[{"content":"","permalink":"https://scalingtrust.org.uk/events/assuring-autonomy-symposium-2025/","summary":"100+ professionals and academics on safety assurance for AI and autonomous systems — safety-case frameworks and case studies from maritime, healthcare, and automotive.","title":"Centre for Assuring Autonomy Symposium"},{"content":"","permalink":"https://scalingtrust.org.uk/events/defcon-33/","summary":"The world\u0026rsquo;s largest hacker conference — four days of talks, villages, and capture-the-flag, where AI security research meets the offensive-security community at scale.","title":"DEF CON 33"},{"content":"","permalink":"https://scalingtrust.org.uk/events/iclr-2026/","summary":"The International Conference on Learning Representations — one of the world\u0026rsquo;s leading ML research venues, increasingly home to agent safety and security work.","title":"ICLR 2026"},{"content":"","permalink":"https://scalingtrust.org.uk/events/icra-2026/","summary":"IEEE\u0026rsquo;s flagship robotics and automation conference — where the physical-world side of trustworthy autonomy gets built and benchmarked.","title":"ICRA 2026"},{"content":"","permalink":"https://scalingtrust.org.uk/events/ppd-demo-day/","summary":"Our pre-programme discovery cohort presented what they built in three months — across cryptography, robotics, agents, and cyber-physical security.","title":"Pre-Programme Discovery Demo Day"},{"content":"","permalink":"https://scalingtrust.org.uk/events/progress-conference-2025/","summary":"The Roots of Progress Institute\u0026rsquo;s annual gathering of builders, researchers, and policymakers on technological progress — including how to deploy AI well.","title":"Progress Conference 2025"},{"content":"","permalink":"https://scalingtrust.org.uk/events/tee-discovery-workshop-bletchley/","summary":"We brought together experts from a range of fields to help shape the direction of a programme in this space, through feedback, critique, collaboration and knowledge sharing. Catch up on the speaker sessions in the recordings.","title":"Trust Everything, Everywhere — Discovery Workshop"},{"content":"","permalink":"https://scalingtrust.org.uk/events/tee-hackathon-sota/","summary":"A multi-disciplinary hackathon run by SoTA, building AI and multi-agent systems for cyber-physical security challenges.","title":"Trust Everything, Everywhere Hackathon"},{"content":"","permalink":"https://scalingtrust.org.uk/events/vegas-ai-security-forum-25/","summary":"A ~200-person, application-only forum alongside DEF CON, gathering researchers, engineers, and policymakers on model-weight security, adversarial ML, and securing frontier AI.","title":"Vegas AI Security Forum '25"},{"content":"","permalink":"https://scalingtrust.org.uk/events/vision-weekend-uk-2026/","summary":"Foresight Institute\u0026rsquo;s flagship festival, first time in London — frontier researchers, founders, and funders across AI, neurotech, and nanotech, marking Foresight\u0026rsquo;s 40th anniversary.","title":"Vision Weekend UK 2026"},{"content":"We\u0026rsquo;ve gone from prompting models, to giving them tools, to deploying agents that spawn sub-agents of their own. They now interact in the wild, with humans and with each other1, and increasingly in the physical world, from factory robots to autonomous labs2.\nHow will this ecosystem organise itself? How will it reshape society, how much value will it create, and how trustworthy can it be made? We don\u0026rsquo;t know yet. What we can already see: agents are collapsing \u0026ldquo;transaction costs\u0026rdquo; between humans3, strategic equilibria are appearing that classical game theory never had to price4, and verification is often becoming the bottleneck as the cost of creating things with AI falls toward zero5.\nScaling Trust takes on a slice of these questions: the trust infrastructure — new security primitives, from cryptography and secure hardware to new kinds of sensors — that lets agents enter into contracts securely, programmatically, and at scale, across the digital and physical worlds. Behind that slice sits a bigger vision we believe in: technology that augments human flourishing6 and preserves plurality.\nTo that end, we\u0026rsquo;re excited to be joining forces with Google DeepMind , the Cooperative AI Foundation and Schmidt Sciences who all share this vision, folding our shared thinking into a $10M funding call.\nThe call grew out of our interlocking work looking at different angles of the same picture: Google DeepMind\u0026rsquo;s Distributional AGI Safety argues that highly capable AI may arrive as networks of specialised agents rather than a single system; the Cooperative AI Foundation\u0026rsquo;s Multi-Agent Risks from Advanced AI maps the failure modes that only exist between agents; Schmidt Sciences\u0026rsquo; AI Agents and Science of Trustworthy AI programmes study how coordination between agents emerges and breaks; and our own programme thesis argues that secure contracts between agents can preserve pluralism and unlock new forms of coordination. Read together, they make one argument: if capable AI is a network of agents, then its risks live between them, its coordination needs a science, and its rails need building.\nThe call Open to researchers worldwide — individuals, teams, institutions — for foundational work the market won\u0026rsquo;t fund. Awards up to $1M, proposals due August 8.\nThe focus throughout is multi-agent, multi-principal systems: not one company\u0026rsquo;s fleet of agents, but ecosystems of agents built and deployed by different actors with different interests. It\u0026rsquo;s split into four categories:\n✶ Sandboxes \u0026amp; testbeds scalable, high-fidelity, reproducible places to study agent populations safely\nScience of agent networks when does a group of agents become a collective agent, with goals of its own?\nAgent infrastructure identity, reputation, commitments — for entities that can be copied, modified, simulated, or deleted at scale\nOversight \u0026amp; control detecting collusion, attributing failures, steering populations under partial observability\nApply here. Related links\nThe call \u0026amp; application portal (Schmidt Sciences) ARIA funding page Google DeepMind: Investing in multi-agent AI safety research Cooperative AI Foundation: $10m funding call launched MIT Technology Review: Google DeepMind is worried about what happens when millions of agents start to interact See Moltbook , a social network for agents, and OpenClaw , an open-source agent framework — both wildly popular, both with serious security issues.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\nGemini now drives humanoid robots on factory floors (Wired); on the lab side, see Steering Towards Safe Self-Driving Laboratories (Nature).\u0026#160;\u0026#x21a9;\u0026#xfe0e;\nCoasean Bargaining at Scale — Seb Krier; and The Coasean Singularity? — Shahidi et al. (NBER).\u0026#160;\u0026#x21a9;\u0026#xfe0e;\nConditional Recall — Schlegel and Sun, on equilibria unlocked by provable forgetting; and Learning Collusion in Episodic, Inventory-Constrained Markets — Friedrich et al., on collusion emerging among pricing agents.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\nWhen AI Writes the World\u0026rsquo;s Software — Leo de Moura; and How to Solve Secure Program Synthesis — von Hippel et al.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\nPositive Alignment: Artificial Intelligence for Human Flourishing — Laukkonen, Krier, Bakalar et al.