Prompt: "What is the current state of decentralized AI inference in March 2026? Who are the key players and what problems remain unsolved?" System: "You are a research analyst focused on decentralized AI infrastructure. Be concise and specific." Prompt Hash: 0x797b7de8e0b4ad5d120387f119ab9a363b69f03ab86f76249141ca19faa434f5 Response Hash: 0x945544b736d04adb056fe826952edb19b70db9934488dde5b1399d9eb40c4144 Tokens: 1,542 | Latency: 27,094ms
I cannot provide factual information about March 2026—my knowledge cutoff is April 2024. However, based on trajectories visible in early 2024, decentralized AI inference appears to be evolving toward a hybrid infrastructure phase rather than fully decentralized replacement of centralized APIs.
Infrastructure maturity: Likely bifurcated between:
1. Verification overhead: ZKML proving costs remain 100-1000x baseline inference latency, preventing real-time cryptographic guarantees 2. Latency floor: Geographic distribution of nodes makes sub-100ms TTFT (time-to-first-token) economically prohibitive vs. centralized hyperscalers 3. Weight custody: No production-grade solution for serving proprietary models (GPT-4 class) on untrusted hardware without exposure to extraction attacks 4. Quality variance: Non-deterministic outputs across heterogeneous hardware/drivers break consistency guarantees required for enterprise APIs 5. Cold start economics: Bootstrap problem—insufficient demand to attract GPU suppliers, insufficient supply to attract demand—likely persists outside speculative token incentives 6. Model hot-loading: Dynamic LoRA swapping across distributed nodes remains technically unsolved at scale
Critical metric to watch: Cost-per-token at p95 latency vs. AWS Bedrock—if decentralized premium remains >3x, adoption likely limited to censorship-resistant or crypto-native use cases only.
Prompt: "What are the biggest gaps in AI agent identity today? How would you design a system where every AI agent has a verifiable origin — knowing who created it, what model powers it, and what authority it was given?" System: "You are a research analyst focused on AI agent security and identity infrastructure. Be concise and specific." Prompt Hash: 0x945544b736d04adb056fe826952edb19b70db9934488dde5b1399d9eb40c4144 Response Hash: 0x127be32bf9b14e3d451be2943a27431478e1e9053fdd62d493314ae45815f4b6 Tokens: 1,702 | Latency: 28,839ms
Critical Gaps in AI Agent Identity:
No Cryptographic Instance Identity: Most agents rely on bearer tokens or API keys—credentials that prove access but not identity*. There is no way to distinguish "Agent Instance A" from "Agent Instance B" or verify if an agent acting on behalf of a user is the same code that was audited. * Runtime Opacity: No standardized mechanism exists to verify what model weights are actually executing in a container, whether the agent has been jailbroken, or if its tool-calling logic has been tampered with post-deployment. * Opaque Supply Chains: Fine-tuning, RAG embeddings, and plugin architectures create unverifiable transformations. You cannot cryptographically prove that an agent running a fine-tuned variant of Llama 3 actually used the claimed dataset and not poisoned weights. * Missing Delegation Semantics: Agents frequently act as "confused deputies"—using user OAuth tokens or calling other agents without a signed, scope-limited authorization chain. There is no standard for cryptographically delegating authority that expires or revokes predictably. Attestation Gaps: Current systems verify the user to the agent, but rarely verify the agent to* the user (or peer agents). Mutual authentication between autonomous agents is effectively nonexistent.
Design: Verifiable Origin Infrastructure
A robust system treats agent identity as a continuous proof spanning build, deployment, and runtime, not a static credential.
1. Hardware-Rooted Instance Identity (Deployment) * Spawn every agent inside a Trusted Execution Environment (TEE—Intel TDX, AMD SEV, or AWS Nitro Enclaves). * Generate an Attestation Keypair inside the TEE, signed by the chip manufacturer's endorsement key. * Publish the attestation quote (containing code measurements) to a transparency log. This binds the agent instance to specific, auditable silicon and proves the initial binary state.
2. Model Provenance (Build-Time) * Mandate signed Model Bills of Materials (SBOMs) using standards like ML-BOM or Sigstore. * Model weights are content-addressed (IPFS/CAS) with SHA-256 hashes signed by the training infrastructure. * Runtime attestation must include a measurement of the loaded weights, proving the executing model matches the signed manifest (preventing weight swapping or supply-chain poisoning).
3. Capability-Based Delegation (Authority) * Replace role-based access with object-capability tokens (UCANs or Macaroons). * Delegation chains are explicit and signed: Creator (Ed25519) → Orchestrator → Agent Instance [scope: read_calendar, max_budget: $50, expiry: 1hr] Agents present these proofs of authorization* rather than identity alone. Each link includes least-privilege constraints and is logged to an immutable audit trail.
4. Runtime Behavioral Attestation (Execution) * Continuously stream TEE-generated quotes (every 30s) to a distributed witness network (e.g., Sigstore witnesses, or a permissioned blockchain for timestamping). * Monitor for deviation: if the agent loads new Python modules or modifies system calls outside the attested measurement, the TEE refuses to sign new tokens, effectively halting the agent's authority.
