Oktenli, Burak

About / Research Mission

Research Mission

The rapid 2026 adoption of autonomous, tool-using AI agents created a security gap that software alone cannot close: when an agent can spend, call tools, and spawn sub-agents on its own, its authority and its record of decisions are only as trustworthy as the software holding them, and that software is exactly what an indirect prompt injection or a compromised host can subvert. The mission of this work is to specify a tamper-evident hardware root of trust that makes an agent's authority tier and audit ledger non-forgeable, so that an agent cannot exceed its granted authority or rewrite its history without breaking the device, and breaking the device leaves evidence.

Problem

Agent permissions today live in software the agent process can read and, under compromise, alter. The logs that should prove what an agent did are written by the same stack being audited. There is no portable hardware that holds the authority tier itself, signs each action with a non-exportable key, and refuses to operate after a physical tamper.

Gap

General-purpose secure elements and TPMs exist, but none binds the specific authority lifecycle of an AI agent (graded tiers, per-tool tokens, spawn-quorum aggregation, deterministic tamper response) to a tamper-evident device that an agent or its host can attach over USB or M.2.

Contribution

BLADE-AGENT-HSM extends the AUTHREX governance framework (validated across six BLADE platforms) into the agentic-AI domain as the seventh BLADE platform and the first hardware root of trust in the family. It is the hardware companion to the AUTHREX-AGENT software shim, contributing a non-exportable-key signing path, TPM-resident tier state, HKDF-derived per-tool tokens, spawn-quorum aggregation, and a deterministic multi-modal tamper cascade, all reproduced by an adversarial high-assurance emulator under 275 deterministic checks.

Assurance boundary. This is a research demonstrator. Hardware maturity is approximately TRL 2-3 (specification and reference design); the emulator is approximately TRL 3-4. The emulator runs real Web Crypto primitives, but no certified hardware exists and no FIPS, Common Criteria, EAL, NSA, NASA, or DoD endorsement, validation, or certification of any kind is claimed. Silicon timing is modeled, not measured; post-quantum fields model interface shape only.

Strategic Context

National Importance

In 2026 the United States and its closest partners moved from encouraging agentic AI to governing it. On 1 May 2026 the Cybersecurity and Infrastructure Security Agency, the NSA AI Security Center, and the Five Eyes cyber agencies issued joint guidance, Careful Adoption of Agentic AI Services, calling for hardware-anchored identity, non-repudiable audit, and least-privilege authority for autonomous agents. The FY2026 National Defense Authorization Act addressed the same problem in Sections 1513 and 6601.

Software controls alone cannot satisfy that guidance, because the software is the attack surface. A hardware root of trust changes the trust assumption: when the signing keys live in an EAL6+ secure element, the authority tier lives in a TPM, and every action is signed by hardware, an attacker cannot escalate an agent past its tier or forge its audit trail without physically defeating the device, and the device records the attempt. This is the principle that secures payment and identity hardware, applied to the authority of autonomous AI.

BLADE-AGENT-HSM, paired with the AUTHREX-AGENT software shim, is a research contribution toward closing that gap. It makes no empirical claims about specific products or incidents, claims no government endorsement, and is a reference design at research-demonstrator maturity.

Capability Gap

What Agentic-AI Security Does Not Yet Provide

The market has mature secure elements, TPMs, and a growing set of software frameworks for agent identity and tool permissions. None binds the AI-agent authority lifecycle to a tamper-evident device the agent can carry.

Four Documented Authority Gaps

Software-only authority. Agent permissions live in configuration the agent process can read and, under prompt injection or host compromise, alter. No hardware holds the authority tier itself and refuses actions above it.
Forgeable audit. Agent action logs are written by the same software stack being audited. Without a hardware signer and a hash-chained ledger, a record cannot demonstrate the integrity an evidentiary or compliance standard requires.
No tamper-bound authority. General secure hardware detects tampering but does not tie a tamper event to an agent authority model that zeroizes keys, latches to a halt tier, and records the cause.
No portable anchor for the lifecycle. Existing devices secure keys, not the agent lifecycle (graded tiers, per-tool tokens, spawn-quorum aggregation). No attachable module makes that lifecycle hardware-rooted.

