Nobulex Audit — May 2026

25 AI Agents.
Zero Credit Scores.

Every person has a credit score. Every business has one.
AI agents have nothing.

AI agents are moving money, processing insurance claims, and writing production code. Every one of them gets full access on day one. Zero track record. No portable reputation. No verified history.

We audited 25 major agents for Trust Capital readiness: do they produce the cryptographic receipts needed to build a credit score? Signed at execution time. Independently verifiable. Tamper-evident.

The answer, across every agent we tested, is no.

Akeyless — State of AI Agent Identity Security, May 12 2026
2/3 of enterprises suspect agents accessed unauthorized data
14 hours average detection time for a compromised agent
7% have controls that would stop it

Without receipts, there is no Trust Capital. Without Trust Capital, every new agent gets the same permissions on day one as an agent that has operated flawlessly for a year. A compromised agent that produces no signed record of its actions takes an average of 14 hours to detect because you're hunting behavioral anomalies. An agent that builds Trust Capital from bilateral receipts can be verified in real time.

None of the 25 agents we tested can build Trust Capital. None produce the receipts needed to earn it.

Trust Capital Readiness

Composite score out of 100 — higher is more ready for Trust Capital
Median score: 32
Agents that can build Trust Capital: 0 / 25

Microsoft Copilot: 55 (no receipts)
Stripe Agent: 55 (no receipts)
GitHub Copilot: 50 (no receipts)
Amazon Q: 48 (no receipts)
Gemini Code Assist: 45 (no receipts)
Salesforce Einstein: 42 (no receipts)
Replit Agent: 40 (no receipts)
Claude Code: 35 (no receipts)
OpenAI Codex: 35 (no receipts)
Windsurf: 32 (no receipts)
Bolt.new: 30 (no receipts)
Tabnine: 30 (no receipts)
v0 by Vercel: 28 (no receipts)
Cline: 25 (no receipts)
Aider: 25 (no receipts)
Continue: 22 (no receipts)
AutoGPT: 20 (no receipts)
ChatDev: 20 (no receipts)
MetaGPT: 18 (no receipts)
Devin: 15 (no receipts)
Cursor: 15 (no receipts)
SWE-Agent: 15 (no receipts)
Lovable: 12 (no receipts)
Manus: 10 (no receipts)
Smol Developer: 8 (no receipts)

Methodology

Each agent was evaluated against five criteria. Scores reflect what exists in the agent's default behavior, not what could theoretically be added.

Cryptographic signing: Does the agent produce a cryptographic signature for each action it takes?
Bilateral attestation: Is the receipt countersigned by both the agent and the counterparty?
Independent verifiability: Can a third party verify the receipt without trusting the vendor?
Tamper evidence: Are actions hash-chained so gaps or modifications are detectable?
Audit trail completeness: Does the record cover every action, not just outcomes?
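
The tamper-evidence criterion above, shown as an added example (not Nobulex's code or receipt format): a SHA-256 hash chain over action records, with a verifier that reports edited records, removed records, and truncation. The field names, the all-zero genesis value, and the sample actions are assumptions made for illustration; signatures are not part of this block.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first record's "prev" field


def record_hash(seq, prev, action):
    """SHA-256 over a canonical JSON encoding of the fields the chain protects."""
    body = json.dumps({"seq": seq, "prev": prev, "action": action},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(log, action):
    """Append an action record that commits to the hash of the one before it."""
    seq, prev = len(log), (log[-1]["hash"] if log else GENESIS)
    log.append({"seq": seq, "prev": prev, "action": action,
                "hash": record_hash(seq, prev, action)})


def verify(log, expected_head=None):
    """Return (index, problem) findings; an empty list means the chain is intact.

    expected_head is the last hash as held by someone other than the log's
    owner. Without it, dropping records from the end goes unnoticed.
    """
    findings, prev = [], GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            findings.append((i, "sequence gap"))
        if rec["prev"] != prev:
            findings.append((i, "broken link"))
        if record_hash(rec["seq"], rec["prev"], rec["action"]) != rec["hash"]:
            findings.append((i, "modified"))
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        findings.append((len(log), "head mismatch"))
    return findings


def sample_log():
    """Constructed sample: three actions by a hypothetical payments agent."""
    log = []
    for action in ({"tool": "lookup_order", "order": "A-1001"},
                   {"tool": "issue_refund", "order": "A-1001", "amount": 40},
                   {"tool": "send_email", "to": "customer"}):
        append(log, action)
    return log
```

A chain on its own only proves internal consistency; the head hash has to be held by the counterparty or another outside party for truncation or a wholesale rewrite to show up.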

EU AI Act Article 12 enforcement begins August 2, 2026. These agents will need to produce records that meet evidentiary standards. Currently, none do.

Trust Capital

Credit scores for AI agents. Receipts accumulate into Trust Capital — a reputation-backed asset that prices risk, posts collateral, unlocks transaction limits, gates insurance access, and earns higher-value work. Agents borrow authority against it.

Nobulex is the protocol. Ed25519 signed. Bilaterally attested. MIT licensed. Already merged into Microsoft's Agent Governance Toolkit.
