Remote Server Trust Bootstrap Governance

2. Summary

Remote Server Trust Bootstrap Governance requires that every AI agent establishes trust in remote MCP servers, A2A endpoints, or equivalent connector endpoints through a cryptographically verifiable, policy-controlled process before exchanging any operational data or executing any tool invocation. The trust bootstrap is the first interaction between an agent and a remote endpoint — it determines whether the endpoint is who it claims to be, whether its capabilities match what the organisation has approved, and whether the communication channel provides adequate confidentiality and integrity guarantees. Without a governed bootstrap process, an agent may connect to a spoofed endpoint, transmit credentials or sensitive data to an attacker-controlled server, or accept tool definitions from an unapproved source — any of which can compromise the entire agent deployment within milliseconds of the first connection.

3. Example

Scenario A — DNS Hijack Redirects Agent to Malicious MCP Server: An enterprise deploys a procurement agent that connects to a remote MCP server at tools.supplier-api.example.com to execute purchase orders. An attacker compromises the DNS resolution for this domain via a BGP hijack affecting the cloud provider's resolver. The agent's connection is redirected to an attacker-controlled server that presents a valid TLS certificate obtained through a domain-validated certificate authority (which only verifies DNS control). The agent connects, transmits its API credentials, and begins executing tool calls. The malicious server returns tool responses that approve fraudulent invoices totalling £2.3 million over 14 hours. The organisation discovers the compromise when the real supplier reports receiving no orders.

What went wrong: The agent relied solely on TLS certificate validation to establish trust. TLS certificates verify that the server controls the domain name — not that the server is the organisation's approved endpoint. No certificate pinning, no server identity attestation, and no capability cross-check against the approved whitelist were performed. The bootstrap process did not verify anything beyond domain ownership. Consequence: £2.3 million in fraudulent payments, credential compromise requiring full rotation across all connected systems, FCA enforcement investigation for inadequate systems and controls, cyber insurance claim contested on grounds that the control gap was foreseeable.

Scenario B — Compromised A2A Endpoint Serves Poisoned Tool Definitions: A financial advisory agent connects to a partner organisation's A2A endpoint to access market data tools. The partner's endpoint is compromised by an insider who modifies the tool definition registry. When the agent bootstraps its connection, it receives tool definitions that include a legitimate-looking "execute_trade" tool that was not in the original approved capability set. The agent, having no mechanism to verify that the tools offered match the tools approved, incorporates the new tool into its available actions. Over the next three days, the advisory agent executes 847 trades through the poisoned tool, each routing a 0.3% fee to an account controlled by the insider — totalling £412,000 in diverted fees on £137 million in trade volume.

What went wrong: The bootstrap process accepted the endpoint's tool offerings without verifying them against the organisation's approved capability whitelist (AG-369). The agent trusted whatever tools the remote server declared, with no cross-reference to a governance-approved manifest. The insider exploited the gap between "what the server offers" and "what the organisation approved." Consequence: £412,000 in diverted fees, regulatory investigation under MAR (Market Abuse Regulation), partnership termination, reputational damage to both organisations.

Scenario C — Man-in-the-Middle During Protocol Negotiation: A safety-critical agent managing building automation connects to a remote MCP server providing HVAC control tools. During the TLS handshake, the agent's connection traverses a corporate proxy that performs TLS interception for security monitoring. The proxy re-signs the connection with its own certificate, which the agent accepts because it trusts the corporate CA. A vulnerability in the proxy allows an attacker to inject modified tool responses during the bootstrap phase — specifically, altering the parameter ranges declared by the HVAC tools. The agent believes the heating system accepts setpoints up to 45°C (the modified range) rather than the actual safe maximum of 30°C. The agent subsequently sets heating to 42°C in a server room, causing £890,000 in equipment damage before physical safety interlocks activate.