BLADE-AGENT-HSM addresses all four as an attachable module that integrates over USB-A or M.2 Key-E. It does not run the agent's model; it anchors the agent's authority and the record of it in hardware.

Framework Extension

Software Shim Plus Hardware Anchor

BLADE-AGENT-HSM is deliberately one half of a program. The AUTHREX-AGENT software shim implements the authority lifecycle (tiering, deliberation, recovery, ledger) so any agent can adopt it immediately; BLADE-AGENT-HSM then closes the production-readiness gap by making the keys non-exportable, the tier hardware-attested, and the ledger tamper-evident. The same root-of-trust design is already embedded inside the BLADE-EDGE, BLADE-AV, and BLADE-INFRA reference variants; this platform extracts it into a standalone, attachable device.

AUTHREX-AGENT (Software)

The authority-lifecycle shim. Runs the T3 to T0 tiering, the deliberation window, recovery, and an ECDSA P-256 audit ledger in software. Adoptable today; software trust assumptions. TRL 3-4.

BLADE-AGENT-HSM (Hardware)

The hardware root of trust. Non-exportable keys in an EAL6+ secure element, tier state in a TPM 2.0, tamper-evident audit ledger. USB-A stick or M.2 Key-E. ~$199 per unit. TRL 2-3 silicon.

Together they are a complete answer to the hardware-anchored-identity, non-repudiable-audit, and least-privilege expectations of the CISA, NSA, and Five Eyes agentic-AI guidance.

Host Interface

What the HSM Does: Five-Opcode ABI

BLADE-AGENT-HSM does not run an AI model. It exposes a fixed 64-byte command frame (over USB-HID for the stick, or SPI-slave for the M.2 module) with exactly five authority-bearing operations. The host or the AUTHREX-AGENT shim calls these; the keys and the tier state stay inside the device.

0x10

audit_sign

Sign a 32-byte ledger hash with the SE051 ECDSA P-256 key

0x11

pcr_extend

Extend a named PCR (0-7) in the TPM

0x12

pcr_quote

TPM quote over a PCR selection and a caller nonce

0x13

tool_auth

HKDF-derive a per-tool token, bound to the active tier

0x14

spawn_quorum_sign

Verify N-of-M sub-agent signatures, aggregate via SE051

PCR Allocation

PCR	Holds	Extended
PCR0	Authority tier state (T3 / T2 / T1 / T0)	On every tier transition
PCR1	Audit ledger chain	On every audit_sign
PCR2	Tool policy	Sealed at provisioning
PCR3	Spawn quorum	On every spawn event
PCR4	Tamper cause code	Only on tamper
PCR5-PCR7	Reserved for integrator policy	Integrator-defined

The frame carries a 4-byte opcode, a 2-byte length, a payload up to 26 bytes, and a 32-byte HMAC-SHA-256. The full layout is in the Interface Control Document (ICD-AGENT-HSM-001).

Authority Model

Four-Tier Authority, Indicated in Hardware

BLADE-AGENT-HSM holds the four-tier HMAA authority state in the TPM and surfaces it on a tri-colour indicator LED, so the authority state of an agent is visible physically and is not something the agent process can misrepresent.

Tier	Indicator	Description
T3	Green	Autonomous. The agent may act within its tool policy without per-action confirmation. Every action is still signed and extended into the ledger.
T2	Amber	Supervised. High-consequence actions are signed only after a supervising party acknowledges. Non-acknowledgment defaults to refusal.
T1	Red	Confirmed. The most consequential actions require an explicit operator confirmation recorded with full context.
T0	Blinking red + alarm	Halted and locked. Entered on tamper, attestation failure, or operator halt. Keys are zeroized; the ABI refuses every opcode except pcr_quote until re-provisioning.