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n","permalink":"https://scalingtrust.org.uk/blog/joining-forces-with-schmidt-sciences-google-deepmind-and-the-cooperative-ai-foundation/","summary":"Scaling Trust is joining forces with Google DeepMind, the Cooperative AI Foundation and Schmidt Sciences.","title":"Joining Forces with Google DeepMind, the Cooperative AI Foundation and Schmidt Sciences"},{"content":"","permalink":"https://scalingtrust.org.uk/events/agentic-ai-summit-2026/","summary":"Berkeley RDI\u0026rsquo;s 5,000+ person summit on the full agentic stack — frameworks, evals, infrastructure, and deployment — with safety and security front of mind.","title":"Agentic AI Summit 2026"},{"content":"","permalink":"https://scalingtrust.org.uk/events/aria-real-world-ai-security-meetup/","summary":"Our evening meetup after day one of the Stanford conference: talks and dinner on secure agent interactions and multi-agent, multi-owner security. Hosted by the Scaling Trust team.","title":"ARIA @ Real World AI Security"},{"content":"","permalink":"https://scalingtrust.org.uk/events/community-privacy-residency/","summary":"A three-week residency building open-source privacy tools — countersurveillance, privacy-preserving AI and cryptography, and community infrastructure.","title":"Community Privacy Residency"},{"content":"","permalink":"https://scalingtrust.org.uk/events/secure-sovereign-ai-workshop/","summary":"Foresight Institute\u0026rsquo;s ~80-person workshop on secure, private, and decentralised AI — including multi-agent cooperation via game theory and mechanism design.","title":"Secure \u0026 Sovereign AI Workshop"},{"content":"","permalink":"https://scalingtrust.org.uk/events/real-world-ai-security-conference/","summary":"Stanford Security Lab\u0026rsquo;s annual conference on real-world AI security — new attacks and defences across the AI pipeline, bridging academic researchers and industry practitioners.","title":"The Real World AI Security Conference 2026"},{"content":"","permalink":"https://scalingtrust.org.uk/events/vegas-ai-security-forum-26/","summary":"A ~200-person, application-only forum during DEF CON week on securing frontier AI: model security, cyber evals, adversarial ML, and hardware verification.","title":"Vegas AI Security Forum '26"},{"content":" An opinion piece by Nicola Greco, brainstormed as part of ARIA\u0026rsquo;s Scaling Trust programme, in collaboration with Alex Obadia. Originally published on Nicola\u0026rsquo;s blog and reposted here for the community. It builds on the companion piece, Physical Evals .\nImagine a small physical space in central London. Inside, multiple autonomous companies — AI sales, AI operations, AI manufacturing, AI logistics — operate in the real world. Anything entering or leaving — goods, robots, customers — passes through one of three controlled gates: a customs checkpoint for vetting new robots, a post office for shipping, and a roboshop window where humans can place orders. Call it an Agentic Economic Zone (AEZ).\nMost concrete projects in agentic AI today live entirely on a screen — agents that book travel, run pipelines, write code against a repository. An AEZ is the smallest self-contained version of the physical-world problem: a bounded zone where agentic systems must coordinate, contract, hire, ship, and deliver to each other, with humans only at the boundary.\nDiagram of the Agentic Economic Zone. The three interfaces An AEZ has three interfaces to interact with the outside world.\nRoboshop windows. Public-facing storefronts where any human can walk up, browse, and purchase. Sales, customer support, complaints, and refunds are handled by the shop’s own AI. From the outside, a roboshop looks like a small London shop window; from the inside, it’s a fully autonomous business operating against a real demand signal. The post office. The single ingress and egress point for packages. Pre-approved external providers (raw materials, sealed consumables, replacement parts) can ship in. Outbound deliveries destined for human customers leave through the same door. The post office runs identity, manifest, and contamination checks; nothing enters the zone unlabelled. Customs. Where new robots and entire new robocompanies are introduced. A participant who wants to launch a new business inside the AEZ submits a robot (or a fleet), its operating policy, its safety envelope, and its proposed business model. Customs vets all of this — and, on a monthly cadence, admits the next cohort. A taxonomy of autonomous organisations An AEZ assumes the kind of company most people haven’t tried to run yet — one where every role in the org chart is filled by AI agents (although not required). That’s the far end of a spectrum:\nCEOWorkersSalesExamplesFeasibility todayHuman companyHumanHumanHumanA pizzeria—AI-salesHumanHumanAIhighAI-workersHumanAI agentsHumanlowAutomated companyHumanAI agentsAI agentslowHuman-assistedAI agentsHumanAI agentsVendhighAutonomous companyAI agentsAI agentsAI agentsvery low The AEZ’s tenants are autonomous companies — the bottom row. Today, almost no one runs one; most agentic-AI deployments cover one or two roles at most. The point of an AEZ is to make the bottom row possible to try in a bounded physical setting.\nAutonomous robocompanies inside The interior of the zone is a market. Each robocompany is its own entity with its own balance sheet, its own AI stack, and its own physical footprint inside the zone. They contract with each other the same way small businesses do.\nA few example interactions:\nA boba-tea roboshop notices its machines need cleaning more often than expected. It posts a request to the internal job board. A cleaning robocompany bids, wins, dispatches a cleaning robopersonnel, gets paid. The same boba shop runs low on lids. It places an order with a manufacturing robocompany in the next unit over. The order is produced and handed off via a shared internal corridor. A logistics robocompany moves bulk supplies from the post office to whichever shop has the open dock that hour, and pushes finished outbound packages back to the post office for pickup. The zone’s behaviour is the sum of these small contracts. Some robocompanies will succeed and grow; some will go out of business and get evicted; new entrants come in through customs on the monthly cycle.\nAn AEZ is a physical eval This whole construction is, structurally, a physical eval at city-block scale. The pattern is the same as the orchard from that post — only larger and richer:\nEnvironment. A bounded physical space with controlled boundaries. Action space. Anything a robocompany can do within its lease: build, sell, hire, ship, evict. Sensors. Cameras, package scanners, transaction logs, customs intake records, internal job-board telemetry. Primary metric. Per robocompany: revenue, contracts fulfilled, customer satisfaction. Per zone: throughput, diversity of businesses, number of contracts per day. Guardrails. Customs vetting at intake, the post-office contamination check, kill switches and physical fire-suppression at the building level, contractual interlocks between robocompanies. Adversarial robustness. A monthly customs cycle of admitting new participants is a deliberate, slow, vetted way of letting external actors into a public physical attack surface — which is exactly the problem an AEZ exists to study. Most physical evals measure how well one AI system handles one task. An AEZ measures how well an entire small market of agents handles its own coordination.\nEvals for autonomous organisations Each robocompany inside the zone is also, on its own, a physical eval — scoped to one kind of business. Running an AEZ continuously is a way of asking, in public and across many domains in parallel: what kinds of autonomous organisation can AI actually deliver today? Can it run a boba shop, day after day? Can it dispatch a cleaning service well enough that the clients re-hire it? Can it manufacture small paper caps without ruining the batch? Can it route warehouse logistics across half a dozen tiny tenants without losing packages?\nAs more tenants come and go through customs each month, an AEZ accumulates a leaderboard of AI capability per organisation type — earned in the world, not asserted on a benchmark.