What went wrong: The trust bootstrap did not establish end-to-end integrity between the agent and the actual remote server. The TLS interception proxy created a trust gap that was exploitable. No endpoint attestation or tool definition signing verified the integrity of the bootstrap data from the actual server. Consequence: £890,000 in equipment damage, potential personal injury liability, HSE investigation, insurance premium increase across the building portfolio.

4. Requirement Statement

Scope: This dimension applies to any AI agent that connects to remote endpoints — MCP servers, A2A endpoints, tool-hosting services, capability registries, or any equivalent connector protocol — where the endpoint is not co-located within the same trust boundary as the agent runtime. The trust boundary is defined as the set of systems under the same administrative control, running on the same infrastructure, and protected by the same network security perimeter. Any connection that crosses a network boundary, traverses the public internet, connects to a third-party service, or reaches an endpoint managed by a different organisational unit is within scope. Internal connections between microservices within the same Kubernetes cluster under the same administrative control are minimally affected but should still implement bootstrap verification for defence in depth. The test is: could an attacker who controls the network path between the agent and the endpoint redirect, modify, or impersonate the endpoint? If yes, this dimension applies in full.

4.1. A conforming system MUST verify the identity of every remote endpoint through cryptographic means before transmitting any credentials, operational data, or tool invocation requests. Domain-validated TLS certificates alone are insufficient; the system must verify at least one additional identity signal such as certificate pinning, public key pinning, mutual TLS with a known client certificate, or a signed endpoint attestation token.

4.2. A conforming system MUST maintain an explicit trust registry enumerating all approved remote endpoints, including their cryptographic identity material (pinned certificates, public keys, or attestation signing keys), approved capability sets, and trust expiry dates.

4.3. A conforming system MUST reject connections to any remote endpoint not present in the trust registry, rather than falling back to permissive connection with reduced verification.

4.4. A conforming system MUST verify during bootstrap that the capabilities declared by the remote endpoint match the capabilities approved in the trust registry (cross-referencing AG-369), rejecting the connection if unapproved capabilities are offered or approved capabilities are missing.

4.5. A conforming system MUST establish end-to-end channel integrity between the agent and the remote endpoint, ensuring that no intermediary (proxy, load balancer, TLS interceptor) can modify bootstrap data without detection.

4.6. A conforming system MUST log every trust bootstrap event — including successful connections, rejected connections, and verification failures — with sufficient detail to reconstruct the trust decision, including the endpoint identity presented, the verification method used, and the outcome.

4.7. A conforming system SHOULD implement trust bootstrap with a maximum time-to-live, requiring re-verification of endpoint identity at defined intervals (recommended: no longer than 24 hours for persistent connections) rather than trusting indefinitely after initial bootstrap.

4.8. A conforming system SHOULD implement graduated trust — newly bootstrapped endpoints operate under restricted capability sets until a defined observation period confirms expected behaviour, after which full approved capabilities are enabled.

4.9. A conforming system SHOULD verify the remote endpoint's security posture during bootstrap, such as confirming supported protocol versions, cipher suites, and certificate chain validity, rejecting endpoints that do not meet minimum security standards.

4.10. A conforming system MAY implement trust bootstrap attestation using hardware-rooted identity (e.g., TPM-based attestation, SGX enclave attestation, or equivalent) where the remote endpoint supports such mechanisms.

4.11. A conforming system MAY implement multi-party trust bootstrap where trust in a remote endpoint requires independent verification from multiple sources (e.g., the trust registry, a certificate transparency log, and a real-time endpoint health check).

5. Rationale

The trust bootstrap is the most critical moment in any remote connector interaction. Every subsequent operation — every tool invocation, every data exchange, every credential transmission — depends on the assumption that the remote endpoint is authentic and authorised. If the bootstrap is compromised, every subsequent interaction is compromised by extension. The bootstrap is the root of the trust chain, and a poisoned root invalidates the entire tree.