Provisioning state. During the provisioning ceremony the tier LED shows a slow blue pulse; a green power LED is solid whenever the 3.3V rail is stable. Each agent carries a sealed tool policy (PCR2) that defines its tier ceiling.

Tamper Detection

Physical Intrusion to Key Zeroization

BLADE-AGENT-HSM is a sealed module on a four-layer board whose inner layers carry an active tamper mesh. Several independent sensing paths feed the deterministic tamper cascade.

Sensing Path	Mechanism	Trips On
Active PCB mesh	Continuous low-current serpentine loop on layers L2/L3 (8-12 ohm), polled every 10 ms	Short, open, or impedance shift over 5 percent
Voltage-glitch detector	Windowed comparator on the 3.3V rail	Undervoltage below 2.7V or overvoltage above 3.6V
Thermal monitor	High-accuracy I2C temperature sensor with alert to the MCU	Out-of-envelope temperature (thermal-tamper)
Supply supervisor	Windowed reset supervisor on the 3.3V rail	Rail excursions trigger an MCU reset

Tamper Cascade (Firmware-Defined)

An interrupt fires on mesh fault, voltage glitch, or thermal alert
The MCU issues a key-zeroize command to the secure element; private-key slots are wiped
The TPM extends PCR4 with the tamper cause code, then PCR0 with a T0 lock marker
A one-time-programmable tamper-latch flag is written so the event survives power cycling
The alarm LED goes solid red and the piezo buzzer chirps; the device latches to T0

A physical tamper-evident seam label spans the enclosure and tears on opening, with its serial recorded against the device serial number. The response is deterministic: a tampered device stops signing until an authorized re-provisioning ceremony.

Evidence Chain

Hardware-Signed, Hash-Chained Audit

Every authority-bearing action is signed and recorded so the agent's history is verifiable after the fact.

Non-Exportable Hardware Signing

Each audit entry is signed with an ECDSA P-256 key resident in the EAL6+ secure element, whose extractable attribute is fixed false at provisioning. The private key never leaves the device, so a signature ties each record to a specific physical device identity.

Hash-Chained Ledger and PCR Binding

Each entry references the previous entry's hash, forming an append-only chain that is also extended into TPM PCR1. A periodic TPM quote over the PCR selection provides an attested checkpoint that can be exported and anchored externally.

Signed Golden-Trace Anchor

The reproducibility package includes a deterministic golden trace and a P-384 signed anchor over the event count, the final PCR digests, and the trace SHA-256. The bundled verifier re-derives the PCR chain, checks the ECDSA signature on every entry, and validates the anchor; truncation or substitution fails verification.

Trust-root caveat. The audit anchor's attestation public key travels inside the evidence file, so it is not a trust root on its own. Adversarial forgery resistance requires the verifying party to pin the device's attestation identity out-of-band. Absent that pin, the verifier honestly reports integrity-and-same-session trust only.

Security Architecture

Defense-in-Depth Security

BLADE-AGENT-HSM uses a three-layer security architecture anchored in hardware. Because the device is the root of trust, the model protects the keys, the identity, and the integrity of the evidence chain.

Layer 1: Hardware Root of Trust

NXP EdgeLock SE051 (CC EAL6+) holds non-exportable ECDSA P-256/P-384 keys, plus ECDH, AES-256-GCM, SHA-256/384, and HKDF. Infineon SLB 9670 TPM 2.0 (FIPS 140-2 Level 2) owns the PCR bank, sealed storage, quote, and attestation key. A discrete ATSHA204A adds second-source entropy and a device serial.

Layer 2: Authority Enforcement

An STM32L432 Cortex-M4F MCU runs the ABI dispatcher and the authority logic as deterministic firmware isolated from the host. It refuses any action above the active tier, gates all signing on the tamper state, and serves only pcr_quote after a tamper latch.

