The Router That Was Trust-Native
A June 14, 2026 arXiv paper names the routing infrastructure itself as a trust surface and demonstrates a three-protocol construction that closes three different gaps at once. The construction is service-provider transparent. The institutional record does not yet name routing-layer trust as a category. The shape of the standards work that would name it is now visible.
On June 14, 2026, Qi Li, Zhenhua Zou, Shuo Li, Mingwei Xu, and Zhuotao Liu posted "TrustedARI: Towards Trust-Native Agentic Routing Infrastructure for Agentic AI" to arXiv. The paper sits in the same threat-model neighborhood as the AEGIS work on attested LLM API routers reviewed elsewhere in this archive, but it answers a different question with a different toolkit. Read together, the two papers describe two complementary postures for the same surface. Read separately, the TrustedARI paper makes claims the AEGIS paper does not, and those claims have governance implications that have not yet been named.
The structural claim is direct. The Agentic Routing Infrastructure, the paper writes, "obtains plaintext access to agent queries and service responses, while leaving agents unable to verify that their queries are routed to intended service providers or that requests and responses remain untampered." The architecture as deployed today exposes three things at once. The routing layer sees the plaintext. The agent cannot confirm the destination. The agent cannot confirm the integrity of what comes back. Each of the three is a separable trust gap. The paper names a separate construction for each.
The first construction is the ARI-adapted three-party TLS handshake. The handshake binds the agent, the routing layer, and the service provider into a single authenticated session, with role-specific distribution of TLS key materials. The agent and the routing layer jointly authenticate the service provider. The construction reduces communication overhead by 39.34 percent compared to the existing three-party TLS handshake. The number matters because it removes the performance argument against deploying three-party authentication in the agentic-routing path.
The second construction is the privacy-preserving query-construction protocol. The protocol allows the agent and the routing layer to "collaboratively construct well-formed queries without exposing their respective private inputs." The agent contributes the query body. The routing layer contributes the routing metadata. Neither side sees the other's input in plaintext. The overhead is reported as 0.19 seconds of computation and 0.58 megabytes of communication per query. The number matters because it removes the performance argument against deploying a privacy boundary inside the routing layer.
The third construction is the verifiable billing protocol. The protocol "supports fair usage-based settlement while preserving the integrity and confidentiality of service responses." The settlement record can be checked by a third party without exposing the response. Proof generation is 28.20 times faster than the baseline. The number matters because billing is the operational artifact that aligns the incentives of every party on the routing path, and a verifiable settlement record is the artifact that makes the alignment auditable.
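An added illustration of the property in the paragraph above, a settlement record that a third party can check without seeing the response. This is not code from the TrustedARI paper and does not reproduce its proof system: it swaps in a salted hash commitment and a hash-chained log. It assumes usage is billed in response bytes and that the agent has acknowledged the chain head out of band; all function and field names are hypothetical.

```python
import hashlib, hmac, json, secrets

GENESIS = "0" * 64  # constructed anchor for the first record

def commit(response: bytes, salt: bytes) -> str:
    # Salted SHA-256 commitment: hides the response, binds the record to it.
    return hashlib.sha256(salt + response).hexdigest()

def record_digest(rec: dict) -> str:
    body = {k: rec[k] for k in ("seq", "units", "commitment", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log: list, response: bytes) -> bytes:
    # Assumption: usage is billed in response bytes. Returns the salt,
    # which the agent keeps so it can open the commitment in a dispute.
    salt = secrets.token_bytes(16)
    rec = {"seq": len(log), "units": len(response),
           "commitment": commit(response, salt),
           "prev": log[-1]["digest"] if log else GENESIS}
    rec["digest"] = record_digest(rec)
    log.append(rec)
    return salt

def audit(log: list, invoiced_units: int, agreed_head: str) -> bool:
    # Third-party check using only the log: chain is intact, ends at the head
    # the agent acknowledged, and the invoice equals the logged usage.
    prev = GENESIS
    for i, rec in enumerate(log):
        if (rec["seq"], rec["prev"], rec["digest"]) != (i, prev, record_digest(rec)):
            return False
        prev = rec["digest"]
    return prev == agreed_head and sum(r["units"] for r in log) == invoiced_units

def open_dispute(rec: dict, response: bytes, salt: bytes) -> bool:
    # Dispute path only: the revealed response must match the commitment
    # and the units that were billed for it.
    matches = hmac.compare_digest(rec["commitment"], commit(response, salt))
    return matches and rec["units"] == len(response)

if __name__ == "__main__":
    log = []  # constructed sample responses
    salt0 = append(log, b"response-one")
    append(log, b"second response")
    head = log[-1]["digest"]
    print(audit(log, 27, head), open_dispute(log[0], b"response-one", salt0))
```

The routine audit never touches a response. A response is revealed only when a single record is disputed, and the billed unit count necessarily discloses the response length.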
The paper closes with a deployment property. The construction "is readily deployable without any modification to the service providers." The agent side and the routing layer change. The service provider does not.
What the paper makes legible at the governance layer
The agentic AI debate has produced four distinct framings of the routing surface, and the TrustedARI paper is the first to bind them together at the protocol layer.
The first framing is attestation. The AEGIS paper, reviewed elsewhere, treats the router as an untrusted intermediary that must be measured before plaintext crosses it. The defense is hardware enclaves and client-side verification of the measured image. The threat model is a malicious or compromised router.
The second framing is identity. The Anthropic Frontier Red Team mapping of agentic attacks to MITRE ATT&CK and the recent NIST PIV PQC updates treat the agent and the credential as the trust anchors. The defense is cryptographically bound identity and time-bounded revocation. The threat model is a compromised or impersonated agent.
The third framing is supply chain. The G7 Cybersecurity Declaration commitment to a software bill of materials for AI and the CISA Binding Operational Directive 26-04 treat the artifact composition as the trust evidence. The defense is documented dependencies and patch obligations. The threat model is a supply-chain compromise upstream of deployment.
The fourth framing is privacy. The EU AI Act and its Code of Practice for general-purpose AI treat user input as a regulated artifact. The defense is data minimization, purpose limitation, and disclosure. The threat model is unauthorized exposure or repurposing.
The TrustedARI paper names a construction that addresses three of the four at once, at the protocol layer, on the agentic-routing path, with reported overhead numbers that remove the performance arguments. The three-party handshake addresses the identity framing on the routing path. The privacy-preserving query construction addresses the privacy framing on the routing path. The verifiable billing addresses the supply-chain framing on the routing path, by making the settlement record itself an auditable artifact.
The attestation framing is the one TrustedARI does not address. That is the gap AEGIS fills. The two papers, read together, suggest that the routing layer is becoming a recognized governance surface in the way that the cryptographic module became a recognized governance surface in the 1990s.
What the construction demands of the institutional record
The TrustedARI construction does not require new research to be procurement-relevant. The three protocols have recognizable shapes in the standards record.
The three-party TLS handshake has institutional precedent in the IETF TLS 1.3 specification and in the work on delegated credentials. The procurement clause that would require role-specific key distribution on the agentic routing path has the same shape as the procurement clause that currently requires TLS 1.3 for federal traffic. The venue is the same.
The privacy-preserving query-construction protocol has institutional precedent in the NIST Privacy Framework and in the work on multi-party computation. The procurement clause that would require a privacy boundary inside the routing layer has the same shape as the procurement clause that currently requires data minimization for federal information systems. The venue is the same.
The verifiable billing protocol has institutional precedent in the audit literature on transaction integrity, in the FedRAMP continuous-monitoring posture, and in the working drafts on confidential computing. The procurement clause that would require verifiable settlement records on the agentic routing path has the same shape as the procurement clause that currently requires evidence of billing integrity for federal cloud contracts. The venue is the same.
None of the three protocols requires a research advance. Each has a recognizable shape in the standards record. The federal authority that publishes working drafts for TLS configuration has the standing to publish a working draft for agentic-routing-path key distribution. The federal authority that publishes working drafts for privacy controls has the standing to publish a working draft for query-construction privacy boundaries. The federal authority that publishes working drafts for FedRAMP cloud requirements has the standing to publish a working draft for verifiable settlement on agentic routing paths.
The move, in each case, is to open the venue.
What would close the gap
The TrustedARI paper provides a concrete answer for one architectural surface. The procurement clause that would invoke it would name four things together.
It would name the routing-layer identity surface. A clause that requires three-party authentication on the agentic routing path can be written today. The TrustedARI handshake provides one concrete shape. The IETF TLS posture provides the venue.
It would name the routing-layer privacy surface. A clause that requires a privacy boundary inside the routing layer can be written today. The TrustedARI query-construction protocol provides one concrete shape. The NIST Privacy Framework posture provides the venue.
It would name the routing-layer settlement surface. A clause that requires verifiable billing records on the agentic routing path can be written today. The TrustedARI billing protocol provides one concrete shape. The FedRAMP continuous-monitoring posture provides the venue.
It would name the routing-layer attestation surface. A clause that requires hardware attestation of the routing layer's data path can be written today. The AEGIS paper provides one concrete shape. The FIPS 140-3 posture provides the venue.
The four surfaces compose. The same agentic routing path that an agent traverses on every call can be specified in a single procurement instrument as a four-property artifact: authenticated, privacy-bounded, settlement-verifiable, and attested. Each of the four properties has at least one concrete construction in the published research record. None of the four requires research to be procurement-relevant. The instrument that combines them has not been written.
What remains on the table:
- If the three-party TLS handshake reduces communication overhead by 39.34 percent compared to the prior baseline, what is the institutional argument against requiring three-party authentication on the agentic routing path?
- If a privacy-preserving query-construction protocol adds 0.19 seconds and 0.58 megabytes per query, what is the institutional argument against requiring a privacy boundary inside the routing layer for federally regulated workloads?
- If a verifiable billing protocol accelerates proof generation by 28.20 times, what is the operational meaning of a procurement clause that requires billing integrity for federal cloud contracts but does not require verifiable settlement on agentic routing paths?
- If the four routing-layer surfaces compose into a single four-property procurement instrument and each property has a published construction, which institution has standing to open the venue that would specify the instrument?
The policy instruments and the deployment tempo are not aligned. The routing surface has been named at the protocol layer. The constructions are deployable without service-provider modification. The procurement instrument that would invoke them has not yet been written.