February 23, 2026
AI’s Trust Problem Isn’t an Access Control Problem
By Tim Bansemer, CEO of inblock.io, and Claude Opus 4.6, Anthropic
The New York Times is suing OpenAI. Authors are suing Meta. Getty Images is suing Stability AI. The common thread is not copyright law. It is the absence of verifiable provenance. AI companies assembled training datasets from content scraped across the web and cannot demonstrate — to a court, to a regulator, or to themselves — that any specific document was licensed for use. The audit trail does not exist. It was never built.
This is the AI industry’s first major encounter with a problem that will get more severe over time: AI pipelines have no cryptographic backbone. The data that flows through them carries no tamper-evident history. The agents that act within them have no verifiable authorization chain. The outputs they produce have no unforgeable attribution. And the decisions they make have no audit trail that survives outside the vendor’s own database.
The instinct has been to reach for Web2 access control — OAuth tokens, API keys, role-based permissions, audit logs. This instinct is wrong. Not because those tools are bad, but because they answer the wrong question.
Web2 access control answers: is this request authorized right now, by a currently valid token, verified against a currently running server?
AI security requires answering: who created this, when, under what terms, what has been done to it since, and can any of that be verified by someone who was not present and does not trust the server?
These are different questions. The same tools cannot answer both.
What a Token Cannot Prove
An OAuth token proves you have access to a system in this moment. It proves nothing about the data inside that system — who created it, whether it has been modified, what license it was created under, or whether the audit log of actions taken against it is accurate.
When an AI agent presents a token and calls an API, the token proves the agent is authenticated. It does not prove the human who provisioned the agent actually authorized this specific action. It does not prove a sub-agent spawned by the primary agent had any scope restriction applied to it. It does not prove that the document the model was given as retrieved context is the authentic, unmodified version of that document.
Remove the server and everything collapses. No Slack server, no Slack identity. No OpenAI API, no way to verify the model’s output claim. The trust lives in the server, not in the artifact.
AI outputs, training documents, and model decisions do not stay inside the server. They travel. They persist. They are used as evidence, as training data for future models, as the basis for consequential decisions. The trust model needs to travel with them.
The Five Problems Nobody Has Solved
Training data provenance. The AI licensing crisis is not fundamentally about copyright law. It is about the absence of a provenance system. If every training document carried a cryptographic signature from its author at creation time — with the license declared in the signed payload — AI companies could demonstrate, artifact by artifact, that content was appropriately licensed. That infrastructure does not currently exist at scale. The result is legal exposure that is existential for some companies and expensive for all of them.
RAG context integrity. Retrieval-Augmented Generation pulls documents into the context window that the model then reasons over. A model cannot intrinsically distinguish a legitimate retrieved document from a maliciously injected instruction. Indirect prompt injection — where an attacker controls a document that ends up in the retrieval set — is a live attack vector that becomes more dangerous as AI agents take consequential actions. Without verifiable signatures on retrieved content, the context window is an open injection surface.
Agent authorization chains. When Agent A spawns Agent B spawns Agent C, and Agent C executes an action, what proves that the original human authorized this chain with this scope? OAuth tokens prove authentication. They do not prove scope. They do not prove that scope was preserved through delegation. In multi-agent systems, there is no cryptographic chain of custody connecting a consequential action back to the human who authorized it.
Output attribution. A model produces text. That text passes through a post-processor, a safety filter, a UI layer, a cache. By the time a user sees it — or a regulator audits it — there is no way to verify it is what the model actually produced. There is no tamper-evident record. The model cannot be held accountable for modifications made downstream, and downstream systems cannot prove the model is responsible for the original content.
Regulatory audit trails. The EU AI Act requires that high-risk AI systems maintain auditable records of decisions. GDPR requires data minimization — no more personal data processed than necessary. These requirements are in direct tension: retain the data used for a decision (auditable but privacy-risky) or discard it (GDPR-compliant but unauditable). Current architectures have no good answer.
A Different Trust Model
The Aqua Protocol takes a different approach to the same problem space. Instead of a perimeter that asserts trust, it builds a chain of cryptographic evidence that proves it.
Every artifact — a training document, a retrieved context chunk, an agent authorization, a model output, a decision record — carries its own verifiable history embedded in a hash-chained structure. Modify any piece of it and the chain breaks. Verify any piece of it and you need no server, no session, no issuing authority. The evidence is self-contained.
Applied to training data: every document is signed by its author at creation time, with license declared in the signed payload. Provenance is in the artifact, not the curator’s spreadsheet.
Applied to RAG: retrieved chunks carry source signatures. Context assembly produces a tamper-evident record of exactly what was included. Policy enforcement before context injection — “only include chunks signed by trusted sources” — narrows the injection surface to a cryptographically bounded set.
Applied to agent authorization: delegation is a signed artifact specifying the delegatee, the scope, and the validity window. Sub-agent delegation enforces attenuation — each hop can only reduce scope, never expand it. The chain from consequential action back to human authorization is cryptographically verifiable.
Applied to output attribution: a model signs its outputs with its identity key. Modification breaks the chain. The original output is permanently bound to the model that produced it.
Applied to regulatory compliance: decision records attest to which verified claims were used as inputs — “age verified, employment verified, residency verified” — without embedding the underlying personal data. A regulator can audit the decision without seeing the personal information it was based on. The audit trail is tamper-evident without being a privacy liability.
The Model Collapse Problem
There is a longer-term risk the industry has not fully confronted.
The web is filling with AI-generated content. Future models trained on web data will increasingly train on current models’ outputs. The quality and diversity of training data degrades. AI content detectors are probabilistic and gameable — not a structural solution.
Cryptographic content provenance is. If human-created content carries signatures from human-controlled keys — keys that are attested to verified human identities — training curators can filter on evidence rather than probability. “Include documents signed by a verified human key before this date” is a verifiable filter. “Exclude content that looks AI-generated” is not.
The infrastructure for this exists. The adoption problem is distribution.
What This Means
The AI industry does not have a configuration problem with its access control. It has an architectural mismatch between the trust model it inherited from Web2 and the trust requirements of the systems it is building.
Web2 trust is perimeter-based, synchronous, and server-dependent. AI systems are cross-boundary, asynchronous, and persistent. The requirements are not compatible.
The answer is not better tokens. It is a trust model that travels with the data — where the evidence of who created something, who authorized something, and what has happened to something since is embedded in the artifact itself, verifiable by anyone, without asking any server for permission.
That infrastructure is being built. The AI industry needs it before the next wave of litigation, regulation, and security incidents makes the absence impossible to ignore.
The Aqua Protocol is an open specification for cryptographic trust infrastructure — hash-chained revisions, self-sovereign identity, portable attestation, selective disclosure, and verifiable agent delegation. The reference SDK is under active development.
Resources
- Aqua Protocol V4: aqua-protocol.org/v4
- Aqua Protocol: aqua-protocol.org
- GitHub: github.com/inblockio