Layer 3: Tamper and Audit

Active mesh, voltage-glitch, and thermal sensing drive a zeroize-and-lock cascade. A USB ESD device guards the host interface. Every action is ECDSA-signed and hash-chained into PCR1, with a P-384 signed golden-trace anchor for external verification.

Hardware

Attachable Secure Module - Reference Design

Form Factors

A single 30 mm by 80 mm four-layer PCB supports two enclosures: a USB-A stick (84 by 24 by 9 mm, two-piece clamshell with a tamper-evident seam label) for development, red-team rehearsal, and forensic verification; and an M.2 Key-E module (Type 2280) for production edge and rack deployment, where the host chassis provides physical security. The USB-A variant regulates host 5V to 3.3V on board; the M.2 variant takes 3.3V from the host directly.

Cryptographic and Control Subsystems

Reference	Component	Role
U1 Secure Element	NXP EdgeLock SE051C2HQ1/Z01V (CC EAL6+)	Non-exportable ECDSA P-256/P-384 keys; ECDH, AES-256-GCM, SHA-256/384, HKDF, on-chip RNG. I2C.
U2 TPM	Infineon SLB 9670VQ2.0 TPM 2.0 (FIPS 140-2 L2)	PCR bank (PCR0-7), quote, sealed storage, attestation key. SPI.
U3 Governance MCU	STMicro STM32L432KCU6 (Cortex-M4F, 80 MHz)	USB-FS device; USB-HID stack, I2C/SPI master, tamper polling, ABI dispatch.
U4 Tamper Sensor Block	Active mesh + voltage-glitch + thermal (I2C temperature sensor)	Multi-modal physical intrusion detection feeding the tamper cascade.
U5 TRNG / Serial	Microchip ATSHA204A	Second-source entropy for the secure element and a unique device serial number.
U6 / U7 Power	TI TPS73633 LDO (5V to 3.3V) + TPD2E001 USB ESD + MAX16162 supervisor	Clean 3.3V rail, host-interface ESD protection, and undervoltage/overvoltage supervision.
U8 / U9 Timing	Abracon ABS06 RTC crystal + ABM3B HSE crystal	Real-time clock for ledger timestamps and the MCU high-speed clock.
Indication	Green power LED, tri-colour tier LED, red alarm LED, Kingstate KPT-G2810 piezo	Surfaces the active authority tier, provisioning state, and tamper alarm.
J1 / J2 Host Interface	USB-A castellated pads + M.2 Key-E gold fingers (75-position)	Two attachment options; not co-populated on a given unit.

Four-layer FR-4, 1.6 mm, ENIG finish; inner layers L2/L3 carry the active tamper mesh. Full bill of materials, pin-level interconnect, and connection maps are in the Zenodo deposit (DOI 10.5281/zenodo.20299821).

Trust-Anchor Architecture

Enforces Authority, Takes No World Action

Unlike the BLADE domain nodes, which can gate a physical effector, BLADE-AGENT-HSM has no actuator that acts on the outside world. Its only outputs are a signed authorization, a PCR extension, a ledger entry, an indicator state, and a tamper alarm. It enforces authority by withholding a signature: an action the agent cannot get signed is an action it cannot prove was authorized, and a tier-bound tool token the device will not derive is a tool the agent cannot use.

Why this matters. The device deliberately cannot move money, call a tool, or send a command on its own. It is a checkpoint, not an actor. This keeps the safety property simple: the worst a compromised host can do is be refused a signature or a token, and any physical attack zeroizes the keys and leaves a recorded tamper event. It is the inverse of the SIL-3 effector interlock in the physical BLADE variants, the same root-of-trust idea applied to a device that authorizes rather than acts.

Electrical Design

System Schematic

Full subsystem node graph color-coded by type (MCU, Sensor, Actuator, Power, Module, Display). Shows the STM32L432 governance MCU at the center, the TPM 2.0, secure element, and discrete TRNG cryptographic subsystems, the tamper sensor block, the tier-indicator, alarm, and power LEDs, the piezo buzzer, the LDO power regulation and USB ESD protection, the RTC and HSE crystals, and the USB-A and M.2 Key-E host interfaces with data and power links.

