
One Week, Five Trust Stacks for Autonomous Software — and One More

OKX, Stripe, Experian, Microsoft, Salesforce, Anthropic and SAP gave very different answers to the same question within three weeks. None of them solves the DACH problem.


What this is about

Within three weeks, from 14 April to 4 May 2026, seven very different houses gave their own answers to the same question: how do you trust autonomous software that, in the name of a company, signs contracts, places orders, exchanges data and moves money?

  • OKX launched the Agent Payments Protocol (APP) on 29 April — a settlement layer for autonomous payment flows across twenty blockchains (crypto.news).
  • Stripe unveiled around 288 announcements at Sessions 2026 on 28/29 April, including a CLI-based provisioning layer for autonomous software, together with Vercel, Supabase, Twilio, ElevenLabs, WorkOS and nine other vendors (Stripe Newsroom, Stripe Blog).
  • Experian announced “Agent Trust” on 30 April — a KYA framework (“Know Your Agent”), trust tokens, agent registry, alliance-capable with Visa, Cloudflare and Skyfire (Experian Newsroom).
  • Microsoft brought Agent 365 to general availability on 1 May — and with it shifted from a pure enterprise identity layer to a stated control plane over foreign stacks: AWS Bedrock, Google Cloud, plus third-party software from Genspark, Zensai, Egnyte, Zendesk, Kasisto, Kore and n8n are pre-configured for management (Microsoft Security Blog, Microsoft 365 Blog).
  • Salesforce added native observability and automated testing for Agentforce to the Einstein Trust Layer at TDX 2026 (Salesforce Developers).
  • Anthropic introduced an identity check for end users on 14 April as the first firm in its segment: photo ID plus selfie via Persona Identities (Apiyi help). In addition, a systemic vulnerability in the STDIO variant of the Model Context Protocol (MCP), carrying remote-code-execution risk, was publicly documented in spring 2026 (OX Security); details in the Anthropic section below.
  • SAP closed two strategic acquisitions in early May: Dremio (Apache Iceberg-native lakehouse) and Prior Labs from Freiburg (Tabular Foundation Model TabPFN-2.5, complementing SAP’s own RPT-1). Together with the Reltio acquisition closed in March (master data management), this creates the most complete data stack behind a single application layer to date: Joule (conversation) → SAP AI Core (RPT-1 + TabPFN) → Business Data Cloud (Iceberg-native) → Reltio. Investment volume over four years: more than one billion euros (SAP News, Techzine).

Seven houses, seven answers, three weeks. Anyone trying to set up a German mid-sized company to put autonomous software into production for logistics, accounting, scheduling or compliance preparation has a problem: none of these stacks covers what is actually needed in the DACH region.

This piece explains why.

The trust-stack map, sorted

To keep the comparison fair, a word on layering. Autonomous software has, simplified, seven layers at which trust can be anchored:

Layer            | Question                                        | Who addresses it?
-----------------|-------------------------------------------------|---------------------------------------------------------
Data foundation  | What does it access?                            | SAP Business Data Cloud + Dremio + Reltio (new, 04.05.)
Identity         | Who is this software?                           | Microsoft Entra Agent ID, Experian Agent Trust
Provisioning     | Where does it run, what is it connected to?     | Stripe Projects
Observation      | What does it do, across all stacks?             | Microsoft Agent 365 (new claim from 01.05.)
Permission       | Is it actually allowed?                         | Salesforce Einstein Trust Layer (in the walled garden)
Business process | Does this make economic/legal sense?            | largely open
Settlement       | Who carries the money, with what proof chain?   | OKX APP, Stripe Payment Tokens

The layer in the middle — business process — is the one that fails every day in DACH mid-market. This is exactly where the architecture we are building at HEINI starts. Before we get there, a sober look at the houses.

SAP Joule + Dremio + Prior Labs + Reltio — the data layer in enterprise full kit

With the May 2026 acquisitions, SAP has placed the bet that autonomous software in enterprises is above all a data problem: without a clean lakehouse, without a tabular foundation model, without master data consolidation, Joule runs on mixed data and produces mixed results.

The solution: Dremio delivers the Iceberg-native lakehouse. Prior Labs from Freiburg delivers, with TabPFN-2.5, the tabular foundation model — specifically for structured enterprise data, complementing SAP’s own RPT-1. Reltio delivers the master data layer. Joule becomes the conversation layer on top. Investment volume over four years: more than one billion euros.

What this solves: enterprise IT leaders who have lived in S/4HANA and Business Suite for twenty years get a vertically integrated stack with a clear roadmap.

What this does not solve: the mid-market. The stack requires an SAP data foundation, a migration project to Business Data Cloud, a consolidation project for master data, and a licensing model priced at enterprise scale. For a company with 250 to 2,000 employees that does not run S/4HANA, this is not an accessible layer.

And: this stack also does not address the question whether a planned action by a digital colleague has been checked before execution against the competence profile of the respective function. SAP consolidates data and application. The provability layer — hash chains, external anchoring, selective disclosure, pre-flight permission — remains open.

OKX Agent Payments Protocol — the money layer

OKX has built a self-custodial settlement wallet that runs in a sealed hardware environment, speaks to twenty chains and settles via X Layer (an OKX-native zk-rollup). The functional scope is impressive: quoting, negotiation, escrow, settlement and dispute mechanism — all along smart contracts. Partners include the Ethereum Foundation, Base, Sui, Aptos and Optimism (crypto.news).

What this solves: the question of how autonomous software moves money without humans approving every transaction individually.

What this does not solve: whether the transaction is economically or legally permissible in the first place. APP is a pure settlement layer. For a German company that needs invoices compliant with §14 UStG, a verifiable GDPR deletion chain or a GoBD-compliant immutable record, this is a tool, not a solution.

OKX does not primarily address DACH mid-market logic.

Stripe Projects — the provisioning layer

Stripe centred Sessions 2026 around the concept of Vibe Deploying. On the Stripe Sessions stage the line came up: “Vibe coding is so 2025. The leading edge is now in vibe deploying” (Stripe Blog).

In concrete terms: a single command line is enough to spin up a Vercel front, a Supabase database, a Daytona backend, an Algolia search index, an ElevenLabs voice, a Render worker, a Twilio number, a Sentry tracker, a WorkOS tenant, a Browserbase browser and a GitLab repository at the same time — with Stripe acting as the trust anchor for billing across all participants (Stripe Newsroom).

Add to that Stripe Console for autonomous execution, claimable sandboxes, custom objects, workflows in general availability and guardrails for autonomous purchases.

What this solves: the bottleneck that every new productive software component needs its own contract, its own authentication and its own billing.

What this does not solve: the question whether the software being deployed is allowed to do anything at all in the concrete enterprise context. Stripe is a horizontal layer — it does not know that the freight forwarder from Münster is only allowed to release an order if a specific commission plan is in place, a safety data sheet check has been completed and the managing director has signed off in a four-eyes principle.

Experian Agent Trust — the identity and reputation layer

Experian relies on four building blocks: a “Know Your Agent” framework, a binding between human principal and autonomous software, an “Agent Trust Token” and a central registry. Alliance partners are Visa (Trusted Agent Protocol), Cloudflare (Network Edge) and Skyfire (KYAPay) (Experian Newsroom).

What this solves: the reputation problem on the open web — how does an online merchant know whether the software trying to place an order is attributable to a serious principal?

What this does not solve: the GDPR problem. Experian is a data house, and reputation building requires behavioural observation. Anyone in the DACH region who takes the right to be forgotten seriously, as German authorities increasingly do, cannot place an architecture at the top of their stack that by construction builds behavioural histories and runs on vendor infrastructure that may fall under US CLOUD Act jurisdiction. On top of that, the trust-token format is proprietary: signing up there means signing up to a walled garden.

Microsoft Entra Agent ID + Agent 365 GA — the claim to the control plane

Microsoft has acted in two steps. Step one, running for some time: autonomous software gets a Service Principal in Microsoft Entra ID. Instead of holding its own long-lived credentials, it is governed by an Agent Identity Blueprint that manages them, together with Federated Identity Credentials. Conditional Access for Agents (Public Preview) and Entra ID Protection for Agents complete the identity line (Microsoft Tech Community, Microsoft Learn).

Step two, from 1 May 2026: Agent 365 is generally available — and with this Microsoft declares itself the control plane over all other stacks. Concretely this means (Microsoft Security Blog):

  • Registry sync with AWS Bedrock and Google Cloud in public preview — Microsoft now inventories autonomous software that does not even run in Microsoft environments.
  • Shadow software discovery on Windows devices via Defender and Intune — explicitly named: OpenClaw, GitHub Copilot CLI, Claude Code.
  • Pre-configured third-party software — Genspark, Zensai, Egnyte, Zendesk plus builder platforms Kasisto, Kore and n8n become manageable without proprietary integration.
  • Windows 365 for Agents as a cloud-PC class for autonomous workloads, US-only for now.
  • Network Controls via Entra for Microsoft Copilot Studio and on-device local software — including block lists and data-flow control.

Five core functions are officially marketed: Registry, Access Control, Visualization, Interoperability, Security (Microsoft 365 Blog, Constellation Research).

What this solves: identity hygiene, delegation chains and a vendor-spanning visibility layer in an enterprise that already lives in Microsoft environments. For IT leaders who have to tame in-house sprawl, this is by far the most complete offering of these weeks.

What this does not solve: no cryptographically provable deletion process under GDPR Article 17 in a three-stage chain across multiple stores; no external, justiciable audit anchor outside the Microsoft trust circle; no vendor-spanning identity that also persists when a German mid-market company switches from Microsoft to open source; no pre-flight check whether a planned business decision even falls within the responsibility of the respective software unit.

And one thing that weighs heavily in the DACH region: there is no option that serves a Swiss or Austrian client without extraterritorial access risk. Anyone using Agent 365 as a control plane accepts that every inventory, every piece of telemetry and every blocking decision runs on US enterprise infrastructure.

Salesforce Einstein Trust Layer — the walled-garden layer

Salesforce has built an architecture with the Einstein Trust Layer that combines five building blocks: data anchoring in the CRM, masking of personal data, toxicity detection, audit trail and zero-data-retention agreement with the underlying vendors (OpenAI, Azure). At TDX 2026, native observability and automated testing for Agentforce were added (Salesforce Developers).

What this solves: the main fear of CRM leaders — that customer data ends up in training data or gets pulled out of the CRM context.

What this does not solve: the vendor-spanning world. Anyone running Salesforce for CRM, SAP for ERP and a proprietary industry tool for production — i.e. the typical German mid-market company from 250 employees up — finds no vendor-spanning identity layer in the Salesforce Trust Layer that reaches beyond their own walls. And: here too no cryptographically provable forget process, no external audit anchor, no W3C-DID cross-vendor identity.

Anthropic — the instructive outlier

Two data points from the past weeks are instructive.

First: since 14 April Anthropic requires an identity check from end users in certain configurations via Persona Identities — photo ID and selfie (Apiyi help). This is bold and right in the sense of responsibility attribution. But it solves the wrong problem: it checks the identity of the human in front of the screen, not the identity and rights of the autonomous software that subsequently acts in their name.

Second: in spring 2026 a systemic vulnerability in the STDIO variant of the Model Context Protocol (MCP) was publicly documented, with risk of remote code execution (OX Security). A full fix at the protocol root had not been delivered by the editorial cut-off.

Takeaway for DACH mid-market: anyone betting on MCP architectures takes on supply-chain responsibility whose depth no one can seriously estimate today. A German company that has to defend itself against §43 GmbHG managing-director liability is on shaky ground with the argument “the standard wasn’t mature yet” in a dispute.

What none of the seven solves

If you put the seven stacks side by side — SAP Joule/Dremio/Prior Labs/Reltio included — a common gap stands out. None of them delivers:

  1. A vendor-spanning, cryptographically anchored identity per autonomous software unit that aligns with a W3C-DID standard and persists across vendor switches.
  2. A cryptographically provable deletion process under GDPR Article 17, reaching across at least three storage layers — working memory, vector index, long-term storage — and proving forgetting not by deletion but by an irrefutable differential record.
  3. An external, vendor-independent audit anchor that records the decisions of autonomous software in a publicly verifiable order — justiciable under German law, checkable by a second piece of software without consulting the vendor.
  4. A pre-check of every planned action against a stored competence profile, before the action is executed — i.e. a may-do, not just a can-do logic.
  5. An asset-spanning consistency layer that ensures one and the same business event happens only once across multiple chains and multiple backends.

Points 1 to 5 are exactly the five pillars HEINI is architecturally built on from day one.

And they are exactly the layer that is missing between Stripe (provisioning), OKX (settlement), Microsoft Agent 365 (control plane), Salesforce (walled-garden permission) and SAP Joule/Dremio/Prior Labs (data consolidation).
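To make points 2 to 4 concrete, here is an added illustration in Python. It is not HEINI's code and not any vendor's; the worker identifier, the competence profile, the attestation names and the three in-memory stores are assumptions constructed for the example. It shows a may-do check that runs before execution (point 4), an append-only hash chain whose head can be handed to an external anchor and re-verified by a second party without consulting the writer (point 3), and a forget operation across three stores that records a differential (state hashes and counts) instead of the data itself (point 2). Points 1 and 5 are not covered here.

```python
"""Added illustration of points 2 to 4: a may-do check, a hash-chained audit
trail and a differential forget record. Not HEINI's code; every name, rule
and identifier below is an assumption for the example."""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64


def canonical(obj) -> bytes:
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CompetenceProfile:
    """What a function worker MAY do, as distinct from what it technically CAN do."""
    worker_id: str
    allowed_actions: frozenset
    max_amount_eur: float
    required_attestations: dict  # action -> set of attestations that must be present


# Constructed profile for the freight-forwarder scenario in the text (assumed values).
FORWARDER_PROFILE = CompetenceProfile(
    worker_id="did:example:worker-logistics-01",  # placeholder, not a registered DID
    allowed_actions=frozenset({"request_quote", "release_order"}),
    max_amount_eur=25_000.0,
    required_attestations={"release_order": {"commission_plan", "sds_check", "four_eyes"}},
)


def preflight(profile: CompetenceProfile, action: str, amount_eur: float,
              attestations: set) -> tuple[bool, list[str]]:
    """May-do check run BEFORE execution; returns (allowed, reasons for refusal)."""
    reasons = []
    if action not in profile.allowed_actions:
        reasons.append(f"action {action!r} not in competence profile")
    if amount_eur > profile.max_amount_eur:
        reasons.append(f"amount {amount_eur} exceeds limit {profile.max_amount_eur}")
    missing = profile.required_attestations.get(action, set()) - set(attestations)
    if missing:
        reasons.append("missing attestations: " + ", ".join(sorted(missing)))
    return (not reasons, reasons)


class AuditChain:
    """Append-only hash chain. The head hash is what you would anchor externally
    (timestamping service, public ledger) so the writer cannot rewrite history."""

    def __init__(self):
        self.entries = []
        self.head = GENESIS

    def append(self, kind: str, payload: dict) -> dict:
        body = {"seq": len(self.entries), "prev": self.head, "kind": kind, "payload": payload}
        entry = dict(body, hash=sha256(canonical(body)))
        self.entries.append(entry)
        self.head = entry["hash"]
        return entry

    def verify(self) -> bool:
        """A second party re-checks the chain without asking the system that wrote it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or sha256(canonical(body)) != e["hash"]:
                return False
            prev = e["hash"]
        return prev == self.head


def plan_and_execute(chain: AuditChain, profile: CompetenceProfile, action: str,
                     amount_eur: float, attestations: set) -> bool:
    """Record the may-do decision first; only an allowed action gets an 'executed' entry."""
    allowed, reasons = preflight(profile, action, amount_eur, attestations)
    chain.append("preflight", {"worker": profile.worker_id, "action": action,
                               "amount_eur": amount_eur, "allowed": allowed, "reasons": reasons})
    if allowed:
        chain.append("executed", {"worker": profile.worker_id, "action": action,
                                  "amount_eur": amount_eur})
    return allowed


def forget(chain: AuditChain, stores: dict, subject_id: str) -> dict:
    """Three-stage deletion cascade. The audit entry carries no personal data, only a
    differential: per store, the state hash before and after and how many records went.
    Anyone holding the store can recompute the 'after' hash and confirm it matches."""
    diff = {}
    for name, store in stores.items():
        before = sha256(canonical(store))
        doomed = [k for k, rec in store.items() if rec.get("subject") == subject_id]
        for k in doomed:
            del store[k]
        diff[name] = {"before": before, "after": sha256(canonical(store)), "removed": len(doomed)}
    return chain.append("forget", {"subject_hash": sha256(subject_id.encode()), "diff": diff})
```

Two caveats a practitioner will want. The subject hash in the forget entry is a plain SHA-256 of the identifier, which keeps the identifier out of the trail but is still linkable by anyone who can guess it; a keyed hash or per-subject salt is the usual fix. And the after-hash only proves the state of each store at the moment of deletion; proving continued absence means re-hashing the stores later and comparing against the anchored entry.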

Layers, not replacement

The temptation in this market phase is great to choose one of the stacks and ignore everything else. With the Agent 365 announcement on 1 May and the SAP consolidation on 4 May, this temptation grows: Microsoft makes it easy for IT leaders to commission “one layer for everything”. SAP makes it easy for CFOs to commission “one stack for everything”. Both fall short from a DACH mid-market view.

We see it this way: the trust stacks of these weeks are not wrong. They are incomplete. Anyone setting up a DACH mid-market company for the next ten years needs all layers together — and in the middle a business-process layer that does what the American and British vendors do not do: prove forgetting, check permission, place the audit anchor outside vendor trust.

HEINI is this middle layer.

  • Through Susi, the onboarding lead persona, competence profiles, permission rules and deletion deadlines are recorded cleanly once.
  • HEINI itself — as a system of specialised function workers — performs the work, with pre-flight permission check against the competence profile, signed audit trail on a neutral attestation layer, three-stage deletion cascade under GDPR Article 17 and a W3C-DID per worker.
  • Settlement, provisioning, the Microsoft control plane and also the SAP data consolidation are layers HEINI talks to, not ones HEINI replaces. A HEINI worker can register itself tomorrow in Agent 365 as managed third-party software and at the same time pull data from a SAP Business Data Cloud — keeping its vendor-neutral W3C-DID, its external audit trail and its forget proofs. Microsoft sees it but does not control what the German GDPR layer underneath does. SAP delivers the data but does not control whether the planned action is permissible against the competence profile.

This is exactly the point at which the control-plane strategy of a US enterprise and the data-stack strategy of a European enterprise meet German responsibility law. Observation is not the same as proof. Telemetry is not the same as forgetting. Data consolidation is not the same as a permission check. And anyone relying on infrastructure subject to extraterritorial access as the sole audit source has a difficult case to make in a dispute before a German court.

This is the thesis we work on every day here in Münster and the western Münsterland: layers, not stack war. Business-process trust, not platform lock-in. Forget proof, not forget promise.

We welcome conversations with houses that see it the same way — and especially from the DACH crypto-identity scene, which shows that the DACH region is not technologically behind but can sovereignly take a different path.

HEINI Operations UG. Questions and feedback are explicitly welcome.

Update 4 May 2026: SAP has, with the acquisitions of Dremio and Prior Labs, announced the most complete data stack behind Joule to date. The piece has been updated accordingly — the argument remains unchanged, the gap does not shift.