## Weekly signal

Human-agent trust moved from a soft adoption concern to an operational control problem this week. The useful signal was not “make agents nicer.” It was: prove what the agent is, constrain what it can do, independently verify whether it succeeded, and keep a human accountable for high-stakes outcomes.

## What changed

1. Security agencies set a higher bar for agent deployments. Organizations spent the week digesting joint Five Eyes guidance on agentic AI services, first published May 1 by agencies including Australia’s ASD, U.S. CISA/NSA, Canada, New Zealand, and the UK. The guidance treats agents as systems that can act across tools, data, memory, and other agents, creating risks around opacity, cascading failure, spoofed components, privilege misuse, and hard-to-audit delegation chains. Its practical recommendations are concrete: sandboxing, red teaming, rollback, unified audit logs, trusted tool registries, allow-listed tools, separation of duties, multi-agent approval for moderate-risk actions, and human-in-the-loop approval for high-risk actions.

2. Frontier model trust gained another pre-release checkpoint. On May 5, NIST’s Center for AI Standards and Innovation announced agreements with Google DeepMind, Microsoft, and xAI for pre-deployment evaluations and targeted research, building on prior partnerships. For agent builders, this matters because agent reliability and misuse risk depend heavily on the underlying model’s tool-use, cyber, planning, and evasion capabilities. Independent evaluation will not certify an agent workflow, but it gives enterprises a stronger input into model selection and release-risk reviews.

3. GitHub proposed a more useful way to test agent behavior. On May 6, GitHub published a “Trust Layer” approach for Copilot-style coding/computer-use agents. The core insight: agent correctness is not a fixed click path. It is whether essential milestones were reached. GitHub’s dominator-tree method validates structured outcomes instead of relying on brittle scripts or the agent’s own self-report. In its experiment, the structural method outperformed agent self-assessment and exposed the gap in agents “grading their own homework.”

4. Enterprise identity teams are reframing agents as accountable non-human actors. IBM’s Think 2026 identity recap emphasized that agents can make decisions, execute tasks, and call tools with minimal human oversight, so they need identity governance similar to — but stricter than — non-human identities. The key builder takeaway is that every agent needs ownership, scope, traceability, and lifecycle controls before it moves across systems.

5. Regulated workflows are adopting agents, but with human judgment embedded. Amalgamated Bank announced a pilot with FIS and Anthropic for a Financial Crimes AI Agent to support AML alert investigations. The design language is notable: the agent assembles evidence and surfaces high-risk cases, while compliance experts shape the workflow and investigators remain in the review loop.

## What to do with it

Treat trust as architecture, not messaging. For any production agent, define: named human owner, allowed tools, credential scope, approval thresholds, rollback path, audit log schema, and post-incident evidence package.

Do not rely on agent self-evaluation. Add external checks for task completion, policy compliance, and tool effects. For coding or computer-use agents, test essential outcomes rather than exact action traces.
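A minimal sketch of outcome-based checking, added here as an illustration and not GitHub's implementation or code from any cited source: it merges known-good runs into a state graph, treats the states that dominate the goal as essential milestones, and grades a new run on observed states only. State names, the sample runs, and all function names are assumptions made for the example.

```python
# Added illustration. State names and runs are constructed sample data.
GOOD_RUNS = [
    ["START", "open_editor", "edit_file", "run_tests", "tests_pass", "commit", "GOAL"],
    ["START", "open_terminal", "edit_file", "run_tests", "tests_pass", "commit", "GOAL"],
    ["START", "open_editor", "search_repo", "edit_file", "run_tests", "tests_pass",
     "commit", "GOAL"],
]

def build_graph(traces):
    """Merge traces (lists of observed states) into a successor map."""
    succ = {}
    for t in traces:
        for a, b in zip(t, t[1:]):
            succ.setdefault(a, set()).add(b)
            succ.setdefault(b, set())
    return succ

def dominators(succ, start):
    """Iterate dom[n] = {n} | intersection of dom[p] over predecessors p."""
    nodes = set(succ)
    preds = {n: {p for p in nodes if n in succ[p]} for n in nodes}
    dom = {n: set(nodes) for n in nodes}
    dom[start] = {start}
    changed = True
    while changed:
        changed = False
        for n in nodes - {start}:
            ps = [dom[p] for p in preds[n]]
            new = {n} | (set.intersection(*ps) if ps else set())
            if new != dom[n]:
                dom[n], changed = new, True
    return dom

def essential_milestones(traces, start="START", goal="GOAL"):
    """States every known-good path must pass through to reach the goal."""
    return dominators(build_graph(traces), start)[goal] - {start, goal}

def verify(trace, milestones, goal="GOAL"):
    """Pass only if the run ended at the goal and hit every milestone."""
    missing = milestones - set(trace)
    ok = bool(trace) and trace[-1] == goal and not missing
    return ok, sorted(missing)

if __name__ == "__main__":
    required = essential_milestones(GOOD_RUNS)
    # The agent claims success, but the observed states skip the test steps.
    claimed_ok = ["START", "open_editor", "edit_file", "commit", "GOAL"]
    print(sorted(required), verify(claimed_ok, required))
```

Optional steps such as which tool was opened first drop out of the milestone set, so a run that takes a new route still passes as long as the required states were observed.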

For customer-facing and regulated agents, design reversibility up front: pause, override, refund, correct, escalate, and explain. Trust rises when users and operators can stop an agent and recover from its mistakes.
