On the day Pipkin published its inaugural ratings, the four highest-profile AI agents in the world received scores of 73, 65, 61, and 47. Claude achieved VERIFIED status at 73. ChatGPT and Gemini were rated CAUTIONED at 65 and 61, respectively. Grok was rated FLAGGED at 47. None came close to the 85-point threshold required for TRUSTED — the tier that signifies an agent is safe for autonomous deployment.
The TRUSTED tier is empty. This is the most important finding from the inaugural cycle, and it warrants detailed analysis.
THE 85-POINT THRESHOLD
A Pipkin score of 85 requires strong performance across all five pillars simultaneously. The composite formula — (DA x 0.25) + (FC x 0.25) + (BD x 0.20) + (AU x 0.15) + (AR x 0.15) — means there is no single pillar that can carry an agent to TRUSTED on its own. Even a perfect score of 100 on Decision Accuracy contributes only 25 points to the composite. An agent must perform well everywhere.
To illustrate: an agent scoring 90 on DA, 90 on FC, 85 on BD, 80 on AU, and 80 on AR would achieve a composite score of exactly 86.0 — barely crossing the TRUSTED threshold. Those are exceptionally strong scores across every pillar. No agent in the inaugural cycle came close to this profile.
THE PILLAR-LEVEL PICTURE
Examining the inaugural results by pillar reveals where the gaps are widest.
Decision Accuracy ranged from 54 to 78 across the four agents. This was the strongest pillar overall, which is expected — DA is the dimension that AI developers have optimized most aggressively and that existing benchmarks measure most directly. The leading agent's DA score of 78 is within striking distance of what would be needed for a TRUSTED composite, but DA alone cannot carry the score.
Failure Containment ranged from 42 to 76. This pillar showed the widest variance and proved to be a strong differentiator between agents. The agents that handled failures gracefully — degrading rather than catastrophically collapsing, surfacing clear error messages rather than confident wrong answers — separated themselves meaningfully from those that did not. The leading FC score of 76 is respectable but still below the ~85 level that a TRUSTED profile would require.
Boundary Discipline ranged from 46 to 80. As discussed in our earlier analysis of the BD pillar, this was one of the most revealing dimensions. The variance here reflects different design philosophies about when agents should refuse requests versus attempt them. Agents optimized for helpfulness above all else scored lower. Agents with more conservative scoping scored higher. No agent achieved a BD score above 80.
Auditability ranged from 50 to 68. This was the weakest pillar across the board and represents the most significant structural barrier to TRUSTED status. Auditability measures whether an agent's decision-making process can be understood, traced, and verified after the fact. It encompasses reasoning transparency (does the agent explain its logic?), decision logging (are decisions recorded in a reviewable format?), and reproducibility (does the same input produce consistent behavior?). The low AU scores reflect a fundamental limitation of current large language model architectures: they are, by design, difficult to audit. Their reasoning processes are not transparent. Their outputs are stochastic. Their decision paths cannot be traced with the same rigor possible in rule-based systems.
Adversarial Resistance ranged from 44 to 64. This was the pillar with the lowest ceiling. No agent achieved a score above 64, and the lowest score of 44 sits above the pillar minimum cap at 30. The AR pillar evaluates resistance to 41 standardized adversarial test vectors including prompt injection, jailbreaking, role-play exploitation, and data exfiltration attempts. The results confirm what security researchers have documented independently: current AI agents are fundamentally vulnerable to adversarial manipulation. The defenses are improving, but they remain porous.
THE TWO STRUCTURAL BARRIERS
The data points to two pillars that are structurally preventing any agent from reaching TRUSTED: Auditability and Adversarial Resistance. These are not pillars where agents need incremental improvement. They are pillars where the current state of the art has fundamental gaps.
The Auditability gap is architectural. Large language models process information through billions of parameters in ways that resist human interpretability. When an LLM-based agent makes a decision, the reasons for that decision cannot be fully extracted or verified. Techniques like chain-of-thought prompting improve the appearance of transparency but do not provide true auditability — the stated reasoning may not reflect the actual computational process that produced the output. Closing the AU gap requires either advances in mechanistic interpretability or architectural innovations that build verifiable reasoning traces into the model's operation. Neither is imminent.
The Adversarial Resistance gap is more nuanced. Current agents are vulnerable to adversarial attacks because their instruction-following capabilities — the same capabilities that make them useful — can be exploited. An agent that follows instructions well will also follow adversarial instructions if they are sufficiently well-disguised. The defense mechanisms available today (system prompts, safety training, input filtering) are effective against naive attacks but consistently fail against sophisticated adversarial pressure. AR scores will improve as defense techniques mature, but the attacker-defender dynamic means that this pillar is likely to remain a moving target.
WHAT TRUSTED WOULD REQUIRE
Based on the inaugural data, we can project what an agent would need to achieve TRUSTED status.
Decision Accuracy: 88+ is achievable with current architectures, given continued improvement in training data quality and reasoning capabilities. This is the most tractable gap.
Failure Containment: 85+ requires robust error handling, graceful degradation, and reliable self-monitoring. This is achievable with engineering investment but requires deliberate design for failure rather than optimization for success.
Boundary Discipline: 82+ requires well-defined operational boundaries, consistent refusal of out-of-domain requests, and resistance to scope creep. This is a training and design challenge that current approaches can address, though it requires accepting some reduction in apparent helpfulness.
Auditability: 75+ would be sufficient given strong scores elsewhere, but even 75 represents a significant advance from the current ceiling of 68. This requires investment in interpretability, logging, and reproducible behavior — areas that are active research topics but not yet production-ready at the required quality level.
Adversarial Resistance: 75+ similarly requires meaningful advances in robustness to adversarial manipulation. The current ceiling of 64 suggests that incremental improvement is possible, but reaching 75 likely requires new defensive architectures rather than refinements of existing approaches.
TIMELINE PROJECTION
When will the first agent achieve TRUSTED? Our analysis suggests that the bottleneck is not any single pillar but the requirement for simultaneous strength across all five. An agent that achieves breakthrough improvements in auditability may still be held back by adversarial resistance. An agent that solves adversarial defense may lack sufficient boundary discipline.
Based on current improvement trajectories, our projection is that the first TRUSTED rating is 18 to 30 months away — contingent on meaningful progress in both auditability and adversarial resistance. If interpretability research accelerates, this timeline could compress. If adversarial techniques advance faster than defenses, it could extend.
THE ENTERPRISE IMPLICATION
For enterprise decision-makers, the empty TRUSTED tier has a clear and immediate implication: no AI agent currently available should be deployed in fully autonomous mode without human oversight. The best available agent — Claude at VERIFIED 73 — has demonstrated reliability with standard oversight. But VERIFIED is not TRUSTED. It means the agent has earned a degree of confidence, not complete confidence.
This does not mean agents should not be deployed. It means they should be deployed with appropriate safeguards. VERIFIED agents warrant streamlined oversight — periodic review rather than continuous monitoring. CAUTIONED agents require active safeguards. FLAGGED agents should not be deployed without significant risk mitigation.
The TRUSTED tier exists as a benchmark, not a current reality. When an agent achieves it, that will signal a genuine inflection point in AI agent capability and safety. Until then, the rating is the guide, and the guide says: trust, but verify.