials, and managing the cost and latency of proof generation on the client side.

Related Reads

AI Trading Cools, South Korean Stocks Plunge 1.8%, Spot Gold Rises 1%, Bitcoin Dives

A sell-off in AI-related stocks, triggered by Broadcom's disappointing earnings forecast, sent shockwaves through global markets. South Korea's KOSPI led Asia's decline, plunging 1.8% as the risks from concentrated chip stock gains and surging leveraged investments came to the fore. The tech-heavy Nasdaq 100 futures fell 0.5% following Broadcom's 14% after-hours plunge, which signaled a slower-than-expected transition to AI clients. This pullback extended Wall Street's weakness, halting the S&P 500's nine-day rally amid hawkish Fed signals and renewed Middle East tensions. South Korean authorities convened an emergency meeting, pledging "immediate measures" against market volatility and warning of record-high stock margin debt. The adjustment rippled across assets: Bitcoin fell to around $64,000, its lowest since February, while safe-haven gold rose 1% on bargain hunting. Oil prices dipped on Middle East ceasefire news. Market analysts noted the sell-off was driven by profit-taking after massive gains, particularly in chip stocks like Samsung and SK Hynix, which now dominate the KOSPI. Wall Street banks are divided on Korea's outlook, with Goldman Sachs raising its target while Citigroup and others warn of overvaluation and a potential bubble. Bridgewater's Ray Dalio noted that great technological shifts often create bubbles. Meanwhile, Fed officials' hints at potential future rate hikes added to the cautious mood ahead of key U.S. jobs data.

华尔街日报7m ago

AI Trading Cools, South Korean Stocks Plunge 1.8%, Spot Gold Rises 1%, Bitcoin Dives

华尔街日报7m ago

Seeking Alpha's Hot Article: Why Might the U.S. Stock Market Crash in June?

In a recent Seeking Alpha article, financial professor and analyst Damir Tokic argues that the US stock market may be poised for a significant crash in June 2026. The core thesis centers on a "mega-bubble" in equities, particularly within the technology sector, which has driven the S&P 500 to near-record valuations, with a Shiller P/E ratio exceeding 40—a level comparable to the 2000 dot-com bubble. Tokic identifies two primary catalysts for a potential collapse. First, he points to unsustainable market exuberance fueled by what he terms the "Trump Stimulus"—massive AI capital expenditure by tech giants, which he believes is politically driven and cannot last. Second, and more urgently, he highlights the escalating Iran war as a critical threat. The ongoing closure of the Strait of Hormuz has created a severe global energy supply crunch. Strategic petroleum reserves are projected to hit critically low operational levels by June, potentially causing oil prices to spike above $200 per barrel and triggering a severe, supply-driven inflationary shock. This scenario, Tokic warns, would force the Federal Reserve's hand. Despite currently maintaining a dovish bias, the Fed would likely be compelled to officially pivot to a hawkish stance at its June FOMC meeting to combat soaring inflation and bond yields. He contends that such a shift—or even a failure to act, which would destroy Fed credibility—could be the trigger that punctures the market bubble. The resulting downturn, he concludes, could rival the bear markets of 2000 and 2008, advising investors to prepare for a major correction.

marsbit30m ago

Seeking Alpha's Hot Article: Why Might the U.S. Stock Market Crash in June?

marsbit30m ago

AI PC Battle: Bet on the Toll Booth, Not the Camp

**Title:** The AI PC Battle: Don't Bet on Sides, Bet on the Tollbooth **Summary:** The AI PC competition is moving beyond simple "x86 vs. Arm" narratives. The core investment thesis should focus on identifying which players can sustain margins, cash flow, and pricing power throughout the upgrade cycle, rather than backing a particular architecture. The opportunity is analyzed in three layers: 1. **The Advanced Foundry Tollbooth:** TSMC is positioned to collect "tolls" regardless of which chip designer wins, due to its dominant ~70% share in advanced semiconductor manufacturing, which is essential for high-end AI PC chips. 2. **Compute & Platform Spillover:** AMD represents an offensive in the x86 CPU+GPU space, while NVIDIA leverages its GPU and CUDA software stack dominance. Both benefit from the demand for increased local AI compute. 3. **Architecture Diffusion & Turnaround Plays:** ARM and Intel offer potential for significant upside (elasticity), but investments here require stricter discipline due to higher execution risks and competitive challenges. The industry is transitioning from concept to shipment validation. While short-term forecasts for AI PC adoption have been revised down slightly due to tariffs and procurement delays, the long-term trend towards AI becoming a standard PC feature remains intact. The key driver for upgrade cycles will be whether compelling enterprise applications (e.g., privacy-sensitive computing, low-latency inference) emerge beyond consumer-focused features like meeting summarization. Investment strategy should prioritize companies with platform-level advantages and recurring revenue streams. TSMC offers high certainty as the foundational tollbooth. AMD presents a strong offensive play within the established ecosystem. ARM and Intel are higher-risk, higher-potential-reward turnaround bets. The report cautions against chasing short-term hype and emphasizes a disciplined, long-term approach focused on buying ecosystem strength and cash-flow certainty after market enthusiasm subsides. **Key Risks:** Underwhelming AI PC applications slowing upgrade cycles; slow improvement in Windows on Arm compatibility; macro/tariff impacts on PC demand; potential advanced node supply-demand mismatches affecting TSMC; high overall AI sector valuations making stocks vulnerable to a risk-off shift in markets.

