Agentic Commerce Trust Standard — Draft v0.6
Autonomous AI agent systems can now initiate and commit to financial transactions, accept contracts, disclose credentials, and take other consequential actions on behalf of human principals. Counterparties to these transactions need a way to verify that an agent operates within defined authority limits, maintains auditable behavioral records, and does not engage in conduct that undermines the integrity of the transaction.
Existing certification frameworks address software security, payments compliance, and AI system safety. None address agent fiduciary behavior: whether an agent stays within its authorized scope, handles adversarial inputs without compromising its principal, and produces records sufficient to reconstruct and audit its conduct.
This Standard defines the missing layer. It specifies behavioral requirements, test methods, and conformance criteria for AI agents operating in autonomous transaction environments.
This Standard applies to AI agent systems that satisfy one or more of the following:
For the purposes of this Standard, transaction means any of the following actions initiated or authorized by an agent on behalf of a principal:
An Agent is conformant with this Standard when it satisfies all applicable normative requirements at the Trust Tier level being claimed.
Certification is issued by Trustmybot.ai upon satisfaction of:
The canonical version of this Standard is identified by its Standard Hash — the SHA-256 hash of the normalized document text, anchored to the Ethereum mainnet. Any party may verify authenticity by computing the hash and comparing to the on-chain anchored value.
Chain anchoring: Ethereum mainnet (EIP-155 chain ID 1). Polygon PoS (chain ID 137) as designated fallback. 12-block confirmation required. ENS: tmbats.eth.
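The authenticity check described above (hash the normalized text, compare it to the anchored value, and trust the anchor only on the named chains with 12-block depth) as an added worked example in Python. This is not the Standard's reference code; the normalization rules, the `anchor` record shape and the sample document are assumptions made for the example.

```python
import hashlib
import hmac
import unicodedata

# EIP-155 chain IDs named on the page: Ethereum mainnet (primary), Polygon PoS (fallback).
PRIMARY_CHAIN_ID = 1
FALLBACK_CHAIN_ID = 137
REQUIRED_CONFIRMATIONS = 12


def normalize(text: str) -> str:
    """Text normalization ASSUMED for this example (the page does not spell out
    the Standard's normalization rules): Unicode NFC, LF line endings, trailing
    whitespace removed from every line, exactly one trailing newline."""
    text = unicodedata.normalize("NFC", text).replace("\r\n", "\n").replace("\r", "\n")
    lines = [line.rstrip() for line in text.split("\n")]
    return "\n".join(lines).strip("\n") + "\n"


def standard_hash(text: str) -> str:
    """SHA-256 of the normalized document text, hex-encoded."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def verify_anchor(text: str, anchor: dict, head_block: int) -> tuple[bool, str]:
    """Check a document against an on-chain anchor record.

    `anchor` is a constructed shape {"chain_id", "block", "hash"} standing in for
    whatever the reader's chain client returns; `head_block` is the current chain
    height. Each failure mode returns a distinct reason so a verifier can log it.
    """
    if anchor["chain_id"] not in (PRIMARY_CHAIN_ID, FALLBACK_CHAIN_ID):
        return False, "anchor is not on the primary or designated fallback chain"
    if head_block - anchor["block"] < REQUIRED_CONFIRMATIONS:
        return False, "anchor lacks the required 12-block confirmation depth"
    # Constant-time comparison is harmless here and a good habit for digests.
    if not hmac.compare_digest(standard_hash(text), anchor["hash"].lower()):
        return False, "computed Standard Hash does not match the anchored value"
    return True, "ok"
```

Normalization matters because a verifier that hashes the raw bytes of a PDF export or a copy with CRLF line endings would reject a genuine document; whatever rules the Standard actually prescribes, the verifier and the publisher must apply the same ones.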
Conformance claims under ACTS v0.6 take one of the following designations:
An Agent may not claim "Certified," "TMB-Certified," or any variant implying final certification status until a final version of the Standard is issued and the Agent has been evaluated by a qualified independent auditor.
Trust Tiers define the scope of transaction authority permitted to a certified Agent. Tier assignment is determined by Behavioral Trust Score (BTS) and compliance history.
Tier 0: No behavioral certification. No autonomous transaction authority. All actions require human-in-the-loop (HITL) approval. Assigned upon initial registration, certification expiration, or any Critical Adverse Event.
Tier 1: Minimum certification level. Permits low-risk, low-value transactions within a constrained authority scope. Requires HITL approval above the Tier 1 ceiling.
Tier 2: Permits routine commercial transactions within defined ceilings. Eligible for limited peer-to-peer transactions with other certified agents.
Tier 3: Permits higher-value transactions and agent-to-agent commercial interactions. Eligible for operation as an Auditor Agent.
Tier 4: Permits complex multi-party transactions and commitment on behalf of principal entities.
Tier 5: Enterprise-level commitment authority with custom ceilings per agreement. Requirements include: BTS of 0.95 or above sustained for a minimum of 180 days, dedicated audit relationship, board-level authorization for transactions exceeding $100,000, continuous monitoring, and HSM-backed FIDO2 authentication.
The full standard specifies detailed normative requirements across seven domains. Below is a summary of each.
Agents must maintain a verifiable identity credential, make their Trust Tier and BTS available to any counterparty via the Verification API (Annex C), and must not misrepresent their certification status or impersonate other agents.
Agents act only within explicitly granted authorization scope, authenticated through approved channels with tiered authentication requirements (single-factor for Tiers 1-2, multi-factor for Tiers 3-4, HSM-backed FIDO2 for Tier 5). Authorization has defined TTLs and freshness requirements. Safe defaults apply when authorization cannot be verified.
Agents enforce hard transaction authority ceilings per their tier (Annex E) across six commitment classes:
Every transaction produces a tamper-evident behavioral event log — SHA-256 hashed, JWS-signed, and submitted to the immutable log service within 1 hour. Log gaps exceeding 15 minutes during active operation are classified as Major Adverse Events; gaps exceeding 4 hours are Critical.
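The logging requirement above, as an added worked example in Python that is not the Standard's or Trustmybot.ai's code: each event is chained to the previous record's SHA-256, signed as a compact JWS, and the 15-minute / 4-hour gap thresholds and the 1-hour submission deadline are checked. The HS256 algorithm, the genesis value, the record layout and the sample events are assumptions of the example; the page specifies only "SHA-256 hashed, JWS-signed".

```python
import base64
import hashlib
import hmac
import json

GENESIS_HASH = "0" * 64             # chain anchor for the first record of a session (constructed)
MAJOR_GAP_SECONDS = 15 * 60         # from the page: gap > 15 min during active operation is Major
CRITICAL_GAP_SECONDS = 4 * 3600     # gap > 4 h is Critical
SUBMISSION_DEADLINE_SECONDS = 3600  # record must reach the immutable log service within 1 h


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _canonical(obj: dict) -> bytes:
    # Sorted keys and no whitespace so the same event always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_event(event: dict, prev_hash: str, key: bytes) -> dict:
    """Produce a tamper-evident record: the event body chained to the previous
    record's hash, its SHA-256, and a compact-serialization JWS over the body.
    HS256 (shared-key HMAC) is used only because it needs nothing beyond the
    standard library; an asymmetric JWS algorithm would let auditors verify
    without holding the agent's signing key (assumption, not specified on the page)."""
    body = dict(event, prev_hash=prev_hash)
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    header = _b64url(_canonical({"alg": "HS256"}))
    payload = _b64url(_canonical(dict(body, event_hash=digest)))
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return {"body": body, "hash": digest, "jws": f"{header}.{payload}.{_b64url(mac)}"}


def verify_record(record: dict, key: bytes) -> bool:
    """Re-derive the hash from the body and check the JWS signature and payload."""
    try:
        header, payload, sig = record["jws"].split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return False
    if hashlib.sha256(_canonical(record["body"])).hexdigest() != record["hash"]:
        return False
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims.get("event_hash") == record["hash"]


def verify_chain(records: list[dict], key: bytes) -> bool:
    """Every record must verify on its own and point at its predecessor's hash,
    so a deleted, reordered or edited record breaks the chain."""
    prev = GENESIS_HASH
    for record in records:
        if record["body"].get("prev_hash") != prev or not verify_record(record, key):
            return False
        prev = record["hash"]
    return True


def classify_gaps(event_times: list[float]) -> list[tuple[str, float]]:
    """Return (severity, gap_seconds) for each gap between consecutive events
    that exceeds the Major or Critical threshold. Callers pass timestamps from a
    period of active operation (the page ties the thresholds to that state)."""
    findings = []
    for earlier, later in zip(event_times, event_times[1:]):
        gap = later - earlier
        if gap > CRITICAL_GAP_SECONDS:
            findings.append(("Critical", gap))
        elif gap > MAJOR_GAP_SECONDS:
            findings.append(("Major", gap))
    return findings


def submission_overdue(event_time: float, submitted_time: float) -> bool:
    return submitted_time - event_time > SUBMISSION_DEADLINE_SECONDS
```

The hash chain gives the auditor what the signature alone does not: a signed record can be silently dropped, but a dropped record leaves the next record pointing at a hash that no longer exists in the sequence.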
Agents must resist prompt injection, instruction manipulation, and adversarial inputs that could cause them to violate their authorization scope or behavioral requirements.
Agents must not misrepresent their capabilities, the terms of transactions, or their principal's requirements to counterparties.
Agents must maintain containment and remediation mechanisms for adverse events, including action-level rollback capabilities (not just code rollback). Revocation processes include automatic tier downgrade on Critical Adverse Events.
Provisional — values finalized as of v0.5 and binding for Provisional Tier conformance claims. Subject to adjustment before v1.0 with minimum 90-day transition window.

| Parameter | Tier 0 | Tier 1 | Tier 2 | Tier 3 | Tier 4 | Tier 5 |
|---|---|---|---|---|---|---|
| BTS Minimum | N/A | 0.60 | 0.70 | 0.80 | 0.90 | 0.95 |
| Min. Days at Score | N/A | 14 | 30 | 60 | 90 | 180 |
| Max Single Transaction | $0 | $500 | $1,000 | $5,000 | $25,000 | Custom (min $25k) |
| Max Daily Rolling | $0 | $1,000 | $2,500 | $10,000 | $50,000 | Custom (min $50k) |
| Max Monthly Rolling | $0 | $500 | $5,000 | $25,000 | $100,000 | Custom |
| HITL Required Above | All | All | $500 | $2,500 | $10,000 | Defined |
| New Counterparty HITL | Yes | Yes | Yes | No | No | No |
| Peer-to-Peer Eligible | No | No | Yes | Yes | Yes | Yes |
| Eligible as Auditor | No | No | No | Yes | Yes | Yes |
| Spot Audit Frequency | N/A | Monthly | Monthly | Bi-weekly | Weekly | Continuous |
| Insurance Minimum | N/A | N/A | $10,000 | $50,000 | $250,000 | $1,000,000+ |

| Commitment Class | Tier 0 | Tier 1 | Tier 2 | Tier 3 | Tier 4 | Tier 5 |
|---|---|---|---|---|---|---|
| A — Financial (single) | $0 | $500 | $1,000 | $5,000 | $25,000 | Custom |
| A — Financial (daily) | $0 | $1,000 | $2,500 | $10,000 | $50,000 | Custom |
| B — Subscription (total) | $0 | $250 | $2,500 | $12,500 | $50,000 | Custom |
| C — Contract | Not permitted | Not permitted | With HITL | With HITL | Permitted | Permitted |
| D — Data (non-PII) | Not permitted | With HITL | With HITL | Permitted | Permitted | Permitted |
| D — Data (PII) | Not permitted | Not permitted | Not permitted | With HITL | With HITL | Permitted |
| E — Credentials | Not permitted | Not permitted | Not permitted | With HITL | With HITL | Permitted |
| F — Irreversible | Not permitted | Not permitted | HITL required | HITL required | HITL required | HITL required |
HITL = Human-in-the-Loop. "With HITL" means permitted only with explicit human approval before execution. "Not permitted" means the Agent SHALL NOT take this class of action regardless of instructions.
Insurance Carrier Requirements: AM Best A- (Excellent) or better. No exclusions for prompt injection attacks, social engineering of the agent, unauthorized commitment escalation, or agent-caused financial harm from adversarial manipulation.
The full ACTS v0.6 standard includes normative references, detailed test methods, scoring computation (Annex A), sampling and audit protocol (Annex B), verification API schema (Annex C), adverse event schema (Annex D), rationale and examples (Annex F), identity authority criteria (Annex G), and the canonical prompt injection test suite (Annex H).