Technical Memo

AI Evidence Infrastructure.

Cryptographic action receipts, post-exploitation forensics, and the actuarial mechanics of agentic trust.

A tamper-evident flight recorder for artificial agents — turning ephemeral, black-box model inference into verifiable, legally admissible, audit-ready digital evidence.

Contents
01The AI Attribution Crisis and the Structural Market Gap
02The Claims Forensics and Incident Reconstruction Wedge
03Cryptographic Design of the AI Action Receipt
04Infrastructure Placement and Integration Patterns
05Go-To-Market Sequence and Actuarial Value Chain
01 · The attribution crisis

Legacy telemetry cannot reconstruct a non-deterministic decision.

When an AI system executes a financial transaction, mutates an enterprise database, or overrides a clinical workflow, it acts inside a complex decision boundary that legacy IT telemetry cannot reconstruct. Observability platforms record that an API call occurred — not the exact interaction between prompt context, RAG inputs, model weights, and orchestrators that determined it.

Because administrators or attackers with system privileges can update or delete log tables, traditional logs fail the core legal requirement of tamper-resistance. When a model "lies to its own logs" via prompt injection or retrieval poisoning, downstream logs capture only the authorized-looking command — and the failure mode stays forensically unexplainable.

DimensionObservabilityWorkflow AICertificationEvidence Infrastructure
Primary objectivePerformance & latencyState orchestrationPoint-in-time validationCryptographic proof & reconstruction
Data integrityMutable DB logsMutable app variablesStatic self-attested uploadsImmutable hash-chained ledgers
VerificationStreaming, unvalidatedExecution-bound routingPeriodic auditsO(log n) Merkle inclusion proofs
PrivacyPlaintext telemetryDirect state / PII accessHigh-level metadataSD-JWT & zero-knowledge proofs
Evidentiary weightLow — mutableMedium-lowLow — policy intentHigh — defensible chain of custody
02 · Claims forensics wedge

Bounding the blast radius after a post-exploitation incident.

CVE-2026-39987

A deserialization flaw grants an attacker RCE, who then harvests cloud credentials and drives an internal privileged LLM via natural language — instructing it to list and exfiltrate secrets through the model's own response stream, bypassing endpoint detection.

With action receipts

An inline, per-decision receipt captures the exact input context, model reasoning, and raw output. Comparing the signed record against raw API data lets DFIR teams mathematically prove that only a bounded subset of data was exfiltrated — saving millions in notification costs.

03 · Cryptographic design

The AI Action Receipt schema.

Sequential, tamper-evident, and privacy-preserving — combining deterministic hash chaining, SD-JWT selective disclosure, and RFC 6962 Merkle trees.

event_id

UUID v7 — time-ordered, high-entropy identifier

prev_hash

Hash of the preceding receipt (genesis = 64 hex zeros)

canonical

RFC 8785 JSON canonicalization before hashing

timestamp

ISO 8601 UTC string + integer nanoseconds since epoch

numeric_fields

Stored & hashed as strings (no IEEE 754 drift)

disclosures

Salted commitments per claim (SD-JWT / RFC 9901)

kb_jwt

Key Binding JWT proving holder confirmation key

leaf_hash

0x00-prefixed leaf (RFC 6962 domain separation)

node_hash

0x01-prefixed internal node concatenation

anchor

Multi-chain on-chain commitment (AgentAudit)

Layer 1

Hash-chain architecture

Sequential integrity via UUID v7 identifiers, RFC 8785 canonicalization, dual-precision timestamps, and a genesis anchor of 64 hex zeros. Each receipt is cryptographically bound to its predecessor.

Layer 2

Selective disclosure (SD-JWT)

Each disclosable claim is wrapped in a salted commitment. Only the hash is exposed in the signed token; raw values and salts live in a decoupled vault. Ephemeral mapping and ZK proofs minimize correlation.

Layer 3

RFC 6962 Merkle trees

Receipts aggregate into a Merkle tree with domain-separated leaf (0x00) and node (0x01) hashing to block second-preimage attacks, enabling logarithmic inclusion proofs.

Benchmarked pipeline performance

> 130,000 logs / sec

Throughput (100k records)

~ 22 ms

Per-entry verification

~ 22 ms

Merkle proof generation

1,006 bytes

Average proof size

< 5 MB

Peak memory

1.0

Tampering detection (F1)

04 · Infrastructure placement

An async sidecar decoupled from inference.

The application container runs inferences normally and asynchronously writes a non-blocking drop-copy of the execution trace to a local socket. The Evidence Sidecar canonicalizes, hashes, signs, and builds the local hash chain — achieving complete failure isolation from the critical path.

A LangChain ComplianceCallbackHandler intercepts chain executions to capture structured logs validated against local policy engines. On-chain anchoring via AgentAudit (Base, Arbitrum, Optimism, Polygon, Mantle) makes post-hoc modification cryptographically impossible.

05 · Actuarial value chain

From forensic containment to underwriting credits.

Phase 1

Post-incident forensic pilots

Partner with DFIR firms and claims adjusters. Deployed as containment tooling, the system mathematically bounds the breach blast radius — which rows the LLM accessed, what was exfiltrated, and what was untouched.

Phase 2

Regulatory audit & NAIC readiness

A programmatic self-assessment benchmark automating compliance against the EU AI Act (Articles 12, 13, 10, 72) and the NAIC 12-state AI Systems Evaluation Tool pilot.

Phase 3

Actuarial integration & rating credits

Integrate evidence directly into underwriting, translating the active-insurance model of Coalition and At-Bay into Technology E&O and D&O liability lines via verified, continuous controls.

Take the full memo.

Download the complete technical memo — receipt schema, cryptographic layers, integration patterns, and the go-to-market sequence.

Download the memo (.md)

Record the action. Reveal the risk. Reconstruct the claim.