Verifiable Knowledge: The Third Pillar of Trust for Agentic AI
As AI agents evolve from generating responses to making decisions, invoking tools, and taking action across enterprise workflows, trust must extend beyond the model itself. Enterprises need to know that the knowledge an agent relies on is accurate, traceable, governed, and authorized for use. This is the role of Verifiable Knowledge: a new trust layer that proves what an agent knows, where that knowledge came from, and whether the agent had the right to use it.
Bringing this vision to life requires a secure foundation at the infrastructure layer, where data, inference, and agent actions can be protected and verified in silicon.
Today at GTC Taipei, NVIDIA introduced new security innovations for NVIDIA Vera BlueField-4 STX, powered by NVIDIA DOCA. These new capabilities support a new class of secure-by-design AI storage for data, agents, and context memory in silicon. For EQTY Lab, this is more than a product launch. It is the keystone of our three-year body of work with NVIDIA to embed trust in every verifiable AI token.
With this foundation in place, we believe NVIDIA is positioned to become the backbone of the emerging agentic marketplace, which Gartner projects will handle more than $15 trillion in B2B spending by 2028.
Here’s how EQTY brings together all the pieces across the NVIDIA AI stack to create this powerful solution:
Eighteen months ago, we introduced Verifiable Compute, the first hardware-rooted notary system that uses NVIDIA Confidential Computing for AI workflows, capable of issuing certificates of authenticity and compliance for training, inference, and benchmarks.
Earlier this year, we introduced a Verifiable Runtime, extending that trust boundary onto the NVIDIA BlueField DPU and integrating with NVIDIA DOCA Argus to create a dedicated, silicon-based enforcement layer for autonomous agents.
With NVIDIA Vera BlueField-4 STX, we can now introduce Verifiable Knowledge as the third pillar: the layer that proves what an agent or AI system knows, where that knowledge came from, and whether the agent had the right to use it.
The scope for EQTY’s Verifiable Knowledge solution is vast, from gigabytes of RAG data to kilobytes of configuration files. For every data object, large or small, you can now get an independent witness and a control plane backed by NVIDIA DOCA’s unmatched security guarantees.
A good example includes enforcing policies to prevent version drift for the recently introduced NVIDIA-verified agent skills. With our DOCA Argus-powered notary, tamper-evident signals of agent state can be streamed to host-operated secure runtimes like NVIDIA OpenShell and to our Gateway Guardian, which runs on dedicated compute resources on the BlueField DPU. With a network-isolated control plane and host-independent compute engines, BlueField-4 presents a highly resilient platform for implementing real-time agent governance and runtime security at zero cost to host capacity for operating agent workloads.
Other use cases include our work with Accenture to underwrite trust for enterprise agent platforms in which certified skills and agents can be downloaded and exchanged in a next-gen appstore or catalog. Verifiable Knowledge in NVIDIA Omniverse fills a missing data governance solution to track and audit the lineage of synthetic training data or digital twin outputs that must be demonstrable to regulators and partners.
The leap here for enterprises cannot be overstated. As our partners at Accenture posted today, for too long companies have kept proprietary data behind firewalls because it could not be shared safely. Insurance claim histories, clinical trial outcomes, customer archives: all valuable, all stuck in the building. Verifiable Knowledge changes that.
When an agent can verifiably prove what it knows, where the knowledge came from, and what it is licensed to do, the agent itself becomes an asset with its own intrinsic value. With this new layer of trust, an agent can be rented to a partner or syndicated across a supply chain with enforceable contracts that pay out based on verifiable outcomes, unlocking its true pricing potential.
That’s the power of verifiable AI with NVIDIA AI Enterprise. Trusted knowledge and skills convert agents from cost centers into assets that can generate revenue and appreciate in value with every verified deployment.
From DOCA Argus to DOCA Flow to DOCA Vault: The Maturing NVIDIA DOCA Security Stack
To understand what Verifiable Knowledge requires, it helps to trace how the NVIDIA DOCA security stack has matured across three successive layers, each one extending the silicon-rooted trust boundary further into the agentic data path.
