AI agents are starting to act for businesses and the administration — spending, sending, deciding. The moment software acts on your behalf, every action raises the same question: who authorized it, within what limits, and can anyone verify it afterward? Answering that across an economy takes a shared trust layer — and that layer will belong to someone. A city can be the one that holds it — public infrastructure, not a private platform.
Cities already run the registers everyone trusts — of people, of companies, of property. Neutral public records of what's real. The trust layer for AI is the same kind of thing: it certifies who may act, and lets anyone verify what was authorized.
A city doesn't write AI law — that's set in Brussels and the member states. But it can do something law can't: provide the trust layer AI actually runs on. Regulation says what's allowed on paper; infrastructure decides what happens in practice. As the trust root, a city shapes adoption from the inside — anchoring the trust everyone relies on, and running its own Authority Server for its administration. For a city, that means:
The city maintains a registry of recognized authority holders — people, departments, companies — and certifies the operators that issue receipts, against an open standard. Just as a commercial register's object is the company, not its certificate, this registry's object is who may hold authority; cryptographic keys are only how that trust is exercised. The city never signs, nor sees, a private action.
The city also runs its own Authority Server for its agents — administrative workflows, citizen-facing services, procurement — proving human oversight by design: no receipt, no execution; revocation; auditability. It operates for itself, not for the private economy. This is also how a city earns the root: by first running it for its own.
Not a passive registry that only keeps records, and not a platform that stands behind every action — the city holds the balance: it anchors trust, others act under it.
The city doesn't build a new directory of everyone. It registers its own entities and the operators it certifies — and recognizes everyone else by anchoring to sources that already exist: EUDI for identity, the commercial register for companies, professional bodies for credentials. EUDI proves who you are; the city's registry records what authority you're recognized to hold.
Under the city's root, anyone can operate an Authority Server: the city for its own agents; vertical operators per sector — the path for SMEs; general providers like Suveren; and large businesses that want to run their own. All certified against the same open standard.
Identity rails (EUDI/eIDAS) prove who you are. They don't cover which agent may act for you, within which limits, with a receipt. That authority layer is what the city anchors — on top of European identity, not duplicating it.
Certification is published and appealable: any operator meeting the open conformance standard can be certified; misconduct is grounds for revocation. A register that admits on rules — not a gatekeeper that picks winners.
The city stands behind its certification process and the actions of its own Authority Server — not behind every private action. Its liability is governance, not transactions.
The city's own Authority Server goes from pilot to production and stays. The registry role is additive — the city runs both: operator for itself, root for everyone.
The city stands up an Authority Server for a few of its own AI-agent workflows and trusted partners — proving oversight by design.
That becomes real infrastructure: the city runs its own Authority Server for administrative AI — citizen services, procurement, internal agents — permanently, at scale.
On top of operating for itself, the city registers recognized authority holders and certifies the Authority-Server operators, so businesses and departments can issue trusted receipts too.
Vertical operators, providers, and departments issue receipts under city-recognized trust chains.
City roots interoperate with other cities, Austria-wide trust lists, and EUDI/eIDAS rails.
The protocol (HAP) and its conformance suite are open. Suveren is its reference implementation — a city can run its own Authority Server and registry on Suveren, and businesses can choose Suveren, a sector operator, or any certified provider. The city anchors trust; an open market provides the operators. No vendor lock-in is required to start.
It's the principle — born in Vienna — that decisions with real consequences must stay with accountable people, even as software takes on more of the work. Anchoring the public trust root is how a city turns it into infrastructure: when an agent acts, a named human still stands behind it.