Skip to main content

Cryptographic evidence for agentic AI

Decision records you can verify without trusting us.

Every autonomous action that passes through your gateway becomes a signed, hash-chained receipt. Anyone with the published format and the public key can check it offline.

Policy without proof is just a suggestion.

Three implementations, three languages, one verdict on 57 classical cases in the downloadable zero-dependency verifier. 28 post-quantum cases specified and reference-verified.

What verification proves

A verified bundle proves the integrity of every receipt present. It does not prove the operator recorded every action.

The Problem

AI Systems Are
Operating Without Proof

Critical infrastructure increasingly runs on autonomous AI, with no cryptographic record of what each system did or whether it stayed within policy. Logs can be edited after the fact, and a policy document proves intent, not behavior.

Model Poisoning

Adversaries poison models during training, fine-tuning, or deployment. No cryptographic proof of origin means no way to verify what is actually running in production.

Silent Drift

Models change behavior post-deployment through prompt injection, weight modification, or gradient attacks. Output monitoring rarely catches it.

Forensic Evidence Gap

When incidents occur, the audit trail rarely survives scrutiny. Investigations rely on logs that can be tampered with. Auditors need tamper-evident evidence.

Paper Governance

Contracts define what an AI should do, but paper cannot constrain a running system. Governance that binds behavior lives in the runtime, backed by cryptography.

Architecture

Seal. Capture. Prove.

01

Seal

Policy Artifact

Ed25519 default · ML-DSA-65 hybrid

Bind approved behavior to a signed policy object at build time. The sealed hash is the single source of truth for what the agent is authorized to do. Any later drift from this reference is what the runtime boundary measures against.

Sealed at build time

02

Capture

Gateway runtime boundary

Launch Decision · Drift Detection

The gateway validates policy and seals each decision into a signed receipt. The agent holds no keys and cannot self-authorize; the handlers that carry out the decision are integration points wired per deployment.

Private runtime component

03

Prove

Evidence Bundle

Merkle proofs · Hash-linked receipts

Export a portable, tamper-evident proof package. Every receipt is signed and hash-linked. Anyone with the published format and the public key can verify it offline, using standard cryptography.

Portable and offline-verifiable

Standard cryptographic primitives. No special hardware. Fully offline-capable. See the full walkthrough

Runs Locally

No cloud dependency

O(1) Per Event

Bounded latency, real-time safe

Payload-Blind

Verifies without payloads

Any Platform

Model and provider agnostic

MCP-Native

Drops into the MCP layer

Tamper-Evident

Hash-linked chain

Agentic AI Governance at the Execution Boundary

Autonomous agents create action risk: unauthorized tool invocations, state modifications, and financial transactions that content filters cannot address. The tools you already run trace it, decide it, or block it. What they leave behind is a log that only you can vouch for. AGA is built for the case those tools cannot serve: when someone who doesn't trust you needs to verify the record independently.

Learn more about agentic AI governance

Autonomous Action Without Confirmation

Agentic AI systems invoke tools, modify state, and execute transactions without human approval at each step. Governance must operate at the speed of execution, not after the fact.

Frameworks Define Intent

Major governance frameworks call for runtime oversight, continuous monitoring, and auditable evidence. What satisfies that is a cryptographic record bound to each decision.

Monitoring Watches After Execution

Log aggregation and anomaly detection watch behavior after execution. A tamper-evident cryptographic record of each decision requires a control point that seals it at the speed of execution.

AGA Closes the Gap

Attested Governance Artifacts seal policy before execution, render and seal each decision at a control point where the agent holds no keys, and produce signed receipts that verify offline.

Differentiation

Where Existing Systems Stop

Existing tools cover fragments of the governance problem.
AGA closes the gaps they leave open.

Logging / SIEM

Provides: Event capture, anomaly alerts

Gap: Logs can be altered or deleted; no governance

Policy-as-Code

Provides: Declarative rules, drift alerts

Gap: Advisory only; no runtime binding

TEE / SGX

Provides: Hardware-isolated execution

Gap: Verification depends on vendor attestation infrastructure

Blockchain Audit

Provides: Immutable ledger, timestamping

Gap: No runtime governance; latency constraints

AGA (this system)

Provides: Sealed policy, signed runtime decisions, portable cryptographic proof

Gap: By design: proves the decision record; effecting the action is a per-deployment integration point

What AGA Adds

Sealed Reference Hashes

A signed, tamper-evident snapshot of the authorized behavior, captured at build time. A cryptographic commitment that cannot be revised after the fact, so any later deviation from it is detectable at verification.

Mandatory Runtime Boundary

The gateway validates policy and seals the decision at the control point. The subject holds no signing keys and cannot self-authorize. Whether the action is blocked is a per-deployment property.

Signed Decision Receipts

Every governance decision produces a signed receipt, hash-linked into an append-only chain. Each receipt verifies on its own against the published format.

Offline-Verifiable Evidence

Evidence bundles contain everything needed to verify compliance. No network, no callback, no trust in the producing system.

AGA extends attestation with sealed runtime decisions and portable cryptographic proof.

What AGA makes possible, and what it makes impossible

What Becomes Possible

  • Prove exactly which policy applied to each decision, when, and by whom

  • Verify compliance offline in air-gapped or contested environments

  • Detect drift between authorized and actual behavior at runtime

  • Export tamper-evident evidence that any third party can audit

What Becomes Impossible

  • A sealed policy artifact cannot be modified without invalidating its cryptographic signature

  • A valid receipt cannot be produced without the gateway's signing key

  • A receipt cannot be deleted or reordered without breaking the hash-linked chain

  • A tampered evidence bundle cannot pass verification against the issuer's pinned public key

Where This Fits

Built for Environments Where
Logging Is Not Enough

Defense & DoD

Autonomous systems, contested ops

Disconnected and contested environments can't phone home to verify compliance. AGA seals policy before the mission and produces evidence bundles that verify offline, on air-gapped networks.

SCADA / ICS

Critical infrastructure

Industrial control systems fail when governance adds latency or unpredictable resource use. AGA measures and decides within deterministic timing and produces tamper-evident audit trails built for OT.

Regulated industries

Finance, healthcare, legal

Examiners ask for proof, not assertions. AGA's signed receipts and offline-verifiable evidence give trading oversight, HIPAA AI systems, and EU AI Act programs a record built to withstand scrutiny.

Enterprise AI

Agentic AI at scale

Multi-agent deployments need proof of which authorized model ran under which sealed policy. AGA chains MCP decision receipts into portable audit trails where any alteration is detectable.

Standards Alignment

Architecture designed for environments requiring:

Architectural design alignment. Not certification or compliance advice.

NIST
AI RMF 1.0
CISA
Secure by Design
NSA
AI/ML Supply Chain
EU AI Act
High-Risk Systems
CoSAI
MCP Security Analysis
SLSA
Supply Chain Integrity
SSDF
NIST SP 800-218
NIST
SP 800-207 (Zero Trust)
Implementation Path

From Evaluation to Integration

01

Evaluate

Download the standalone demo. Run the Offline Verifier. Inspect the evidence bundle and receipt chains.

See the Walkthrough
02

Explore

Read the protocol specification. Review the reference implementation. 384 automated tests. Full documentation.

View Technology
03

Integrate

Language-agnostic protocol with a TypeScript/Node.js reference implementation. Build in your stack.

Read the Specification
04

Collaborate

For defense, critical infrastructure, or enterprise AI governance, start with a technical evaluation.

Request Info