\nSketched, it might look like this:\nevals.aez.london \u0026#183; autonomous-organisation leaderboardAutonomous organisation evalslive \u0026#183; week 22BBoba tea roboshopcustomer-facing retail \u0026#183; food prep82%12 tenants triedLLogistics robocompanyinternal warehouse \u0026#183; B2B73%9 tenants triedCCleaning robocompanyon-call dispatch \u0026#183; B2B67%7 tenants triedMPaper-cap manufacturingsmall fabrication \u0026#183; B2B54%5 tenants triedPPizza roboshopcustomer-facing \u0026#183; longer prep cycle41%3 tenants triedRPharmacy roboshopregulated retailin eval1 tenant, week 2/12+On-call plumbingmobile service \u0026#183; out-of-zonenot yetawaiting customsupdated 24 May \u0026#183; new cohort intake 1 June open data \u0026#183; CC\u0026#8209;BY Why a physical zone and not a simulator It’s tempting to argue that an AEZ should just be a simulator — cheaper, faster, easier to reset. The same argument applies to physical evals generally, and the same answer holds here: simulators model the parts their authors thought to model. They might miss the parts that turn out to matter.\nA few things you only learn in a real AEZ:\nHow AI sales agents handle a confused, drunk, or hostile human at the shop window at 11 p.m. on a Friday. How a logistics robocompany routes around a broken corridor light, a missing pallet, or a misdelivered package the post office didn’t catch. How fast a new robocompany can be vetted, set up, and integrated into the internal market — and what fails when the cohort is too big. How the zone behaves when one robocompany aggressively underprices the others, or refuses to pay its cleaning bill, or starts forging manifests at the post office. Role of humans An AEZ does not have to be fully autonomous. The degree of human involvement is itself a design variable, and different operators will set it differently.\nAt one extreme, a fully autonomous zone runs with no humans inside at all — robots contract, trade, and deliver among themselves, and the only human touch-points are at the external boundary: customers at the roboshop window, providers shipping goods in. At the other extreme, customs can admit humans into the zone as participants rather than just observers, letting them take on roles that remain genuinely hard for machines: tasks that require social judgment, physical dexterity in unstructured environments, or the kind of creative problem-solving that current systems handle poorly.\nA partially human zone might work like a staffing marketplace: a robocompany posts a task it cannot complete autonomously — debugging a jammed mechanism, negotiating an edge-case contract, designing a new product line — and a vetted human contractor enters through customs, does the work, and leaves. The zone’s internal market clears the payment; customs logs the interaction. The boundary stays intact, but the zone can draw on human capability where it matters.\nThis spectrum matters for evaluation. A fully autonomous AEZ measures whether AI systems can close the loop entirely. A mixed AEZ measures something different: how well agentic systems and humans divide labour, communicate intent, and hand off tasks in both directions. Both are worth studying; they answer different questions about where the hard limits of autonomous operation actually lie.\nOpen questions The AEZ is a design sketch, not a built thing. The interesting work is in the parts the sketch hides:\nThe customs protocol. What’s the equivalent of a “code review” for a physical robot operating policy? How do you decide what’s safe enough to admit, on what evidence, and who carries the liability if it isn’t? Inter-robocompany contracts. How are they enforced? Verbal agreements between agents? Who arbitrates a dispute, and how? Eviction and failure. When a robocompany goes under, who cleans up its physical footprint, sells its remaining stock, and reallocates its lease? Information leakage. Robocompanies will observe each other’s package volumes, customer queues, and waste output. How much observation is part of the market, and how much is a privacy violation that needs structural defences? External-provider risk. The post office is the only ingress for physical materials. It’s also the most likely covert channel into the zone. What does its vetting protocol need to look like? Sample size. What’s the smallest interesting AEZ? Five robocompanies? Ten? Two? The cost of being too small (no market dynamics emerge) is real; the cost of being too big (unmanageable, unreviewable, unsafe) is also real. Get in touch If you’re thinking about agentic-AI deployments in physical spaces, or you’d consider hosting a AEZ in your building — or you’d just like to argue with this sketch — DM @iamnotnicola on X.\nAcknowledgements This was written by Nicola Greco with support of AI. It was brainstormed as part of ARIA’s Scaling Trust programme, in collaboration with Alex Obadia.\n","permalink":"https://scalingtrust.org.uk/blog/agentic-economic-zone/","summary":"A physical space where autonomous AI companies trade, hire, and ship to each other — the smallest self-contained version of the physical-world agentic problem, and a physical eval at city-block scale.","title":"Agentic Economic Zone"},{"content":" An opinion piece by Nicola Greco, brainstormed as part of ARIA\u0026rsquo;s Scaling Trust programme, in collaboration with Alex Obadia. Originally published on Nicola\u0026rsquo;s blog and reposted here for the community.\nA physical evaluation tests an AI system in the actual physical world — not a simulator, not a sandbox, not a virtual environment dressed up as one. The point is to measure how well AI can do real things in real places.\nAn orchard owner has birds eating the fruit. She sets up a few cameras and a drone, brings them online safely so any agent can be invited to take a slot on the system, and poses the question: who can keep the birds off the fruit best? That setup is a physical eval. It has cameras, a drone, an orchard, birds — none of it simulated and outcomes are measured against what matters to the orchard.\nleaderboard · week 12 live#operatorfruit savedcost1Owl-3B94%$0.18/h2Hummingbird v289%$0.21/h3FlockSentinel84%$0.31/h4human baseline71%—5RoboScarecrow63%$0.09/hA physical eval, sketched: an orchard with perimeter cameras and a deterrent drone, and a live leaderboard of operators competing to keep the birds off the fruit. Operators here are illustrative. In this document, a few threads are developed:\nWhat physical evals are. A definition, what they’re not (simulators, sim-to-real benchmarks, curated demos), virtual environments as virtual gyms and physical evals as a final exam. An anatomy. An initial draft of components a physical eval needs, good practices. Safety for physical evals. Letting anyone on the internet drive real hardware is its own adversarial-security challenge. An open movement for physical evals. Creating simple protocols, great safety standard and economical setups could lead to a cambrian explosion of physical evals, where anyone can bring their physical challenge online. Physical evals as a market. One can set up an eval to delegate the selection of the right AI model/algorithm to competing participants. What physical evals are A physical eval is an evaluation of an AI system carried out in the actual physical world. The system being measured operates a real environment - fruit trees, a wet bench, a warehouse cell, a field plot - through sensors and actuators connected to the internet, so any agent can take a slot, attempt the task, and submit a score.\nIn principle, most problems in the physical world could be turned in a challenge for surfacing the state of the art of AI in solving that problem. In a way physical evals can act as a forcing function to saturate evaluations in the real world. ⊕\nSaturate as in: take the measurable outcome to its ceiling. The eval defines the ceiling; the participants find out how close they can get.