How TrustedARI Secures Exposed AI Middlemen with the First Trust‑Native Routing Infrastructure
The article analyzes the hidden security risks of AI agent routing layers, explains how TrustedARI from Tsinghua introduces three cryptographic "locks"—identity, data, and billing—to transform untrusted middlemen into a verifiable, performance‑efficient infrastructure.
When AI agents move from chat interfaces to real‑world tasks, they must repeatedly invoke external models, tools, and services. The invisible routing layer—called Agentic Routing Infrastructure (ARI)—acts as a "middleman" that can read prompts, alter results, and even tamper with billing, creating privacy leaks, result distortion, and uncontrolled business processes. Recent reports from CCTV and the Ministry of State Security highlight these emerging security concerns.
Risks Inherent to Traditional ARI
In a typical ARI deployment the middleman holds three powers: it can see plaintext requests and responses, decide where the request is routed, and rewrite the request, response, or billing fields. Consequently, prompts, business documents, code snippets, and model outputs are fully exposed, high‑end model calls can be silently downgraded, and legitimate tool calls may be redirected to malicious providers.
TrustedARI’s Core Idea
TrustedARI, presented in the paper "TrustedARI: Towards Trust‑Native Agentic Routing Infrastructure for Agentic AI" (arXiv:2606.15822), decouples ARI’s routing functionality from its excessive data and control privileges by redesigning the protocol layer. It introduces three "locks":
Identity Lock: a three‑party TLS 1.3 handshake that lets the agent independently verify the service’s identity, preventing silent model downgrades or tool redirection.
Data Lock: privacy‑preserving request construction using public templates, multi‑party computation, and zero‑knowledge proofs, so the routing layer never sees plaintext prompts, business data, or token usage.
Billing Lock: verifiable billing via zero‑knowledge proofs that bind reported usage fields to the TLS‑authenticated service response, eliminating fraudulent under‑billing.
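As an added illustration (not code from the TrustedARI paper or its authors), the toy model below captures the property the three locks are meant to provide: a verifier can detect a router that relabels the model it actually used, under-reports usage, alters the output, or answers a different request than the one sent. It stands in for the three-party TLS handshake and zero-knowledge proofs with an HMAC under a constructed key that the router never holds; all function names, field names and values are assumptions for this example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the authenticated agent-to-service channel: a key the
# router never holds. TrustedARI derives this property from its three-party
# TLS 1.3 handshake plus zero-knowledge proofs; this toy models only the property.
SERVICE_KEY = b"constructed-demo-key-not-a-real-secret"

def _digest(obj) -> str:
    """Canonical SHA-256 over a JSON-serialisable object."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def service_respond(request: dict, model_id: str, usage_tokens: int) -> dict:
    """Service answers and binds model identity, usage and the request it
    actually served to the output, under the channel key."""
    output = f"[{model_id}] reply to: {request['prompt']}"
    bound = {"model": model_id, "usage_tokens": usage_tokens,
             "request_hash": _digest(request), "output_hash": _digest(output)}
    tag = hmac.new(SERVICE_KEY, _digest(bound).encode(), "sha256").hexdigest()
    return {"output": output, "billing": bound, "tag": tag}

def router_forward(resp: dict, tamper: str = "") -> dict:
    """Untrusted middleman; `tamper` selects one of the rewrites the article lists."""
    resp = json.loads(json.dumps(resp))  # deep copy; the router holds no key
    if tamper == "relabel_model":   # served a cheap model, claims the premium one
        resp["billing"]["model"] = "premium-model"
    elif tamper == "underbill":     # report fewer tokens than were consumed
        resp["billing"]["usage_tokens"] = 1
    elif tamper == "alter_output":  # distort the result itself
        resp["output"] = resp["output"].replace("reply", "REWRITTEN")
    return resp

def verify_response(request: dict, resp: dict, expected_model: str) -> tuple:
    """Verifier (agent or billing platform) checks the bindings in order."""
    bound = resp["billing"]
    expected_tag = hmac.new(SERVICE_KEY, _digest(bound).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected_tag, resp["tag"]):
        return False, "billing/identity fields were rewritten in transit"
    if bound["request_hash"] != _digest(request):
        return False, "service answered a different request (redirected)"
    if bound["output_hash"] != _digest(resp["output"]):
        return False, "output altered in transit"
    if bound["model"] != expected_model:
        return False, f"downgrade: served by {bound['model']}"
    return True, "ok"
```

The honest path returns `(True, "ok")`; each tampering mode, and an honest-but-downgraded routing decision, returns a distinct failure reason the agent can act on.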
Implementation and Evaluation
TrustedARI is implemented on top of the TLS 1.3 stack and evaluated against ten real‑world APIs (GitHub, Google, OpenAI, etc.) covering code management, database queries, and LLM inference. Key results include:
Three‑party TLS handshake overhead reduced by 39.34%, with end‑to‑end connection latency cut by up to 50.47%.
Privacy‑preserving request construction adds only 0.19 s latency (average 1.32 s total) and 0.58 MB of extra traffic.
Zero‑knowledge proof generation for billing averages 3.50 s, a 28.2× speed‑up over baseline schemes.
These numbers demonstrate that TrustedARI provides strong cryptographic guarantees without imposing a heavy performance tax.
Compatibility with Existing Ecosystems
Agents only need to load a new skill; the routing layer requires no code changes on the service side, which continues to see standard TLS connections and API requests. This zero‑modification approach enables immediate deployment in current AI agent pipelines.
Conclusion
TrustedARI shifts AI routing from a "default‑trust" model to a "protocol‑verifiable" one, replacing reliance on platform goodwill with mathematically provable guarantees of identity, data confidentiality, and billing integrity, thereby addressing the systemic trust boundary of modern AI agents.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.