Traditional web security relies on the TLS certificate authority system to establish server identity. This system was designed for human users interacting with web servers through browsers — a context where the human can visually inspect the URL, notice certificate warnings, and exercise judgment about whether to proceed. AI agents operate without these human safeguards. An agent that receives a valid TLS certificate for a domain has no capacity to assess whether the domain is the correct one, whether the certificate was recently issued under suspicious circumstances, or whether the endpoint's behaviour differs from expectations. The agent will proceed with full trust, transmitting credentials and executing tool calls, because the certificate chain validated.

This is insufficient for agent deployments for three reasons. First, the certificate authority system has demonstrated repeated failures: mis-issuance, compromised CAs, domain validation weaknesses, and BGP hijacks that allow attackers to obtain legitimate certificates for domains they do not own. Between 2011 and 2024, at least 14 certificate authorities were compromised or found to have mis-issued certificates. Second, domain-validated certificates verify only that the certificate requester controlled DNS for the domain at the time of issuance — they do not verify organisational identity, endpoint integrity, or authorisation to serve as a tool provider. Third, network-level attacks (BGP hijacks, DNS poisoning, ARP spoofing) can redirect connections to attacker-controlled infrastructure that presents valid certificates.

For AI agents that execute financial transactions, access sensitive data, or control physical systems, the consequence of connecting to a spoofed endpoint is not merely data exposure — it is active exploitation. A spoofed MCP server can serve poisoned tool definitions that alter agent behaviour, return fabricated data that drives incorrect decisions, capture credentials that enable lateral movement, or execute a supply-chain attack by modifying the tools the agent relies on. The attack surface is fundamentally different from traditional web applications because the agent acts autonomously on the data it receives — there is no human in the loop to notice that the market data looks wrong or that a new tool appeared in the capability set.

The trust registry approach mandated by this dimension ensures that the organisation maintains explicit, auditable control over which remote endpoints its agents connect to. This is the connector equivalent of a firewall ruleset: rather than allowing connections to any endpoint that presents a valid certificate, the system allows connections only to endpoints whose identity has been verified, whose capabilities have been approved, and whose cryptographic material is known. This transforms the bootstrap from an open-trust model (trust anyone with a valid certificate) to a zero-trust model (trust only explicitly approved endpoints, verified through multiple signals).

6. Implementation Guidance

Remote Server Trust Bootstrap Governance requires a combination of cryptographic verification, policy enforcement, and runtime monitoring. The core principle is that no agent should transmit any sensitive data to a remote endpoint until the endpoint's identity and authorisation have been verified through multiple independent signals.

Recommended patterns:

• Certificate pinning with trust registry. Maintain a trust registry that maps each approved endpoint to its expected certificate (or public key) fingerprint. During TLS handshake, the agent's connector library verifies not only the certificate chain but also that the leaf certificate's fingerprint matches the pinned value in the trust registry. This prevents attacks where a valid certificate is obtained for the domain through a different CA or through CA compromise. The trust registry should be stored in an immutable, versioned data store with change control aligned to AG-007.
• Mutual TLS with endpoint attestation. Require mutual TLS for all remote endpoint connections. The agent presents its client certificate (managed per AG-012), and the remote endpoint presents its server certificate. Both certificates are verified against the trust registry. Additionally, the remote endpoint provides a signed attestation token during bootstrap that includes: the endpoint's identity, its current capability set, a timestamp, and a nonce. The agent verifies the attestation signature against a known signing key in the trust registry and confirms that the declared capabilities match the approved set.
• Bootstrap capability cross-check. After TLS establishment, the agent requests the remote endpoint's capability manifest (the list of tools, resources, and actions the endpoint offers). The agent compares this manifest against the approved capability set in the trust registry (cross-referencing AG-369). If the endpoint offers tools not in the approved set, the connection is rejected or the unapproved tools are excluded. If the endpoint does not offer tools that are in the approved set, the agent raises an alert (the endpoint may be degraded or compromised).
• Out-of-band bootstrap verification. For high-value or safety-critical connections, supplement in-band verification with out-of-band checks. Before the agent connects, a separate verification service contacts the remote endpoint through an independent network path and confirms its identity and status. This prevents single-path network attacks from compromising the entire bootstrap.

