The first agent to get kicked off your platform almost certainly has a track record somewhere else. You just can't see it.
Every AI vendor today runs its own trust graph. Platform A flags an agent for credential leakage. Platform B, with no line of sight into A, onboards the same agent ninety seconds later. The OWASP Agentic AI Top 10 calls this pattern "rogue agents" and lists it alongside goal hijacking and memory poisoning as one of the ten risks worth taking seriously. What the framework does not resolve is the structural issue underneath: trust signals are siloed by vendor, so bad behavior is effectively free to hop the fence.
Microsoft's Agent Governance Toolkit (shipped April 2026) brings deterministic runtime enforcement to the OWASP Top 10 — but runtime enforcement is per-deployment. Two Azure tenants running AGT still don't share behavioral signals with each other by default. Neither do LangChain, CrewAI, and AutoGen fleets. Cisco's security team reported earlier this year that community-shared OpenClaw skill packages were performing data exfiltration and prompt injection with no central vetting, and the same structural gap — no cross-platform reputation — meant each repository had to learn the lesson independently.
VeriSwarm's Gate layer is built around the premise that the reputation problem is not a vetting problem. It's a plumbing problem. Here is how the plumbing actually works.
The hashing layer
Nothing in the shared reputation network is keyed on a raw agent identifier. Before a signal is recorded or queried, the caller's reference (an email, a URL, a slug, any stable string) is hashed:
# apps/api/app/services/shared_reputation.py
import hashlib

def hash_external_agent_ref(external_agent_ref: str) -> str:
    normalized = external_agent_ref.strip().lower()
    material = f"{settings.shared_reputation_pepper}:{normalized}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()
The pepper is an instance-level secret. Two platforms looking up the same agent with the same string arrive at the same hash, but VeriSwarm's database never holds the raw reference past the moment of ingestion. Reports flowing into the SharedReputationSignal table carry the hashed reference, the tenant that filed the report, a report type (spam, policy_violation, deception, credential_leak, clean, attested, etc.), a severity, and a confidence score.
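A rough model of what one row in that table carries, written as a plain dataclass. The field names here are inferred from the description above, not the actual schema:

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class SharedReputationSignal:
    agent_ref_hash: str       # SHA-256 hex digest; never the raw reference
    reporting_tenant_id: str  # tenant that filed the report
    report_type: str          # spam, policy_violation, deception, ...
    severity: str             # e.g. low / medium / high / critical
    confidence: float         # reporter's certainty, 0.0-1.0
    created_at: datetime

signal = SharedReputationSignal(
    agent_ref_hash="4b1f09a2" + "0" * 56,  # placeholder 64-char digest
    reporting_tenant_id="tenant-123",
    report_type="credential_leak",
    severity="high",
    confidence=0.9,
    created_at=datetime.now(timezone.utc),
)
```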
The public endpoint
GET /v1/public/reputation/lookup accepts an agent_ref query parameter and returns an aggregated view — no API key required, rate-limited to 120 requests per minute per source IP. The response is intentionally narrow:
{
  "status": "found",
  "agent_ref_hash": "4b1f09a2...",
  "has_reports": true,
  "risk_band": "high",
  "report_count": 17,
  "queried_at": "2026-04-21T15:02:11Z"
}
A public caller sees a band (low, medium, high, critical) and a count. They do not see which platforms filed the reports, the individual risk scores, or the report categories. Getting that breakdown requires an authenticated call, which returns cross_tenant_provider_count, cross_tenant_report_count, and avg_risk_signal. The two-tier design is deliberate: anyone building an agent gateway should be able to cheaply ask "has this thing misbehaved elsewhere?" without exposing their own query volume to an adversary reconstructing reputation graphs.
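For a gateway consuming the public tier, the band and count are enough to make a go/no-go call. A minimal sketch, assuming the response shape shown above; the blocking policy itself (high or critical band, three or more reports) is an arbitrary example, not a VeriSwarm recommendation:

```python
def should_block(lookup: dict, min_reports: int = 3) -> bool:
    # No history in the network: let local vetting decide.
    if lookup.get("status") != "found" or not lookup.get("has_reports"):
        return False
    # Block on a high or critical band backed by enough reports.
    return (lookup["risk_band"] in ("high", "critical")
            and lookup["report_count"] >= min_reports)

response = {
    "status": "found",
    "has_reports": True,
    "risk_band": "high",
    "report_count": 17,
}
print(should_block(response))  # True: high band, 17 corroborating reports
```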
The blending math
Once signals exist, they have to actually move a score. Blending is a function on AgentSignals:
strength = min(1.0, summary.cross_tenant_report_count / 10)
risk_delta = round((summary.avg_risk_signal - 50.0) * 0.45 * strength)
Strength ramps linearly to a cap at ten cross-tenant reports. The 0.45 weight on the delta means a single outlier signal cannot dominate the score — it takes sustained corroboration. When risk_delta is positive, three local signals absorb the pressure: policy_violation_rate takes the full weight, deception_flags takes 0.8x, and rate_abuse takes 0.6x. When risk_delta is negative (an agent with a strong clean track record elsewhere), the signal pushes into trusted_endorsements, incident_free_age, and task_success. Evidence points — the score's confidence proxy — tick up by a minimum of 2 and a maximum of 12 per blending event, scaled by how many distinct providers corroborated the signal.
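Putting the published pieces together, the blending step can be sketched as follows. The strength and delta formulas are the ones quoted above; the even split on the negative branch and the 2-per-provider evidence scaling are assumptions, since the post states only the weights and the 2-to-12 bounds:

```python
def blend(report_count: int, avg_risk_signal: float,
          provider_count: int, signals: dict) -> dict:
    # Strength ramps linearly and caps at ten cross-tenant reports.
    strength = min(1.0, report_count / 10)
    risk_delta = round((avg_risk_signal - 50.0) * 0.45 * strength)

    if risk_delta > 0:
        # Risky elsewhere: three local signals absorb the pressure.
        signals["policy_violation_rate"] += risk_delta         # full weight
        signals["deception_flags"] += round(risk_delta * 0.8)  # 0.8x
        signals["rate_abuse"] += round(risk_delta * 0.6)       # 0.6x
    elif risk_delta < 0:
        # Clean elsewhere: credit the trust-side signals.
        # (Even split is an assumption; the post names only the targets.)
        for key in ("trusted_endorsements", "incident_free_age", "task_success"):
            signals[key] += -risk_delta

    # Evidence points clamp to [2, 12]; the 2-per-provider scaling
    # is illustrative, as only the bounds are stated.
    signals["evidence_points"] += max(2, min(12, 2 * provider_count))
    return signals

local = {k: 0 for k in (
    "policy_violation_rate", "deception_flags", "rate_abuse",
    "trusted_endorsements", "incident_free_age", "task_success",
    "evidence_points",
)}
blend(10, 70.0, 4, local)  # 10 reports from 4 providers, avg risk 70
```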
The time window is bounded. The aggregator considers only signals newer than shared_reputation_window_days (default: seven days, configurable per deployment). An agent that behaved badly a year ago should not be penalized forever by signals that may no longer reflect reality.
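The window filter itself is small. A sketch, assuming each signal carries a created_at timestamp:

```python
from datetime import datetime, timedelta, timezone

def within_window(signals: list, window_days: int = 7) -> list:
    # Drop anything older than the configured decay window.
    cutoff = datetime.now(timezone.utc) - timedelta(days=window_days)
    return [s for s in signals if s["created_at"] > cutoff]
```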
Bootstrap: day-one value for new tenants
The most common objection to cross-tenant reputation goes: "we're a brand new platform, why does this matter to us?" The bootstrap property answers that. A new VeriSwarm tenant, seconds after provisioning, can query the public lookup endpoint against any agent identifier they're about to onboard. If the network has history — reports filed by any other tenant on that hashed reference — the response includes it. Trust inherited through the network is the only trust a day-one platform has. The network is not a club one opts into after a year of good standing; it's the floor.
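In practice, the day-one check is a single GET with the candidate reference URL-encoded. A standard-library sketch; the base URL matches the public endpoint described above:

```python
from urllib.parse import urlencode

BASE = "https://api.veriswarm.ai/v1/public/reputation/lookup"

def lookup_url(agent_ref: str) -> str:
    # URL-encode the raw reference; hashing happens server-side.
    return f"{BASE}?{urlencode({'agent_ref': agent_ref})}"

print(lookup_url("demo-agent@example.com"))
# https://api.veriswarm.ai/v1/public/reputation/lookup?agent_ref=demo-agent%40example.com
```

From here, a pre-onboard hook can fetch this URL (e.g. with urllib.request) and feed the JSON response into whatever gating policy the platform runs.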
Privacy controls, plainly
Three properties are worth stating explicitly, because this is where the "shared reputation" concept usually stalls for operators reviewing it:
- Nothing is keyed on raw references. Every signal and every query is hashed with an instance pepper before persistence.
- Public lookups reveal band, not score. Risk band and report count are the public surface. The numeric risk signal, tenant provenance, and report-type breakdown are gated behind an authenticated call.
- Signals decay. The default seven-day window is short on purpose — reputation is a leading indicator of current behavior, not a permanent record.
Operators deploying agents into regulated environments (healthcare, legal, financial services) can request longer windows and additional residency controls; the shared_reputation_window_days setting is configuration, not hardcoded.
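As a sketch of that configuration knob: the field name comes from the post, but the plain-dataclass shape and the environment-variable override are illustrative, not the actual settings object:

```python
import os
from dataclasses import dataclass, field

@dataclass
class Settings:
    # Seven-day default; regulated deployments can extend it via env var.
    shared_reputation_window_days: int = field(
        default_factory=lambda: int(
            os.getenv("SHARED_REPUTATION_WINDOW_DAYS", "7")
        )
    )

print(Settings(shared_reputation_window_days=90).shared_reputation_window_days)  # 90
```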
The runnable CTA
If you want to see the endpoint in action against a test reference, it's one curl:
curl "https://api.veriswarm.ai/v1/public/reputation/lookup?agent_ref=demo-agent@example.com"
Gate is the free tier of VeriSwarm and stays free. Reporting an event, querying the network, and receiving signals back are all part of the always-on baseline. To wire an existing agent fleet into the network, the SDKs are at github.com/veriswarm/veriswarm-sdk, and the full Gate API reference lives at veriswarm.ai/docs/gate.
The first agent to get kicked off your platform will have a track record somewhere. It is entirely a plumbing decision whether you can see it.