Agentproof: Robust Verification for Autonomous Agents
- Agentproof is a research concept that defines mechanisms ensuring autonomous agents are robust, verifiable, and privacy-preserving through structural and cryptographic safeguards.
- It combines role-based argument tracking, receipt verification, and formal proofs to defend against prompt injection and validate agent workflows.
- Empirical studies demonstrate that Agentproof implementations greatly reduce attack success rates while maintaining high utility and efficient processing.
Searching arXiv for the cited papers and related "Agentproof" work to ground the article in current literature. Searching arXiv for "Agentproof" and the specific 2026 papers mentioned. Agentproof is a research term used across several recent lines of work on autonomous and tool-using agents to denote mechanisms that make agent behavior structurally robust, cryptographically verifiable, privacy-preserving, auditable, or formally constrained under explicit threat models. The term does not denote a single canonical architecture. Instead, it spans prompt-injection defenses in multitool agents, receipt-based verification of tool-grounded claims, TEE-attested reasoning over private corpora, device-native cryptographically private negotiation systems, static verification of agent workflow graphs, protocol-level conformance models, and theorem-proving agents whose outputs are machine-checked rather than merely asserted (Cheng et al., 13 Mar 2026, Xavier et al., 20 Mar 2026, Rowstron, 27 Apr 2026, Kadaboina, 19 May 2026).
1. Conceptual scope and recurring guarantees
Across the literature, Agentproof denotes a family of guarantees rather than a single property. In some papers, the emphasis is structural non-bypassability: dangerous tools are isolated from untrusted text, or actions are gated by symbolic verification so that unsafe operations become unexecutable regardless of model persuasion (Cheng et al., 13 Mar 2026, Wu et al., 28 May 2026). In other papers, the emphasis is external verifiability: the agent’s claims, tool calls, or outputs must be reconstructible by a third party from receipts, attestations, or protocol-layer artifacts instead of from self-reported logs (Basu, 9 Mar 2026, Figuera, 2 Jun 2026, Grigor et al., 17 Dec 2025). A third cluster centers privacy-preserving oversight, where an auditor can validate qualitative or quantitative properties of private data or private communication without disclosing the underlying corpus or messages (Rowstron, 27 Apr 2026, Jing et al., 11 Dec 2025). A fourth cluster uses Agentproof in a more formal-methods sense, where workflow graphs, protocol compositions, or proof objects are statically or mechanically verified before deployment or acceptance (Xavier et al., 20 Mar 2026, Zheng et al., 25 Mar 2026, Baba et al., 24 Jun 2025).
| Representative system | Core mechanism | Reported focus |
|---|---|---|
| OpenClaw | Privilege-separated Reader/Actor pipeline | Prompt-injection robustness |
| NabaOS | HMAC-signed tool receipts | Hallucination detection |
| Agentic Witnessing | TEE-attested reasoning | Private-data auditing |
| Agentproof workflow verifier | Graph checks + DFA product | Pre-deployment static safety |
| VET | AID + compositional proofs | Host-independent authentication |
The recurring guarantees are privacy, integrity, verifiability, accountability, least privilege, and compositional safety. One paper makes this triad explicit for autonomous negotiations, defining Agentproof as the conjunction of privacy, integrity, and verifiability, with sensitive constraints staying on-device, decisions anchored in tamper-evident audit trails, and counterparties able to verify constraint satisfaction without learning the underlying private data (Roy, 1 Jan 2026). Another frames the same objective at protocol level: agent protocols become agent-proof when their identity, capability, consent, audit, and composition properties are specified as invariants rather than left to ad hoc framework behavior (Zheng et al., 25 Mar 2026).
2. Structural robustness against prompt injection and authority misuse
A central Agentproof theme is that prompt injection is fundamentally an architectural problem rather than only a content-filtering problem. In OpenClaw, prompt injection is treated as the consequence of co-mingling privileged instructions and untrusted email or retrieval content in a single context window. The proposed defense uses a privilege-separated two-agent pipeline: a Reader that processes raw emails and RAG results but only holds store_summary, and an Actor that holds send_email, get_pending_summary, and store_result but never sees raw untrusted text. On the 649 LLMail-Inject attacks that still succeeded against the single-agent gpt-5-mini baseline in OpenClaw, JSON formatting alone reached 14.18% ASR, Two-Agent isolation alone reached 0.31% ASR, and the full pipeline reached 0% ASR; across the full 22,899 unique payloads, the single-agent baseline had ASR 2.83%, producing the 649 normalized attacks used for ablation (Cheng et al., 13 Mar 2026).