View Full Schematic (PDF) ↓ Vector Schematic (SVG) ↓

Cost Analysis

Reference Configuration Cost

BLADE-AGENT-HSM is a low-cost secure module, an order of magnitude cheaper than the domain governance nodes. The reference bill of materials is dominated by the three cryptographic devices. The figures below are from the reference BOM and the first-article engineering estimate in the deposit.

Item	Reference Cost
Secure element (SE051, EAL6+)	$35.00
TPM 2.0 (SLB 9670)	$25.00
Governance MCU (STM32L432)	$18.00
Tamper sensor block + TRNG + supervisor	~$32.00
Power, ESD, crystals, indicators, passives	~$5.00
PCB (4-layer, ENIG) + enclosure + assembly	~$84.00
Per-unit total (qty 10-100)	~$199
Non-recurring engineering (first article)	~$8,250
First-article total	~$8,449

Non-recurring engineering covers PCB layout, firmware, debug tooling, test fixtures, and documentation. At volume the per-unit cost falls further; the cryptographic devices set the floor.

Specifications

Physical Specifications

Parameter	Value
Form factor	USB-A stick (84 x 24 x 9 mm) or M.2 Key-E module (Type 2280), single 30 x 80 mm 4-layer PCB
Power	Host 5V (4.75-5.25V) → 3.3V rail (±3%); 80 mA typical, 250 mA peak during ECDSA P-384 signing
Operating temperature	-10 C to +75 C
Host interface	USB full-speed HID (stick) or SPI-slave (M.2); 64-byte fixed ABI frame, 5 opcodes
Secure element	NXP EdgeLock SE051 (CC EAL6+) · non-exportable ECDSA P-256/P-384, ECDH, AES-256-GCM, SHA-256/384, HKDF
TPM	Infineon SLB 9670 TPM 2.0 (FIPS 140-2 Level 2) · PCR0-7, quote, sealed storage
Governance MCU	STMicro STM32L432KCU6 (Arm Cortex-M4F, 80 MHz)
Tamper detection	Active PCB mesh (L2/L3, 8-12 ohm, polled 10 ms) + voltage-glitch window (2.7/3.6V) + thermal monitor → zeroize and T0 lock
Authority model	Four-tier (T3 green / T2 amber / T1 red / T0 blink + alarm), TPM-resident in PCR0
Evidence chain	ECDSA P-256 signed, hash-chained, PCR1-bound; P-384 signed golden-trace anchor
Standards alignment	CISA / NSA / Five Eyes agentic-AI guidance · FY26 NDAA §1513 and §6601 · NIST SP 800-53 Rev. 5 · FIPS 140-2 / 140-3 · TPM 2.0 (TCG)
Reference cost	~$199 per unit (qty 10-100); ~$8,250 NRE; ~$8,449 first article
Maturity	TRL 2-3 silicon · TRL 3-4 emulator

Interactive Demo

Adversarial High-Assurance Emulator

The BLADE-AGENT-HSM emulator runs the full hardware behavior in the browser with real Web Crypto primitives (ECDSA P-256/P-384, SHA-256, HKDF) and no backend. It models the PCR measurement chains, the audit-ledger signing, the tier transitions, the spawn quorum, the per-tool zero-trust tokens, and the failure-mode scenarios, including a voltage glitch, an electronic-warfare hazard with recovery, split-brain ledger reconciliation, and Byzantine fault isolation. It exports a signed evidence bundle and runs a browser self-test.

The emulator and its core are reproduced by a bundled test suite of 275 deterministic checks across seven batteries (275 of 275 passing, confirmed over three reruns), plus a software-only-versus-HSM baseline that quantifies what the hardware anchor adds. A deterministic golden trace and a P-384 signed anchor allow independent verification.

