PockotPockot 珀刻機

Pockot

Offline Agents Still Need a Trust Model

Research Note: Offline Agents Still Need a Trust Model

Question

Removing the cloud does not remove risk. An offline agent can still mishandle private data, follow malicious instructions in documents, run unsafe local tools, or produce unreliable outputs. Pockot needs a trust model that starts before autonomy.

Source-Backed Data Points

  • NIST's AI Risk Management Framework is intended to help organizations incorporate trustworthiness considerations into AI design, development, use, and evaluation. Source: NIST AI RMF.
  • The NIST AI RMF 1.0 PDF lists trustworthy AI characteristics including valid and reliable, safe and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed. Source: NIST AI RMF 1.0 PDF.
  • OWASP's LLM Top 10 lists risks such as prompt injection, unsafe output handling, training-data poisoning, model denial of service, and supply-chain vulnerabilities. Source: OWASP LLM Top 10.

Reading

An offline device has a better privacy posture in one sense: no default cloud round trip. But privacy is not the only trust property. The user still needs to know what sources are loaded, which tools the agent can call, whether the model can write files, how logs are stored, and how to reset state after a bad interaction.

Prompt injection matters even offline because documents can contain instructions. If the local assistant reads a manual, email export, web archive, or source pack, it may encounter text that tries to override the user's intent. The device needs a rule that untrusted content is data, not authority.

The trust model should be boring and mechanical: source registry, tool permission list, offline log, model/version label, rollback, and a refusal boundary. Without those, "off-grid" only means the failure happens locally.

Tool Rule

The calculator should not output an autonomy score. It should output readiness gaps: missing source registry, missing rollback, missing tool permissions, missing update path, or missing audit log. Offline does not equal trustworthy.