AI Evidence Infrastructure.
Cryptographic action receipts, post-exploitation forensics, and the actuarial mechanics of agentic trust.
A tamper-evident flight recorder for artificial agents — turning ephemeral, black-box model inference into verifiable, legally admissible, audit-ready digital evidence.
Legacy telemetry cannot reconstruct a non-deterministic decision.
When an AI system executes a financial transaction, mutates an enterprise database, or overrides a clinical workflow, it acts inside a complex decision boundary that legacy IT telemetry cannot reconstruct. Observability platforms record that an API call occurred — not the exact interaction between prompt context, RAG inputs, model weights, and orchestrators that determined it.
Because administrators or attackers with system privileges can update or delete log tables, traditional logs fail the core legal requirement of tamper-resistance. When a model "lies to its own logs" via prompt injection or retrieval poisoning, downstream logs capture only the authorized-looking command — and the failure mode stays forensically unexplainable.
| Dimension | Observability | Workflow AI | Certification | Evidence Infrastructure |
|---|---|---|---|---|
| Primary objective | Performance & latency | State orchestration | Point-in-time validation | Cryptographic proof & reconstruction |
| Data integrity | Mutable DB logs | Mutable app variables | Static self-attested uploads | Immutable hash-chained ledgers |
| Verification | Streaming, unvalidated | Execution-bound routing | Periodic audits | O(log n) Merkle inclusion proofs |
| Privacy | Plaintext telemetry | Direct state / PII access | High-level metadata | SD-JWT & zero-knowledge proofs |
| Evidentiary weight | Low — mutable | Medium-low | Low — policy intent | High — defensible chain of custody |
Bounding the blast radius after a post-exploitation incident.
CVE-2026-39987
A deserialization flaw grants an attacker RCE, who then harvests cloud credentials and drives an internal privileged LLM via natural language — instructing it to list and exfiltrate secrets through the model's own response stream, bypassing endpoint detection.
With action receipts
An inline, per-decision receipt captures the exact input context, model reasoning, and raw output. Comparing the signed record against raw API data lets DFIR teams mathematically prove that only a bounded subset of data was exfiltrated — saving millions in notification costs.
The AI Action Receipt schema.
Sequential, tamper-evident, and privacy-preserving — combining deterministic hash chaining, SD-JWT selective disclosure, and RFC 6962 Merkle trees.
event_id
UUID v7 — time-ordered, high-entropy identifier
prev_hash
Hash of the preceding receipt (genesis = 64 hex zeros)
canonical
RFC 8785 JSON canonicalization before hashing
timestamp
ISO 8601 UTC string + integer nanoseconds since epoch
numeric_fields
Stored & hashed as strings (no IEEE 754 drift)
disclosures
Salted commitments per claim (SD-JWT / RFC 9901)
kb_jwt
Key Binding JWT proving holder confirmation key
leaf_hash
0x00-prefixed leaf (RFC 6962 domain separation)
node_hash
0x01-prefixed internal node concatenation
anchor
Multi-chain on-chain commitment (AgentAudit)
Hash-chain architecture
Sequential integrity via UUID v7 identifiers, RFC 8785 canonicalization, dual-precision timestamps, and a genesis anchor of 64 hex zeros. Each receipt is cryptographically bound to its predecessor.
Selective disclosure (SD-JWT)
Each disclosable claim is wrapped in a salted commitment. Only the hash is exposed in the signed token; raw values and salts live in a decoupled vault. Ephemeral mapping and ZK proofs minimize correlation.
RFC 6962 Merkle trees
Receipts aggregate into a Merkle tree with domain-separated leaf (0x00) and node (0x01) hashing to block second-preimage attacks, enabling logarithmic inclusion proofs.
Benchmarked pipeline performance
> 130,000 logs / sec
Throughput (100k records)
~ 22 ms
Per-entry verification
~ 22 ms
Merkle proof generation
1,006 bytes
Average proof size
< 5 MB
Peak memory
1.0
Tampering detection (F1)
An async sidecar decoupled from inference.
The application container runs inferences normally and asynchronously writes a non-blocking drop-copy of the execution trace to a local socket. The Evidence Sidecar canonicalizes, hashes, signs, and builds the local hash chain — achieving complete failure isolation from the critical path.
A LangChain ComplianceCallbackHandler intercepts chain executions to capture structured logs validated against local policy engines. On-chain anchoring via AgentAudit (Base, Arbitrum, Optimism, Polygon, Mantle) makes post-hoc modification cryptographically impossible.
From forensic containment to underwriting credits.
Post-incident forensic pilots
Partner with DFIR firms and claims adjusters. Deployed as containment tooling, the system mathematically bounds the breach blast radius — which rows the LLM accessed, what was exfiltrated, and what was untouched.
Regulatory audit & NAIC readiness
A programmatic self-assessment benchmark automating compliance against the EU AI Act (Articles 12, 13, 10, 72) and the NAIC 12-state AI Systems Evaluation Tool pilot.
Actuarial integration & rating credits
Integrate evidence directly into underwriting, translating the active-insurance model of Coalition and At-Bay into Technology E&O and D&O liability lines via verified, continuous controls.
- 01J.S. Held — AI Disputes
- 02When the AI lies to its own logs
- 03CVE-2026-39987 — Marimo LLM post-exploitation
- 04AI Act Record-Keeping (TrueScreen)
- 05Aon flags AI governance gaps (TechInformed)
- 06draft-nandakumar-agent-sd-jwt-02 (IETF)
- 07NAIC Model Bulletin (WaterStreet)
- 08NAIC pilot expansion (Fenwick)
- 09NAIC pilot guide (Monitaur)
Take the full memo.
Download the complete technical memo — receipt schema, cryptographic layers, integration patterns, and the go-to-market sequence.
Download the memo (.md)Record the action. Reveal the risk. Reconstruct the claim.