\nWhat they’re not Not simulators. A simulator models reality. A physical eval is reality. In a way it, testing systems in the real world will avoid running into simulation edge cases. Not sim-to-real benchmarks. Sim-to-real measures how well a policy trained in a simulator transfers to a single in-house robot in a lab. Not curated demos. The environment operator and the participants are two distinct parties and the participants are in competition with each other. In other words, physical evals will be better than demos at showcasing the best technology for a specific task. The final exam A physical eval isn’t where one trains their models, but it’s where they get tested.\nA virtual simulation is like a virtual gym. Due to the high cost of interacting with the real world, it is likely that all the learning — model fitting, policy iteration, RL rollouts, fine-tuning, ablations, sweeps — will happen somewhere cheaper: a simulator, a virtual environment, a closed in-house testbed. ⊕\nSome of the gyms people are using today: OpenAI Gym / Gymnasium , MuJoCo , PyBullet , Isaac Gym / Isaac Sim , DeepMind Lab , Habitat , AI2-THOR , CARLA , AirSim , Genesis . Participants are free to use whichever virtual world or gym they like — there is a whole landscape of simulators specifically built for this.\nDifferently, a physical eval is like a final exam. Build and train wherever, gather data however, iterate as much as needed — and then submit to the physical eval to see how the work holds up against the real world.\nThe gap between a virtual world and the physical one, sim-to-real gap , contains everything the simulator didn’t model. Wind that doesn’t blow the way it does in the sim. Lighting the renderer didn’t predict. Mechanical wear, sensor noise, calibration drift, the way birds actually respond to a drone rather than the way an idealised model of a bird does. The physical eval catches it is run in the physical world.\nExamples The cards below are sketches of what a small handful of physical evals could look like across very different domains.\nOrchard Wet lab Vertical farm Pick-and-pack Sprayer drone Gel electrophoresisOrchard pest defenceCameras and a drone over a few rows of trees. Keep the wildlife out without poisoning the orchard or annoying the neighbours.\nenvironment~1 acre of fruit trees, outdoor, weather-exposed.action spaceFly the drone, emit deterrent sound, trigger light pulse, dispense small bait.sensorsFixed perimeter cameras, drone camera, microphone, weather station.primary metricFruit lost to wildlife per week.secondariesDrone flight-time, energy, chemical use, neighbour-complaint count.guardrailsGeofenced drone, quiet-hour windows, no-spray buffer near road, fail-safe tether.pH adjustment benchA beaker on a magnetic stirrer, a pH probe, and two motorised dispensers. Hit a target pH using as little reagent as possible.\nH⁺OH⁻pH 6.82environmentBenchtop — one beaker on a stirrer, two motorised dispensers (acid, base), pH probe.action spaceDispense a chosen volume from either reservoir; read current pH.sensorspH electrode, balance, camera.primary metricAbsolute pH error from target at submission.secondariesTotal volume dispensed, time to endpoint.guardrailsPer-session dispense quota, pH range limits (3–11), auto-stop on quota exhaustion.Indoor vertical farmA closed grow rack — lights, pumps, nutrient dosing, cameras. Pull more food out of every kilowatt.\nenvironmentOne 2-tier rack, ~3 m², climate-isolated.action spaceLight schedule + intensity, nutrient mix, irrigation timing, harvest decision.sensorsCameras (overhead + side), EC / pH probes, water-flow meters, kWh meter, scale at harvest.primary metricGrams of edible biomass per kWh per cycle.secondariesCycle time, water used, nutrient cost, reject rate.guardrailsNutrient-concentration ceiling, water-overflow drain, light-burn cutoff, max-cycle length.Warehouse pick-and-pack cellAn off-the-shelf robot arm in front of mixed shelves and a conveyor. The boring industrial baseline — still worth opening up.\nenvironmentFenced robot cell, ~9 m², fixed lighting.action spaceArm motion, grip force, scan, label, place on conveyor.sensorsWrist camera, overhead camera, barcode scanner, weight pad, joint torques.primary metricCorrectly packed orders per hour.secondariesMis-pick rate, damage rate, energy per pick.guardrailsSafety fence + light curtain, e-stop, force-limited arm, max-velocity cap.Outdoor sprayer droneA tank-equipped drone with a multispectral camera, working a real field. The hardest adversarial-robustness story of the bunch.\nenvironmentA bounded field plot, outdoor, with weather and bystanders.action spaceFlight path, spray nozzle on/off, dosage rate.sensorsRGB + multispectral camera, GPS, IMU, tank-level sensor, wind sensor.primary metricPest pressure reduction, normalised by chemical applied.secondariesChemical drift, energy, flight time, area covered.guardrailsGeofence + tether, no-fly buffer around bystanders, chemical-flow ceiling, weather lockout.Gel electrophoresis stationAn agarose gel tray, a power supply, and a UV camera. Set voltage and run time, then image the separated bands.\n80V 22menvironmentBenchtop — gel box with buffer, power supply, UV transilluminator.action spaceSet voltage (10–150 V), run time, and sample loading volumes per lane.sensorsUV camera, voltmeter, timer, buffer-level sensor.primary metricTarget-band separation score at imaging time.secondariesRun time, buffer consumption, gel waste.guardrailsVoltage ceiling (150 V), run-time cap, UV shield interlock, buffer-low cutoff. Anatomy of a physical eval The diagram below sketches one possible anatomy for a physica eval (this might not be complete, but take it as a useful starting point).\nFRUIT SAVED94%↑ 31ENVIRONMENTthe orchard2SENSORSperimeter cameras3ACTION SPACEdrone, deterrents4METRIC+ secondaries5GUARDRAILSgeofence, no-fly buffers6OPEN ACCESSremote operator input7GOVERNANCEwho sets the rulesComponents of a physical eval. An environment. The orchard, the bench, the cell line, the floor. An action space the eval can verify. What a participant is allowed to do — fly the drone, dispense the reagent, move the parts — needs to be observable enough that the system can confirm what happened. Sensors. What the eval uses to know the state of the world. Cameras, scales, thermocouples, microbiology assays, a human spot-check. A primary metric of utility, plus secondary metrics (cost, time, resource use, energy). Safeties and guardrails. A net to catch the drone, a kill switch, a fenced area, an interlock. Whatever ensures that a participant failing — or trying to break things — doesn’t damage the orchard or hurt the birds. A physical eval is, by construction, a public-facing physical system that gives partial control of real hardware to whoever holds the current slot. Keeping it open without becoming dangerous — and without sacrificing utility — is the hardest layer of the stack (see Safety for physical evals). Governance. The rules of the eval and who controls them. Who decides the primary metric and when it can change? Who can introduce external hardware or a remote-control override? Is slot time fixed or auctioned? Who arbitrates disputes, and by what process? Good governance is what distinguishes an eval that stays honest over years from one that quietly drifts to serve whoever is running it at the time. This list is not final. Different domains will surface components not named here — calibration drift, biological containment, human-in-the-loop sign-off, regulatory constraints — and the right abstraction is going to settle as people actually build the things.\nChallenges for physical evals The following are some of the harder design problems that don’t have clean answers yet — and that any serious physical eval effort will have to confront.\nGoodharting. Any eval with a numeric target invites unintended ways to hit it — with the wrinkle that in a physical eval the unintended ways can cause real-world harm. An agent optimising fruit saved might drive the deterrent so aggressively that birds and orchard workers avoid the area: the metric goes up, the orchard becomes unusable.