Trust Scoring a Probabilistic Subject
Stacked Zero Trust: Post 8 of 13
Post 7 was about identity. This one is about trust, although the two are closer together than they first appear.
An agent can have a perfectly valid identity and still be in a state that warrants less trust at the moment it makes a request. It may have drifted from its intended task, be operating on poor information, or be halfway through an injection attempt that has not yet produced an obviously bad outcome. The trust algorithm has always wanted to account for that kind of uncertainty. For human users and workloads it has developed a reasonably workable set of tools for doing so. Agents create a different problem, because many of those tools are not merely imperfect in this context but built around assumptions the subject no longer satisfies.
This post is really about those assumptions, how they fail, and what has to change once the subject becomes probabilistic.
What trust scoring quietly assumes
A risk score, in the trust algorithm’s traditional shape, expresses how much the system currently trusts a subject. It folds together identity confidence, device posture, behavioural baseline, contextual factors such as time and location, and threat intelligence into a number, or more often a band, that the policy engine consults when deciding whether to grant access, require step-up authentication, or block.
Traditional trust scoring assumes there is a meaningful baseline of normal against which deviation can be measured. For users that baseline comes from history. For workloads it comes from deterministic function. In both cases deviation matters because normality itself is relatively stable. It also assumes the subject’s current condition is broadly knowable. Identity, posture, recent behaviour and context provide a picture that, while incomplete, is usually sufficient to support a decision.
Beneath both of those sits a third assumption that often goes unnoticed. The score is expected to be calculated at discrete moments, attached to a request, and treated as sufficient for the policy decision that follows.
Agents challenge all three assumptions simultaneously, and the effect is cumulative rather than independent.
The baseline problem
An agent doesn’t have a stable baseline in the sense the older subjects do — Post 2 made that argument, so I won’t repeat it here. What matters is what the absence of that baseline does to the score itself.
If the legitimate behavioural envelope of an agent is wide and shifting, deviation becomes a weak signal. Tighten the envelope and the score trips constantly on legitimate behaviour, generating noise until operators either stop trusting it or disable it altogether. Widen it enough to accommodate legitimate variance and the opposite problem appears, because subtle influence remains comfortably within the boundary the score was designed to monitor. Either way, the value of the score begins to erode.
The instinct is often to abandon baselining altogether and fall back to static rules. The better move is to recognise that the wrong thing is being baselined.
Baselining the agent’s outputs is largely hopeless. Baselining the task the agent is performing is much more tractable. A “review supplier contracts” task has a structure, a sequence of activities, and an expected range of outcomes that can be observed across many executions. The useful comparison is not whether a particular agent is behaving like itself, but whether a particular task execution resembles other healthy examples of the same task.
That shifts what the score is even measuring. The traditional score asks whether a subject is behaving like itself, while the agentic score increasingly asks whether a task is behaving like a healthy member of its class. Those are different questions, built around different assumptions, and they produce different signals. The important thing is that tasks possess a degree of structure that agents often do not, which makes the second question considerably more achievable than the first.
The current-state problem
The difficulty begins with something that sounds deceptively simple: what exactly is the agent’s current state?
The model weights are largely static. The conversation history is not, and may contain everything the agent has processed so far, including adversarial input. There are tool calls, intermediate outputs, external data sources, and whatever interpretation the agent has placed on them along the way. None of that resembles the posture data the substrate is comfortable consuming, and very little of it fits neatly into a conventional trust-scoring model.
The older score can often be computed from a relatively small amount of state: who you are, where you are, what device you are using, and what you have done recently. The agent’s state is both richer and harder to access. Some of it is observable. Much of it is not.
That does not mean it is impossible to reason about. Recent tool calls are visible. Patterns in those calls can be analysed. Sudden divergence, unusual query sequences, unexpected resource access, or behaviour that no longer aligns with the task can all provide useful signals. The score has to become comfortable drawing inferences from behaviour because there is no posture API that exposes the underlying state in any complete way.
The consequence is that an agentic trust score is far more inferential than the substrate’s score ever needed to be. That sounds like a subtle distinction, but it changes the nature of the evidence being used and, with it, the kinds of mistakes the system will make. False positives look different. False negatives look different. Operators who have spent years learning how to interpret conventional trust scores will need to develop a different intuition for the agentic version. The transition is not free.
The discreteness problem
The third assumption, that scoring can happen per request, is probably the one that breaks most dramatically, and it has received surprisingly little serious attention.
A single agent task is typically a chain of operations. Scoring each one independently creates exactly the failure mode described earlier in the series: forty entirely plausible requests that, when viewed collectively, constitute a problem no individual request reveals.
The score has to become a property of the task in progress rather than a property of the current request. It needs to evolve as the task unfolds. It needs to rise or fall as more evidence becomes available. Most importantly, it needs to respond to the direction the task is taking rather than the isolated action currently in flight.
