Summary: Only advanced cryptography of the type developed by NovaNet from ICME Labs delivers the mathematical certainty that enterprise AI needs to secure AI—for risk management, regulatory compliance, and the coming era of agentic commerce.
Every enterprise AI system tested by Zscaler’s ThreatLabz red team in 2025 failed at least once under realistic adversarial pressure. Not some systems. Not most. Every single one.
That finding, buried in Zscaler’s 2026 AI Security Report, should be a five-alarm fire for every CISO, Chief Risk Officer, and board director in the world.
It confirms what security researchers have been warning for years: the AI guardrails that enterprises rely on to keep their systems safe are fundamentally inadequate. They can be bypassed, manipulated, and broken. Not through exotic zero-day exploits, but through creative prompting, role-play scenarios, and multi-turn storytelling that any motivated attacker can learn in an afternoon.
Meanwhile, enterprise AI adoption isn’t slowing down to wait for security to catch up.
AI guardrails are, at their core, a category error. They attempt to solve a mathematical problem with linguistic heuristics. When a model produces an output, guardrails ask a question that sounds reasonable: “Does this output look safe?”
But the question enterprises actually need answered is fundamentally different: “Can I cryptographically prove that this specific model, running this specific version, processed this specific input and produced this exact output?”
It’s the difference between a padlock and a mathematical theorem.
In October 2025, OpenAI launched its Guardrails framework as a comprehensive safety solution, employing large language models as “judges” to evaluate whether inputs and outputs posed security risks.
Within days, researchers at HiddenLayer bypassed both the jailbreak detection and prompt injection detection systems using straightforward techniques. The fundamental problem is what researchers call the “same model, different hat” vulnerability: using LLMs to both create responses and evaluate their safety means a single malicious prompt can compromise both systems simultaneously.
As the researchers noted, organizations relying on these guardrails may develop a false sense of security, unaware that adversaries can engineer confidence-score subversion. Security experts have been unequivocal: current guardrail systems should be treated as supplementary rather than primary security measures.
The security challenge compounds dramatically as AI moves from chat interfaces to autonomous agents.
Lakera AI analyzed attack activity in Q4 2025 and found that even early-stage AI agents—those capable of browsing documents, calling tools, or processing external inputs—are already creating new and exploitable security pathways.
Researchers observed attempts to extract confidential data from connected document stores, script-shaped fragments embedded within prompts, and hidden instructions placed inside external webpages or files processed by agents. These indirect attacks often required fewer attempts to succeed, highlighting external data sources as a primary risk vector.
When AI agents operate with real-world permissions—executing transactions, accessing databases, calling APIs—a guardrail failure can become an operational, legal, and even ethical disaster.
The regulatory landscape for AI in 2026 represents the most significant compliance challenge since GDPR.
By August 2, 2026, the EU AI Act requires companies to comply with transparency requirements and rules for high-risk AI systems, with penalties reaching €35 million or 7 percent of global annual turnover.
In the U.S., the SEC has made AI governance a FY2026 examination priority and elevated AI washing to a top enforcement concern, while the cyber insurance market is increasingly conditioning coverage on AI-specific security controls including documented red-teaming and model-level risk assessments. Meanwhile, a patchwork of state laws—Colorado's SB24-205, California's AB 2013, and others—adds approximately 17 percent overhead to AI system costs, with 77 percent of stakeholders expected to require verified compliance proof by 2026.
The compliance burden extends beyond any single jurisdiction.
NIST's AI Risk Management Framework, ISO/IEC 42001, and the EU AI Act all converge on a shared demand: verifiable evidence that AI systems function as intended, with documented controls, technical safeguards, and audit trails that can withstand regulatory scrutiny. As David Cass, CISO at GSR, put it: "You can never outsource your accountability. So if you decide to place reliance on these AI models… and something goes terribly wrong, the accountability is still going to fall on the organization."
Across every framework, regulators want something that guardrails, model cards, and policy documents fundamentally cannot provide—mathematical certainty.
When a regulator asks an enterprise to prove that its AI system used the approved model and executed correctly on a specific decision, only a cryptographic proof answers definitively. Audit logs can be falsified. Guardrails can be bypassed. But a zero-knowledge proof is a mathematical fact that either verifies or it doesn't. There is no jailbreak for mathematics.
If AI security is already critical for internal enterprise systems, it becomes existential when AI agents begin operating autonomously in commerce. And that moment has arrived.