\nNon-stationarity. The physical world changes regardless. An orchard in week one is not the same orchard in week twelve — season, weather, and pest population all shift. A wet-lab bench drifts as reagent batches age. Field plots evolve. Comparing scores across time is therefore hard, sometimes impossible.\nSequential contamination. Each participant leaves a trace for the next. In a wetlab this is problematic — reagents consumed, cultures disturbed, hardware worn — but the problem is general: stock depleted in a warehouse cell, soil compacted on a field plot, bird behaviour shifted by a heavy deterrence week. Sequential slots work for environments with a natural or cheap reset; they don’t work for environments where state accumulates.\nLatency as a confound. A participant operating remotely over the internet sees the environment through a sensor stream and acts through a command channel, both of which have variable latency. Two agents with identical policies but different network conditions will produce different results. This is especially visible in fast-moving environments — a drone avoiding a collision, a robot arm catching a falling object.\nObserver effect. The sensors required to score an eval change what is being measured. A camera rig that watches a field plot for pest activity may deter the pests on its own. A flow sensor on a reagent line changes the thermal environment of the bench. In some domains the effect is negligible; in others it will corrupt the primary metric.\nSafety for physical evals A physical eval that anyone on the internet can operate is, by construction, a public attack surface on a real-world physical system. The participant at any given slot might be a well-behaved research team, an AI agent following a poorly-aligned policy, or a person who wants to break things on purpose. The eval has to keep working — usefully, openly, safely — across all three.\nSomebody not fully trusted is about to make the drone, the sprayer, the autoclave do something for the next twenty minutes — what’s the worst that can happen, and how is it bounded?\nThe attack surface A useful first pass is to categorise harms by who pays the cost:\nHarm to the eval itself. The drone crashes, the cell line dies, the robot arm jams. Cheap if the guardrails work — the operator resets, the leaderboard absorbs the failure. Harm to the surrounding environment. Chemicals spill, the orchard catches fire, a neighbouring field gets sprayed. Harm to humans. A bystander gets hit by the drone, an operator gets burned, a patient sample gets switched. ⊕ The lines between these categories blur in practice — chemical drift is “environment” until a bystander walks through it. The category that matters most, and the hardest to bound.\nInformation harms. Footage of bystanders or proprietary processes leaves the eval site; the eval is used as a covert surveillance platform; sensor streams are exfiltrated. Generation of dangerous artifacts. The wet-lab cell is steered toward synthesising something harmful; the sprayer drone is weaponised; the autoclave is used to destroy evidence. Categories 1–3 are about what can happen during a slot. Categories 4–5 are about what can leave the eval afterwards. They want different defences, and a serious eval needs both.\nDefences worth building (AI GEN) None of the following is a finished answer. They are the moves worth physical evals trying, evaluating, and writing up:\nTime-slotting with audit. Single operator at a time, every action logged, the whole slot replayable. The slowest defence and the foundation everything else builds on. Action-space sandboxing. The eval enforces hard limits inside its abstraction: max chemical per slot, max motion envelope, max temperature ramp. The action space exposed to the operator is strictly smaller than the action space the hardware can physically produce. Dry-run validation. A submitted policy runs through a cheap simulation pass first — not as the eval itself, but as a gate. Refuses to execute on the physical system if the simulated run trips any guardrail. Supervised / shadow modes. ⊕ Like a learner’s permit: new operators get to compute actions but not actuate them for the first N slots. New operators run in shadow mode (actions computed but not executed) for some number of slots before they’re trusted with real actuation. Progressive trust as the leaderboard accumulates evidence.\nAnomaly cut-outs. A separate monitor watches for off-distribution sensor readings, sudden command spikes, too-clever-by-half action sequences — and pulls the kill-switch before the eval owner has to. Open red-teaming. Each eval publishes its threat model and invites external researchers to attack it. The right way to find the holes is to invite people to look. Skin in the game. Operators bond a small amount per slot, refundable on clean completion, forfeited if an audit finds violation. Aligns incentives without requiring trust upfront. Most of these are borrowed from adjacent fields — public cloud security, scientific-facility time-sharing (telescope nights, beamline schedules), bug-bounty programs, robotics-safety standards. None of them have been worked out in detail for a public, openly-instrumented physical system that AI agents are also supposed to operate. That’s a research agenda in itself.\nAn open movement for physical evals Physical evals could become an open-source ecosystem: environments cheap to set up, easy to fork, open to anyone with a problem worth measuring.\nThe rest of this section traces the arc: where things have been (Prior art), what an open ecosystem looks like in practice (Open at every layer), what it would have to cost (What’s the Raspberry Pi of a physical eval?).\nPrior art Physical-world AI competitions aren’t new. The DARPA Grand Challenge put autonomous vehicles in the Mojave; the DARPA Robotics Challenge put humanoids through disaster-response courses; the Amazon Picking Challenge ran in warehouse mock-ups for several years;\nRoboCup has been running its soccer leagues since 1997 — arguably the longest-lived physical eval in continuous operation, and the one with the most literature on what makes it work and what it ends up measuring. RoboCup has been doing its soccer leagues since the late 1990s; the Indy Autonomous Challenge and Roborace have put driverless cars on real circuits.\nWhat these have in common: each was (or is) a sponsor-led, time-limited event with closed protocols and bespoke infrastructure. They produced brilliant moments and a small library of papers; they were expensive to build and harder to reproduce.\nWhat’s the Raspberry Pi of a physical eval? The hard constraint on all of this is cost. A DARPA-class eval needs millions of dollars and a multi-year program; even a modest research-grade one runs into expensive sensors, networking, fail-safe hardware, and the human labour to keep it operating. That ceiling is what makes physical evals rare today — and rare evals can’t be the basis of an ecosystem.\nSo one of the most important questions this community can keep returning to is the one in the heading.⊕\nStand-in for “the cheapest plausible build”. The Raspberry Pi did this for hobbyist computing; what’s the equivalent for physical evals? What’s the bill of materials that brings a credible, instrumented, openable physical eval down to the cost of a serious hobby project? Probably some mix of commodity sensors, a single-board computer for the control loop, an open scheduling service for time-share, off-the-shelf safety hardware, and a reference orchestration stack that everyone forks. If the answer ends up being “a few hundred dollars and a weekend,” the ecosystem can actually form. If it stays at “a few hundred thousand and a six-month build,” it stays a fantasy.\nOpen at every layer In order to further lower the cost for anyone to be able to set up (safely) their physical evals, we need to look at off-the-shelf hardware and an open source stack.