That is not a trivial engineering problem. Most policy engines are designed around discrete evaluations. Maintaining a continuous score for a task, updating it as activity accumulates, and allowing action to be taken mid-task, whether slowing the agent down, escalating to a human, or terminating execution altogether, requires infrastructure most environments do not yet possess.
Some vendors are building that capability now. Others are attaching the word agent to existing per-request scoring and hoping nobody looks too closely.
This is also where the buyer’s question becomes fairly straightforward. The issue is not whether a platform can generate a score but what unit the score is attached to. Can the platform maintain and evaluate trust continuously across a task in progress, or is it still evaluating isolated calls one at a time? A vendor that cannot answer those questions clearly is usually selling traditional trust scoring to a problem it was never designed to solve.
What a working agentic trust score looks like
By this point the shape of an agentic trust score starts to emerge.
It is no longer really about the agent as an isolated subject. The meaningful baseline sits at the task level, because tasks exhibit a degree of structure that agents themselves often do not. Equally, the score is built less from explicit state and more from inference. It draws conclusions from behaviour, tool usage, sequencing and context because the posture-style signals the substrate expects do not meaningfully exist.
Most importantly, it stops being something calculated per request. The score persists for the duration of the task and evolves with it, rising or falling as the overall trajectory becomes clearer. Whether the underlying platforms can actually deliver that capability is a separate question, and one where the reality remains uneven.
The purpose of defining the shape is not to claim implementation has caught up. It is to provide a way of evaluating products that claim to govern agents. The question organisations should be asking is therefore a simple one: does the platform’s trust-scoring model match the shape of the problem, or is it simply the older model with newer terminology wrapped around it?
What this means for the architecture
If all of that is true, the implications for the architecture are reasonably direct.
The mediator in layer two has to become something more capable than the substrate ever required. A trust score built around tasks rather than requests depends on maintaining context across the life of a piece of work, which means the mediator has to understand more than the action immediately in front of it. It has to maintain state across an agent’s working session, recognise changes in direction as they emerge, and intervene while the task is still unfolding rather than after the fact. Those are not optimisations or future enhancements. They are the conditions that make agentic trust scoring possible at all.
Following that through leads to a second consequence, which is that the cost of being wrong changes shape as well. Under the older model, a false positive often meant a request was challenged or denied. Annoying, certainly, but usually recoverable. Once the thing being scored is a multi-step task, an intervention that arrives at the wrong moment can have a much larger impact. The task may not resume cleanly. Context may be lost. Work that took minutes or hours to accumulate may disappear with it.
That makes the traditional allow-or-deny mindset look surprisingly brittle. Where the architecture permits it, graceful slowdown, increased scrutiny, or escalation to a human are often better responses than immediate termination, not because the score matters less but because the consequences of acting on it are no longer confined to a single request.
There is a third implication that is easier to overlook because the score itself becomes part of the attack surface. A scoring model built from observable behaviour can be studied, and a determined adversary will eventually start asking the same question defenders do: what behaviours attract attention, and which ones do not? Once that happens, influence does not have to bypass the score. It only has to remain within whatever tolerance the score allows while steering the agent towards a different outcome.
Trust scoring, in other words, becomes something that can itself be manipulated. That does not make the score useless any more than phishing made identity useless. It does mean mature implementations will need to treat aspects of the scoring model as sensitive, vary signals over time, and avoid exposing every decision factor to the thing being evaluated. The substrate rarely had to concern itself with subjects actively studying the scoring engine. Agentic systems almost certainly will.
One thing to take from this
Trust scoring a probabilistic subject is not a matter of taking the substrate’s model and adjusting a few thresholds.
The baseline moves from the agent to the task being performed. The evidence moves away from posture and towards behavioural inference. The score itself stops being a discrete judgement attached to a request and becomes a continuous assessment of where a piece of work is heading and whether it is still behaving as expected.
None of those changes exist because the substrate was poorly designed. They exist because the substrate was designed for subjects with properties that agents simply do not possess. The result is that trust scoring becomes a different kind of problem, one that depends as much on understanding tasks, trajectories and influence as it does on identity, posture or access rights.
That leaves an obvious question. If identity, trust scoring and governance all have to change to accommodate agentic subjects, what happens when regulators begin forming expectations around systems whose architecture is still evolving?
The next post turns to exactly that question, because in several places the regulatory conversation is now moving faster than the architectural one.
Post 8 of 13 in Stacked Zero Trust.
Previously: Post 7 - Identity for Agents Is Genuinely Unsolved.
Next: Post 9 - Stacked Zero Trust Meets the Regulators.
The reference document at the end of the series includes a fuller treatment of the agentic trust score, including the signal categories the mediator should be drawing on.
References drawn on in this post: NIST Special Publication 800-207, Zero Trust Architecture (August 2020), for the trust-algorithm and policy-decision-point model in which scoring sits; user and entity behaviour analytics as the established antecedent of behavioural risk scoring; the concept of task-relative baselining draws on principles from model monitoring and observability, where population comparison is standard practice.


