ZIRULABS Engage

// thesis · April 2026 · v0.1

The Trust Layer for AI

A thesis on the physical substrate of AI trust.

Author: Ziru Labs ~14 min read CC BY 4.0 v0 — pending Daniel + Connor review

Ziru Labs builds the trust layer for AI: the hardware-rooted substrate where AI behavior becomes verifiable from silicon up. The primitive sits below the layers where AI executes and above the silicon architectures that define what silicon performs. The page that follows is the public-tier thesis on why this layer is the analytically correct substrate for the current moment, why the layers above it are structurally insufficient on their own, and why the next eighteen months determine which reference implementation becomes codified across federal, EU, NATO, IEEE, and ISO/IEC standards processes.

The architecture of foundational primitives

A commoditized product competes on price, features, and distribution inside an existing market. Its TAM equals market size times adoption times average selling price. Bottom-up analysis is appropriate.

A foundational primitive provides a new operation, trust model, or capability at a layer structurally required for the applications it enables. It opens markets that exist only because the primitive exists. Bottom-up analysis is necessary, and it is insufficient alone, because realized value materializes across markets that are not yet in view at the primitive's inception.

The Ziru Labs primitive belongs in the analytical category of foundational infrastructure. Public-key cryptography defined the digital trust primitive that produced SSL, web commerce, and modern enterprise identity. TCP/IP defined the internetworking primitive that produced the public internet and every economy downstream of it. GPS defined the position primitive that produced location services, logistics, and time-distribution infrastructure. ARM defined the silicon-architecture primitive that produced the mobile revolution and now sits at the foundation of cloud and AI accelerator design. Each defined a layer. Each enabled applications across domains its founders did not anticipate. Each produced enabled economic value at ratios of one to four orders of magnitude beyond direct-market TAM.

The seven diagnostic criteria

A primitive is distinguished from a high-quality product by seven structural tests, each of which the historical analogs satisfied at their inceptions and against which the trust layer for AI can be measured today.

  1. New primitive operation or trust model. The primitive introduces a capability that did not previously exist in deployable form, not a faster version of an existing capability.
  2. Irreducibility to higher layers. The capability cannot be reproduced by composition of higher-layer primitives. Software cannot synthesize hardware-rooted trust; firmware cannot synthesize silicon-rooted attestation.
  3. Application dependence. Specific application classes either become possible only because of the primitive or become qualitatively different in nature.
  4. Positive externalities. The primitive produces value to third parties beyond direct purchasers, which is the economic signature of infrastructure.
  5. New economic arrangements. Markets emerge that depend on the primitive: insurance, certification, audit, cross-border trust, and provenance markets are characteristic outputs of foundational trust primitives.
  6. Multiplying integration points. Each new integration creates new dependencies, compounding switching costs and producing the network effect characteristic of single-source layers.
  7. Standards emergence. Regulatory and standards bodies converge on a reference specification, after which displacement requires coordinated action across multiple jurisdictions simultaneously.

The Ziru Labs primitive satisfies all seven criteria. Standards emergence is conditional on substantive engagement during the next eighteen to thirty-six months, and that engagement is actively underway across five parallel processes.

The eleven-layer model and where the trust layer sits

The AI infrastructure stack consists of eleven layers from silicon fabrication through governance and compliance. Each layer has a distinct function, a distinct set of dominant participants, and a distinct market structure. Layer 3, the hardware trust substrate, is the layer where AI computation becomes rooted in the deployed silicon and where any property of that computation (weights, inputs, constraints, outputs, timing, environment) can be made cryptographically demonstrable at the physical level. As of April 2026, no commercial product occupies this layer.

The vacancy is not a stylistic claim. It produces documented capability gaps at every layer above. NVIDIA's AI Factory for Government cannot deploy at IL6 and above. Microsoft Azure Federal classified workloads carry the same gap. Allied sovereign AI programs across Five Eyes, NATO, and the GCC sit at the same impasse. EU AI Act Article 40 conformity assessment requires a hardware-rooted substrate that has not been codified. Frontier AI lab responsible scaling commitments lack a hardware-rooted enforcement substrate. Each gap is structural and cannot be synthesized from the layers above; each is removed when Layer 3 is filled.

A persistent diligence hazard worth disambiguating: Layer 3 is not Hardware Root of Trust, not Confidential Computing or TEE, and not the architectural determinism associated with specific AI accelerators. Hardware Root of Trust is a Layer 4 boot-time property; Confidential Computing is a Layer 5 software trust boundary; architectural determinism is a Layer 4 performance property. Layer 3 is the runtime hardware-rooted verification substrate below all of them.

Four historical analogs

Four primitives anchor the analytical category. Each defined a layer; each was initially under-appreciated; each ultimately captured economics one to three orders of magnitude beyond its direct-market TAM.

Public-key cryptography. The mathematical primitive enabling digital identity, signatures, and encrypted communication. Its direct-market TAM at inception was effectively zero; the enabled markets, including SSL, e-commerce, modern enterprise identity, secure messaging, and blockchain, cumulatively run into trillions. VeriSign captured a generation of SSL economics by becoming the codified reference at the primitive's inflection.

TCP/IP. The internetworking primitive selected as the reference over OSI during the early standards window. Once codified, the inversion was structurally impossible to undo. Every subsequent networking architecture is interoperable with TCP/IP; none has displaced it.

GPS. The position primitive that became the reference for civilian time and location infrastructure. Galileo, GLONASS, and BeiDou are interoperable alternatives, not replacements. The downstream economy, including logistics, location services, and time distribution, runs into the trillions.