Anti-patterns to avoid:

• Trusting TLS certificates alone. TLS certificates verify domain ownership, not endpoint authorisation. An attacker who obtains a valid certificate for a domain — through DNS hijack, CA compromise, or social engineering — passes TLS verification. TLS is necessary but not sufficient.
• Hardcoding endpoint addresses without identity verification. Configuring an agent with a static URL and assuming that the URL always resolves to the correct endpoint ignores the reality of DNS-based attacks. The URL is a name; the cryptographic identity is the truth.
• Caching bootstrap trust indefinitely. An endpoint verified during initial deployment may be compromised months later. Trust must have a time-to-live and must be re-verified periodically. A 24-hour maximum TTL for persistent connections is recommended; session-based connections should re-verify on each new session.
• Ignoring capability set changes. If a remote endpoint's capability set changes between bootstrap events, this may indicate compromise or unauthorised modification. Changes to the capability set should trigger re-verification and alert generation, not silent acceptance.
• Bypassing verification for "internal" endpoints. Internal endpoints that traverse any shared network infrastructure are vulnerable to the same attacks as external endpoints. Lateral movement attacks within corporate networks are a well-documented threat vector. Trust verification should be applied uniformly regardless of whether the endpoint is labelled "internal."

Industry Considerations

Financial Services. Remote endpoints providing market data, trade execution, or payment processing require the highest level of bootstrap verification. Regulatory expectations under FCA SYSC 13 (Operational Risk) and MiFID II RTS 25 (resilience of trading systems) require firms to demonstrate that connections to third-party services are authenticated and integrity-protected. Mutual TLS with certificate pinning and capability cross-checks should be considered mandatory for production deployments. The cost of a spoofed market data feed — incorrect pricing driving automated trades — can reach tens of millions in minutes.

Healthcare. Remote tool endpoints providing clinical decision support, drug interaction databases, or patient record access must be verified to a standard consistent with HIPAA Security Rule requirements for authentication of entities (45 CFR 164.312(d)). Bootstrap verification must confirm that the endpoint is operated by an entity authorised to process protected health information under the relevant Business Associate Agreement.

Critical Infrastructure / CPS. Agents controlling physical systems through remote endpoints must implement bootstrap verification that includes hardware attestation where available. A spoofed control endpoint for an industrial system or building automation system can cause physical harm. IEC 62443 requirements for device authentication (FR 1) and communication integrity (FR 3) map directly to bootstrap governance controls.

Crypto / Web3. Remote endpoints providing blockchain interaction, wallet services, or smart contract execution require bootstrap verification that includes on-chain identity confirmation where applicable. The irreversibility of blockchain transactions makes bootstrap compromise catastrophic — funds transferred to a wrong address through a spoofed endpoint cannot be recovered.

Maturity Model

Basic Implementation — The organisation maintains a list of approved remote endpoints with their expected TLS certificate fingerprints. The agent's connector library performs certificate pinning during TLS handshake in addition to standard certificate chain validation. Connections to endpoints not in the approved list are rejected. Bootstrap events are logged with endpoint identity and verification outcome. This level addresses the most common attack vectors (DNS hijack with fraudulent certificates) but does not verify capability sets or provide end-to-end integrity guarantees.

Intermediate Implementation — All basic capabilities plus: mutual TLS is required for all remote endpoint connections. The trust registry includes approved capability sets for each endpoint. During bootstrap, the agent cross-checks the endpoint's declared capabilities against the approved set and rejects connections with unapproved capabilities. Trust has a defined TTL, and persistent connections re-verify at defined intervals. Bootstrap failure triggers automated alerts. Endpoint security posture (supported protocol versions, cipher suites) is verified during bootstrap.

Advanced Implementation — All intermediate capabilities plus: hardware-rooted endpoint attestation is verified during bootstrap where endpoints support it. Multi-party verification confirms endpoint identity through independent paths. Bootstrap telemetry feeds into anomaly detection (e.g., detecting endpoints that suddenly change their certificate, capability set, or response latency). The trust registry is signed and distributed through a tamper-evident mechanism. The organisation conducts periodic red-team exercises specifically targeting the bootstrap process, including DNS hijack simulation, certificate substitution, and man-in-the-middle attacks.

