The Two Halves of Agent Trust · Newsletter Deep Dive · June 2026

A safe agent isn't a trusted one.

Agent trust is quietly two problems. One is whether the machine is safe — and the platforms are racing to solve it in the open. The other is whether a human can actually rely on the agent over time. As the first becomes a standard everyone has, the second becomes the entire competitive surface.

Every conversation about “trustworthy AI agents” blends two different things that fail differently, are designed differently, and — critically — are owned by different people. Pull them apart and the strategy gets clear fast: one half is becoming a free, shared standard, and the other is the only place durable advantage has left to go.

The first is machine trustworthiness. Is the agent secure and controlled? Are the tools it loads vetted? Does it stay inside policy, or will it leak data or take an action it shouldn’t? This has a clean, engineerable shape: scanners, evaluations, checkpoints, deterministic guardrails. It is, fundamentally, a security and controls discipline.

The second is relationship trust. Can a person actually work with this thing? Do they understand what it’s about to do before it does it? Can they tell where its authority ends and theirs begins? Can they recover when it’s wrong? Do they rely on it the right amount — not blindly, not barely — and does that reliance survive past the first session into a working relationship? None of that is a controls problem. It’s a design problem, and the unit of design isn’t a task. It’s a relationship.

Machine trust

Is it safe?

Secure, controlled, in-policy. Vetted tools, enforced limits, no leaks. A security-and-controls problem with a clear shape.

vs
Relationship trust

Can a human rely on it?

Understood, steerable, recoverable, relied on the right amount — and holding across weeks, not one session. A design problem about a relationship.

The pattern isn’t new. Every safety-critical field that automated heavily — aviation being the clearest — found that once the machine itself became reliable, the human’s relationship with it became the thing that decided outcomes. Agentic software is hitting that same turn, much faster.

The strategic shift

Machine safety is commoditizing. The relationship is where advantage moves.

Agent safety is being standardized in the open, fast. NVIDIA ships a scanner that vets skills before they’re installed. Microsoft turns your policies into generated tests and enforces deterministic controls at runtime — and is openly positioning its control spec to become an industry standard the way the Model Context Protocol and A2A did. These are genuinely good, and that is exactly the point: when a capability is open, partner-backed, and adopted across every framework, every serious team will have it within a year or two. A shared standard, by definition, is not a differentiator.

So where does durable advantage go? To the half that can’t be downloaded. You can copy a model and a set of guardrails in an afternoon. You cannot copy a relationship. An agent that has earned a specific person’s trust — that knows their context, calibrates how hard it pushes back, recovers gracefully, and has been right enough for long enough — is not replaceable by a competitor running the identical stack. The further a product moves into that relationship, the harder it becomes to swap out. It’s the same logic behind agent-first design: the defensible surface isn’t the model, it’s everything built around it that a person comes to depend on.

A standard everyone has is a floor. The relationship is the only thing that compounds.
TIME · ADOPTION → ADVANTAGE
Machine safety → rises, then flattens into a shared standard everyone has. Necessary. Not a moat.
Relationship trust (AUX) → compounds with time, context, and earned reliability. Can’t be cloned.
Conceptual, not measured. The shapes illustrate the thesis: open safety standardizes; the relationship keeps compounding.

The machine half, honestly

What the platforms built — and where it stops.

This is the machine-safety toolkit as it stands in 2026. It’s the layer auxfirst incorporates, not the layer it competes with. As an agency, we deploy whatever is latest and strongest — the same posture we take toward the broader landscape of managed agent platforms.

SkillSpectorNVIDIA · open source
A security scanner that answers “is this skill safe to install?” — 64 risk patterns across 16 categories (prompt injection, data exfiltration, excessive agency, tool misuse, MCP tool-poisoning), static plus optional LLM analysis, run as a release gate.
ASSERTMicrosoft · open source
Policy-driven evaluation. Takes your requirements, generates targeted test scenarios, and surfaces safety defects before production — with inspectable artifacts, not a black-box score. Framework-agnostic.
ACSMicrosoft · open spec
The Agent Control Specification: deterministic controls at five runtime checkpoints (input, model, state, tool, output), written as portable YAML that travels with the agent. Microsoft frames it as “the MCP or A2A of agent safety.”

Each is real, and worth using. And each stops at the same place: they govern what the machine does. Not one of them decides whether a human understands the agent, trusts it appropriately, or stays with it. That was never theirs to answer — it’s a property of the relationship, not a feature of a platform.

There’s a layer beneath this one, too. Before an agent can be trusted, it has to be reliable — grounded, equipped with good tools, and improved on the evidence of real runs. That operational scaffolding is its own discipline, which we’ve written up as agent enablement. Enablement gets you to dependable. Safety keeps you in-policy. Neither gets you to trusted. That’s the third thing.

The discipline of the other half

AUX is how you design the relationship — not a manifesto, a working method.

Agentic User Experience is the discipline of designing the enduring, adaptive relationship between a person and a system that has memory, initiative, and judgment. Classic UX optimized discrete tasks — fewer clicks, clearer flows — on one assumption: the software is a tool and the human operates it. The day software gained memory and the ability to act on its own, that assumption broke. You don’t design a collaborator with click-funnels. You design it as a relationship. In this world, trust isn’t a feature you add. Trust is the product.

It has four working parts: a way to locate where your product is, a set of things you actually ship, a model of what you’re building toward, and a way to evaluate it.

① Where your product is — the Evolution Curve

STAGE 01
Conversational

Natural language replaces rigid forms. Still a tool — the user does all the steering.

Most AI today
STAGE 02
Task-Aware

Acts on the user’s behalf, adapts in real time. Still session-bound and reactive.

