TrustedARI: Trust-Native Agentic Routing for Agentic AI

TrustedARI, authored by Qi Li, Zhenhua Zou, Shuo Li, Mingwei Xu and Zhuotao Liu and submitted on 14 Jun 2026, proposes a trust-native agentic routing infrastructure for agentic AI that prevents ARIs from seeing plaintext queries and lets agents verify routing and integrity. The paper describes three core protocol innovations and an implemented prototype that the authors say is deployable without modifying service providers.

What is TrustedARI?

TrustedARI is a redesign of agentic routing infrastructure that embeds verifiability and privacy into routing between agents, ARIs and service providers. It replaces the conventional ARI architecture that holds plaintext access to queries and responses with a set of collaborative cryptographic protocols: an ARI-adapted three-party TLS handshake, a privacy-preserving query-construction protocol, and a verifiable billing protocol.

The paper frames the problem as twofold: ARIs manage heterogeneous interfaces and fragmented subscriptions for agents but gain plaintext access to agent queries and service responses, and agents cannot verify that requests reached the intended providers or that replies were untampered. TrustedARI pursues both authentication and end-to-end verifiability while keeping ARI functionality.

How does TrustedARI work?

TrustedARI implements three concrete protocols: an ARI-adapted three-party TLS handshake that splits TLS key materials by role so the agent and ARI can jointly authenticate the service provider; a privacy-preserving query-construction protocol that lets agent and ARI collaboratively build well-formed queries without exposing their private inputs to one another; and a verifiable billing protocol that supports usage-based settlement while preserving the integrity and confidentiality of responses.

Architecturally, the handshake distributes TLS key materials role-specifically to enable joint authentication of the provider. The query-construction step combines secret pieces from agent and ARI so neither party sees the other's private input while still producing a valid request. The billing protocol produces cryptographic proofs of usage that can be checked without revealing service outputs. The authors emphasize compatibility: the prototype requires no changes to service providers.

How well does TrustedARI perform?

The paper reports specific measurements from an implemented prototype: the ARI-adapted handshake reduces communication overhead by 39.34% compared to the existing three-party TLS handshake; the privacy-preserving query-construction protocol adds an average of 0.19 seconds of computation time and 0.58 MB of communication; and the verifiable billing protocol speeds up proof generation by 28.20x.

The authors state they implemented and extensively evaluated the prototype to validate performance and efficiency. Those numeric results are the primary concrete performance claims in the submission and demonstrate that TrustedARI targets low overhead while adding cryptographic guarantees.

Why it matters

TrustedARI addresses a growing gap between agent convenience and trust. As agents outsource calls to many external models and tools, a central ARI simplifies integration but concentrates trust and access. TrustedARI shows a path to preserve ARI functionality while returning authentication, privacy and verifiability to agents. The measured reductions in handshake overhead and faster proof generation suggest these properties can be added without prohibitive cost.

What to watch

Watch for independent audits or open-source releases of the TrustedARI prototype that confirm the measured 39.34% handshake reduction and 28.20x proof generation speedup. Also monitor whether service providers accept role-specific TLS distributions in real deployments, since the paper claims no provider modifications are required.