Existing cryptographic protocols struggle to effectively establish, constrain, and revoke persistent trust relationships between humans and probabilistic AI agents. This work proposes the first continuous delegation model tailored for probabilistic AI and designs and implements a post-quantum secure continuous delegation protocol. The protocol integrates one-time signature certificates (based on ML-DSA-87), a zero-overhead boundary enforcement engine, a sub-second push-based revocation mechanism, and a SHA-256-backed verifiable chain of accountability. Formally verified using Tamarin Prover, the protocol achieved 79.5% autonomous execution, 6.1% human escalation, and 14.4% blocking in 100,000 simulation runs. Furthermore, five rounds of adversarial auditing identified and remediated twelve cross-tier vulnerabilities, substantially overcoming the limitations of traditional authorization protocols in dynamic AI environments.

The rapid deployment of AI agents acting autonomously on behalf of human principals has outpaced the development of cryptographic protocols for establishing, bounding, and revoking human-AI trust relationships. Existing frameworks (TLS, OAuth 2.0, Macaroons) assume deterministic software and cannot address probabilistic AI agents operating continuously within variable trust boundaries. We present AITH (AI Trust Handshake), a post-quantum continuous delegation protocol. AITH introduces: (1) a Continuous Delegation Certificate signed once with ML-DSA-87 (FIPS 204, NIST Level 5), replacing per-operation signing with sub-microsecond boundary checks at 4.7M ops/sec; (2) a six-check Boundary Engine enforcing hard constraints, rate limits, and escalation triggers with zero cryptographic overhead on the critical path; (3) a push-based Revocation Protocol propagating invalidation within one second. A three-tier SHA-256 Responsibility Chain provides tamper-evident audit logging. All five security theorems are machine-verified via Tamarin Prover under the Dolev-Yao model. We validate AITH through five rounds of multi-model adversarial auditing, resolving 12 vulnerabilities across four severity layers. Simulation of 100,000 operations shows 79.5% autonomous execution, 6.1% human escalation, and 14.4% blocked.