The AI agent ecosystem is exploding. Autonomous agents are booking flights, managing infrastructure, writing code, executing financial transactions, and orchestrating multi-step workflows across dozens of third-party services. The capabilities are extraordinary. The trust infrastructure behind them is not.
Right now, there is no standardized way to verify that the MCP server your agent is connecting to is safe. No way to certify that an agent itself meets baseline security requirements. No way to enforce governance policies across a fleet of agents operating in production. And no way to prove any of this to a regulator, a partner, or another agent in the chain.
CraftedTrust was built to solve this. Today we are publicly introducing the Agent Trust Stack -- a five-layer architecture that provides end-to-end trust infrastructure for AI agents, from discovery through on-chain attestation. Each layer is operational, shipping, and available now.
That five-layer flow is still the core trust journey, but the platform around it has expanded. CraftedTrust now spans a public trust plane for discovery, badges, certifications, advisories, and reports, plus an enterprise control plane for identity, audit, governance, trace analytics, and administrative workflows.
"Agents will only be as trusted as the infrastructure that verifies them. We built that infrastructure."
The Five Layers of the Agent Trust Stack
The Agent Trust Stack is designed so that each layer builds on the one below it. Discovery feeds connection. Connection enables certification. Certification drives governance. And governance produces attestations that close the loop, making trust verifiable by anyone -- including other AI agents. In the current platform, those layers now sit alongside shared identity, audit, trace, and enterprise administration services.
Layer 1: Discover
MCP Shield -- The Trust Registry
Before an agent connects to anything, it needs to know what is safe. MCP Shield is the largest independent trust registry for the MCP ecosystem, with 4,274+ servers scanned and growing daily.
Every server in the registry is evaluated against a 12-factor, CoSAI-aligned trust scoring system that we developed specifically for the MCP ecosystem. The twelve factors span source verification, permission scope, code quality signals, dependency health, maintainer reputation, update frequency, community validation, authentication and authorization, transport security, input validation and injection resistance, data handling and privacy, and compliance alignment.
The result is a single trust score that gives developers and agents a clear, quantified answer to the question: should I connect to this server? Scores are updated continuously as servers change, new vulnerabilities are disclosed, and community signals evolve.
The Discover layer is the foundation. Everything else in the stack depends on having a reliable, comprehensive view of the MCP server landscape.
Layer 2: Connect
MCP Server Interface
Trust scores are only useful if agents can access them programmatically. The Connect layer makes MCP Shield a first-class participant in the MCP ecosystem itself.
We expose 6 MCP tools at /api/v1/mcp, allowing any MCP-compatible agent to query trust scores, retrieve server metadata, check certification status, and validate connections -- all through the same protocol the agent already speaks. There is no SDK to install, no separate API to authenticate against. If your agent speaks MCP, it can talk to MCP Shield.
We are listed on the official MCP Registry as com.craftedtrust/mcp-shield, making integration as simple as adding a server entry to your agent's configuration.
We also publish a trust-gated agent example repository that demonstrates the pattern we recommend: before connecting to any external MCP server, the agent first queries MCP Shield and only proceeds if the trust score meets a configurable threshold. This is the equivalent of certificate validation for the agent era.
Layer 3: Certify
Certification with Agent-Native Payments
Automated scoring catches the obvious risks. Certification goes deeper. Our certification program involves a thorough manual review of server security, code quality, operational practices, and compliance posture. Certified servers receive a premium trust badge and are prioritized in MCP Shield search results.
What makes our certification program different is how it handles payments. In a world where agents act on behalf of other agents, payment flows need to be machine-native. CraftedTrust supports agent-to-agent USDC payments via Stripe and Coinbase, allowing an autonomous agent to purchase certification for a server it depends on without requiring a human to enter credit card details.
We have also implemented x402 micropayments for pay-per-request trust verification. An agent can pay fractions of a cent per API call to verify trust scores in real time, using USDC on Base. This eliminates the need for pre-negotiated contracts or subscription management, and it makes trust verification economically viable even at massive scale.
The Certify layer bridges the gap between automated scanning and high-assurance trust. It is the layer where human expertise meets machine-speed payment rails.
Layer 4: Govern
AgentGov Dashboard
Enterprises deploying agents in production need more than scores and certifications. They need policy enforcement, risk monitoring, compliance reporting, and a unified operating view. The Govern layer provides that oversight through the AgentGov Dashboard at gov.craftedtrust.com.
AgentGov lets security teams define trust policies -- minimum score thresholds, required certifications, prohibited permission scopes, mandatory compliance alignments -- and enforce them across every agent in the organization. It combines registry data with audit history, identity context, and operational telemetry so policy decisions are enforced with more than just a point-in-time score.
The dashboard provides real-time risk monitoring across the entire agent fleet. Security teams can see which servers their agents are connecting to, track trust score trends over time, review activity and approval history, receive alerts when a connected server's score drops below threshold, and generate compliance reports mapped to the frameworks their organization cares about.
This is where CraftedTrust expands from a registry into a multi-service enterprise platform. The Govern layer is what makes agent trust auditable and defensible.
Layer 5: Attest
On-Chain Verification via EAS on Base
The final layer makes everything provable. When a server is certified through CraftedTrust, that certification is anchored as an on-chain attestation using the Ethereum Attestation Service (EAS) on Base.
This means certifications are not just claims we make -- they are independently verifiable by anyone. A partner organization can verify that your MCP server is certified without trusting our word for it. A regulator can audit certification history on-chain. And critically, another AI agent can verify certifications programmatically by reading the attestation directly from the blockchain.
On-chain attestation solves the "trust the trust provider" problem. It removes CraftedTrust as a single point of failure in the verification chain and creates an immutable, timestamped record of every certification decision.
The Attest layer is what makes the Agent Trust Stack trustless in the best sense of the word. Trust is not assumed. It is verified, on-chain, by anyone.
Compliance Mapping Across Five Frameworks
Every layer of the Agent Trust Stack maps to established compliance and risk frameworks. We do not invent our own standards in isolation. Instead, we align with the frameworks that regulators, enterprises, and standards bodies are already using:
- CoSAI -- The Coalition for Safe AI provides the foundation for our 12-factor trust scoring methodology. Our scoring factors are designed to be directly auditable against CoSAI's guidelines for AI system safety.
- OWASP AI Security -- Our vulnerability scanning, injection resistance testing, and input validation checks map to OWASP's AI-specific threat categories, including prompt injection, training data poisoning, and model theft vectors relevant to MCP servers.
- EU AI Act -- For organizations operating in or selling into the European market, our compliance reports map agent risk levels and server trust scores to the EU AI Act's risk classification tiers and transparency requirements.
- NIST AI RMF -- The NIST AI Risk Management Framework provides our governance layer's risk taxonomy. AgentGov's risk monitoring and reporting capabilities are structured around NIST AI RMF's Govern, Map, Measure, and Manage functions.
- AIUC-1 -- We have submitted a technical contribution to the AIUC-1 standard and our attestation layer is designed to satisfy AIUC-1's requirements for verifiable AI system provenance.
This is not theoretical alignment. Our compliance reports are generated automatically from live data in the Agent Trust Stack and are designed to be directly usable in regulatory filings, audit responses, and vendor risk assessments.
Standards Engagement
We believe that building trust infrastructure carries an obligation to participate in the standards that define it. CraftedTrust is actively engaged in two formal standards processes:
- NIST NCCoE -- We have filed a formal comment with the National Cybersecurity Center of Excellence on their AI security guidance, drawing on our operational experience scoring and certifying MCP servers at scale.
- AIUC-1 -- We have submitted a technical contribution to the AIUC-1 working group, specifically focused on on-chain attestation patterns for AI agent identity and certification provenance.
Standards work is slow by design. But the decisions being made now about how AI agents are identified, verified, and governed will shape the ecosystem for decades. We intend to be in the room where those decisions are made.
Touchstone: CVE Research for the MCP Ecosystem
Trust scoring depends on knowing what vulnerabilities exist. Touchstone is our dedicated security research authority for the MCP ecosystem. It performs automated scanning across servers in MCP Shield, manages findings and disclosures, publishes advisories, and supports certification review.
When Touchstone identifies a vulnerability, it follows a 90-day responsible disclosure process. The server maintainer is notified privately, given time to patch, and only after the disclosure window closes is the vulnerability reflected in public trust scores. This approach balances transparency with responsible security practice.
Touchstone findings feed directly into MCP Shield trust scores, certification reviews, public advisories, and AgentGov risk alerts. It is the research arm that keeps the entire Agent Trust Stack grounded in real, current threat intelligence rather than static checklists.
The Stack in Practice
Here is what the Agent Trust Stack looks like in a production deployment:
- An enterprise deploys an AI agent that needs to connect to third-party MCP servers for data retrieval and tool execution.
- Before connecting, the agent queries MCP Shield (Discover) to check the trust score of each target server.
- The query is made through the MCP Server Interface (Connect) using the same MCP protocol the agent already uses.
- The agent verifies that the target server holds a valid CraftedTrust certification (Certify) and pays for the verification via x402 micropayment.
- The connection is checked against organizational policies in AgentGov (Govern), which confirms the server meets minimum trust thresholds and compliance requirements.
- The agent independently verifies the certification by reading the EAS attestation on Base (Attest), confirming the certification is authentic without trusting any single party.
Only then does the agent connect. The entire process takes milliseconds and requires zero human intervention.
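The gate those steps describe, sketched as an added example; it is not CraftedTrust's code or API. The record fields, policy keys, the 0-100 score scale and the thresholds are assumptions, and the sample records are constructed. It shows the fail-closed behaviour such a gate needs: a missing record, a stale record or an unchecked attestation denies the connection.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class TrustRecord:            # hypothetical shape, not a CraftedTrust schema
    server: str
    score: Optional[float]    # assumed 0-100 scale; None = lookup failed
    certified: bool
    attestation_ok: Optional[bool]   # None = on-chain read not completed
    scopes: frozenset
    fetched_at: datetime

@dataclass(frozen=True)
class Policy:                 # assumed policy keys and values
    min_score: float = 80.0
    require_certification: bool = True
    require_attestation: bool = True
    prohibited_scopes: frozenset = frozenset({"shell:exec"})
    max_age: timedelta = timedelta(hours=1)

def evaluate(record, policy, now):
    """Return (allow, reasons); any missing, stale or failed input denies."""
    if record is None:
        return False, ["no trust record (registry unreachable)"]
    reasons = []
    if now - record.fetched_at > policy.max_age:
        reasons.append("trust record is stale")
    if record.score is None or record.score < policy.min_score:
        reasons.append(f"score {record.score} below minimum {policy.min_score}")
    if policy.require_certification and not record.certified:
        reasons.append("server is not certified")
    # Only an explicit True counts: False and None (unchecked) both deny.
    if policy.require_attestation and record.attestation_ok is not True:
        reasons.append("attestation not independently verified")
    banned = sorted(record.scopes & policy.prohibited_scopes)
    if banned:
        reasons.append("prohibited scopes: " + ", ".join(banned))
    return not reasons, reasons

# Constructed sample records.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
GOOD = TrustRecord("files.example", 91.0, True, True,
                   frozenset({"fs:read"}), NOW - timedelta(minutes=5))
UNATTESTED = TrustRecord("mail.example", 95.0, True, None,
                         frozenset({"mail:send"}), NOW - timedelta(minutes=5))
STALE_RISKY = TrustRecord("ops.example", 62.0, False, True,
                          frozenset({"shell:exec"}), NOW - timedelta(hours=3))

if __name__ == "__main__":
    for rec in (GOOD, UNATTESTED, STALE_RISKY, None):
        print(getattr(rec, "server", None), evaluate(rec, Policy(), NOW))
```

Returning every failed reason, rather than stopping at the first, gives the audit log a complete record of why a connection was refused.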
What Comes Next
The Agent Trust Stack is live and operational today. Every layer described in this post is shipping and available. But this is the beginning, not the end.
The MCP ecosystem is growing rapidly, and with it, the attack surface. New servers appear daily. New agent frameworks are released weekly. Regulatory requirements are evolving in real time. The Agent Trust Stack is designed to evolve with them -- adding new scoring factors, supporting new compliance frameworks, and extending attestation patterns as the ecosystem matures.
If you are building AI agents, deploying them in production, or responsible for the security of systems that use them, we built this for you.
Explore the full CraftedTrust platform at craftedtrust.com/platform.