When a human makes a decision at work, there's usually a paper trail — an email, a ticket, a signed document. You can look back and know who approved what, and when.
AI agents don't have this yet.
An agent can delete a file, call an API, or modify a database — and unless the application specifically logs it, there's no reliable record of what happened. Existing logs are mutable, incomplete, and easy to miss. More importantly, they don't prove who authorized the action.
A cryptographic audit trail works differently. The core idea:
Every action gets a receipt. Before an agent takes any action, it generates a signed record containing the action name, the parameters, a timestamp, and a nonce. This receipt is signed with the agent's private key using Ed25519 — an asymmetric signing algorithm.
The receipt is tamper-evident. The signature is computed over a canonical representation of all the fields together. Change any single field after the fact — the timestamp, the action name, anything — and the signature becomes invalid. You can't fake a receipt without the private key.
Receipts are chained together. Each receipt includes a hash of the previous one, forming a chain. Remove or reorder any entry and the chain breaks. This is the same principle used in certificate transparency logs and blockchain structures.
The result: a log you can actually trust. Not just "something happened at this time," but "this specific agent, with this specific key, requested this specific action — and nothing has been changed since."
This matters more as agents take on more consequential work. The incidents happening today — agents deleting production environments, leaking tokens, dropping databases — aren't just bugs. They're symptoms of building on a protocol (MCP) that has no identity or accountability layer yet.
Cryptographic receipts are one piece of that puzzle.
Top comments (0)