Half the Audit Trail

AgentSystems Notary proves what an AI agent did. But that's only half the audit trail.

The other half is: "what was the agent authorized to do?"

In high-stakes AI, an action without authorization is a problem. An authorization without an action is a paper trail. The two only mean something together — and most AI systems log them in completely different places, neither of them tamper-evident.

The agent's outputs go to one log. The control plane's approval decisions (HITL sign-off, policy engine verdict, admin authorization) go to a separate operator-controlled database. Both are self-attested. Neither can be independently verified.

If a dispute arises — a loan denial gets challenged, a treatment recommendation goes wrong, a regulator asks who approved a high-stakes agent action — the operator can produce both records, but neither carries proof.

A useful framing I've heard from security and governance leaders building this stack:

Audit without runtime control is forensics. Control without audit is unverifiable trust.

The stack only works if both layers are independently verifiable.

Pre-execution records

Notary's pre_execution_record feature captures the authorization decision in the same tamper-evident hash receipt as the agent's action.

When a control plane makes an authorization decision — Agno's @approval decorator, a HITL workflow — that decision flows into Notary. It becomes part of the canonicalized payload that gets hashed. The hash is stored to independent storage alongside the agent's action.

A pre_execution_record might look like:

{
    "approved_by": "human_admin_xyz",
    "policy_id": "loan-approval-v2",
    "decision": "allowed",
    "constraints": ["amount-under-50000"],
    "approved_at": "2026-04-15T14:30:00Z"
}

Three things now sit in the tamper-evident record together: what the agent was asked to do, what was authorized, and what the agent did. An auditor can verify all three. A regulator can prove all three match.
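The binding described above, as an added sketch that is not Notary's own code: the request, the pre_execution_record and the agent's output are canonicalized and hashed as one payload, so editing any of the three afterwards breaks verification. The canonical form (compact sorted-key JSON), the use of SHA-256, the `input` and `output` field names, the function names and the sample request and output are assumptions; only `pre_execution_record` and its fields come from the post.

```python
import hashlib
import hmac
import json

def canonicalize(payload: dict) -> bytes:
    """Assumed canonical form: compact UTF-8 JSON with sorted keys."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def receipt_hash(agent_input: dict, pre_execution_record: dict, agent_output: dict) -> str:
    """Hash request, authorization and action as one payload (SHA-256 assumed)."""
    payload = {
        "input": agent_input,                          # hypothetical field name
        "pre_execution_record": pre_execution_record,  # name from the post
        "output": agent_output,                        # hypothetical field name
    }
    return hashlib.sha256(canonicalize(payload)).hexdigest()

def verify(stored_hash: str, agent_input: dict, pre_execution_record: dict,
           agent_output: dict) -> bool:
    """Auditor side: recompute from the operator's records, compare to the stored hash."""
    recomputed = receipt_hash(agent_input, pre_execution_record, agent_output)
    return hmac.compare_digest(stored_hash, recomputed)

# Constructed sample data; the approval is the example record from the post.
REQUEST = {"task": "evaluate-loan-application", "amount": 42000}
APPROVAL = {
    "approved_by": "human_admin_xyz",
    "policy_id": "loan-approval-v2",
    "decision": "allowed",
    "constraints": ["amount-under-50000"],
    "approved_at": "2026-04-15T14:30:00Z",
}
OUTPUT = {"result": "approved", "amount": 42000}

# Hash written to independent storage at execution time.
STORED = receipt_hash(REQUEST, APPROVAL, OUTPUT)

if __name__ == "__main__":
    print("records as logged:", verify(STORED, REQUEST, APPROVAL, OUTPUT))
    backdated = dict(APPROVAL, approved_at="2026-04-15T09:00:00Z")
    print("approval edited later:", verify(STORED, REQUEST, backdated, OUTPUT))
    print("action edited later:", verify(STORED, REQUEST, APPROVAL, dict(OUTPUT, amount=90000)))
```

The check only has value when the stored hash sits outside the operator's control, which is the role of the independent storage mentioned above.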

Aligned with AIUC-1

Today, the AIUC-1 governance framework released its Q2-2026 quarterly update. The tamper-evident logging control (E015) now explicitly requires the full execution chain to include "approval/authorization events (e.g., human-in-the-loop approvals)."

The change came from feedback from dozens of GRC, security, and AI governance leaders making the same point: pre-execution authorization is part of the audit trail, not separate from it.

The standard now formally requires what pre_execution_records implement.

What this means

For organizations deploying high-stakes AI: you can prove not just what your agent did, but what it was authorized to do — and that the two match.

For anyone building control planes: pre_execution_records make your authorization decisions independently verifiable. Your approval system stops being something operators have to be trusted on.

For regulators: the chain of custody now includes the human or policy that authorized the action, not just the action itself.

If you buy high-stakes AI, it may be time to start asking not just "show me what the agent did" but "show me who authorized it — and prove both."