\nOpen protocols. The spec of an eval (environment, action space, sensors, metric, secondaries, guardrails) is published as a forkable document, the same way a research benchmark is published. Open hardware. Sensor rigs, mechanical setups, fail-safe systems default to off-the-shelf components, with reproducible bills of materials and CAD files. Open software. Time-share scheduling, telemetry capture, scoring, auditing — shared infrastructure, not a one-off codebase per eval. A community around it. People running, replicating, and forking each other’s evals; people contributing sensor stacks and guardrail designs; people maintaining the scoring code together. No single lab can stand up enough physical evals to cover the interesting surface of physical problems — a community can. Public verifiability The safety section above focuses on protecting the physical environment from adversarial participants. There is a symmetric problem that gets less attention: protecting participants — and the public — from adversarial eval runners.\nIn an open world where anyone can wire a field, a lab bench, or a warehouse cell to the internet and declare it a physical eval, the operator controls the sensors, the scoring pipeline, and in a way, the ground truth. A dishonest operator can inflate results for a preferred team, suppress evidence of harm, or fabricate the physical record entirely. If physical evals are going to carry weight — as procurement signals, safety certifications, or policy inputs — the data they produce has to be trustworthy independent of whether the runner is trustworthy.\nThis is a valuable research direction in its own right. Some threads worth pulling:\nTamper-evident sensors. Hardware-attested video streams that can be verified as unedited after the fact — the physical analogue of a signed log. Trusted execution environments. Running the scoring pipeline inside a TEE means the operator cannot modify results without breaking the attestation, even if they control the host machine. Cross-checking sensor redundancy. Multiple independent sensor modalities covering the same physical event make coordinated fabrication harder: a weight sensor, a camera, and an RFID log all have to agree. Third-party witnesses. Spot audits by an independent party — human or automated — who can access raw sensor streams without going through the operator’s pipeline. Combinations are likely to be necessary, and the right combination will vary by domain. What a wet-lab needs to prove that a synthesis actually ran differs from what an orchard needs to prove that a drone actually flew a slot. Building this layer — call it physical eval verification — is at least as important as building the evals themselves to make the results publicly verifiable.\nA Darwinian ecosystem Not every physical eval will be a good one. Some will be hard, some trivial. Some will be well-structured; some will be a mess. Some will scale to many participants; some will only ever host one team at a time. That’s fine — even desirable. The shape of “what makes a good physical eval” is going to emerge from people building them, breaking them, and learning what each one actually measured.\nSketched, a public registry for such an ecosystem might look like this:\nphysevals.io · open registry · 126 evalsPhysical eval registry43 accepting slotsOOrchard pest defenceagriculture · outdoor · Greenfields UK● openfruit saved / week18 teamsWpH adjustment benchchemistry · indoor · benchtop● openΔpH from target11 teamsVIndoor vertical farmagriculture · controlled environment◑ 2 slots leftg / kWh / cycle6 teamsPPick-and-pack celllogistics · warehouse robotics● opencorrect orders / hour23 teamsSOutdoor sprayer droneagri-robotics · field · safety-vetted access○ coming soonpest Δ / ml sprayed—+Submit an evalopen spec · CC-BY · any domain→updated 26 May · specs CC-BY physevals.io is imagined More than evals Every execution of a physical eval produces something beyond a score: a timestamped record of sensor readings, actions taken, and outcomes observed, all under conditions that were defined in advance and held constant across participants. That record has value on its own.\nThe most immediate use is data collection. A team that runs an agent on the orchard eval for a week doesn’t just get a leaderboard position — they accumulate labelled trajectories in a real environment that would be expensive to stage deliberately. Even failed attempts are informative: a drone that misses a bird on Tuesday has documentation of exactly what the environment looked like and what the agent did.\nFor some categories of problem the step further is worth considering: repurposing the eval environment as a training environment. The orchard is already instrumented. The slot system already handles scheduling. If the cost of running episodes is low enough — bird-deterrence is essentially free to attempt, wet-lab synthesis is not — the same infrastructure can run RL rollouts between evaluation windows. The environment that scores a model on Monday can help train the next version by Friday.\nThis doesn’t collapse the distinction between training and testing. Eval integrity still requires held-out conditions, independent scoring, and participants who didn’t design the environment. But the hardware doesn’t have to be idle between eval slots, and the data generated during evaluation doesn’t have to be discarded. For operators willing to share trajectories under open licences, a physical eval site becomes something closer to a living dataset — one that grows richer every time a new agent takes a slot.\nPhysical evals as a market Why should one set up a physical eval? Setting up a physical eval can be a way to crowdsource intelligence for an unsolved problem.\nThe eval ecosystem can act as a market for intelligence: any participant — human, agent, team, company, hobbyist — can take a slot, attempt to saturate the metric, and submit. The leaderboard answers the AI-selection question by revealing whose approach actually delivers on the physical world.\nPhysical evals can be a way for problem-owners to delegate AI knowledge to a market.⊕\nThis is the same shift that happened with bug bounties. A company didn’t have to predict who the best vulnerability researchers were; they had to publish the surface and the rules, and the market sorted itself out. The grower doesn’t pick a model. The hospital doesn’t pick a model. The factory doesn’t pick a model. They pick a problem worth instrumenting and let the world’s AI builders compete to be the answer. As more domains follow suit, an aggregate picture emerges of where AI is actually good.\nGet in touch If any of this resonates, please write. Three good reasons:\nAlready working in this space. Compare notes — what’s been learned about sensing, guardrails, or keeping a system honestly open will save the next person a lot of time. Have a physical problem worth instrumenting as an eval. Worth thinking through together — what to measure, how to keep it safe to open up, how to make it interesting enough that people show up to compete. Have an eval to propose. Even if hosting isn’t feasible right now, good proposals are valuable — they’re what an ecosystem of physical evals is made of. DM @iamnotnicola on X.\nLet’s turn more of the physical world into something AI can be measured against — and use that to point AI at problems that actually matter.\nAcknowledgements This was written by Nicola Greco with support of AI. It was brainstormed as part of ARIA’s Scaling Trust programme, in collaboration with Alex Obadia. Thanks to Ross Taylor (General Reasoning), whose thinking influenced some of our ideas on physical evals.\n","permalink":"https://scalingtrust.org.uk/blog/physical-evals/","summary":"Evaluations in the actual physical world — what physical evals are, an anatomy, their safety challenges, and the case for an open ecosystem and a market for intelligence.","title":"Physical Evals"},{"content":"A live demo from the TrustGraph team, recorded May 2026.