DOCA Argus was the starting point. Argus is the runtime threat detection and telemetry microservice that streams security-relevant events from the BlueField's isolated trust domain. It listens for indicators of attack including runtime anomalies, workload integrity violations, unauthorized process execution, unexpected file access and network activity, and can provide telemetry and alerts that can support policy enforcement and response through BlueField and integrated ecosystem security solutions. With Verifiable Runtime, EQTY integrated Argus telemetry into the AI notary, so that every event Argus observes becomes a cryptographically attested entry in the agent's behavioral lineage. The DPU watches; the notary remembers.
DOCA Flow is the next layer outward. Flow is the programmable, hardware-accelerated packet processing capability that processes network traffic between agents, remote resources, and inference pipelines. At line rates up to 800Gb/s, Flow enforces segmentation between agents and the systems they communicate with, without slowing AI inference performance. Whereas DOCA Argus helps answer the question "Is this agent behaving as expected?" Flow provides the hardware-accelerated primitive to enforce permitted agent communications at line rate.
DOCA Vault is the newest addition. Vault is a data security microservice that mediates access to file-based storage according to fine-grained policies and permissions. In effect, Vault converts file-based AI storage into a zero-trust access layer. File access requests, including actions such as open, read and write, can be evaluated against granular authorization policies and enforced in BlueField-4 silicon. Drift, exfiltration, and unauthorized execution are blocked inline, not flagged after the fact by a host-based agent that the attacker may already have compromised.
These three components create a unified, NVIDIA DOCA-powered security stack that can enforce policy on behavior, traffic, and data through a single, coherent, silicon-rooted trust domain. Argus provides visibility into what the agent does. Flow governs what the agent communicates. Vault governs what the agent can access.
Closing the Loop with NVIDIA OpenShell
The DOCA stack handles enforcement at the silicon boundary on the BlueField DPU, but agents live one layer up, inside processes that need their own governance perimeter. That is what NVIDIA OpenShell provides. OpenShell sits between the agent and the host infrastructure it runs on, moving governance out of the agent process and into a separate enforcement plane composed of a sandbox, a policy engine over filesystem, network, and process activity, and a privacy router that controls where inference traffic travels. Controls become structurally enforced rather than behaviorally requested against an AI model.
This is the natural counterpart to Vera BlueField-4 STX. OpenShell governs the agent at the software boundary; Argus, Flow, and Vault govern the resources beneath it at the silicon boundary with dedicated hardware.
Decisions taken by OpenShell, such as which tools an agent may invoke or which data domains it may query, can be presented to EQTY's Gateway Guardian, which runs on dedicated compute resources on the DPU and enforces them via DOCA Flow and Vault. Conversely, attestations produced inside BlueField-4 can be surfaced back to OpenShell to inform sandbox decisions in real time. The result is an agent governance fabric that holds together across the full stack, with no gap between the policy as written and the policy as enforced.
EQTY's Notary Extends DOCA into Verifiable Knowledge
A hardware enforcement layer is necessary but not sufficient. Enforcement ensures that a specific policy is applied, but verifiability allows a counterparty to confirm any process weeks or years later, without rerunning the workload. For example, one agent wants to prove to another party that the report they produced utilized a specific skill, downloaded from a skill marketplace, such as NVIDIA-verified agent skills that carry an NVIDIA-signed certification cryptographically bound to the skill files.
EQTY’s notary takes the security-relevant telemetry and policy signals generated through BlueField-4 and the NVIDIA DOCA security stack (Argus telemetry, Flow's network policy context, Vault's file-access policy decisions) and assembles them into a tamper-evident lineage graph. Each event is hashed, signed by keys held inside the DPU's trust domain, and chained into an integrity record that travels with the agent. The result is a structure we call the integrity graph: a portable, verifiable ledger of every data object an agent has touched, every policy decision that authorized the touch, and every behavioral attestation collected while the agent was acting on that data.
Three conditions become verifiable rather than assumed.