Launch HSM Emulator

Evidence

Validation Metrics

275

Deterministic checks (275/275)

Test batteries

Reruns confirmed

P-384

Signed golden-trace anchor

P-256

Per-entry audit signature

Traced requirements

The seven batteries cover standalone logic, adversarial cases, the embedded-in-HTML core, red-team logic, and trust-root pinning. Critical findings closed include real signature verification on every audit entry (not a line count), enforced fault knobs, true tamper-origin-tier capture, and a P-384 anchor that fails on truncation. With an out-of-band identity pin, the verifier resists adversarial trace forgery, including anchor re-key attacks. These are emulator and reference-design results; no certified hardware exists.

Research Integration

Role in the Governance Stack

BLADE-AGENT-HSM is the seventh instantiation of the AUTHREX authority-governance framework and the first dedicated hardware root of trust in the family. The six domain governance nodes each embed a trust anchor internally; BLADE-AGENT-HSM extracts that anchor into a standalone, attachable device, and pairs it with the AUTHREX-AGENT software shim so the same hardware-rooted authority and audit chain is available to software AI agents and to any BLADE node. The seven governance architectures (SATA, HMAA, ADARA, MAIVA, FLAME, CARA, ERAM) are reused in their HSM-specific roles: attestation, tier enforcement, and deterministic recovery anchored in silicon.

Related platforms: Rover Testbed (~$484) · UAV Platform (~$4,200) · BLADE-EDGE (defense, ~$139K) · BLADE-AV (automotive, ~$16K) · BLADE-MARITIME (maritime, ~$43K) · BLADE-INFRA (infrastructure, ~$12K) · BLADE-SPACE (orbital, ~$505K) · BLADE-CUAS (counter-UAS, ~$43.5K) · BLADE-AGENT-HSM (agentic AI, ~$199). Nine research platforms demonstrating governance-stack portability across seven domains.

Governance Middleware

SDK Integration

The AUTHREX-AGENT shim calls BLADE-AGENT-HSM through the same unified API used across the BLADE family. An agent opens the device, requests an authorization or a tool token, and receives a hardware-signed result. Only the configuration changes between domains.

blade_agent_hsm.yaml Agentic AI

domain: agent_hsm
root_of_trust: hardware

crypto:
  secure_element: nxp_se051   # CC EAL6+, keys
  tpm: infineon_slb9670       # PCR bank, quote
  trng: microchip_atsha204a   # 2nd-source entropy

abi:
  audit_sign:        ecdsa_p256_se051
  pcr_extend:        tpm
  pcr_quote:         tpm
  tool_auth:         hkdf_tier_bound
  spawn_quorum_sign: n_of_m_se051

authority:
  T3_autonomous: green
  T2_supervised: amber
  T1_confirmed:  red
  T0_halt:       blink_red_alarm

tamper:
  paths: [active_mesh, voltage_glitch, thermal]
  on_event: [zeroize_keys, pcr4_cause, tier_T0]

agent_integration.py Python

import blade_governance as bg

# Attach the hardware root of trust (AUTHREX-AGENT)
hsm = bg.AgentHSM("blade_agent_hsm.yaml")

# Authorize a tool call at the active tier:
tok = hsm.tool_auth(tool="wire_transfer", tier="T1")
if tok is None:
    agent.block("wire_transfer")   # above tier

# Sign the audit entry with a non-exportable key:
sig = hsm.audit_sign(ledger_hash)  # ECDSA P-256
hsm.pcr_extend(pcr=1, value=ledger_hash)
# sig.device_id, sig.pcr_quote -> attested record

Cross-domain portability: the same API drives BLADE-AGENT-HSM and the six BLADE domain nodes. Switching from a defense node to an AI agent changes the configuration, not the application code. This is how one governance pipeline operates across seven domains.