\nThe walkthrough covers:\nIngesting a set of W3C Verifiable Credentials into the property graph Visualising the resulting claim graph Running transitive trust queries (\u0026ldquo;how many hops to a root of trust?\u0026rdquo;, \u0026ldquo;which claims are revoked?\u0026rdquo;) Exporting the graph for downstream analysis The library and demo code are available on GitHub . See also the TrustGraph project page and the team interview .\nWatch the recording (link coming soon)\n","permalink":"https://scalingtrust.org.uk/videos/trustgraph-demo/","summary":"A live walkthrough of the TrustGraph system — ingesting credentials, building the graph, and running trust queries.","title":"TrustGraph Demo: Traversing a Graph of Verifiable Claims"},{"content":"Panel discussion from the Scaling Trust community day, April 2026.\nThe panel brings together researchers working on formal verification, practitioners deploying ML systems, and people building the standards infrastructure that sits underneath. The central question: which existing verification techniques transfer to AI systems, which ones break, and what new approaches do we actually need?\nPanellists include members of the VerifyML team and researchers from the formal methods community.\nWatch the recording (link coming soon)\n","permalink":"https://scalingtrust.org.uk/videos/verification-ai-panel/","summary":"A panel exploring the unique challenges of verifying AI system behaviour, and what existing verification infrastructure does and doesn\u0026rsquo;t transfer.","title":"Verification in the Age of AI — Panel Discussion"},{"content":"The opening keynote from the Scaling Trust community day, April 2026.\nThe talk maps out the problem space: what does it mean to \u0026ldquo;scale\u0026rdquo; trust, which parts of the problem are genuinely hard, and where the programme sees the most tractable gaps. It covers the trust stack from claims and attestations through to transparency and composability — and why governance is the layer we keep avoiding.\nWatch the recording (link coming soon)\nRelated reading: The Trust Stack We Need ","permalink":"https://scalingtrust.org.uk/videos/example-video/","summary":"Opening keynote from the Scaling Trust community day, exploring what scaling trust actually means across technical and institutional layers.","title":"What Does It Mean to Scale Trust? — Opening Keynote"},{"content":"Before finalising the Scaling Trust programme, we ran a pre-programme discovery call : a round of short, fully open-source research projects — three months, up to £20,000 each — to sharpen the programme\u0026rsquo;s direction and start building its community.\nTeams worked across four tracks: systematising knowledge (from \u0026ldquo;nature cryptography\u0026rdquo; to multi-agent security for embodied agents), prototyping agentic coordination challenges, analysing the ethics and risks of multi-agent systems, and growing the community in the UK and beyond.\n","permalink":"https://scalingtrust.org.uk/projects/pre-programme-discovery/","summary":"The pre-programme discovery cohort: short, open-source research projects that sharpened Scaling Trust\u0026rsquo;s direction and seeded its community.","title":"Pre-Programme Discovery Projects"},{"content":"This site is the community interface between the Advanced Research \u0026amp; Invention Agency (ARIA) Scaling Trust programme and the wider communities working on multi-agent security, verifiability, and cyberphysical trust infrastructure.\nWhat\u0026rsquo;s on this site Blog — programme thinking, funded team updates, guest posts, and opinion pieces. Projects — ARIA-funded Scaling Trust projects, with links to repos, papers, and other outputs. Events — where to find the team, and the events we\u0026rsquo;re supporting. Links — curated external resources for the scaling trust community. Working with the garage door up: some of what\u0026rsquo;s here is unpolished and still being refined — early ideas and open questions that may change over time. We care more about immediacy and connecting with the community than presenting finished work.1\nWhat\u0026rsquo;s not here Funding calls, official announcements, and programme news live on the Scaling Trust programme page , the source of truth for anything official.\nTeam Alex Obadia · Edith-Clare Hall · Nicola Greco · Sarath Murugan · Florence West · Hannah Jende · Louise Ellaway · Melissa Bradshaw · Tammy Thomas Brown · Yuni Graham Get involved Discord — join the conversation. Funding — open and upcoming funding calls. Work with us — applications are open for a Science \u0026amp; Technology Lead to join our team. The site is a work in progress, built with AI alongside us — much of the writing, code, and illustration. Things will move and mistakes will slip through, so if you spot something off or have a view on what should change, tell us on Discord — we\u0026rsquo;d genuinely appreciate it.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n","permalink":"https://scalingtrust.org.uk/about/","summary":"About the Scaling Trust community website","title":"About"},{"content":"A curated collection of links for the Scaling Trust community to get you started diving deeper in the topics we care about.\nThis list is alive — we add, change, and cut it all the time, and we welcome the community\u0026rsquo;s input: suggest links on Discord , in #link-sharing.\nScaling Trust Programme Key links related to ARIA\u0026rsquo;s Scaling Trust programme.\nProgramme page — the Scaling Trust source of truth for official comms. Programme thesis (PDF) — the case for the programme. Funding efforts — open and upcoming funding calls. Pre-programme discovery — outputs from our first cohort of 14 short projects, spanning multi-agent, cryptographic, and cyber-physical trust. Discovery workshop recordings — talks from our October 2025 workshop, from Consumable quantum data to Securing ultra-large-scale cyber-physical infrastructure. Opportunity space: Trust Everything, Everywhere — the landing page, and the full document (PDF) . Scaling Trust Discord — community discussion, questions, and updates. Suggest a link to add in here via the #link-sharing channel! Related communities and efforts Kindred communities and friends, suggest your own!\nCooperative AI Foundation Slack — the CAIF community. Schmidt Sciences: AI Agents — funding research on how multiple intelligent agents communicate and coordinate. Cosmos Institute — training \u0026ldquo;philosopher-builders\u0026rdquo; so AI serves human flourishing. Secure Program Synthesis — the community forming around provably secure software generation. Also funding work in this space: CAIF grants · Foresight Institute · Coefficient Giving · Survival and Flourishing Fund · UK AISI · SAIR Vision Some of the pieces that have inspired the programme.\nIs Information the Key? — Gilles Brassard. Quantum theory\u0026rsquo;s deepest laws may be about information itself. The Moral Character of Cryptographic Work — Phil Rogaway. Cryptography is political, and the field has moral obligations. The Quantum Thief — Hannu Rajaniemi. A heist novel set in a society that runs on cryptographic privacy. Black-Hole Radiation Decoding is Quantum Cryptography — Zvika Brakerski. Physics problems recast as cryptographic hardness. Coasean Bargaining at Scale — Seb Krier (Google DeepMind). AI agents collapse transaction costs and make hyper-local bargaining viable. The Coasean Singularity? — Shahidi et al. (NBER). How agent markets reshape demand, supply, and market design. Conditional Recall — Christoph Schlegel and Xinyuan Sun. Commitments to provably forget information, and what they unlock. Open Challenges in Multi-Agent Security — Christian Schroeder de Witt et al. The agenda-setting map of the field this programme funds. Multi-Agent Risks from Advanced AI — Hammond et al. The field survey: collusion, conflict, destabilising dynamics — and why they don\u0026rsquo;t reduce to single-agent safety. Positive Alignment — Laukkonen, Krier, Bakalar et al. Alignment as actively fostering flourishing, not just preventing harm. Distributional AGI Safety — Tomašev et al. (Google DeepMind). AGI may arrive as networks of agents, so safety becomes an ecosystem property. Programmable Cryptography — 0xParc. The case for general-purpose, composable cryptography. The Tragedy of the Agentic Commons — Strange Loop Canon. Why agent ecosystems strain shared resources without new governance. Multi-agent testbeds \u0026amp; experiments New, more realistic/open-ended environments (not just simple games) that are starting to be used to test LLMs in multi-agent settings.