Copilots, 2026
STAGE 03
Personally Intelligent

Remembers preferences, goals, recurring tasks across sessions. Anticipates. Feels like a colleague.

The moat begins
STAGE 04
Socially Embedded

Understands your team, role, and shared vocabulary. Part of how the org works.

Almost nobody here
↙ replaceable in an afternoonfunctionally irreplaceable ↗

The further right you move, the harder you are to swap out. A stage-1 chatbot has no defensibility; a stage-4 system carrying six months of context on a team cannot be cloned by a competitor with more capital. That gap is the AUX moat — built from time, trust, and accumulated context. And the engine under stage 3 and 4 is memory: the product only feels like a colleague when it remembers, and memory governance is where most of the real work lives.

② What you actually ship — the six patterns

Six core AUX interaction patterns turn the relationship from an idea into something you build. The first — the Intent Handshake — is the highest-leverage move in all of agentic design.

PATTERN 01
Intent Handshake

The agent restates the goal and its assumptions, and offers a redirect before any cost is incurred. The highest-leverage pattern in agentic design.

PATTERN 02
Confidence Cues

Make reasoning visible — sources, uncertainty, logic — but tapered, not overwhelming. Agents that don’t show their work feel mysterious, and mysterious is one bad output from untrusted.

PATTERN 03
Adaptive Canvas

The interface reshapes to the evolving task. A stable substrate that adapts at the edges while preserving spatial memory.

PATTERN 04
Escape Hatch

Obvious ways to undo, revise, or override. It’s what gives people the psychological safety to delegate in the first place.

PATTERN 05
Memory in Motion

Recall across time — past decisions, preferred formats, corrections — kept transparent and editable. Memory governance is where the real work lives.

PATTERN 06
Generative Momentum

The agent drafts; the user shapes. The blank page disappears. Co-authorship replaces command-and-execute — paired with 01 and 04 to stay safe.

③ What you’re building toward — the Trust Architecture

TRUST 01
Functional
“Can it do the task reliably?”

The baseline. Most AI products are still fighting to nail this.

TRUST 02
Contextual
“Does it get my situation?”

Your task, your way, accounting for what it knows. Where memory starts paying off.

TRUST 03
Judgment
“Good calls when it’s ambiguous?”

The hardest stage. Most products never reach it.

TRUST 04
Advocacy
“On my side when incentives don’t line up?”

The endgame, where a relationship becomes loyalty.

The stages are sequential — you don’t earn judgment trust before contextual trust. It’s also a diagnostic: when an agentic product feels wrong, the useful question is rarely “is the model good enough?” It’s which stage of trust just broke. Read the full breakdown in trust in AI systems.

④ How you evaluate it — heuristics, and proof

Ten AUX heuristics — the agentic answer to Nielsen Norman’s classic usability heuristics — score the quality of the relationship, not the clarity of a screen:

H01Visibility of intent & action — legible before it acts
H02Progressive transparency — full early, concise later
H03Control through steering — guide by intent, not micro-control
H04Trust is dynamic — gated for new users, autonomous as earned
H05Clear boundaries of autonomy — what’s allowed, gated, blocked
H06Graceful handling of uncertainty — ask, don’t hallucinate
H07Appropriate assertiveness — pushback is professional
H08Context efficiency — use context intelligently, not exhaustively
H09Multi-actor clarity — who acted, who owns the outcome
H10Consistent behavior, adaptive UI — stable logic, flexible surface
Not slideware — executable

The heuristics, trust stages, and gap taxonomy ship as machine-readable YAML in TrustKit (open source), and the whole thing runs as a one-page working session on the Trust Canvas. You can run aux-audit against an existing product and map its real surface area in 30 minutes. Frameworks without schemas are think-pieces; this one has both.

How the two halves fit

Not rivals. The same product, seen at two altitudes.

Machine safety and relationship trust are strongest together, and the seam between them is concrete. Take one moment:

Machine safety: a runtime control blocks the agent from sending a customer email it shouldn’t. The guardrail does its job.
Relationship trust: whether the user sees that block clearly, has an obvious way to review and override it, and knew the boundary of the agent’s authority before they delegated — that’s AUX.
The control creates the event. The relationship decides whether the user trusts the system more or less afterward.

That’s why auxfirst doesn’t replace the platform toolmakers. We deploy SkillSpector, ASSERT, ACS — and whatever ships next — then design the relationship around them. The tooling is an input. A product a human actually trusts is the output.

Everyone is racing to make agents safe. Almost no one is making them trusted.

Machine safety is becoming a standard — open, shared, and table-stakes within a year or two. That’s good, and we build on it: SkillSpector vets the parts, ASSERT tests the design, ACS holds the limits. But a standard everyone has is not an advantage. The advantage is the half that compounds and can’t be copied — a person’s earned, calibrated, durable trust in a specific agent.

That’s the discipline auxfirst exists to build, and the discipline the platforms have no reason to: it isn’t a feature of their product. It’s a property of the relationship.

Safe is the floor. Trusted is the moat.

Building the trusted half? That’s our work.

auxfirst designs the relationship layer around whatever safety stack you run — from the Intent Handshake to the Trust Architecture. If your agent is safe but people still hesitate to rely on it, that gap has a name now.

Start a conversation →

Emil Krzemiński is the founder of auxfirst, the agency for the agentic era. auxfirst designs the relationship layer of agentic products — the half the safety platforms have no reason to build — using AUX and the open-source TrustKit toolchain. If your agent is safe but not yet trusted, start a conversation or subscribe to the auxfirst Substack for what’s coming next.