McKinsey projects that by 2030, the volume of transactions conducted through AI agents will reach a global value of $3 to $5 trillion. Visa predicts that millions of consumers will use AI agents to complete purchases by the 2026 holiday season. Rubail Birwadker, SVP and Head of Growth Products & Partnerships at Visa, declared: “This holiday season marks the end of an era. In 2026, AI agents won’t just assist your shopping—they will complete your purchases.”
The fundamental challenge of agentic commerce is trust. When an AI agent autonomously initiates a $10,000 procurement transaction, the merchant needs to know: Is this agent legitimate? Did the consumer authorize this purchase? Did the agent faithfully execute the consumer’s instructions? Is the AI’s decision-making process verifiable?
Every major payment network is racing to answer these questions. Visa introduced its Trusted Agent Protocol in October 2025, an open framework developed with Cloudflare to enable secure communication between AI agents and merchants. Mastercard launched its Agent Pay Acceptance Framework, designed to establish standards for agent verification and data exchange. FIS announced an industry-first offering enabling banks to identify and authorize agent-initiated transactions using “Know Your Agent” (KYA) data.
But every one of these solutions only addresses identity and authorization at the protocol level.
None of them answer the deeper question: How do you verify that the AI model’s decision-making process itself was correct? That the approved, tested model actually made the decision? That the inference executed without tampering?
This is the gap that zero-knowledge machine learning fills.
Current agentic commerce frameworks verify the agent’s identity and the consumer’s authorization. But they treat the AI model’s inference—the actual computation that determines what the agent decides to do—as a black box. This creates a critical vulnerability in the trust chain:
In the current paradigm, these scenarios are undetectable. With cryptographic proofs, they are mathematically impossible to hide.
Zero-knowledge machine learning applies cryptographic proof technology to AI model inference. Anyone can verify that a specific AI model executed correctly on specific inputs and produced specific outputs.
This means that AI agent guardrails become cryptographically auditable. zkML mathematically guarantees that the guardrail model executed correctly on the actual inputs. Any bypass, tampering, or failure to run the guardrail at all becomes instantly known.
Until now, zkML has been impractical for production use because traditional approaches represent neural network operations as arithmetic circuits, which are prohibitively slow and expensive. zkML from ICME Labs solves this with a fundamentally different architecture built on lookup table technology that eliminates circuits entirely.
The performance difference means zkML is now finally viable infrastructure for AI guardrail verification. Real-time guardrail verification is achievable for the transaction authorization, fraud detection, and compliance decisions that enterprises and agents will soon be executing millions of times daily.
The code is open source and reproducible today at github.com/ICME-Lab/jolt-atlas.
Cryptographic proofs address the domains where enterprises need AI security most urgently.
Only 29 percent of organizations feel prepared to defend against AI-related threats, and BlackFog research shows nearly half of employees already use unsanctioned AI tools at work.
Cryptographic proof provides what no other technology can: unforgeable evidence that the approved, tested guardrail made each decision. Model governance stops being a policy document and becomes a mathematical guarantee.
The NIST AI RMF, the EU AI Act, and SEC guidance all converge on a single requirement: verifiable evidence that AI systems function as intended. Cryptographic proofs directly satisfy this demand to create the audit logs and model inventories that regulators require, with mathematical certainty that cannot be forged or retroactively altered.
When a regulator asks "prove that your AI system used the approved model and executed correctly on this specific decision," an enterprise with zkML can answer definitively. An enterprise without it can only produce logs, evidence that is only as trustworthy as the system generating it.
Current agentic commerce frameworks verify agent identity and payment authorization, but leave the AI inference layer—the actual decision-making—unverified.
zkML completes the trust chain: the agent is authenticated (identity layer), authorized (payment layer), and its decision-making process is cryptographically verified (inference layer).
For a $5,000 autonomous procurement decision, the enterprise can prove exactly which model version processed which inputs and produced which output. Disputes become resolvable with mathematical evidence instead of competing assertions.
Enterprises are deploying AI systems whose outputs they cannot cryptographically verify, into regulatory environments that increasingly demand such verification, through autonomous agents that will soon control trillions of dollars in transactions.
Guardrails are necessary. But they are not enough by themselves. Policy frameworks are essential for governance. But they are not enforceable at the computational layer. Audit logs are useful for record-keeping. But they are not tamper-proof.
zkML provides what none of these alternatives can: a sub-second cryptographic proof that a specific AI model executed correctly on specific inputs and produced a specific output. That proof is verifiable by any party in milliseconds. It is unforgeable. It is mathematically certain. And it is fast enough for production deployment today.
The code is at github.com/ICME-Lab/jolt-atlas.