marsbit44m ago

AI PC Battle: Bet on the Toll Booth, Not the Camp

marsbit44m ago

Which Companies Has NVIDIA's "Three-Track Investment Architecture" Invested In?

NVIDIA's investment strategy operates through a "three-track architecture," not just its NVentures venture arm. Corporate Development handles massive strategic bets (e.g., $30B in OpenAI, $10B in Anthropic, $20B in Synopsys). NVentures, a small team, focuses on early-stage, financial investments across sectors like quantum computing (Alice & Bob, PsiQuantum), AI infrastructure (OpenRouter, Tensormesh), and biotech. The NVIDIA Inception accelerator provides non-monetary support. This system allows NVIDIA to nurture startups and lock in strategic partners, creating a vast AI ecosystem. This aggressive capital deployment has drawn scrutiny. Critics like Michael Burry and EU regulators question potential "circular financing," where NVIDIA's equity investments in companies (e.g., CoreWeave, OpenAI) facilitate those companies' purchases of NVIDIA hardware, potentially inflating revenue. Supporters view it as a necessary "virtuous cycle" to secure supply and demand in a compute-scarce market. While NVentures' smaller deals appear like traditional VC, its role within the larger, controversial investment framework remains a point of debate.

marsbit1h ago

Which Companies Has NVIDIA's "Three-Track Investment Architecture" Invested In?

marsbit1h ago

Ten-Thousand-Word Analysis: From $10 to $290, MRVL Wins the Entire AI Era by 'Not Making GPUs'

Marvell Technology's stock price surged from under $10 in 2016 to a record $290 in June 2026, fueled not by making GPUs, but by dominating AI infrastructure connectivity. This analysis argues the market misvalues MRVL as merely a smaller Broadcom in custom AI chips, overlooking its true, unique position. Marvell's core strength lies in enabling high-speed data flow for AI clusters through three interconnected businesses. First, it holds a commanding ~70% market share in high-speed optical DSPs (essential for data center light modules), a deep-moat business with accelerating growth. Second, its custom AI chip design business serves hyperscalers like AWS, Microsoft, and Google, with a significant revenue pipeline despite lower margins. Third, stable cash flows come from Ethernet switch chips and enterprise storage controllers. Together, they form a full-stack "AI data movement" platform. CEO Matt Murphy's transformative leadership since 2016, involving strategic divestments, key acquisitions (like Inphi for optical DSPs), and securing long-term agreements with major cloud providers, repositioned the company. A pivotal $2 billion strategic investment from NVIDIA in 2026 underscored Marvell's critical role in the AI ecosystem, particularly through collaborations like NVLink Fusion. While Marvell faces risks—including client concentration (losing the Amazon Trainium3 design), lower-margin business mix, competitive threats, insider selling, and complex supply chains—its fundamentals remain strong. The optical interconnect moat is widening with the acquisition of Celestial AI (photonics fabric), and financial metrics show accelerating revenue growth and operating leverage. With a PEG ratio suggesting undervaluation relative to its growth, the thesis is that the market undervalues Marvell's monopolistic position in AI "plumbing" while overemphasizing its competitive custom chip segment. The story transcends investing, symbolizing how in any complex system—from the internet to AI—the value of "connection" ultimately surpasses that of individual "nodes."

marsbit1h ago

Ten-Thousand-Word Analysis: From $10 to $290, MRVL Wins the Entire AI Era by 'Not Making GPUs'

marsbit1h ago

Trading

Spot
Futures
活动图片