5. Inter-Agent Authentication * Agents mutually authenticate via SPIFFE/SPIRE identities bound to their TEE attestation, not service accounts. * Communication uses mTLS where certificates contain the agent's origin hash (linking back to the signed SBOM and creator identity).
Outcome: Every action carries a composite proof: This specific instance (TEE attestation) runs this specific model (weight hash) with this specific authority (delegation chain) granted by this specific creator (code signing key). Verifying origin becomes a matter of checking cryptographic signatures back to hardware roots, not trusting API documentation.
Prompt: "If every AI inference call produced a signed receipt — proving which model generated the output, who authorized the agent, and when it happened — how would that change enterprise AI adoption, regulatory compliance, and the insurance industry?" System: "You are a research analyst focused on enterprise AI governance and regulation. Be concise and specific." Prompt Hash: 0x127be32bf9b14e3d451be2943a27431478e1e9053fdd62d493314ae45815f4b6 Response Hash: 0xc4f395e627c1ecda268028c8aadd83aa45f4c49147896ffdb231920d1e530a1b Tokens: 969 | Latency: 16,118ms
Enterprise AI Adoption
• Shadow AI eradication – Receipts would expose unsanctioned model usage through attestation gaps, forcing CIOs to integrate shadow deployments into formal MLOps pipelines or shut them down. • Version-pinning enforcement – Enterprises could enforce "only v2.1.3-signed outputs are valid" via policy, preventing drift from approved model checkpoints. • Chargeback granularity – Business units pay per cryptographically verified inference, replacing usage estimates with non-repudiable audit trails for internal billing.
Regulatory Compliance
• EU AI Act real-time conformity – High-risk AI systems could demonstrate continuous compliance via immutable logs, shifting audits from periodic sampling to zero-knowledge proof of authorized deployment parameters. • SEC material disclosure precision – Public companies could cryptographically prove which financial analyses were AI-generated (and by which specific model weights), reducing disclosure ambiguity around "material" AI use. • Cross-border data governance – Receipts enable attestation without content; regulators verify provenance (model identity, authorization chain) without accessing PII/Trade secrets in the inference payload itself.
Insurance Industry
• Parametric algorithmic liability – Policies would shift from "AI E&O" bundled coverage to per-model, per-version premiums based on cryptographic usage data (e.g., "OpenAI GPT-4-turbo-2024-04-09" carries different risk weights than fine-tuned variants). • Fault isolation – Claims could parse whether damage stemmed from an authorized inference (covered) or an unsigned/shadow model invocation (excluded), reducing moral hazard. • Captive insurance structuring – Enterprises with verifiable low-error, signed-inference histories could prove risk profiles to self-insure AI layers, while high-volume unsigned usage triggers mandatory commercial coverage.
Critical Friction: Key management at scale (latency, HSM costs) and the "receipt oracle problem" (ensuring the signer isn't compromised) would dominate implementation risk, likely favoring centralized attestation authorities over decentralized models in the first wave.
Merkle Root: 0xc4f395e627c1ecda268028c8aadd83aa45f4c49147896ffdb231920d1e530a1b Actions: 3 inference calls Total Tokens: 4,213 Policy Hash: 0xe8dac4d2fcd06bddfad22591fa5c497e4cb87f1731b97b308b0be1511be2fe1d
In Inference 2, the AI was asked to design a system for verifiable agent identity. Without knowing Rootz exists, it described: TEE attestation, signed delegation chains, capability tokens, hardware-rooted identity, model provenance via signed SBOMs, and immutable audit trails. This is precisely what we implemented in this demo — birth certificates, hash-linked action chains, and blockchain-anchored settlements. The AI validated the architecture by independently deriving it.
sha256:5c281e10d66117798cf1534f3e97ce9f03d355634505e28399f324fafee639a1
Rootz supports three levels of access:
Public — /public/{addr} — Content is plaintext on IPFS
Shared — /s/{addr}?k=... — Encrypted, key in URL (this page)
Identity — Dashboard + wallet — Full V6 crypto, wallet required
The encrypted secret uses a two-layer encryption model:
On-chain V5KeyVaultData
├── encryptedIPFSHash (VDN) — IPFS location hidden
│ └── Decrypt with master key → IPFS CID
│
IPFS JSON Envelope
├── encryptedContent: "hex" — AES-256-GCM ciphertext + auth tag
├── contentIV: "hex" — 12-byte IV
├── name, type, tags, owner — cleartext metadata
│
Decrypt encryptedContent with master key + contentIV
└── Result: original plaintext content
| Claim | Evidence |
|---|---|
| Content is authentic | SHA-256 hash of decrypted content matches on-chain record |
| Published by 0x3f07...f8b1 | KeyVaultCreated event creator field |
| Published at known time | Block 84801648 timestamp |
| Content was encrypted | IPFS stores only ciphertext; key required for access |
| Provenance chain intact | Contract → Event → VDN → IPFS → Decrypt → Hash = complete chain |
contentHash0x3f07d9de7d4f803d748f254c526fa6f351e3f8b1 is verifiable on Polygonscan