# AI Evidence Infrastructure

## Cryptographic Action Receipts, Post-Exploitation Forensics, and the Actuarial Mechanics of Agentic Trust

blkbx — Technical Memo

---

As autonomous artificial intelligence agents transition from baseline productivity tools to high-fiduciary, decision-making entities, modern enterprises are confronting an unprecedented attribution crisis. When an AI system executes a financial transaction, modifies an enterprise database, or overrides a clinical diagnostic workflow, it operates within a complex, non-deterministic decision boundary that cannot be reconstructed or validated using legacy IT telemetry. This structural blind spot exposes organizations to severe regulatory penalties, uninsurable operational risks, and systemic litigation liabilities.

To bridge this gap, a new paradigm is required: AI Evidence Infrastructure. This infrastructure continuously records, validates, and seals tamper-evident operational receipts for consequential AI actions. By serving as a cryptographically secure "flight recorder" for artificial agents, AI Evidence Infrastructure transforms ephemeral, black-box model inference into verifiable, legally admissible, and audit-ready digital evidence.

---

## The AI Attribution Crisis and the Structural Market Gap

Legacy software auditing architectures are fundamentally ill-equipped to capture the non-deterministic, context-dependent nature of agentic workflows. Traditional observability tools, workflow platforms, and high-level compliance frameworks address adjacent dimensions of the enterprise AI lifecycle, yet they fail to establish a cryptographically unbroken chain of custody for individual decisions.

| Dimension | AI Observability | Workflow AI | Point-in-Time Certification | AI Evidence Infrastructure |
|---|---|---|---|---|
| Primary Objective | Performance optimization, debugging, latency tracking | State orchestration, process automation, routing | Independent point-in-time compliance validation | Cryptographic proof and post-hoc decision reconstruction |
| Data Integrity Model | Mutable database logs; vulnerable to administrative overrides | Stateful application variables; mutable and transient | Static document uploads; self-attested | Immutable hash-chained ledgers with multi-party anchoring |
| Verification Latency | Near-real-time streaming, no mathematical validation | Execution-bound; application-level routing | Periodic audits, disconnected from runtime | Instantaneous, local O(log n) Merkle inclusion proofs |
| Privacy Protection | Plaintext telemetry; raw payload logging | Direct state access; exposes PII | High-level metadata only | Selective disclosure (SD-JWT) and zero-knowledge proofs |
| Evidentiary Weight | Low; inadmissible due to mutability | Medium-low; lacks deterministic session signatures | Low; static policy intent | High; legally defensible chain of custody |

Traditional Application Performance Monitoring and OpenTelemetry frameworks operate on the assumption of database-driven mutability. Because administrators or malicious actors with system-level privileges can execute update or delete queries on these tables, traditional logs fail the core legal requirement of tamper-resistance.

Furthermore, observability platforms monitor system performance rather than semantic context. They record that an API call occurred, but they do not preserve the exact interaction between prompt context, retrieval-augmented generation (RAG) inputs, model weights, and agent orchestrators that collectively determined a consequential decision. If a model "lies to its own logs" due to prompt injection, retrieval poisoning, or instruction hierarchy conflicts, downstream system logs capture only the resulting authorized-looking system command.

---

## The Claims Forensics and Incident Reconstruction Wedge

The immediate, high-traction entry point for AI Evidence Infrastructure is the claims forensics and incident reconstruction wedge, tailored for Digital Forensics and Incident Response (DFIR) teams, legal counsels, and cyber insurance claims examiners.

### The Post-Exploitation Forensic Gap: CVE-2026-39987

In this attack vector, a deserialization flaw in a development tool's WebSocket handler grants an attacker initial remote code execution (RCE) on a developer workstation or build host. The attacker harvests temporary cloud credentials assigned to the instance profile, which possess legitimate read access to enterprise secrets managers.

Rather than executing noisy scripts, the attacker uses the harvested credentials to drive an internal, highly privileged LLM endpoint via natural language prompts, instructing the model to list, retrieve, and summarize high-value secrets, then exfiltrating them through the model's own HTTP response stream.

By contrast, an inline, per-decision AI Action Receipt captures the exact input context, model reasoning, and raw model output. By comparing the cryptographically signed record of what the LLM actually outputted against the raw API data, DFIR teams can mathematically prove that only a small, bounded subset of data was exfiltrated — saving millions in unnecessary notification costs and avoiding premium hikes by demonstrating definitive containment.