Data is reliable: current, high-quality, and demonstrably fit for the decision at hand. Vault binds policy to the data object itself, so freshness windows, source attestations, and quality scores become enforceable preconditions for access, not metadata that lives somewhere downstream of the agent.
Data is permissioned and licensed: accessible to this agent, for this purpose, under terms that can be enforced rather than assumed. Flow carries the licensing terms into every network exchange, and the notary records each grant and revocation in a form that can be audited by the licensor without revealing the underlying data.
Data is untampered: cryptographically attested from source to point of use, with integrity rooted in mathematics rather than trust. Argus continuously verifies that the workload reading the data is the workload that was authorized to read it, and the notary preserves that attestation long after the inference is complete.
This is the operational meaning of Verifiable Knowledge. Not a metadata layer bolted onto a data lake, but a property of the silicon path itself, proven the moment the agent acts.
AI Factories Become the Backbone for Agentic Markets
What does this make possible? It changes the unit of value in the AI economy.
For two decades, enterprise data strategy has chased a single goal: get more data into more pipelines, more cleanly. The data fabric unified disparate sources into a governable plane. The data mesh pushed stewardship into the domains that understood it best. Both assumed the consumers of data were a person, a dashboard, or a model running on a predictable schedule. Agentic AI breaks that assumption. Autonomous agents read, write, reason, and act on enterprise data continuously, and every decision compounds into the next. A single poisoned or stale input does not stay isolated. It propagates, and the cost of correction grows with every downstream action.
The enterprises that have spent years curating proprietary datasets — insurance claims histories, clinical trial outcomes, supply chain telemetry, customer interaction archives — face a challenge. The data is valuable, but its value cannot leave the building because, once it does, it cannot be governed. An agent trained on it inherits the value but inherits the same constraint.
With Verifiable Knowledge, the calculus inverts. An agent grounded in cryptographically attested data can be exchanged with a partner, licensed across a supply chain, or listed in a marketplace alongside complementary agents from other enterprises, because every interaction it has with the licensee's environment is still policy-checked in Vault, still inspected by Flow, still attested by Argus. The cryptographic terms travel with the agent and are enforced in silicon that the licensee cannot reach.
The result is a new architecture for an agentic market. Continuous, hardware-rooted governance makes it possible for the value locked in proprietary knowledge to circulate safely and, more importantly, to be priced based on what it can be proven to deliver rather than what its owner claims it delivers. Counterparties no longer have to take an agent's capabilities on faith, nor do they have to choose between disclosing their data to participate and keeping it inert behind a firewall. They can transact on proofs.
The economic consequences of that shift are immense. Attribution becomes possible at object granularity, so contributors to an agent's knowledge base (the data owners, the curators, the infrastructure providers) can be compensated when the agent produces results, rather than paid once at acquisition and forgotten. Valuation becomes dynamic and outcome-based, reflecting the freshness of the data the agent is grounded in, the breadth of authorized use, and the quality scores attested at the point of access. Markets that today cannot exist, for licensed clinical reasoning agents, for syndicated supply chain agents, for cross-jurisdictional agents, become feasible, because the terms that govern them are enforceable rather than theoretical.
AI Factories can now underwrite that market. NVIDIA Vera BlueField-4 STX is the secure-by-design AI storage foundation. NVIDIA DOCA Argus, Flow, and Vault are the security building blocks. EQTY's notary is the proof layer that turns enforcement into evidence, evidence into value, and value into something an agent can carry across organizational boundaries without losing its provenance.
What Comes Next
Verifiable Compute showed that AI workflows could be cryptographically secured. Verifiable Runtime demonstrated that autonomous agents could be governed in silicon in real time by relying on control-plane isolation and novel remote observability. Verifiable Knowledge, delivered now on the NVIDIA Vera BlueField-4 STX, proves that the data those agents act on can carry its own integrity, its own license, and its own price.
The future of enterprise value is not measured solely in the data you accumulate. It is measured in the agents you can prove are worth trusting.