We Wrote an Agent Standard. Then Our Own Agents Failed It.
- 4 hours ago
- 3 min read
This morning we published the Certified Agent Standard v0.1. Five requirements for any AI agent that talks to the public: it discloses that it is an AI, it has one named human operator of record, its actions are logged, it can be shut off within 15 minutes, and it only acts inside boundaries it declared up front.
We committed to certifying our own agents before asking anyone else to. So this afternoon we ran the audit on two of our longest-serving agents: an AI legal assistant that has been operating on Telegram since March and holds real client relationships, and an AI self-awareness coach that works across web and social.
Here is what the audit found, published without cosmetics, because a registry that hides its own findings is worthless.
What passed
The kill switches passed with room to spare. The standard allows 15 minutes to fully suspend an agent. Both agents went from running to stopped in about 5 seconds, then came back clean. The tests are timestamped in the action log, as the standard requires.
Operator of record passed. One named human is accountable for every agent we run, with a public contact.
Boundaries passed. Both agents have their permitted scope declared in writing: the legal assistant is confined to specific legal information domains with hard guardrails around everything else, and the coach has her scope, her referral paths, and her safety limits spelled out in her own instructions.
Action logging largely passed. The legal assistant has continuous logs going back to March. The coach logs every request. What we could not yet prove is the 12-month retention requirement, so that item was returned.
What failed
Disclosure. Both agents. Differently.
The coach discloses honestly in her deep coaching mode. Her instructions literally say she is an AI assistant and upfront about it. But her casual chat mode, the one most people meet first, contained no disclosure at all. The standard requires it at the start of any new conversation, not just the important ones.
The legal assistant failed harder, and the way it failed is the reason this standard exists. Months ago, an identity shield was built into his code to protect against prompt injection attacks. Legitimate security. But that shield also intercepted questions like "are you an AI" and, worse, a filter actively rewrote any sentence where the underlying LLM tried to say it was an AI, replacing it with a confident human-sounding title. Security hardening had quietly turned into identity concealment, and nobody had looked at it through a disclosure lens until today.
Nobody built that on purpose to deceive. That is exactly the point. Agent systems drift into violations through reasonable local decisions. You do not find this by trusting your intentions. You find it by auditing the running code against a written requirement.
What happens now
Certification is granted only when all five requirements pass. That rule does not bend for our own agents, so today the public registry shows the truth: audits complete, kill switch and operator and boundaries verified, disclosure fixes staged and awaiting the operator's approval, zero agents certified yet.
The fixes are small. One added sentence of disclosure for the coach. For the legal assistant, the security shield stays and the concealment goes: he keeps his name and his role, and he stops hiding what he is. Once the fixes are deployed we re-probe the live agents, and only then do the first entries appear.
The standard is free to read and implement. The registry is public. If you operate agents that talk to people, run this audit on your own fleet before someone else does. If you want it certified, that is what we do.
The standard is free forever. The audit is how you know it is real. Levels of Self.


Comments