### Forensic Readiness and "AI Lying to Its Own Logs"

In complex, multi-agent deployments, prompt injection, retrieval poisoning, and instruction hierarchy conflicts can manipulate agent execution without triggering standard anomaly filters. If audited solely using legacy application logs, a malicious action appears as a standard, authorized user transaction. AI Evidence Infrastructure mitigates this by capturing the exact, untampered prompt-and-response transcripts, establishing a legally defensible chain of custody that meets "reasonable forensic certainty" standards.

---

## Cryptographic Design of the AI Action Receipt

The system generates structured receipts that are sequential, tamper-evident, and privacy-preserving through a multi-layered cryptographic architecture combining deterministic hash chaining, Selective Disclosure JSON Web Tokens, and RFC 6962-compliant Merkle Trees.

### Layer 1: Hash-Chain Architecture and Genesis Parameters

The foundation of the evidence trail is a sequential hash chain, where each event's cryptographic signature is inextricably bound to the preceding event, guaranteeing sequential integrity and preventing insertion, deletion, or reordering.

- **UUID Version 7** — primary event identifier ensuring time-ordered sorting and high-entropy uniqueness.
- **RFC 8785 JSON Canonicalization** — serializes the JSON receipt to eliminate platform-dependent whitespace and key-ordering discrepancies before hashing.
- **Dual-Precision Timestamps** — both an ISO 8601 UTC string and an integer nanoseconds-since-epoch string to prevent replay and clock-skew attacks.
- **Genesis Event Anchor** — the first record anchors its `prev_hash` to 64 hexadecimal zeros.

All numerical values, pricing data, and transaction quantities are strictly stored and hashed as string types to eliminate IEEE 754 floating-point representation anomalies.

### Layer 2: Privacy-Preserving Selective Disclosure (SD-JWT / RFC 9901)

To resolve the tension between data retention mandates (EU AI Act's six-month floor) and data privacy regulations (GDPR Article 5), the AI Action Receipt implements Selective Disclosure JSON Web Tokens (SD-JWT / RFC 9901) combined with Agent Cards (SD-Card format per draft-nandakumar-agent-sd-jwt-02).

Each disclosable claim is wrapped in a salted cryptographic commitment. In the base token signed by the agent, only the hash commitment is exposed; raw claim values and high-entropy salts are stored in a secure, decoupled vault. Ephemeral mapping and zero-knowledge proofs minimize correlation across contexts, and a multi-party quorum governs controlled re-identification under judicial oversight.

### Layer 3: Logarithmic Verification via RFC 6962 Merkle Trees

To enable scalable, real-time verification, individual Action Receipts are aggregated into an RFC 6962-compliant Merkle Tree with domain-separated hashing to protect against second-preimage attacks:

- **Leaf Node Hashing** — a leading `0x00` byte prefix is prepended to the canonical payload before hashing.
- **Internal Node Hashing** — a leading `0x01` byte prefix is prepended before concatenating two child hashes.

Odd batches duplicate the final leaf to balance the tree. Auditors verify inclusion in a globally committed state with logarithmic complexity.

| Performance Metric | Benchmarked Value |
|---|---|
| Throughput (100,000 records) | > 130,000 logs / second |
| Per-Entry Verification Latency | ~ 22 milliseconds |
| Merkle Proof Generation Latency | ~ 22 milliseconds |
| Average Cryptographic Proof Size | 1,006 bytes |
| Peak Memory Consumption | < 5 megabytes |
| Tampering Detection Accuracy (F1) | 1.0 (1%–50% corruption ratios) |

---

## Infrastructure Placement and Integration Patterns

To avoid introducing performance bottlenecks to the critical execution path, the logging layer is decoupled from model inference and deployed as an independent runtime sidecar.

### The Async Sidecar and Gateway Interfaces

The primary application container executes model inferences and tool operations normally (500 ms – 5 s). Upon completing an action, it asynchronously writes a non-blocking "drop-copy" of the execution trace to a shared local Unix domain socket or loopback interface. The Evidence Sidecar reads this stream, canonicalizes the data, executes cryptographic hashing and token signing, and builds the local hash chain — achieving complete failure isolation.

