Cryptographic evidence for agentic AI
Decision records you can verify without trusting us.
Every autonomous action that passes through your gateway becomes a signed, hash-chained receipt. Anyone with the published format and the public key can check it offline.
Policy without proof is just a suggestion.
Three implementations, three languages, one verdict on 57 classical cases in the downloadable zero-dependency verifier. 28 post-quantum cases specified and reference-verified.
A verified bundle proves the integrity of every receipt present. It does not prove the operator recorded every action.
AI Systems Are
Operating Without Proof
Critical infrastructure increasingly runs on autonomous AI, with no cryptographic record of what each system did or whether it stayed within policy. Logs can be edited after the fact, and a policy document proves intent, not behavior.
Model Poisoning
Adversaries poison models during training, fine-tuning, or deployment. No cryptographic proof of origin means no way to verify what is actually running in production.
Silent Drift
Models change behavior post-deployment through prompt injection, weight modification, or gradient attacks. Output monitoring rarely catches it.
Forensic Evidence Gap
When incidents occur, the audit trail rarely survives scrutiny. Investigations rely on logs that can be tampered with. Auditors need tamper-evident evidence.
Paper Governance
Contracts define what an AI should do, but paper cannot constrain a running system. Governance that binds behavior lives in the runtime, backed by cryptography.
Architecture
Seal. Capture. Prove.
01
Seal
Policy Artifact
Ed25519 default · ML-DSA-65 hybrid
Bind approved behavior to a signed policy object at build time. The sealed hash is the single source of truth for what the agent is authorized to do. Any later drift from this reference is what the runtime boundary measures against.
Sealed at build time
02
Capture
Gateway runtime boundary
Launch Decision · Drift Detection
The gateway validates policy and seals each decision into a signed receipt. The agent holds no keys and cannot self-authorize; the handlers that carry out the decision are integration points wired per deployment.
Private runtime component
03
Prove
Evidence Bundle
Merkle proofs · Hash-linked receipts
Export a portable, tamper-evident proof package. Every receipt is signed and hash-linked. Anyone with the published format and the public key can verify it offline, using standard cryptography.
Portable and offline-verifiable
01
Seal
Policy Artifact
Ed25519 default · ML-DSA-65 hybrid
Bind approved behavior to a signed policy object at build time. The sealed hash is the single source of truth for what the agent is authorized to do. Any later drift from this reference is what the runtime boundary measures against.
Sealed at build time
02
Capture
Gateway runtime boundary
Launch Decision · Drift Detection
The gateway validates policy and seals each decision into a signed receipt. The agent holds no keys and cannot self-authorize; the handlers that carry out the decision are integration points wired per deployment.
Private runtime component
03
Prove
Evidence Bundle
Merkle proofs · Hash-linked receipts
Export a portable, tamper-evident proof package. Every receipt is signed and hash-linked. Anyone with the published format and the public key can verify it offline, using standard cryptography.
Portable and offline-verifiable
Standard cryptographic primitives. No special hardware. Fully offline-capable. See the full walkthrough
Runs Locally
No cloud dependency
O(1) Per Event
Bounded latency, real-time safe
Payload-Blind
Verifies without payloads
Any Platform
Model and provider agnostic
MCP-Native
Drops into the MCP layer
Tamper-Evident
Hash-linked chain
Agentic AI Governance at the Execution Boundary
Autonomous agents create action risk: unauthorized tool invocations, state modifications, and financial transactions that content filters cannot address. The tools you already run trace it, decide it, or block it. What they leave behind is a log that only you can vouch for. AGA is built for the case those tools cannot serve: when someone who doesn't trust you needs to verify the record independently.
Learn more about agentic AI governance
Autonomous Action Without Confirmation
Agentic AI systems invoke tools, modify state, and execute transactions without human approval at each step. Governance must operate at the speed of execution, not after the fact.
Frameworks Define Intent
Major governance frameworks call for runtime oversight, continuous monitoring, and auditable evidence. What satisfies that is a cryptographic record bound to each decision.
Monitoring Watches After Execution
Log aggregation and anomaly detection watch behavior after execution. A tamper-evident cryptographic record of each decision requires a control point that seals it at the speed of execution.