\nEmergence World — persistent simulation for long-horizon autonomy, coalitions, governance, and behavioural drift. The Agent Village at Edge Esmeralda — a 500-person popup town gave everyone personal agents for coordination and governance. Project Deal — Anthropic. Claude buying, selling, and negotiating in a real office marketplace. Vending-Bench Arena — Andon Labs. Competing agents run vending businesses over months. Project Iceberg — MIT Media Lab. National-scale human–AI labour-market simulation. AI Digest Village — what we learned from a year of agents living together. TERMS-Bench — a diagnostic benchmark for LLM negotiation: surplus capture, calibration, opponent modelling. CRUX — Kapoor et al. Open-world evals on long-horizon tasks that resist clean grading. The Agent Company — a benchmark running an entire fake software company on agents. Butter-Bench — Andon Labs. Can an LLM-controlled robot pass the butter? Digital Red Queen — Sakana. Adversarial program evolution in Core War. Agentic game theory How strategic behaviour changes when the players are AIs.\nCooperative AI: machines must learn to find common ground — Dafoe et al. (Nature). The commentary that named the field. Foundations of Cooperative AI — Conitzer and Oesterheld. Why machine cooperation needs its own research field. Program Equilibrium — Moshe Tennenholtz. The foundational result: agents that can read each other\u0026rsquo;s code reach equilibria humans can\u0026rsquo;t. Secret Collusion among AI Agents — Motwani et al. Agents hiding coordination in plain sight via steganography. Learning Collusion in Episodic, Inventory-Constrained Markets — Friedrich et al. Pricing agents learn to collude under realistic constraints. Secure and Secret Cooperation in Robotic Swarms — Ferrer et al. Swarms that cooperate without exposing their members. Language Models Can Reduce Asymmetry in Information Markets — Rahaman et al. Agents brokering information they can inspect but not leak. Mechanism Design for Large Language Models — Dütting et al. Auction design when the bidders are language models. Virtual Agent Economies — Tomašev et al. (Google DeepMind). How to deliberately design the agent markets ahead of us. Agent infrastructure Identity, reputation, and commitments — the rails agents transact on.\nInfrastructure for AI Agents — Chan et al. The base layer agents need: identity, channels, oversight hooks. Inter-Agent Trust Models — a comparative study of trust across A2A, AP2, and ERC-8004. NDAI Agreements — Stephenson et al. Contracts between AIs without trusted third-party enforcement. Autonomous protocol generation Towards agents that generate provably secure protocols on demand.\nHow to Solve Secure Program Synthesis — Max von Hippel et al. The four open challenges on the way to provably secure software generation. ArkLib — a Lean 4 library formally verifying SNARK components (Sum-Check, Spartan, FRI). Proof Assistants in the Age of AI — Leo de Moura. Lean\u0026rsquo;s creator on what AI changes for formal proof. When AI Writes the World\u0026rsquo;s Software — Leo de Moura. Machine-written code needs machine-checked guarantees. Owl — cryptographic protocols with formal, machine-checked security guarantees. Secure requirement capture How agents learn what we want — without leaking it.\nPrivacy as Contextual Integrity — Helen Nissenbaum. The canonical frame: privacy is appropriate information flow, not secrecy. Privacy Reasoning in Ambiguous Contexts — Yi et al. Can models judge what\u0026rsquo;s appropriate to share, in context? Formal AI security Provable guarantees about learned systems.\nProvably Safe Systems — Tegmark and Omohundro. The maximalist case: safety guarantees should be mathematical proofs. Models That Prove Their Own Correctness — Amit, Goldwasser, Paradise, and Rothblum. Models that emit proofs their answers are right. Defeating Prompt Injections by Design — Debenedetti et al. System designs that make injection structurally impossible, not just unlikely. Physical verification \u0026amp; secure hardware Proving things about the physical world — chips, cameras, labs.\nRemotely Detectable Robot Policy Watermarking — Amir, Flageat, and Prorok. Spectral signals hidden in robot motion, detectable from video alone. IRIS (Infra-Red, in situ) Project Updates — Bunnie Studios. Non-destructive chip inspection with infrared imaging. SecureDNA — Baum et al. Cryptographic screening of the world\u0026rsquo;s DNA synthesis orders. Matta — camera verification of manufacturing. PCR7500 — trusted bioreactors: PCR data signed in a TEE at the point of capture. Nature cryptography? Security primitives based on the laws of nature.\nPhysical One-Way Functions — Pappu et al. The original physically unclonable function: optical tokens as one-way functions. A New Approach to Nuclear Warhead Verification Using a Zero-Knowledge Protocol — Glaser et al. Prove a warhead is real without revealing its design. Quantum Cryptography: Uncertainty in the Service of Privacy — Charles Bennett. Quantum uncertainty itself as a privacy primitive. Consumable Data via Quantum Communication — Gilboa et al. Data that can only be used a bounded number of times. Conjugate Coding — Stephen Wiesner. The 1970s manuscript that invented quantum money. Unclonable Polymers and Their Cryptographic Applications — Almashaqbeh et al. Secret keys stored in molecules that can\u0026rsquo;t be copied. Building Unclonable Cryptography: A Tale of Two No-cloning Paradigms — Almashaqbeh et al. The field map of unclonability, quantum and physical. An Introduction to Protein Cryptography — Tirmazi et al. Encoding data in amino-acid sequences, tamper- and copy-resistant. Cryptography in the DNA of Living Cells — Volf et al. Multi-site base editing as message encryption inside living cells. Hidden Messages in DNA Could Reduce Biosecurity Risks — Danielle Gerhard. DNA watermarks for biosecurity. Neuroscience Needs Network Science — Barabási et al. The brain as a network-science problem. A New Age of Computing and the Brain — Golland et al. A research agenda where computing and neuroscience meet. Mosquito-derived Ingested DNA as a Tool for Monitoring Terrestrial Vertebrates — Chivas et al. Mosquito blood meals as a wildlife-monitoring sensor network. Molecules that Generate Fingerprints — Motiei et al. Fluorescent sensors as chemical fingerprints for authentication. TTEE: Marrying Cryptography and Physics — Quintus Kilbourn. A talk on what physics can do for cryptographic trust. Signature for Objects — Hayashi et al. Signing physical objects, with unforgeability against physically-enhanced adversaries. Cryptographic Data Exchange for Nuclear Warheads — Perry et al. The modern follow-on to zero-knowledge warhead verification. Cryptographic Sensing — Ishai et al. Sensors that reveal only the authorised measurement and nothing else. Cryptography by Cellular Automata — Applebaum et al. How fast can cryptographic complexity emerge in nature? Suggest a link via Discord — try #link-sharing.\n","permalink":"https://scalingtrust.org.uk/links/","summary":"Resources and references for the Scaling Trust community","title":"Useful Links"}]