AI safety research lab

ZeroProof AI

The verification layer for AI agents

AI agents are beginning to act on people’s behalf. We make every one of those actions verifiable.

Customer

“There’s an $81.40 charge from Amazon I never made, I want it refunded.”

Intent

zeroproof-ecommerce-1b

Typereverse · refund
Amount$81.40
Confidence0.85

Proof

Verified

Signed by the agent and the tool server.

sha256:7f3a…1b2

A refund request is read as an intent, and the resulting action is attested.
01

Research

Language models are already capable of transacting on a person’s behalf, and financial errors are where tolerance for AI mistakes ends: no platform lets a model move money on its own account.

The barrier is not capability but verification.

Delegation becomes safe when three questions can be answered about any agent action:

  1. 01What is the agent about to do?
  2. 02Is it aligned with what the user intended?
  3. 03Did the agent actually execute it?

Our research answers the first two before execution, by reading intent from the conversation, and the third after it, with a cryptographic proof. The result is a verification layer in which every answer is a signed, independently checkable claim.

02

Our Work

Intent Detection

We train small models that recover a customer’s true intent from conversation, before an agent acts on it.

Flow of one transaction through the verification layer: a user refund request, the agent's proposed refund call, the intent read and amount check passing in the ZeroProof layer, the rails issuing the refund, a signed proof, and a hallucinated purchase blocked at the layer before it reaches the rails
One transaction through the verification layer: intent read before execution, a signed proof issued after, and a mismatched action stopped before it reaches the payment rails.

Behavioral Attestation

We build the cryptographic record of what an AI system did and produced. Each action carries a zkTLS proof signed by both the agent and the tool server.

A content supply chain shown without and with attestation: without, liability pools at the publisher with fines to 15 million euros or 3 percent of turnover; with, every provider registers a signed attestation and the publisher verifies against the registry before publishing, receiving an allow-with-label decision
The same primitive applied to content: each hop signs what it produced, the publisher verifies before publishing, and the disclosure the AI Act requires is carried as verifiable evidence.
03

Models and results

Two models fine-tuned for e-commerce payment intent: rank-16 QLoRA adapters over gemma-3-1b-it and qwen2.5-0.5b-instruct, served from a single L4 behind an OpenAI-compatible vLLM endpoint. Weights, training data, and the evaluation set are on Hugging Face.

Accuracy vs cost to serve

Near-frontier accuracy at about 1/100th the cost.

1007550250$0.10$1$10$ per 1M output tokens, log scalegemma-1bGPT-5Sonnet 5Opus 4.8Zzeroproof-ecommerce-1b$0.18 per 1M

Macro intent-type accuracy (%), identical balanced held-out rows for all models. Frontier cost at published list prices; ZeroProof cost from measured throughput on a single L4.

The same data trains zeroproof-ecommerce-0.5b to within five points at half the size.