What is VIRP?

VIRP (Verified Infrastructure Response Protocol) is an open standard for trustworthy AI on live infrastructure.

Every action an AI agent takes on a real network produces a cryptographically signed observation — a tamper-evident record of exactly what the device said, when it said it, and what command produced it. No fabrication. No ambiguity. No “trust me.”

VIRP is built on three principles:

1. The AI is an untrusted principal.
Not because it’s malicious. Because trust must be structural, not assumed. An AI that could forge an observation but chooses not to is less trustworthy than an AI that cannot forge one by design.

2. Signed observations, not signed promises.
HMAC-SHA256 signing at the moment of collection. Two-channel separation between what the network said (Observation) and what the AI intends to do (Intent). A chain of custody for every interaction.

3. Cryptographic proof over policy compliance.
Policies can be bypassed. Cryptographic boundaries cannot. VIRP enforces trust at the architecture level — not the instruction level.

The Seven Trust Primitives

VIRP defines seven primitives that together constitute a complete trust framework for AI on infrastructure:

Primitive             What It Guarantees
--------------------  ------------------------------------------------------------
Verified Observation  Device output is cryptographically signed at collection. Cannot be fabricated.
Tiered Authorization  Every action is classified GREEN / YELLOW / RED. RED requires human approval.
Verified Intent       Intent is signed and bound to evidence before execution begins.
Verified Outcome      Pre and post state are automatically captured and compared.
Baseline Memory       Deviations from known-good state are detected and flagged.
Trust Chain           Every interaction is appended to a tamper-evident chain. Append-only.
Agent Containment     The AI process is structurally isolated from key material, credentials, and direct device access.

Primitive 7 — Agent Containment — was added as a direct result of our red team findings. It didn’t exist in the original spec. We found the gap and closed it.
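
An added sketch (not code from the VIRP RFC or its reference implementation) of how the Verified Observation and Trust Chain primitives fit together: a collector that holds the HMAC-SHA256 key signs each observation and links it to the previous record's MAC, and a verifier reports the first record that breaks the chain. The record fields, the genesis value, the key and the sample device output are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor value for the first record's "prev" field
KEY = b"constructed-demo-key"  # constructed; held only by the collector and verifier


def _mac(key, body):
    # Canonical JSON so signer and verifier authenticate identical bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Collector:
    """Runs outside the AI process: holds the key and signs device output."""

    def __init__(self, key):
        self._key, self._prev, self._seq = key, GENESIS, 0

    def observe(self, device, command, output, ts):
        # Field names are assumptions for this sketch, not the VIRP wire format.
        body = {"channel": "observation", "seq": self._seq, "ts": ts,
                "device": device, "command": command, "output": output,
                "prev": self._prev}
        record = dict(body, mac=_mac(self._key, body))
        self._prev, self._seq = record["mac"], self._seq + 1
        return record


def verify_chain(key, chain):
    """Return the index of the first invalid record, or -1 if all verify."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "mac"}
        ok = hmac.compare_digest(_mac(key, body), str(rec.get("mac", "")))
        if not ok or body.get("seq") != i or body.get("prev") != prev:
            return i
        prev = rec["mac"]
    return -1


def sample_chain():
    # Constructed observations, not captured from real devices.
    c = Collector(KEY)
    return [c.observe("fw1", "get system status", "Version: constructed", 1700000000),
            c.observe("fw1", "get system interface", "port1 up", 1700000005),
            c.observe("rtr1", "show ip route", "0.0.0.0/0 via 10.0.0.1", 1700000010)]
```

verify_chain returns -1 for the untouched sample and the index of the first bad record when an output is edited or a record is removed or reordered. Dropping records from the tail leaves a shorter chain that still verifies, so a verifier also has to know the expected head MAC or record count.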

Current Status

VIRP RFC
draft-howard-virp-01 — 2,278 lines. Threat model, formal security properties, observation freshness, multi-node coordination, protocol versioning, conformance requirements. Published with DOI on Zenodo.

Reference Implementation
Open source reference implementation. Apache 2.0. Running against FortiGate 200G, Cisco IOS, Linux hosts in production lab. 42 passing tests + 200K+ fuzz rounds on the C core.

Why This Matters

Vendors are shipping AI for networks right now. Cisco has it. Palo Alto has it. Fortinet has it. None of them have published a cryptographic trust model for what the AI is allowed to observe, what it’s allowed to do, and how you prove it stayed within bounds.

VIRP is that model. Open standard. Vendor-neutral. Designed to be implemented by the platforms that already own your network — not to replace them.

The goal is to be BGP, not EIGRP. Open protocol, not proprietary lock-in.

VIRP is active research. The findings on this page are from live testing on real infrastructure. The gaps were found intentionally. The fixes are being built.