A more fine-grained structural argument appears in PACT, which treats the decisive security boundary as lying inside the tool call rather than at the whole invocation. PACT assigns semantic roles such as target, command, credential, content, selector, and control, tracks provenance across replanning steps, and checks whether each argument’s origin satisfies its role-specific trust contract. Under oracle provenance on 17 mixed-trust scenarios, PACT L2 achieved 100% utility and 100% security, whereas invocation-level baselines incurred false positives or false negatives. In full AgentDojo deployments across five models, PACT reached 100% security on the three strongest models while recovering 38.1–46.4% utility, 8–16 percentage points above CaMeL at the same security level; ablations showed that removing roles collapsed utility and removing cross-step provenance reduced security to 80% (Fan et al., 11 May 2026).
AuthGraph generalizes the same principle from argument provenance to authorization provenance. It constructs an injected reasoning graph from the actual trajectory and an authorization graph derived from the user’s intent in a clean context using only the user prompt and tool catalog. The authorization graph is therefore information-theoretically independent of injected observations, and the checker compares the two graphs at both tool level and parameter-source level. On AgentDojo with GPT-4o, AuthGraph reduced ASR from 40% to 1% while maintaining 76% task completion rate; on AgentDyn it reduced ASR from 39% to 2% while preserving 51% utility, outperforming CaMeL, DRIFT, and Progent (Wang et al., 26 May 2026).
The strongest version of structural gating is ePCA, which abandons semantic trust in natural language entirely. Under executable Proof-Constrained Action, the agent must emit a strictly typed payload, this payload is compiled into first-order logical constraints, and an isolated Z3-based verifier checks satisfiability of the joint formula s ∧ ⟦j⟧SMT ∧ Φsafe. Execution occurs only on SAT; UNSAT becomes an algebraic deadlock. In the reported financial-transfer and enterprise-sandbox scenarios, ePCA achieved zero attack success rate and zero false positive rate, with mean verification latency about 0.44 ms and P95 about 1.72 ms (Wu et al., 28 May 2026).
These results collectively suggest that Agentproof prompt-injection defense is strongest when it is enforced by privilege boundaries, argument roles, provenance constraints, or solver-mediated action gating, rather than by keyword filtering or model-side obedience alone.
3. Receipts, attestations, and host-independent verification
A second major interpretation of Agentproof concerns the production of verifiable artifacts for claims and actions. NabaOS addresses hallucination in tool-using agents by interposing a trustworthy runtime that executes tools, emits HMAC-signed receipts, and classifies every claim by pramāṇa: pratyaksha, anumana, shabda, abhava, or ungrounded. Each receipt records id, tool_name, input_hash, output_hash, result_count, facts, timestamp_ms, duration_ms, and an HMAC-SHA256 signature that the model cannot forge. On NyayaVerifyBench, which contains 1,800 scenarios across English, Hindi, Mandarin Chinese, and Spanish, NabaOS detected 94.2% of fabricated tool references, 87.6% of count misstatements, 91.3% of false absence claims, 89.1% of fact mismatches, and 82.3% of inference-as-fact errors, with 91% aggregate detection, 4% false positive rate, and \<15 ms verification overhead per response (Basu, 9 Mar 2026).
Sello inverts the trust boundary for agent observability. Instead of trusting the agent or operator to narrate what happened, the receiving service signs a receipt over what it observed, encrypts the receipt to the owner via HPKE, and publishes it to a witness-cosigned Merkle transparency log. Its four properties are receiver-side signing, encryption to owner, public transparency logging, and owner-side discovery by token reference. In the reference implementation, service-side receipt creation had median ~0.45 ms CPU per call, owner-side single-receipt verification had median ~0.28 ms, and batch verification averaged ~0.32 ms per receipt, with per-receipt confidentiality carried by HPKE over X25519/HKDF-SHA256/ChaCha20-Poly1305 and integrity by Ed25519-signed COSE envelopes (Figuera, 2 Jun 2026).
VET takes the same external-verifiability objective to the level of the whole execution trace. Its Agent Identity Document specifies the agent’s configuration together with the proof systems required for each component. The resulting Prove and Verify procedures aim at host-independent authentication: a verifier can check that an output or tool input belongs to a valid execution trace of the declared agent even if the host was malicious. The paper argues that Web Proofs are presently the most practical choice for black-box, secret-bearing API calls, with overhead typically under 3× compared to direct calls, while public API calls can often use a lower-overhead TEE Proxy with overhead around 1–20%; the VeriTrade case study composes Web Proofs for the LLM core with a TEE Proxy for public market data (Grigor et al., 17 Dec 2025).
Pramana standardizes the verification artifact itself. Every consequential output is wrapped in a typed ClaimAttestation with one of four variants—Measurement, Inference, Analogy, or Citation—each paired with a verify() operation. Measurement and Citation claims are deterministic by construction; Inference and Analogy claims are deterministic only if their oracle is deterministic, otherwise they are audit-replayable rather than bit-identical. The lifecycle was specified in TLA+ and exhaustively checked under TLC over 38,563 distinct reachable states with zero invariant violations, and the Python reference implementation passed 84 tests (Kadaboina, 19 May 2026).
