Building Trust Infrastructure for Agentic AI
Chris Riley / Jun 18, 2026
Chris Riley is the executive director of the Data Transfer Initiative.

In this photo illustration, the logo of open-source AI agent OpenClaw is displayed on a smartphone screen on March 9, 2026 in Beijing, China. (Photo by VCG/VCG via AP)
“Agentic” is unquestionably the buzzword of 2026. Startups and tech behemoths are racing to build the most hands-off technology futures possible, even as public and policymaker response remains muted where not overtly hostile. The result is a substantial governance debt—and the currency at stake is trust.
I have oriented my professional career around advancing the open internet. A formative portion of it was on net neutrality, ensuring that telecom operators do not discriminate in the quality of packet delivery based on the source or service of the data. I’ve also worked on intellectual property, internet censorship, competition, and a variety of other issues that relate to whether or not people are empowered to create and use technology and the internet as they see fit, without any undue friction.
But “open” can also mean “risky.” At the network layer, routers and other devices have security filters that can catch some harmful traffic, but not all. At the device layer, operating systems do their part as well, and within that, app stores and other pathways by which users select the software and the tools to which they trust their online experiences and their personal data. Privacy and security can absolutely go hand-in-hand with openness, but it takes a little of the right kind of friction, and a lot of behind-the-scenes work and infrastructure to establish and maintain trust.
The AI landscape today feels remarkably open, particularly when compared to many other technology paradigms at similar points in their history. Market shares are not set in stone, competition is intense, and the paradigms and value propositions change in the blink of an eye. Intermediaries allow multiple models to be used within the same frameworks and user-facing platforms, for a range of purposes. And while there’s still a hot news cycle whenever a frontier lab drops its latest model with updated leaderboard rankings on various performance metrics, the greater narrative has moved beyond the engine itself to the surrounding ecosystem: the agentic universe.
In November 2023, I predicted that the core engines of AI would increasingly become commoditized, and what would matter would be who had access to users’ personal data, increasingly the key to value generation. Three years later, I am certain this is the case. And the work of the organization I lead, DTI (Data Transfer Initiative), remains focused on empowering people to use their data safely and securely where they choose—in all contexts, including when using AI.
The agentic shift of the AI conversation has shined a spotlight on the value of personal data for an audience far bigger than the usual portability crowds. It’s technically and practically different from the original generative AI conversation, where bulk training data and massive models produced the key value. Now, it is less the model you run (though it still matters) and more whether your agent can manage your finances, your email, your digital life that determines whether it is useful to you, or whether it becomes just another icon on your phone that you tried once and abandoned.
One tool in particular, OpenClaw, blew the doors open on whether people would want to use agents in their day-to-day lives. The project started as a proactive digital assistant, a tool you run and give access to your services (and thus, crucially, your personal data) and ask to act on your behalf. It quickly became the most starred project on GitHub, and earned the backing of leading AI organizations OpenAI (which hired OpenClaw creator Peter Steinberger) and NVIDIA. Millions of people began using it, generating what many regarded as more tangible benefits from AI than any prior tool.
As significantly, OpenClaw’s emergence showed that incredible value can be created in the agentic AI ecosystem by anyone. Unlike many other technology contexts, vertical integration or deployment within a vertical stack run by an established, major company is simply not needed. The data is already accessible to the user through their machines, and the models are offered via APIs (not to mention the rich library of open weight models on Hugging Face). All it takes is handing over all your digital keys to a piece of software you just downloaded off the internet.
What we are beginning to learn today, and will continue to learn in the weeks and months to come, is that behind this wonderful open dynamic lies a broken governance system. It’s not a matter of a single weakness, although there are plenty of individual examples that can be cited. Rather, as the security platform Cyera put it: “What makes OpenClaw so dangerous is not a single exploit. It is the collapse of data governance boundaries across the entire AI agent lifecycle.” Or this compelling metaphor from Immersive: “Because OpenClaw requires deep integration into your messaging and file systems to be useful, you are essentially building a high-speed bridge for malware.”
It’s the combination of deep access to personal data and an open third-party ecosystem that makes this particularly alarming. Researchers looking at the ClawHub repository of OpenClaw skills and broader ecosystem agentic repositories have found between 12% and 20% of skills to be malicious—not merely insecure, but intentionally harmful. Little wonder security researchers at firms like Cisco call it “a security nightmare.”
And our legal system is not nearly equipped to step in. In several jurisdictions, including the European Union and United States, I see increasing awareness of security and safety considerations in models themselves. But agents are something else entirely. In the EU, the AI Act’s Article 73 requires incident reporting for high-risk incidents; as a Tech Policy Press piece noted, agentic AI constitutes a big gap in the framework. Another article, “The EU AI Act is Not Ready for Agents,” articulates five dimensions of shortcomings in the AI Act facing the agentic future: performance, misuse, privacy, equity, and oversight.
The agentic floodwaters are rising, and water is leaking through. How can we build a durable dam of greater trust? If we can’t create powerful enough screens and filters to identify and tag the harmful parts of the ecosystem—which seems like more of a certainty than an ‘if’—then our alternative is to whitelist those that we can trust.
The concept of trust in the AI ecosystem is complex and nuanced. The George Washington University professor David A. Broniatowski articulates four separate views on trust: technocratic, in which trust is a metric to optimize; relational, emergent through social cohesion and structure; pragmatic, built on institutions and established practices; and critical, viewing trust through the lens of political and/or economic power. Through this lens, the trust gap in agentic AI I’ve been describing is pragmatic. After all, relational trust seems present with public willingness to try OpenClaw and similar technologies in the absence of metrics or infrastructures or laws that protect their interests.
What’s missing, therefore, is trust infrastructure: boring, ordinary, transparent, effective institutions that test and validate trust on behalf of people, and create a world where normal users of agents don’t have to think or worry about it, and can take advantage of the upsides of an ecosystem with a baseline of protection from the concomitant risks.
That takes a lot of pieces. And there are efforts working on some of them. For example, the ARIA protocol promises robust and unique identification of agents, and tools to ensure they are fully and validly authorized by users to take actions.
An occasional (though some might say persistent) myopia within the technology world is an assumption that the special circumstances of the present moment dilute, or defeat, lessons from past practice—that everything is new and a greenfield solution is called for. What, really, is different in the agentic AI context in terms of trust and the flow of personal data? Speed and reduced friction of development, deployment, and adoption is a clear change. But the abstract architectures and responsibilities are the same. Someone, person or entity, produces and ships a piece of software; that software communicates over the internet to a source of personal data; and a user authorizes the source of that data to make it available to the software, which uses it in some manner, including potentially passing it along to other software.
We need to be able to identify this processing software and ensure that it is properly authorized by a user. And we need to be able to ensure that the ways in which it handles that data once received are acceptable. We need to know the entity behind the software and how it built the software’s data processing—what its privacy policy is, what its security methods are, how it communicates through the software or otherwise to the user what it will do with the data.
These are the core questions behind DTI’s Data Trust Registry. We built DTR for the context of data portability, which is nominally orthogonal to the agentic AI ecosystem. But more and more, we are seeing in agentic AI the emergence of the same challenges of trust as in any software or services that handle personal data at a user’s request. And we see the same need for public, open, transparent, accountable infrastructure to establish and maintain trust. So let’s build the dam we need, to protect people and to set agentic AI up for success or failure on its capabilities rather than its most obvious risks.