AGA Closes the Gap
Attested Governance Artifacts seal policy before execution, render and seal each decision at a control point where the agent holds no keys, and produce signed receipts that verify offline.
Where Existing Systems Stop
Existing tools cover fragments of the governance problem.
AGA closes the gaps they leave open.
| Layer | Provides | Gap |
|---|---|---|
| Logging / SIEM | Event capture, anomaly alerts | Logs can be altered or deleted; no governance |
| Policy-as-Code | Declarative rules, drift alerts | Advisory only; no runtime binding |
| TEE / SGX | Hardware-isolated execution | Verification depends on vendor attestation infrastructure |
| Blockchain Audit | Immutable ledger, timestamping | No runtime governance; latency constraints |
| AGA (this system) | Sealed policy, signed runtime decisions, portable cryptographic proof | By design: proves the decision record; effecting the action is a per-deployment integration point |
Logging / SIEM
Provides: Event capture, anomaly alerts
Gap: Logs can be altered or deleted; no governance
Policy-as-Code
Provides: Declarative rules, drift alerts
Gap: Advisory only; no runtime binding
TEE / SGX
Provides: Hardware-isolated execution
Gap: Verification depends on vendor attestation infrastructure
Blockchain Audit
Provides: Immutable ledger, timestamping
Gap: No runtime governance; latency constraints
AGA (this system)
Provides: Sealed policy, signed runtime decisions, portable cryptographic proof
Gap: By design: proves the decision record; effecting the action is a per-deployment integration point
What AGA Adds
Sealed Reference Hashes
A signed, tamper-evident snapshot of the authorized behavior, captured at build time. A cryptographic commitment that cannot be revised after the fact, so any later deviation from it is detectable at verification.
Mandatory Runtime Boundary
The gateway validates policy and seals the decision at the control point. The subject holds no signing keys and cannot self-authorize. Whether the action is blocked is a per-deployment property.
Signed Decision Receipts
Every governance decision produces a signed receipt, hash-linked into an append-only chain. Each receipt verifies on its own against the published format.
Offline-Verifiable Evidence
Evidence bundles contain everything needed to verify compliance. No network, no callback, no trust in the producing system.
AGA extends attestation with sealed runtime decisions and portable cryptographic proof.
What AGA makes possible, and what it makes impossible
What Becomes Possible
Prove exactly which policy applied to each decision, when, and by whom
Verify compliance offline in air-gapped or contested environments
Detect drift between authorized and actual behavior at runtime
Export tamper-evident evidence that any third party can audit
What Becomes Impossible
A sealed policy artifact cannot be modified without invalidating its cryptographic signature
A valid receipt cannot be produced without the gateway's signing key
A receipt cannot be deleted or reordered without breaking the hash-linked chain
A tampered evidence bundle cannot pass verification against the issuer's pinned public key
Built for Environments Where
Logging Is Not Enough
Defense & DoD
Autonomous systems, contested ops
Disconnected and contested environments can't phone home to verify compliance. AGA seals policy before the mission and produces evidence bundles that verify offline, on air-gapped networks.
SCADA / ICS
Critical infrastructure
Industrial control systems fail when governance adds latency or unpredictable resource use. AGA measures and decides within deterministic timing and produces tamper-evident audit trails built for OT.
Regulated industries
Finance, healthcare, legal
Examiners ask for proof, not assertions. AGA's signed receipts and offline-verifiable evidence give trading oversight, HIPAA AI systems, and EU AI Act programs a record built to withstand scrutiny.
Enterprise AI
Agentic AI at scale
Multi-agent deployments need proof of which authorized model ran under which sealed policy. AGA chains MCP decision receipts into portable audit trails where any alteration is detectable.
Architecture designed for environments requiring:
Architectural design alignment. Not certification or compliance advice.
From Evaluation to Integration
Evaluate
Download the standalone demo. Run the Offline Verifier. Inspect the evidence bundle and receipt chains.
See the WalkthroughExplore
Read the protocol specification. Review the reference implementation. 384 automated tests. Full documentation.
View TechnologyIntegrate
Language-agnostic protocol with a TypeScript/Node.js reference implementation. Build in your stack.
Read the SpecificationCollaborate
For defense, critical infrastructure, or enterprise AI governance, start with a technical evaluation.
Request Info