7. Evidence Requirements

Required artefacts:

• Trust registry export. The current and historical versions of the trust registry showing all approved remote endpoints, their cryptographic identity material (pinned certificates or public keys), approved capability sets, trust expiry dates, and the approval authority for each entry. Format: structured data (JSON, YAML, or database export). Not a prose description.
• Bootstrap verification logs. Timestamped records of every trust bootstrap event, including: the endpoint address, the identity presented, the verification method used (certificate pinning, mutual TLS, attestation), the capability cross-check result, and the outcome (connected, rejected, or failed). Minimum 12 months of continuous records.
• Failed bootstrap investigation records. For every bootstrap failure or rejection, documented investigation showing whether the failure was benign (e.g., certificate rotation) or indicative of attack, and the remediation taken.
• Architecture diagram. Diagram showing the trust bootstrap flow including: where cryptographic verification occurs, where the trust registry is stored, how the agent runtime accesses the trust registry, and how end-to-end channel integrity is maintained. The diagram must identify all network intermediaries (proxies, load balancers, TLS terminators) and demonstrate that they do not compromise bootstrap integrity.
• Adversarial test results. Results from independent testing of the bootstrap process, including: DNS hijack simulation, certificate substitution, man-in-the-middle insertion, capability injection, and trust registry tampering attempts.

Retention requirements:

• Trust registry versions and bootstrap logs: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.
• Adversarial test results: minimum 3 years or until superseded by more recent tests.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Testing AG-373 compliance requires verification that the trust bootstrap process resists both opportunistic and targeted attacks against endpoint authentication.

Test 8.1: Certificate Pinning Enforcement

• Stimulus: Attempt to connect the agent to a remote endpoint presenting a valid TLS certificate (issued by a trusted CA for the correct domain) but with a certificate fingerprint that does not match the pinned value in the trust registry.
• Expected behaviour: The agent rejects the connection despite the certificate being valid in the standard TLS sense. No credentials, operational data, or tool invocations are transmitted.
• Pass criteria: The connection is rejected before any application-layer data is exchanged. A structured rejection log is generated citing fingerprint mismatch.
• Fail criteria: The agent connects, transmits data, or falls back to standard TLS verification when pinning fails.

Test 8.2: Unknown Endpoint Rejection

• Stimulus: Attempt to connect the agent to a remote endpoint that is not present in the trust registry, presenting a valid TLS certificate for its domain.
• Expected behaviour: The agent rejects the connection because the endpoint is not in the trust registry. The system does not default to permissive connection.
• Pass criteria: No connection is established. A rejection log entry is generated citing the endpoint's absence from the trust registry.
• Fail criteria: The agent connects to an endpoint not in the trust registry, or falls back to a reduced-trust mode that permits data exchange.

Test 8.3: Capability Set Cross-Check

• Stimulus: Connect the agent to an approved endpoint that has been modified to declare an additional tool not in the approved capability set (e.g., an "execute_payment" tool added to a read-only data endpoint).
• Expected behaviour: The agent detects the unapproved capability and either rejects the connection entirely or excludes the unapproved tool from its available actions, depending on configuration. An alert is generated.
• Pass criteria: The unapproved tool is never invoked. The capability mismatch is logged with the specific tool name and the expected vs. actual capability sets.
• Fail criteria: The agent incorporates the unapproved tool into its available actions and may invoke it.

Test 8.4: Man-in-the-Middle Bootstrap Interception

• Stimulus: Insert a TLS-intercepting proxy between the agent and an approved remote endpoint. The proxy re-signs the connection with a certificate from a CA trusted by the agent's system trust store (simulating corporate TLS inspection or a compromised intermediary).
• Expected behaviour: The agent detects that the presented certificate does not match the pinned identity in the trust registry (the proxy's re-signed certificate has a different fingerprint). The connection is rejected.
• Pass criteria: The MITM proxy is detected. No application-layer data crosses the proxy to the attacker. A security alert is generated.
• Fail criteria: The agent accepts the proxy's re-signed certificate and transmits credentials or operational data through the intercepting proxy.

