Concept exploration · sovereign AI agents
Making invisible trust legible
A sovereign agent is about to move $42,000 of your money inside a confidential enclave you can't see into. The hardware protections are real, but you can't see them working. This is the gap I wanted to design for: taking cryptographic attestation and an agent's background activity and making them something a person can actually read and check.
Atlas runs on its own › it pauses on a high-stakes move › you review the proof and decide
1 action needs your approval — Atlas is holding a $42,000 rebalance above your trust threshold.
Atlas portfolio agent
Mandate · keep stablecoin ratio at 60% · rebalance when drift > 5%
Attestation Shield
Verified enclave
Attested 4s ago
This agent is provably running the exact published code, inside sealed hardware. The host platform cannot read its memory, and neither can the machine's owner.
- Enclave: Intel TDX · NVIDIA H100 CC
- Code hash: matches build atlas‑v2.3.1
- Root of trust: hardware-signed quote
- Compute: attestable GPU · confidential pool
TEE attestation quote — TDX_QUOTE v4 · the status quo a user is handed today
04 00 02 00 81 00 00 00 00 00 00 00 939a72 5c8b...
mr_enclave : 7f3a9c2e1b8d4f6a05e7c9b2a14d8e6f3c0b9a7d
mr_signer : c1d2e3f4a5b60718293a4b5c6d7e8f90a1b2c3d4
report_data: e9f8a7b6c5d4e3f201928374655a6b7c8d9e0f1a
tcb_status : UpToDate
debug_flag : 0
xfam : 0xe7
qe_vendor : 939a7259-4c8b-...-NVIDIA-CC-H100-attest
sig (ecdsa-p256): 3045022100b8...0220431c... [VALID]
This is technically complete, but no person can read it. The Shield is what you see by default, and this raw proof stays one click away for an engineer who wants to verify it.
Note 2 · Attestation Shield
- Decision: Lead with a simple verdict that the agent is verified, and keep the raw cryptographic proof (the TEE attestation quote) one click away.
- Why: The hardware guarantee is real but invisible. Most people just need to know it checks out. An engineer wants to read the actual proof. The same data serves both.
- Trade-off: Simplify too much and people stop believing the simple version. So the real proof stays one click away and never gets buried.
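An added example, not code from this concept: one way the Shield's one-line verdict could be derived from the raw quote fields so that it fails closed. The policy object, function names and the 60-second freshness window are assumptions; field names follow the quote dump above, and signature verification is assumed to happen in a separate quote-verification step.

```javascript
// Added example: fail-closed verdict for the Attestation Shield.
// Field names follow the quote dump on this page; POLICY, the function
// names and maxAgeMs are assumptions made for illustration.

// Pinned policy for the published build (measurement taken from the page's sample quote).
const POLICY = {
  mrEnclave: "7f3a9c2e1b8d4f6a05e7c9b2a14d8e6f3c0b9a7d",
  allowedTcb: ["UpToDate"],
  maxAgeMs: 60000, // assumed freshness window
};

// Parse "key : value" lines of the human-readable dump into an object.
function parseQuoteFields(text) {
  const fields = {};
  for (const line of text.split("\n")) {
    const m = line.match(/^\s*([a-z_]+)\s*:\s*(\S+)/);
    if (m) fields[m[1]] = m[2];
  }
  return fields;
}

// sigVerified must come from a real quote-verification step (signature and
// certificate chain). The "[VALID]" text in a dump is only a display label.
function shieldVerdict(fields, sigVerified, attestedAtMs, nowMs, policy = POLICY) {
  const failures = [];
  if (sigVerified !== true) failures.push("signature not verified");
  if (fields.mr_enclave !== policy.mrEnclave) failures.push("code hash does not match build");
  if (!policy.allowedTcb.includes(fields.tcb_status)) failures.push("TCB status not accepted");
  // A missing field counts as a failure: unknown is never shown as verified.
  if (fields.debug_flag !== "0") failures.push("debug mode enabled or unknown");
  const age = nowMs - attestedAtMs;
  if (!(age >= 0 && age <= policy.maxAgeMs)) failures.push("attestation stale");
  return { verified: failures.length === 0, failures };
}

// Constructed sample input, using values shown in the quote on this page.
const SAMPLE = `mr_enclave : 7f3a9c2e1b8d4f6a05e7c9b2a14d8e6f3c0b9a7d
tcb_status : UpToDate
debug_flag : 0`;
```

The `failures` list is what the one-click detail view can show next to the raw quote, so the simple verdict and the proof never disagree.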
What Atlas is doing
- 09:42 · Holding for your approval — high-stakes intent. Swap $42,000 USDC → ETH to correct a 7% drift. Above your trust threshold, so Atlas paused itself.
- 09:41 · Sourced the best route. Put the intent to 3 competing solvers; best quote 0.21% slippage, gas abstracted. [Intent]
- 09:41 · Detected drift. USDC ratio climbed to 67% — past your 5% rebalance band.
- 08:15 · Paid for its own inference. Spent $4.10 on confidential inference. Below threshold — auto-approved, logged for you. [Ambient]
09:42:07.331 INFO intent.submit id=0x9af… kind=SWAP in=USDC out=ETH amt=42000.00 maxSlip=0.003
09:42:07.332 WARN policy.gate THRESHOLD_EXCEEDED limit=1000.00 → state=AWAIT_HUMAN
09:41:58.004 INFO solver.bid n=3 best=0xsolv2 quote.slip=0.0021 gas=ABSTRACTED
09:41:57.991 INFO intent.route candidates=[0xsolv1,0xsolv2,0xsolv7]
09:41:55.120 INFO rebalance.trigger ratio=0.67 band=0.05 drift=0.07
08:15:02.778 INFO billing.charge svc=inference amt=4.10 enclave=tdx attest=OK auto_approve=1
08:15:02.001 INFO attest.verify mr_enclave=7f3a… tcb=UpToDate sig=VALID
Note 3 · Activity
- Decision: Show what the agent is doing in plain language, its intent, instead of raw logs. The technical trace is one toggle away.
- Why: The hard part of agentic UX is letting someone follow what their agent did without burying them in output. Plain language matches how people think. Logs are for machines.
- Trade-off: A plain summary can skip edge cases, so the raw-log toggle stays available for power users and debugging.