The Trust That Was Decomposed Into Six

A late-June arXiv preprint from a Shanghai Jiao Tong team proposes a collaboration infrastructure for autonomous research agents that quietly does something the deployed agent stack has so far refused to do. It names six things trust is, and it instruments each of them separately.

The paper, titled Clarus: Coordinating Autonomous Research Agents toward Web-Scale Scientific Collaboration, was submitted on June 29 by eighteen authors. On the surface it reads as another agent-orchestration framework. Beneath the surface it is a structural argument about where governance has to live when an agent stops being a single program and starts being a participant in a process.

What the paper actually proposes

Clarus defines a four-layer collaboration infrastructure. From top to bottom: a Research Application layer where the goal lives, a Digital Collaboration layer where the agents coordinate, a Physical Substrate layer where the compute and storage actually run, and a Physical World layer for instruments and laboratories. The agent in this framing is not the program. The agent is a participant. A participant can be an AI system, a human researcher, a team, a laboratory, or an organization-backed actor.

Inside this stack the paper does something the agent-card literature has not done. It decomposes trust into six independently checkable categories: identity, capability, permission, process, artifact, and credit. Identity asks whether the participant is who the registry says it is. Capability asks whether the participant can actually do what its profile claims. Permission asks whether the participant is authorized for the specific action being attempted. Process asks whether the action followed the agreed protocol. Artifact asks whether the output is what it purports to be. Credit asks whether attribution is recorded correctly.

The deployed agent stack as of late June 2026 attests roughly one of these. The agent card attests identity. Capability is asserted by the model card and not verified at runtime. Permission is attested by the OAuth scope and not verified against the action. Process is not separately attested at all. Artifact is attested only when an external signing layer happens to wrap the output. Credit is attested by whoever publishes the result, which in agentic systems is increasingly no one in particular.

The audit agent is structurally separated

The second move in the paper matters as much as the first. Clarus assigns audit to a separate agent. The audit agent compares the planned execution to the actual execution, checks artifact quality, checks provenance completeness, and checks evidence sufficiency. When abnormal collaboration patterns appear, it triggers renegotiation, human review, or task reassignment.

The deliberative actor and the auditor are different participants in the protocol. This is a structural separation that mirrors how human research collaborations work. The reviewer is not the author. The auditor is not the analyst. The verifier is not the prover.

In most production agent deployments today, this separation does not exist. The agent that produces the output is the same agent that decides whether to log the output. The agent that runs the tool is the same agent that decides whether the tool call was in-scope. The single-agent assumption collapses author and auditor into one role, then asks the policy layer to absorb the collision.

The substrate is named

The third move is the layer naming itself. The Physical Substrate is named as a distinct governance object. It is not the agent. It is not the protocol. It is the compute, storage, and network resources the agent runs on. The paper treats the substrate as an independently governable resource, with its own resource-aware policy.

This composes directly with the Friday June 26 piece on the substrate around the agent and with the Monday June 29 piece on governing actions rather than agents. The trunk thesis has been: the agent is the visible artifact, the substrate around it is where the governance function has to be instrumented, and the action layer is where attestation has to attach. Clarus accepts that framing and adds a sixth category load on top: trust is not one signal. It is six signals, each of which has to be instrumented independently, and the existing stack instruments roughly one of them.

Why this matters for the deployment tempo

A research framework can name six trust categories on paper because the paper is not deployed. The deployment tempo, by contrast, is set by what production protocols actually attest. A2A, MCP, ACP, ANP, and the other emerging agent protocols collectively attest identity reasonably well and the other five categories barely at all. The June 27 AgentThread formal analysis of five agent protocols found that only one protocol enforces a security-relevant control in practice and that no protocol assigns enforcement responsibility for cross-protocol behavior. That finding sits exactly at the seam Clarus is naming. The protocols attest the identity. The cross-protocol composition does not attest the process, the artifact, or the credit.

The asymmetry shows up clearly in deployed systems. An agent presents a verifiable identity card. The action it takes leaves no verifiable trace. The output it produces is signed by no one. The attribution gets lost the moment the agent hands off to another agent. The substrate it ran on is invisible to the consumer of the result.

What the paper does not yet do

Clarus is a proposed infrastructure. It is not deployed at scale. The case study is a controlled paper-generation experiment, not a production rollout. The pluggable mechanisms are described as design points, not as battle-tested implementations. The six trust categories are a taxonomy claim, not a measurement against existing deployments. The proposed audit agent is a role in the architecture, not a regulated entity.

So the question the paper raises is not whether Clarus solves the problem. The question is whether the production agent stack will acquire the structural separation between author and auditor, the decomposition of trust into separately attested categories, and the explicit treatment of the substrate as a governance object, before the deployment tempo locks in a single-attestation pattern that the next round of regulatory instruments will then ratify.

What remains on the table

• Whether the six-category decomposition holds under adversarial inspection or collapses back into identity-plus-policy under deployment pressure.
• Whether the structural separation of audit agent from deliberative agent can be enforced at the protocol layer, or whether it remains an architectural recommendation that production deployments override for latency reasons.
• Whether the Physical Substrate layer becomes a regulatable object in any of the current draft instruments (the Five Eyes joint statement, the EU Digital Omnibus, the FAR Council acquisition rule), or remains a research framing.
• Whether the credit category becomes load-bearing once the first attribution dispute reaches a venue that has to rule on it.

The governance artifact, the agent card, is retained. The five governance functions the artifact does not separately attest, that is what the deployed instruments do not yet retain. The policy instruments and the deployment tempo are not aligned.