{"slug": "how-do-you-trust-an-ai-agent-with-your-money-you-don-t-you-check-its-receipt", "title": "How Do You Trust an AI Agent With Your Money? You Don't — You Check Its Receipt", "summary": "A developer built a cryptographically verifiable agent behavior system that produces tamper-proof receipts proving an AI agent followed approved rules. The demo uses standard hashing and signatures to catch rule swaps, edited steps, or forged receipts. The approach provides a safety net for increasingly autonomous agents without requiring trust in the agent itself.", "body_md": "*Cryptographically verifiable agent behavior: swap, edit, or forge a step and it's rejected.*\n\n**TL;DR:** As we let AI agents do real things (issue refunds, move data, call APIs), \"just trust it\" stops being good enough. The fix: the agent hands you a tamper-proof **receipt** that proves it followed the *approved* rules and didn't fake anything. I built a demo — change the rules, edit a step, or fake the signature, and the check fails every time. ~120 lines, normal everyday crypto, no API key.\n\nYou're about to let an agent issue refunds, move files, or hit your production APIs. How do you *actually know* it followed the rules you approved — and not some changed version? And how do you know the log it gives you afterward wasn't edited?\n\nRight now, the honest answer is usually: you don't. You trust the logs. 
But logs can be edited, the rules an agent runs can be quietly swapped, and a compromised agent can claim it did one thing while doing another.\n\nThe 2026 fix is called **verifiable agent behavior** (the research term is \"zkML\"): the agent produces a tamper-proof receipt that proves it ran *exactly* the approved process — and *anyone* can check that receipt without having to trust the agent.\n\n| What happened | Result |\n|---|---|\n| Agent ran the approved refund rules, honestly | ✅ ACCEPT |\n| Someone swapped in sneaky \"refund anything\" rules | 🚨 REJECT — rules don't match the approved ones |\n| Someone edited a step (turned a $40 refund into $5000) | 🚨 REJECT — receipt doesn't add up |\n| Someone faked the receipt without the secret key | 🚨 REJECT — signature is invalid |\n\nOnly the honest run passes. Every kind of cheating gets caught.\n\nThree normal building blocks, no magic:\n\n**A fingerprint of the approved rules.** Run the rules through a hashing function and you get a short, unique fingerprint. Anyone can fingerprint the *approved* rules and compare — if the agent used different rules, the fingerprints won't match.\n\n**A receipt you can't edit.** Every step the agent takes is chained together so each step depends on all the steps before it. Change any one step and the whole thing stops adding up — like a tamper-evident seal:\n\n```\nseal = fingerprint(rules)\nfor step in steps:\n    seal = hash(seal + step)   # each step folds into the seal\n```\n\nTo verify, you just redo all three and ask: *Did it use the approved rules? Is the receipt intact? Is the signature real?* All three have to pass.\n\nEvery other post in this series makes agents *more independent* — they rewrite their own code, sleep, model other people, get curious. 
This one is the safety net for all of that: **independence without a way to check up on it is a liability.**\n\nThe more power we hand to agents, the less we can afford to just trust them — and the more we need a way to check them.\n\nThe end goal of the real research is even stronger: prove an agent followed the approved rules **without re-running it and without exposing any private data or secret model.** That lets two companies trust each other's agents — yours proves it behaved, mine checks the proof, and neither of us has to reveal our secrets.\n\n```\ngit clone https://github.com/Shridhar-2205/living-software\ncd living-software/05-verifiable-agent\npython demo.py\n```\n\nHonest note: the real research uses heavier cryptography so the checker doesn't have to re-run anything and never sees the secret model. My demo re-checks a signed, sealed receipt instead — much simpler, and it shows the same payoff (cheat in any way ⇒ rejected) so you can feel what \"verifiable behavior\" actually buys you. It uses only standard, modern hashing (SHA-256), and the \"secret key\" is an obvious fake, never a real credential.\n\n**Shridhar Shah** — Senior Software Engineer on the AI team at Cisco. Part 5 (the finale) of *Toward Living Software*.\n\nBackground: \"zkML\" / verifiable inference — proving an AI model ran exactly as claimed. See \"Verifiable evaluations of machine learning models using zkSNARKs\" ([arXiv:2402.02675]) and the survey \"Zero-Knowledge Proof Based Verifiable Machine Learning\" ([arXiv:2502.18535]). 
Tools like [EZKL] do this for real ONNX models today.", "url": "https://wpnews.pro/news/how-do-you-trust-an-ai-agent-with-your-money-you-don-t-you-check-its-receipt", "canonical_source": "https://dev.to/shridhar_shah2297/how-do-you-trust-an-ai-agent-with-your-money-you-dont-you-check-its-receipt-38ff", "published_at": "2026-06-27 21:53:20+00:00", "updated_at": "2026-06-27 22:36:04.701755+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "developer-tools", "machine-learning"], "entities": ["Shridhar Shah", "Cisco", "SHA-256", "zkML", "GitHub"], "alternates": {"html": "https://wpnews.pro/news/how-do-you-trust-an-ai-agent-with-your-money-you-don-t-you-check-its-receipt", "markdown": "https://wpnews.pro/news/how-do-you-trust-an-ai-agent-with-your-money-you-don-t-you-check-its-receipt.md", "text": "https://wpnews.pro/news/how-do-you-trust-an-ai-agent-with-your-money-you-don-t-you-check-its-receipt.txt", "jsonld": "https://wpnews.pro/news/how-do-you-trust-an-ai-agent-with-your-money-you-don-t-you-check-its-receipt.jsonld"}}