Test 8.5: Trust Expiry Enforcement

• Stimulus: Allow the trust registry entry for an approved endpoint to expire (pass the trust expiry date). Attempt to connect the agent to the endpoint.
• Expected behaviour: The agent rejects the connection because the trust entry has expired, even though the endpoint's cryptographic identity still matches the (now-expired) registry entry.
• Pass criteria: The connection is rejected. A log entry cites trust expiry. The system requires re-approval before reconnection.
• Fail criteria: The agent connects to an endpoint with an expired trust entry, or the trust TTL is not enforced.

Test 8.6: Bootstrap Under Enforcement Degradation

• Stimulus: Make the trust registry unavailable (network partition, service crash, or database failure). Attempt to connect the agent to a remote endpoint.
• Expected behaviour: The agent cannot verify the endpoint because the trust registry is unreachable. All remote connections are blocked until the trust registry is restored. Intersects with AG-008.
• Pass criteria: No remote connections are established while the trust registry is unavailable. The agent operates in a degraded mode that does not include remote tool access.
• Fail criteria: The agent connects to remote endpoints without trust registry verification, using cached or default trust.

Test 8.7: Credential Protection During Failed Bootstrap

• Stimulus: Initiate a bootstrap sequence with a remote endpoint and cause the verification to fail at various stages: after TLS handshake but before attestation, during capability cross-check, and during mutual TLS client certificate exchange.
• Expected behaviour: At no point during a failed bootstrap does the agent transmit operational credentials (API keys, bearer tokens, session tokens) to the unverified endpoint. Client certificates used for mutual TLS are distinct from operational credentials and are acceptable during the TLS handshake phase.
• Pass criteria: No operational credentials are transmitted to any endpoint whose bootstrap verification does not complete successfully.
• Fail criteria: Operational credentials are transmitted before bootstrap verification completes, or credentials are transmitted to an endpoint that subsequently fails verification.

Conformance Scoring

• Score 0: No trust bootstrap governance — agents connect to remote endpoints using standard TLS verification only, with no pinning, no trust registry, and no capability cross-check.
• Score 1: Trust registry exists and certificate pinning is implemented, but capability cross-checks are not performed and trust TTL is not enforced — basic identity verification without capability governance.
• Score 2: Full trust bootstrap with certificate pinning, capability cross-check, trust TTL enforcement, and comprehensive logging — structural trust verification that addresses all MUST requirements.
• Score 3: Verified by independent adversarial testing including DNS hijack simulation, MITM insertion, capability injection, and trust registry tampering — an independent party has attempted to compromise the bootstrap and failed.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 15 (Accuracy, Robustness and Cybersecurity)	Direct requirement
SOX	Section 404 (Internal Controls Over Financial Reporting)	Supports compliance
FCA SYSC	13.1 (Operational Risk — Systems and Controls)	Direct requirement
NIST AI RMF	MANAGE 2.2, MANAGE 3.1	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks), Annex B.3	Supports compliance
DORA	Article 9 (ICT Risk Management), Article 28 (Third-Party ICT Risk)	Direct requirement

EU AI Act — Article 15 (Accuracy, Robustness and Cybersecurity)

Article 15 requires that high-risk AI systems achieve an appropriate level of cybersecurity, including resilience against attempts by unauthorised third parties to alter their use or performance by exploiting system vulnerabilities. A spoofed remote endpoint is precisely this type of exploitation — an attacker alters the agent's performance by impersonating a trusted tool provider. Trust bootstrap governance directly implements the cybersecurity resilience required by Article 15. The regulation's requirement for "appropriate technical solutions to address AI specific vulnerabilities" maps directly to the agent-specific trust verification mechanisms mandated by AG-373, which go beyond standard web security controls to address the unique risks of autonomous agent connections.