Taken together, these systems redefine Agentproof as artifact production: not merely that an agent “was likely correct,” but that a third party can reconstruct, verify, or cryptographically validate what the agent claimed, what tools it actually used, and what external service or verifier attested to the event.
4. Privacy-preserving oversight, confidential interaction, and prompt confidentiality
Another use of Agentproof concerns preserving confidentiality while still enabling oversight. Agentic Witnessing addresses verification over proprietary data by moving from attested execution to attested reasoning. A Prover commits to a dataset via per-file hashes, an Auditor runs inside a TEE and answers only Boolean queries from a Verifier, and the reasoning process is committed through a signed hash chain rooted in the dataset commitment and the session ticket. The evaluation automated artifact review over 21 peer-reviewed computer-science codebases, verifying five high-level properties such as implementation fidelity and engineering quality while treating the codebases as private; audits took roughly ~20–85 minutes, with cryptographic overhead negligible relative to model inference and network latency (Rowstron, 27 Apr 2026).
In device-native autonomous negotiations, Agentproof is framed as private, auditable bargaining under zero-knowledge proofs and local execution. The system operates on user hardware, uses Groth16 zk-SNARKs to prove that offers satisfy private constraints, maintains Merkle-tree audit trails anchored to a public blockchain, and combines these with selective state transfer, world-model distillation, model-aware offloading, and a simulation critic. Reported results include average success rate 87%, 2.4× latency improvement over cloud baselines, empirical cryptographic leakage averaging 14 bits versus 256 bits on cloud baselines, feasibility pre-check overhead 120 ms with +8% success rate, Groth16 proof generation ≈80 ms on high-end devices, and +27% trust score when cryptographic decision trails were available (Roy, 1 Jan 2026).
zk-MCP extends privacy-preserving audit to inter-agent communication. It integrates zero-knowledge proofs with MCP so that message schema, type distribution, and usage metrics can be audited without exposing contents. The framework was implemented with Circom and snarkjs, uses Poseidon commitments, and supports asynchronous verification through the MCP lifecycle. The reported verification overhead was below 4.14% of total communication costs, while preserving mutual auditing: one side can verify content and quality, and the other can verify usage metrics without revealing message content (Jing et al., 11 Dec 2025).
A different confidentiality objective appears in PragLocker, which treats agent prompts themselves as deployable intellectual property. The method first rewrites the prompt into a code-symbol DSL that preserves semantics on the target model, then uses target-model feedback and black-box random search to inject printable-ASCII noise until the prompt remains usable on the target model but becomes non-portable across others. Across the evaluated systems, PragLocker achieved a Cross-LLM Portability Ratio of 0.20× relative to the unprotected 1.00× baseline while preserving target performance at 1.01× on average; DSL-only obfuscation left portability near 0.99×, and optimization-only protection reached 0.82×, indicating that both phases were required (Li et al., 7 May 2026).
This branch of the literature treats Agentproof as confidentiality-preserving verifiability: an agent can be audited, negotiated with, or deployed in untrusted settings without exposing either the underlying private data or the prompt artifact that implements the agent’s capability.
5. Formal verification, workflow analysis, and proof-producing agents
A more formal-methods interpretation of Agentproof focuses on analyzable structure and mechanically checked outputs. The workflow-graph verifier titled Agentproof extracts a unified AgentGraph from LangGraph, CrewAI, AutoGen, and Google ADK, performs six structural checks, and compiles a seven-form temporal-policy DSL to DFAs for both static graph×DFA product checking and runtime monitoring. On a curated benchmark of 18 workflows, 27% contained structural defects such as dead ends or unreachable exits, 55% violated a human-gate policy when enforced, all 15 temporal policies fit within the DSL fragment, and verification remained sub-second for graphs up to 5,000 nodes (Xavier et al., 20 Mar 2026).
AgentRFC moves the same logic to protocol design. It defines the six-layer Agent Protocol Stack, formalizes 11 agent-agnostic security principles as TLA+ invariants, and implements AgentConform, a two-phase conformance checker that extracts normative clauses into a typed Protocol IR, compiles them into TLA+ models, model-checks them against the invariants, and then replays counterexample traces against live SDKs. The paper reports 37 normative clauses extracted across 8 MCP documents, 33 spec-level violations across 5 protocols × 11 principles in Phase 1, 20 composition-safety violations across five composed models, and 42 replay tests against SDKs and servers (Zheng et al., 25 Mar 2026).