ARM ISA. The instruction-set primitive that captured the mobile revolution and now anchors cloud and AI accelerator design. ARM's structural position is the most direct analog for the trust layer: a single-source layer whose presence is required for the diverse, competitive layers above it to interoperate, and whose royalty rate at maturity translates a modest direct-market footprint into a primitive-scale outcome.

Why software and firmware layers are structurally insufficient

The current AI infrastructure runs on a stack where trust is asserted in software and attested piecewise. The physics of the deployment environment (memory remanence, bus-level observability, firmware integrity, and the continuity of governance enforcement across software compromise) sits outside the reach of existing security layers.

Confidential Computing addresses the software trust boundary. NVIDIA Confidential Computing, AMD SEV-SNP, Intel TDX, and ARM Confidential Compute Architecture each provide a trusted execution environment within a CPU or GPU. Each is necessary; none is sufficient for the threat classes that operate below the software trust boundary. Cold-boot extraction of AI memory, PCIe bus interception, supply chain compromise of deployed boards, and hardware-level inference manipulation operate beneath the layer at which Confidential Computing protects.

Software-layer governance similarly operates on a substrate it cannot observe. When the software layer is compromised, the governance platform cannot detect it. This is the structural limit of software-layer governance for any AI deployment whose consequences extend into regulated, sovereign, or high-assurance domains.

The trust layer for AI is the layer where these limits dissolve. The substrate binds AI inference to the deployed hardware at a level the software layer cannot reach, and produces cryptographic evidence of authentic execution that survives full software compromise. The trust layer is additive to Confidential Computing; it extends the hardware-attested boundary below the TEE to cover the threats that sit outside the TEE threat model.

The three-tier opportunity

The primitive's total addressable opportunity spans three tiers.

Tier 1, Observable. Security applications across nineteen verticals from regulated healthcare and financial services to defense, aerospace, frontier AI labs, and critical infrastructure. Bottom-up analysis produces a defensible mid-range of seventy-five to eighty-eight billion dollars annually at maturity. This is the commercial floor of the opportunity, and the launch surface for Project Phoenix.

Tier 2, Adjacent. Verification, provenance, compliance attestation, and AI identity infrastructure. Each is a deployment of the same primitive into an adjacent application domain. Cumulative first-decade revenue runs into the hundreds of billions as governance, identity, and provenance markets adopt hardware-rooted trust as the reference substrate.

Tier 3, Transformational. AI economic agency, hardware-attested truth infrastructure, and the intergovernmental trust architecture that follows once hardware-rooted AI verification becomes part of the public infrastructure layer. The horizon is civilizational rather than commercial; the analytical frame is qualitative rather than quantitative.

The eighteen-month standards window

The strategic urgency is not stylistic. Initial codifications across five parallel standards processes publish between late 2027 and late 2028, and once codified, reference implementations rarely move. FY2026 NDAA Section 1513 framework development at the Department of Defense; OMB AI procurement guidance under Executive Order 14179 and the December 2025 federal AI preemption Executive Order; EU AI Act Article 40 harmonized standards through CEN, CENELEC, and ETSI; NATO STANAG on AI trust through Allied Command Transformation and DIANA; and the IEEE P3109 series alongside ISO/IEC JTC 1/SC 42.

The historical pattern is consistent. X.509 was selected as the public-key certificate format during the early drafting of SSL, and VeriSign captured root-CA economics for the first decade of web commerce as a direct consequence. TCP/IP was codified over OSI; GPS was codified as the position reference; Dolby Digital was codified as the audio reference. In each case, codification during the initial drafting period converted technical merit into structural position. The next eighteen months are the equivalent window for the trust layer for AI.

Forward thesis

Ziru Labs operates from one conviction: the trust layer for AI is a foundational primitive in the analytical category of TCP/IP, public-key cryptography, GPS, and ARM, and the next eighteen to thirty-six months determine the reference implementation that codifies it across federal, allied, and international standards processes.

The work that follows from this conviction is concentrated rather than diffuse. The primitive must be demonstrated at the level of live hardware (the Minimum Working Prototype demonstration is targeted for the second half of 2026). The substrate must be engaged across the five standards processes simultaneously (engagement underway). The intellectual property position must be prosecuted at mechanism level rather than implementation level (utility patent prosecution is active for the four core moat inventions). And the public artifact (this site, the published research, the standards submissions) must continue to articulate the primitive frame in a register that sophisticated readers recognize as the public surface of an institution that has already done the work.

The thesis you have just read is the public-tier derivation of the canonical Strategic Thesis, available in full in the Research section. The companion technical analysis on the eleven-layer stack is in The AI Stack and the Trust Layer; the standards engagement detail is in The 18-Month Standards Window; the federal IL6+ deployment context is in The Federal AI IL6+ Gap.

References

  1. Ziru Labs. The Trust Layer for AI: Strategic Thesis (v1.1). April 2026. /research/trust-layer-strategic-thesis.
  2. Ziru Labs. The AI Stack and the Trust Layer. April 2026. /research/the-ai-stack-and-the-trust-layer.
  3. Ziru Labs. The 18-Month Standards Window. April 2026. /research/the-18-month-standards-window.
  4. NIST. SP 800-193: Platform Firmware Resiliency Guidelines.
  5. Trusted Computing Group. DICE Architecture.
  6. Confidential Computing Consortium (Linux Foundation). Confidential Computing Reference.
  7. European Parliament and Council. Regulation (EU) 2024/1689 (the AI Act).
  8. U.S. Public Law 119-60. FY2026 National Defense Authorization Act, Section 1513. December 2025.
  9. Executive Order 14179. Removing Barriers to American Leadership in Artificial Intelligence. January 2025.
  10. IEEE P3109 Working Group. Standards for Hardware-Rooted Attestation in High-Assurance AI.
  11. ISO/IEC JTC 1/SC 42. AI Management Systems and Trust Standards.