Current LLM-based autonomous agents operating in sensitive domains (e.g., finance, governance) rely on untrusted host infrastructure, exposing them to tampering risks—of the model, inputs, or outputs—thereby undermining verifiable autonomy. This paper proposes VET, the first framework enabling host-independent, cryptographically verifiable autonomous execution. VET introduces the Agent Identity Document (AID), a standardized metadata schema for agent identity and policy; integrates Trusted Execution Environments (TEEs), succinct zero-knowledge proofs (zk-SNARKs), and TLS session attestation (“Web Proofs”) into a composable verification stack; and achieves tamper-proof output certification within an API-proxy architecture. Experiments show Web Proofs incur less than 3× overhead, and the TEE proxy maintains compatibility with public APIs. A production-deployed verifiable transaction agent demonstrates VET’s practicality and engineering feasibility under real-world workloads.

Recent advances in large language models (LLMs) have enabled a new generation of autonomous agents that operate over sustained periods and manage sensitive resources on behalf of users. Trusted for their ability to act without direct oversight, such agents are increasingly considered in high-stakes domains including financial management, dispute resolution, and governance. Yet in practice, agents execute on infrastructure controlled by a host, who can tamper with models, inputs, or outputs, undermining any meaningful notion of autonomy. We address this gap by introducing VET (Verifiable Execution Traces), a formal framework that achieves host-independent authentication of agent outputs and takes a step toward host-independent autonomy. Central to VET is the Agent Identity Document (AID), which specifies an agent's configuration together with the proof systems required for verification. VET is compositional: it supports multiple proof mechanisms, including trusted hardware, succinct cryptographic proofs, and notarized TLS transcripts (Web Proofs). We implement VET for an API-based LLM agent and evaluate our instantiation on realistic workloads. We find that for today's black-box, secret-bearing API calls, Web Proofs appear to be the most practical choice, with overhead typically under 3$ imes$ compared to direct API calls, while for public API calls, a lower-overhead TEE Proxy is often sufficient. As a case study, we deploy a verifiable trading agent that produces proofs for each decision and composes Web Proofs with a TEE Proxy. Our results demonstrate that practical, host-agnostic authentication is already possible with current technology, laying the foundation for future systems that achieve full host-independent autonomy.