A new cryptographic system lets users verify that an AI agent's safety filter actually ran — not just that the developer claims it did.
Researchers introduced proof-of-guardrail, a mechanism that runs an AI agent and its safety layer inside a Trusted Execution Environment (TEE), a hardware-isolated zone that prevents tampering even by the host machine's owner. The TEE produces a signed attestation confirming that a specific, named open-source guardrail processed the agent's output before delivery. Any user can check that attestation offline, without trusting the developer's word. The team built a working implementation for OpenClaw agents and measured both latency overhead and deployment cost.
AI safety claims today are effectively unverifiable marketing. A developer can say their product runs a safety filter and no external party can confirm it; proof-of-guardrail turns that assertion into a checkable artifact, making it harder to quietly skip or weaken filters without detection. That shifts real accountability into the infrastructure layer rather than leaving it in press releases.
The researchers are honest about what their system does not fix: a developer who wants to deceive can jailbreak the guardrail itself before placing it inside the TEE, so the attestation would certify that a compromised filter ran — not that the output is safe. Cryptographic proof is only as trustworthy as the thing being proved.