Research Papers

Companion Paper & Documentation

The BLADE-AGENT-HSM companion paper (16 sections, 5 figures, 28 references), the Interface Control Document, the host-integration guide, and the complete reference-design files are deposited on Zenodo under DOI 10.5281/zenodo.20299821 (CC BY 4.0, v4.0).

Document	Description
Companion Paper (PDF)	A Reference Hardware-Root-of-Trust Design and Verified Emulator for Agentic-AI Authority Governance.
Interface Control Document	ICD-AGENT-HSM-001: full ABI frame layout, pinout, and PCR allocation.
Integration Guide	Host-integration guide for the USB-A and M.2 variants.
Full Repository	All deposited files: emulator, paper, ICD, hardware reference files, and validation artifacts.

Current Status

Technology Readiness

BLADE-AGENT-HSM hardware is at approximately TRL 2-3 (specification and reference design); the emulator is at approximately TRL 3-4 (a research demonstrator running real Web Crypto). All silicon performance figures are design targets; silicon timing is modeled, not measured. Board fabrication, the provisioning key ceremony, and tamper-mesh calibration are post-petition deliverables.

Hardware - TRL 2-3

Reference design with the system schematic, four-layer stack-up, full BOM, pin-level interconnect, and both enclosure variants. No certified hardware exists; no hardware coupon is included.

Emulator - TRL 3-4

Browser-native, real Web Crypto, deterministic. 275 of 275 checks across seven batteries, a software-only-versus-HSM baseline, and a P-384 signed golden trace.

Research Roadmap

Future Work

First-Article Fabrication

Build the USB-A and M.2 Key-E first articles, bring up the secure element, TPM, and host interface, and verify the ABI against the golden vectors.

Provisioning Ceremony

Define and test the on-device key-generation ceremony, the out-of-band identity pin, and the baseline PCR quote export.

Tamper-Mesh Calibration

Calibrate the active-mesh impedance threshold and the voltage and thermal windows, and verify the deterministic zeroize-and-lock cascade on physical intrusion.

Post-Quantum Path

Move the ML-DSA fields from interface model to a real hybrid signature path, extending the CNSA 2.0 hybrid-signature work modeled in the emulator.

Open Research

Repository & Reproducible Artifacts

BLADE-AGENT-HSM provides reproducible artifacts enabling independent verification of the authority behavior, the reference hardware design, and the emulator. All files are published open-access on Zenodo (DOI 10.5281/zenodo.20299821) and mirrored in the repository.

Adversarial Emulator

A self-contained HTML emulator with real Web Crypto, deterministic clock, failure-mode scenarios, evidence-bundle export, and an in-browser self-test.

Reference Hardware

System schematic, four-layer stack-up, full BOM (27 line items), electrical and mechanical connection maps, and the host-integration guide and ICD.

Verification

Seven Node test batteries (275 deterministic checks), a software-only-versus-HSM baseline, a deterministic golden trace, and a P-384 signed anchor, with a machine-readable test report.

Standards Alignment

CISA / NSA / Five Eyes agentic-AI guidance, FY26 NDAA Sections 1513 and 6601, NIST SP 800-53 Rev. 5, FIPS 140-2 / 140-3, and the TCG TPM 2.0 specification.

View Repository Zenodo Record

Researcher

About This Project

The BLADE-AGENT-HSM Hardware Root of Trust is part of the authority-governed autonomy research program by Burak Oktenli at Georgetown University (M.P.S. Applied Intelligence). It is the seventh domain instantiation of the BLADE governance framework and the first hardware root of trust in the family, demonstrating that the same authority and evidence design developed across defense (BLADE-EDGE), automotive (BLADE-AV), maritime (BLADE-MARITIME), critical infrastructure (BLADE-INFRA), orbital (BLADE-SPACE), and counter-UAS (BLADE-CUAS) reference designs applies to securing autonomous AI agents.

Related architectures: SATA · HMAA · CARA · MAIVA · FLAME · ADARA · ERAM

View full research portfolio →