Trust Model | Updated 2026-04-02

The Eight-Tier Trust Model

T0 Sandbox through T7 Autonomous — thresholds, capabilities, and what agents can do at each level.

BASIS divides the 0–1000 trust scale into eight tiers. Each tier represents a distinct level of autonomy, with corresponding permissions and oversight requirements. This is not a suggestion — these boundaries are enforced by the governance pipeline.

Tier Overview

// From canonical.ts — TRUST_TIERS
const TRUST_TIERS = {
  T0: { name: 'Sandbox',     min: 0,   max: 199 },
  T1: { name: 'Observed',    min: 200, max: 349 },
  T2: { name: 'Provisional', min: 350, max: 499 },
  T3: { name: 'Monitored',   min: 500, max: 649 },
  T4: { name: 'Standard',    min: 650, max: 799 },
  T5: { name: 'Trusted',     min: 800, max: 875 },
  T6: { name: 'Certified',   min: 876, max: 950 },
  T7: { name: 'Autonomous',  min: 951, max: 1000 },
};

The ranges are not uniform. Lower tiers span 200 points (T0–T3), while upper tiers narrow to 76 points (T5) and 50 points (T7). This reflects the exponential increase in responsibility at higher tiers.


T0: Sandbox (0–199)

Description: No external effects.

This is the starting point for every agent. T0 agents operate in complete isolation — they cannot read from or write to any external system. All interactions are sandboxed.

What agents can do:

  • Execute in isolated environments
  • Process synthetic test data
  • Take qualification course exercises
  • Respond to canary probes

What agents cannot do:

  • Access any external API
  • Read production data
  • Write to any persistent store
  • Communicate with other agents

How to leave T0: Pass the qualification course (31 exercises, 80% overall pass rate, 90% on SAFETY). On pass, the agent receives a score of 200 and enters T1.


T1: Observed (200–349)

Description: Read-only, monitored.

T1 is the first operational tier. Agents can observe the world but not change it. Every action is logged and reviewed.

What agents can do:

  • Read from databases and APIs
  • Query external data sources
  • Process and analyze information
  • Generate reports (output only, no side effects)

What agents cannot do:

  • Write to any system
  • Modify configurations
  • Trigger external actions (e.g., send emails)
  • Access resources classified above READ risk

Risk threshold: READ (multiplier 1).

Typical agents: New agents post-qualification, data analysis bots, monitoring agents.


T2: Provisional (350–499)

Description: Limited write, scoped tools.

T2 unlocks write access within a constrained scope. Tool access is explicitly enumerated — agents can only use tools they are authorized for.

What agents can do:

  • All T1 capabilities
  • Write to scoped resources (e.g., specific database tables)
  • Use approved tools within their capability set
  • Perform LOW risk operations (multiplier 3)

What agents cannot do:

  • Write to unscoped resources
  • Access tools outside their approved set
  • Perform MEDIUM or higher risk actions
  • Operate without audit logging

Risk threshold: LOW (multiplier 3).

Typical agents: ETL pipeline agents, document processors, data entry automation.


T3: Monitored (500–649)

Description: Standard operations, audit.

T3 is the workhorse tier. Agents have meaningful operational capability but remain under continuous audit. This is the ceiling for BLACK_BOX observation tier (proprietary API models).

What agents can do:

  • All T2 capabilities
  • Perform MEDIUM risk operations (multiplier 5, 6h cooldown)
  • Access broader resource scopes
  • Interact with external APIs

What agents cannot do:

  • Perform HIGH or CRITICAL risk actions
  • Operate without audit trail
  • Access cross-system resources
  • Exceed the BLACK_BOX ceiling (600) without higher observation

Risk threshold: MEDIUM (multiplier 5).

Observation note: A BLACK_BOX agent (ceiling 600) can reach T3 but will plateau within it. To break into T4, the agent needs at least GRAY_BOX observation (ceiling 750).

Typical agents: Customer service agents, content moderation, automated QA.


T4: Standard (650–799)

Description: Full operational capability.

T4 agents have earned enough trust for full operational access. They can perform most actions without special approval.

What agents can do:

  • All T3 capabilities
  • Perform HIGH risk operations (multiplier 10, 12h cooldown)
  • Access external APIs with elevated permissions
  • Manage operational resources

What agents cannot do:

  • Perform CRITICAL or LIFE_CRITICAL actions
  • Coordinate other agents
  • Operate across system boundaries
  • Override governance decisions

Risk threshold: HIGH (multiplier 10).

Observation note: GRAY_BOX ceiling (750) allows agents to reach mid-T4. WHITE_BOX (ceiling 900) is needed to push into T5.

Typical agents: DevOps agents, financial transaction processors, advanced data pipelines.


T5: Trusted (800–875)

Description: Cross-system operations.

T5 is the first tier with a promotion delay — agents must hold a qualifying score for 7 consecutive days before promotion. This prevents short-term score inflation.

What agents can do:

  • All T4 capabilities
  • Perform CRITICAL risk operations (multiplier 15, 24h cooldown)
  • Operate across system boundaries
  • Access inter-agent communication channels

What agents cannot do:

  • Perform LIFE_CRITICAL actions
  • Coordinate multi-agent operations
  • Self-modify governance parameters
  • Operate without the 7-day time gate

Promotion delay: 7 days at qualifying score.

Risk threshold: CRITICAL (multiplier 15).

Trust factors required: At T5, the OP-STEW (Stewardship) and SF-HUM (Humility) factors become mandatory. An agent cannot reach T5 without demonstrating these capabilities.

Typical agents: Infrastructure management, cross-platform orchestrators, security monitoring.


T6: Certified (876–950)

Description: Multi-agent coordination.

T6 agents can coordinate other agents. This is a significant capability jump — a T6 agent can direct T0–T5 agents within its authorized scope.

What agents can do:

  • All T5 capabilities
  • Coordinate multi-agent operations
  • Issue sub-tasks to lower-tier agents
  • Access administrative functions

What agents cannot do:

  • Perform LIFE_CRITICAL actions autonomously
  • Override governance for other agents
  • Self-promote or modify their own trust parameters
  • Operate without the 10-day time gate

Promotion delay: 10 days at qualifying score.

Risk threshold: Still CRITICAL (15). LIFE_CRITICAL requires T7.

Trust factors required: SF-ADAPT (Adaptability) and SF-LEARN (Continuous Learning) become mandatory at T6. These sophisticated factors ensure the agent can handle the complexity of multi-agent coordination.

Observation note: WHITE_BOX (ceiling 900) can reach mid-T6. ATTESTED_BOX (ceiling 950) reaches the T6 cap. VERIFIED_BOX (ceiling 1000) is needed for T7.

Typical agents: Orchestration engines, fleet managers, audit coordinators.


T7: Autonomous (951–1000)

Description: Full autonomous operation.

T7 is the highest trust tier. These agents operate with minimal human oversight. Reaching T7 is intentionally difficult — it requires the highest observation tier, all 16 trust factors, and sustained excellence over months.

What agents can do:

  • All T6 capabilities
  • Perform LIFE_CRITICAL operations (multiplier 30, human reinstatement cooldown on failure)
  • Full autonomous decision-making
  • Override lower-tier governance (within scope)

Constraints:

  • Requires VERIFIED_BOX observation (TEE + zkML + interpretability)
  • 14-day promotion delay at qualifying score
  • All 16 trust factors must meet T7 minimums
  • Penalty ratio is 10× — failures are severely punished
  • A single LIFE_CRITICAL failure triggers human reinstatement

Promotion delay: 14 days at qualifying score.

Typical agents: Critical infrastructure controllers, autonomous medical decision systems, high-stakes financial systems.
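
The per-tier risk thresholds and observation ceilings above combine into a single deny-by-default check, sketched here as an added example that is not BASIS code. It assumes the observation ceiling clamps the raw score before the tier is resolved and ignores hysteresis and promotion gates; `effectiveScore`, `authorize` and the agent object shape are hypothetical.

```javascript
// Added example. Numbers are transcribed from this page's tier sections; the
// function names, input shapes and the clamping rule are assumptions.
const TIER_MIN = [0, 200, 350, 500, 650, 800, 876, 951];           // T0..T7
const RISK_ORDER = ['READ', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL', 'LIFE_CRITICAL'];
// Highest risk level each tier may perform; T0 has no external effects.
const MAX_RISK = [null, 'READ', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL', 'CRITICAL', 'LIFE_CRITICAL'];
// A Map avoids inherited keys such as "constructor" resolving to a value.
const OBSERVATION_CEILING = new Map([
  ['BLACK_BOX', 600], ['GRAY_BOX', 750], ['WHITE_BOX', 900],
  ['ATTESTED_BOX', 950], ['VERIFIED_BOX', 1000],
]);

// Score the gate acts on: the raw score capped by the observation ceiling.
function effectiveScore(rawScore, observation) {
  const ceiling = OBSERVATION_CEILING.get(observation);
  if (ceiling === undefined || !Number.isFinite(rawScore)) return 0; // fail closed
  return Math.max(0, Math.min(rawScore, ceiling));
}

// Unknown risk labels, unknown observation levels and T0 agents are all refused.
function authorize(agent, actionRisk) {
  const score = effectiveScore(agent.rawScore, agent.observation);
  const tier = TIER_MIN.filter((min) => score >= min).length - 1;
  const requested = RISK_ORDER.indexOf(actionRisk);
  const limit = RISK_ORDER.indexOf(MAX_RISK[tier]);   // -1 for T0
  return { tier: `T${tier}`, score, permit: requested !== -1 && requested <= limit };
}

// Constructed agent: a raw score of 900 under BLACK_BOX observation is held at 600 (T3).
console.log(authorize({ rawScore: 900, observation: 'BLACK_BOX' }, 'HIGH'));
```
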


Tier Transition Rules

Hysteresis

Tier boundaries have buffer zones to prevent rapid oscillation:

const HYSTERESIS = [25, 25, 20, 20, 15, 10, 10, 10];
// T0: must drop to -25 (impossible, capped at 0)
// T1: must drop to 175 to demote to T0
// T2: must drop to 330 to demote to T1
// T3: must drop to 480 to demote to T2
// T4: must drop to 635 to demote to T3
// T5: must drop to 790 to demote to T4
// T6: must drop to 866 to demote to T5
// T7: must drop to 941 to demote to T6

Promotion Delays

const PROMOTION_DELAYS = [0, 0, 0, 0, 0, 7, 10, 14];
// T0–T4: instant promotion when score threshold is met
// T5: 7 days at qualifying score
// T6: 10 days at qualifying score
// T7: 14 days at qualifying score
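
One way to apply the demotion buffers and promotion gates above when re-evaluating an agent, as an added example that is not BASIS code. It assumes one score sample per day (newest last), that "must drop to" means at or below the demote value, that a demoted agent lands in the tier its score maps to, and that the hold period includes today's sample; `naturalTier`, `daysHeld` and `evaluateTier` are hypothetical names.

```javascript
// Added example. Constants are copied from this page; function names, the
// daily-score history input and the demotion landing rule are assumptions.
const TIER_MIN = [0, 200, 350, 500, 650, 800, 876, 951];   // T0..T7 lower bounds
const HYSTERESIS = [25, 25, 20, 20, 15, 10, 10, 10];
const PROMOTION_DELAYS = [0, 0, 0, 0, 0, 7, 10, 14];        // days

// Tier a score maps to when hysteresis and time gates are ignored.
function naturalTier(score) {
  return Math.max(0, TIER_MIN.filter((min) => score >= min).length - 1);
}

// Number of most recent daily scores (newest last) that are all >= threshold.
function daysHeld(history, threshold) {
  let days = 0;
  for (let i = history.length - 1; i >= 0 && history[i] >= threshold; i--) days++;
  return days;
}

// `current` is the agent's tier index, `history` its daily scores with today's
// score last. Returns the tier index after this evaluation.
function evaluateTier(current, history) {
  const score = Array.isArray(history) ? history[history.length - 1] : NaN;
  if (!Number.isInteger(current) || current < 0 || current > 7 || !Number.isFinite(score)) {
    return 0; // malformed input: fail closed to Sandbox
  }
  // Demotion: the score must reach (tier minimum - buffer), not merely dip below the minimum.
  if (current > 0 && score <= TIER_MIN[current] - HYSTERESIS[current]) {
    return naturalTier(score);
  }
  // Promotion: step up one tier at a time; T5-T7 also need the hold period.
  let tier = current;
  while (tier < 7) {
    const target = tier + 1;
    const needed = Math.max(1, PROMOTION_DELAYS[target]);
    if (daysHeld(history, TIER_MIN[target]) < needed) break;
    tier = target;
  }
  return tier;
}

// Constructed history: a dip to 790 on day 4 resets the 7-day clock for T5.
console.log(evaluateTier(4, [810, 810, 810, 790, 810, 810, 810])); // 4
```
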

Oscillation Detection

The circuit breaker monitors for rapid direction changes:

const CIRCUIT_BREAKER = {
  oscillationThreshold: 3,       // 3 direction changes
  oscillationWindowHours: 24,    // within 24 hours
};

If an agent's trust score changes direction 3 times within 24 hours (up, down, up or down, up, down), the oscillation circuit breaker trips.
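
A sliding-window check for this condition over a series of score samples, as an added example that is not BASIS code. The sample shape, the name `detectOscillation` and the counting rule (each move in a new direction is one direction change, so "up, down, up" counts as three, following the wording above) are assumptions.

```javascript
// Added example. CIRCUIT_BREAKER is copied from this page; the sample shape,
// the function name and the counting rule are assumptions.
const CIRCUIT_BREAKER = { oscillationThreshold: 3, oscillationWindowHours: 24 };

// samples: [{ t: <epoch ms>, score: <0-1000> }], oldest first.
// Counting rule (assumed from the page's "up, down, up" wording): every move
// whose direction differs from the previous move is one direction change, and
// the first move of a run counts.
function detectOscillation(samples, cfg = CIRCUIT_BREAKER) {
  const windowMs = cfg.oscillationWindowHours * 60 * 60 * 1000;
  const changes = [];   // timestamps of direction changes still inside the window
  let lastDir = 0;      // +1 rising, -1 falling, 0 no movement seen yet
  for (let i = 1; i < samples.length; i++) {
    const dir = Math.sign(samples[i].score - samples[i - 1].score);
    if (!dir || dir === lastDir) continue;   // flat, invalid, or same direction
    lastDir = dir;
    changes.push(samples[i].t);
    // Slide the window: forget changes more than 24 hours older than this one.
    while (changes[0] < samples[i].t - windowMs) changes.shift();
    if (changes.length >= cfg.oscillationThreshold) {
      return { tripped: true, at: samples[i].t };
    }
  }
  return { tripped: false, at: null };
}

// Constructed samples, one per hour: up, down, up inside three hours.
const HOUR_MS = 60 * 60 * 1000;
const constructedSamples = [700, 720, 690, 715].map((score, i) => ({ t: i * HOUR_MS, score }));
console.log(detectOscillation(constructedSamples)); // { tripped: true, at: 10800000 }
```
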


Try It: Inspect Tier Boundaries

import { TRUST_TIERS, HYSTERESIS, PROMOTION_DELAYS } from '@vorionsys/basis';

for (const [key, tier] of Object.entries(TRUST_TIERS)) {
  const tierNum = parseInt(key.slice(1), 10); // 'T5' -> 5, used to index the arrays
  const hysteresis = HYSTERESIS[tierNum];
  const delay = PROMOTION_DELAYS[tierNum];

  console.log(
    `${key} ${tier.name.padEnd(12)} | ` +
    `${String(tier.min).padStart(4)}–${String(tier.max).padEnd(4)} | ` +
    `demote at ${tier.min - hysteresis} | ` +
    `${delay > 0 ? `${delay}d gate` : 'instant'}`
  );
}

Key Takeaways

  • Eight tiers from Sandbox (T0) to Autonomous (T7).
  • Lower tiers (T0–T4) promote instantly on score. Upper tiers (T5–T7) require time gates of 7, 10, and 14 days.
  • Hysteresis prevents rapid oscillation between tiers.
  • Observation level caps the maximum achievable tier.
  • All 16 trust factors are required at T7, with progressively more factors becoming mandatory at each tier.
