When a bank decides whether to lend you money, it doesn't interview your character witnesses. It looks at a score, a compression of years of observed behavior into a single comparable signal. Bond investors do the same thing with ratings, insurers with claims histories, courts with acts rather than thoughts. Wherever trust has had to scale beyond personal acquaintance, the same machinery appears: behavior, observed continuously, compressed into a number, maintained by someone independent of whoever is being scored.
Notice what that machinery has never included: access to anyone's mind. No credit score has ever read a borrower's intentions. Moody's has never audited a CFO's inner life. The telematics box in a car records braking, acceleration, and speed, and prices risk more accurately than a century of demographic proxies ever did, without knowing a single thing the driver was thinking. Behavior is not the fallback you settle for when intentions are unavailable. Behavior is the only thing that has ever been scored, because behavior is the only thing that ever causes damage.
This is the premise our product is named after. Today we're introducing the KYDE Trust Score, the behavioral rating computed by the Behavioral Firewall, for the newest category of economic actor that needs one.
Agents make behavioral scoring more necessary, not less
AI agents are probabilistic systems. The model underneath them changes monthly, their retrieval context shifts daily, and their behavior drifts gradually without any single event that would trigger an alarm. You cannot verify an autonomous agent the way you verify a boiler or a bridge, there is no inspection that guarantees future conduct of a system whose conduct is a distribution.
This is precisely the situation trust scores were invented for. You don't verify a driver either. You price their observed record. The entire insurance industry is built on the recognition that for non-deterministic actors, which is to say, all actors that matter, past behavior is the best available predictor, and continuous observation is the only honest basis for a rating.
Some approaches in this market focus on intent analysis, reasoning inspection, or semantic understanding of what the agent "really meant." While valuable for debugging, we believe that for compliance and risk management, this reverses the core requirement. A rating built on interpreted intentions is unauditable by construction, two evaluators can disagree about a motive forever, but they cannot disagree about whether an action violated a mandate. And it is vendor-dependent by construction, because reasoning lives inside the provider's cloud, in the provider's format, on the provider's word. A score you can take to an auditor, a regulator, or eventually an underwriter has to be built from what can be independently observed and cryptographically signed. That's behavior at the boundary. Nothing else qualifies.
What the score is computed from
The Behavioral Firewall sits at the boundaries the enterprise controls, and every action that crosses them feeds four inputs.
Identity. Is this a known agent, attributable, operating under a defined role? Self-hosted agents get a cryptographic identity per instance. Cloud-executed agents bind to what the enterprise actually issues, credentials, OAuth grants, connector authorizations. Enforceable and revocable, which is what an identity is for.
Mandate. Every agent and connector has a declared purpose. The firewall scores actions against it. A support connector authorized for ticket retrieval that initiates a bulk export of customer records has violated its mandate, a fact, established at the boundary, requiring no interpretation of anyone's inner state. Where KYDE also sits in the reasoning path, self-hosted agents routing through the proxy, the evaluation gets richer, drawing on causal context captured before each tool call. The scoring principle stays the same either way: actions against declarations.
Baseline. How does current activity compare with this agent's own established pattern, call volumes, endpoint sequences, cost profiles, timing? Drift is the earliest observable signal of compromise, misconfiguration, or goal hijacking, and it shows up in behavior long before any single action looks wrong.
Benchmark. How does this agent compare with anonymized peers in the same role class across the network? An invoice-processing agent behaving like an outlier against hundreds of comparable agents deserves scrutiny even when its own history is clean. Role classes matter, a coding agent and a CRM agent have structurally different baselines, the way a rating agency scores sovereigns differently from startups.
Coverage: the number behind the number
A score is a claim, and claims have denominators. A Trust Score of 89 computed on 95% of an agent's actions and one computed on 40% are different facts wearing the same clothes, so every KYDE Trust Score ships with a coverage figure: the share of the agent's observable activity that flowed through governed paths in the scoring window.
The topology of enterprise agents makes this figure non-trivial, and worth stating precisely. Agent runtimes are moving into vendor clouds, where reasoning, sub-agent delegation, and vendor-native SaaS-to-SaaS connector traffic remain fundamentally opaque to third-party monitoring by architectural design, us included. What remains fully in the enterprise's hands is the layer that was always the point: its own systems, credentials, and endpoints. Front those with the firewall and every action any agent takes against them, including agents running in clouds you will never see, is intercepted, evaluated, signed, and enforceable. No agent action against a system you control happens ungoverned.
The rest, vendor-internal flows, gets quantified, not ignored. The Coverage Report tells a CISO and a board exactly what share of their agent activity runs dark, converting an invisible exposure into a measurable, decidable one. And the regulation agrees with this division of labor: the EU AI Act and NIS-2 demand traceability of decisions and actions with effect, not thought protocols. The reasoning layer is the provider's obligation. The action layer, the one that carries liability, the one auditors examine, the one insurers will price, is the deployer's. That layer is ours, completely.
One architectural condition makes all of this hold, and it deserves naming before diligence names it for us: shadow agents. An agent handed direct credentials that bypass the governed endpoint runs outside the score and outside every control. Deny-by-default is therefore not a feature but the existence condition of the design, credentials to governed systems are reachable only through the governed path, because a boundary you can walk around is a suggestion.
Where the score goes
Today, the Trust Score is an operational instrument: drift detection for security teams, a quantitative basis for every allow/block/quarantine decision, and a defensible answer to a question boards have started asking, how much of our autonomous activity can we actually account for?
Its trajectory is the same one every trust score has followed. The credit score began as a signal a few lenders found more predictive than interviews; the institutional weight came after the predictive power was proven. For agents, the next institution is insurance, and the logic is already visible. Measurement turns an unpriceable distribution into a priceable fact, an unobserved agent fleet carries an uncertainty premium, not a risk premium, and telemetry converts one into the other. Prevention makes the fact smaller, deny-by-default caps the tail, because the catastrophic action can't execute. The sprinkler system and the telematics box, applied to a new kind of actor. We won't promise premium reductions before loss data exists to calibrate against; nobody in this market has that data at scale yet. We're building the score so that when insurers get there, the denominator question is already answered.
Why the network makes the score
A score computed on one company's agents is useful. A score computed across thousands of agents in comparable roles, across many organizations, is a different kind of asset, and structurally, only one position can produce it.
Every governed agent contributes anonymized behavioral metadata to a cross-customer benchmark layer: behavioral shape only, call patterns, drift rates, violation frequencies, cost envelopes per role class. No content, no prompts, no customer data. The more agents in the network, the sharper the peer baselines, the earlier an outlier surfaces.
A model provider sees only agents on its own models, and couldn't be the neutral scorer of its own outputs anyway, no bank rates its own bonds. A single enterprise sees only its own fleet. A vendor consortium fails for a plainer reason: Anthropic's logs, Microsoft's logs, and Google's logs have different schemas, different definitions, and each grades itself. The one point where every agent from every provider is measurable in the same currency is the boundary where actions meet the world.
Model providers naturally evaluate their own outputs in their own proprietary formats. We provide independent measurement of behavior, the only metric that exists identically across every provider, and the only one that ever deserved a score.
KYDE Trust Score
The KYDE Trust Score is computed by the Behavioral Firewall: independent, cryptographically signed telemetry, evaluated at the boundaries you control, always published with its coverage figure.
If you're an insurer, auditor, or certification body working on the confidence infrastructure for autonomous AI: hello@kyde.com