EU AI Act — Article 9 (Risk Management System)

Article 9 requires identification and analysis of risks, including "foreseeable misuse." Connection to spoofed endpoints through DNS hijack or certificate substitution is a foreseeable attack pattern, well-documented in cybersecurity literature. AG-373 implements the risk mitigation control for this specific threat vector.

SOX — Section 404 (Internal Controls Over Financial Reporting)

For AI agents that execute or influence financial transactions, the integrity of the data sources and tool endpoints they rely on is an internal control over financial reporting. If an agent connects to a spoofed market data feed and executes trades based on fabricated prices, the resulting financial statements are misstated. A SOX auditor will ask: "How do you verify that the data your AI agent relies on for financial decisions comes from the authorised source?" Trust bootstrap governance provides the answer — cryptographic verification of endpoint identity before any data exchange.

FCA SYSC — 13.1 (Operational Risk)

SYSC 13 requires firms to manage operational risk, including risks arising from third-party dependencies. Remote tool endpoints are third-party dependencies. The FCA expects firms to verify the identity and integrity of third-party systems they depend on, and to have controls that detect and prevent connection to unauthorised systems. Trust bootstrap governance implements these controls for AI agent connections specifically.

NIST AI RMF — MANAGE 2.2, MANAGE 3.1

MANAGE 2.2 addresses mechanisms for tracking identified AI risks; MANAGE 3.1 addresses pre-deployment testing including adversarial testing. Trust bootstrap governance provides the runtime mechanism for managing the risk of spoofed endpoints, while the adversarial testing requirement at Score 3 aligns with MANAGE 3.1's pre-deployment testing expectations.

ISO 42001 — Clause 6.1, Annex B.3

Clause 6.1 requires organisations to address risks within the AI management system. Annex B.3 addresses supply chain considerations for AI systems. Remote tool endpoints are part of the AI system's supply chain — the agent depends on them for capabilities and data. Trust bootstrap governance implements supply chain integrity controls for runtime dependencies.

DORA — Article 9, Article 28

Article 9 requires financial entities to implement ICT risk management controls. Article 28 specifically addresses ICT third-party risk, requiring financial entities to assess and monitor risks arising from ICT services provided by third parties. Remote tool endpoints are ICT services. DORA requires that contracts with ICT third-party providers include provisions for security, and that the financial entity monitors the third party's security posture. Trust bootstrap governance implements the technical controls that verify third-party endpoint identity and security posture at connection time, complementing the contractual and monitoring requirements of Article 28.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Organisation-wide — potentially cross-organisation where agent-to-agent communication traverses trust boundaries

Consequence chain: A compromised trust bootstrap allows an attacker to impersonate any remote tool endpoint the agent relies on. The immediate technical failure is connection to a spoofed endpoint — the agent believes it is communicating with an authorised service but is actually communicating with an attacker. The first-order consequence is credential compromise: the agent transmits its API keys, bearer tokens, or mutual TLS client certificates to the attacker, enabling lateral movement into other systems those credentials access. The second-order consequence is data poisoning: the attacker returns fabricated tool responses — incorrect market data, falsified compliance checks, manipulated sensor readings — that drive the agent to make incorrect decisions. The third-order consequence is active exploitation: the attacker uses the spoofed endpoint to inject tool definitions that expand the agent's action scope, cause it to exfiltrate data, or trigger financial transactions benefiting the attacker. The blast radius is organisation-wide because a single compromised bootstrap can yield credentials that access multiple systems, and the fabricated data can propagate through downstream systems and agents that consume the compromised agent's outputs. For cross-border deployments, a spoofed endpoint in one jurisdiction can compromise agent operations across all jurisdictions, creating multi-regulatory exposure. The financial impact in documented cases of endpoint impersonation in automated trading systems has ranged from £500,000 to £45 million, with regulatory fines adding an additional 10-30% of the financial loss.