For orchestration frameworks like LangChain, a dedicated `ComplianceCallbackHandler` intercepts chain executions at the harness level to capture structured JSON logs, continuously validated against local policy engines. Codebases can be scanned preemptively using an open-source Model Context Protocol (MCP) server (such as `mcp-eu-ai-act`) to identify missing instrumentation gates prior to deployment.

### Agnostic Anchoring and AgentAudit Integration

The AgentAudit architecture supports chain-agnostic anchoring across multiple public mainnets (Base, Arbitrum, Optimism, Polygon, Mantle) using a dedicated TypeScript SDK (`@agentaudit/sdk`) in a dual-trust model. On-chain anchoring makes post-hoc modification or historical deletion cryptographically impossible, satisfying the most stringent interpretation of regulatory non-repudiation.

---

## Go-To-Market Sequence and Actuarial Value Chain

### Phase 1: Post-Incident Forensic Pilots

The initial sequence targets post-incident scenarios, partnering with premier DFIR firms and specialized insurance claims adjusters. Deployed as an immediate post-incident containment tool, the system provides an instant, mathematically verifiable bounding of the breach blast radius — demonstrating exactly which database rows the LLM accessed, what data was read back to the attacker, and what was left untouched.

### Phase 2: Regulatory Audit and NAIC Readiness

Under the EU AI Act, fully applicable on August 2, 2026, deployers of high-risk AI systems must establish continuous, automatic logging enabling post-hoc decision reconstruction. Concurrently, the NAIC is conducting a 12-state AI Systems Evaluation Tool pilot through late 2026. The AI Evidence Infrastructure serves as a programmatic "self-assessment benchmark," automating compliance reporting against NAIC Exhibits and the EU AI Act's Articles 12, 13, 10, and 72.

### Phase 3: Actuarial Integration and Rating Credits

The final phase integrates the evidence infrastructure directly into the commercial insurance underwriting value chain, replicating the active insurance model popularized by cybersecurity underwriters like Coalition and At-Bay — translating that underwriting logic to Technology E&O and D&O liability lines through verified, continuous controls and premium incentives.

---

## Conclusions

The transition to autonomous agentic AI demands a fundamental evolution in software auditing standards. Traditional observability frameworks and point-in-time compliance certifications are structurally incapable of resolving the visibility and accountability challenges of non-deterministic, generative decision workflows.

By establishing an immutable, privacy-preserving, and computationally efficient evidence layer, AI Evidence Infrastructure bridges the critical gap between active technology deployment, regulatory compliance, and risk transfer — establishing the foundational Trust Layer required to scale agentic enterprise operations safely and confidently.

---

## References

1. J.S. Held — Artificial Intelligence (AI) Disputes — https://www.jsheld.com/areas-of-expertise/artificial-intelligence-ai/artificial-intelligence-ai-disputes
2. When the AI lies to its own logs — https://andreafortuna.org/2026/05/04/when-ai-lies-to-its-own-logs-forensic-readiness/
3. CVE-2026-39987 (Marimo LLM post-exploitation) — https://www.deepinspect.ai/blog/cve-2026-39987-marimo-llm-post-exploitation
4. AI Act Record-Keeping — https://truescreen.io/insights/ai-act-record-keeping-requirements/
5. Aon flags AI governance gaps — https://techinformed.com/aon-flags-ai-governance-gaps-as-insurance-scrutiny-rises/
6. draft-nandakumar-agent-sd-jwt-02 — https://datatracker.ietf.org/doc/draft-nandakumar-agent-sd-jwt/
7. What the NAIC Model Bulletin Means for Insurance AI — https://www.waterstreetcompany.com/what-the-naic-model-bulletin-means-for-insurance-ai/
8. NAIC Expands AI Systems Evaluation Tool Pilot (Fenwick) — https://www.fenwick.com/insights/publications/naic-expands-ai-systems-evaluation-tool-pilot-program-to-12-states-key-updates-for-insurers-and-ai-vendors-supporting-insurers
9. NAIC AI Systems Evaluation Tool Pilot (Monitaur) — https://www.monitaur.ai/blog-posts/naic-ai-systems-evaluation-tool-pilot-a-guide-for-insurers