In a distinct but related sense, proof-producing agents are Agentproof because their outputs are accepted only after mechanical verification by a proof assistant. Prover Agent coordinates an informal reasoning LLM, a Lean formal prover, and an autoformalizer that turns natural-language lemmas into Lean declarations. On MiniF2F-test it achieved 86.1% with 2000 samples, corresponding to 210/244 problems, with lower-budget results of 84.0% at 400 samples, 80.7% at 100 samples, and 61.5% at 1 sample; the key mechanism is verified auxiliary lemma generation followed by Lean-checked synthesis (Baba et al., 24 Jun 2025).
AutoRocq applies the same agentic-prover pattern to program verification with Rocq. It models proof search as iterative interaction with the theorem prover, using Search/Print/Locate/About/Check queries, proof-tree management, and error-driven repair. Reported results were 319/625 proofs on CoqGym and 198/641 on SV-COMP lemmas, with average successful-proof time on SV-COMP of 21.3s; the paper positions this as a route toward a generate-and-validate loop for trusted automatic programming (Tu et al., 21 Nov 2025).
These systems differ in target—workflow topology, protocol semantics, mathematical theorems, or program obligations—but they share the same Agentproof move: unsafe or incorrect behavior is shifted from an empirical judgment problem into a formal verification problem over graphs, invariants, or proof terms.
6. Evaluation infrastructures, operational detection, and unresolved limits
Agentproof research is accompanied by a parallel effort to make evaluation itself auditable and adversarial. ProofAgent Harness does not define the term Agentproof, but it operationalizes a closely related objective: scalable, evidence-backed assessment of multi-turn agent behavior under pressure. Its Adversarial Multi-Juror Scoring with Turn-Level Audit combines a Planner, a Conductor that generates adversarial turns, multiple juror personas, consensus strategies, and evidence-linked reporting. In the reported experiments, each run used 25 adversarial turns; for GPT 5.5 agents, the asymmetric local-harness regime differed from the symmetric large-harness regime by +0.50 median across domains, while customer support showed a +2.40 calibration outlier that required symmetric rescoring; the paper argues that evaluation capability emerged from the full harness pipeline rather than from model scale alone (Bousetouane, 22 May 2026).
At enterprise scale, ADR treats Agentproof as observability plus detection-and-response over MCP ecosystems. It combines high-fidelity telemetry reconstruction, offline evolutionary red teaming, and a two-tier online detector. Deployed at Uber for over 10 months, ADR processed \>10,000 agent sessions daily across 7,200+ unique hosts, uncovered hundreds of credential exposures across 26 categories, and achieved 97.2% precision in a shift-left prevention layer with 206 true positives and 6 false positives. On ADR-Bench it reported Precision 1.000, Recall 0.667, F1 0.800, and false positive rate 0.000; on AgentDojo it detected all attacks with Precision 0.927, Recall 1.000, and three false alarms out of 93 tasks (Li et al., 17 May 2026).
Despite these advances, the literature repeatedly states limits that bound what Agentproof can mean in practice. Structural prompt-injection defenses do not automatically solve same-observation pollution, content-channel harms in permitted content fields, or tool-selection attacks that use trusted constants (Wang et al., 26 May 2026, Fan et al., 11 May 2026). PACT identifies the remaining bottleneck as provenance inference and contract synthesis, reporting 87.1% role accuracy and 77.4% provenance accuracy on 20 MCP tools for the automatic pipeline rather than at oracle level (Fan et al., 11 May 2026). Sello explicitly leaves suppression attacks, service collusion, and completeness of log query results unresolved (Figuera, 2 Jun 2026). Agentic Witnessing inherits TEE side-channel risks and, in remote-LLM mode, a privacy trade-off in which selected artifacts are shared with the model provider (Rowstron, 27 Apr 2026). ePCA proves only that no action violating the encoded axioms executes; omitted invariants or an environment model that fails to capture a safety-critical attribute remain out of scope (Wu et al., 28 May 2026). VET achieves host-independent authentication of outputs, but not yet full host-independent autonomy against suppression, timing, or side-channel influence (Grigor et al., 17 Dec 2025).
A plausible implication is that Agentproof is converging toward a layered doctrine rather than a single defense. Structural isolation constrains what untrusted content can influence; provenance and authorization alignment constrain where values may come from; receipts and attestations make claims externally checkable; TEEs and zero-knowledge systems preserve confidentiality; static analysis and theorem provers supply mechanically checked guarantees; and adversarial evaluation plus protocol conformance testing measure the residual attack surface before deployment. The literature therefore treats Agentproof not as an absolute state, but as a design program for converting agent security and accountability from informal trust into enforceable architecture, replayable artifacts, and formal invariants (Cheng et al., 13 Mar 2026, Kadaboina, 19 May 2026, Zheng et al., 25 Mar 2026, Xavier et al., 20 Mar 2026).