Building an Agent That Can Prove It Didn't Cheat

For AI agent behavioral records, attestation works like this:

1. At the time of each consequential action, the agent produces a structured record: the input that prompted the action, the action taken, the authorization basis (the specific clause in the behavioral pact that authorized the action), and a timestamp.

2. The agent signs this record using its private key — a key that is held by the agent's execution environment and has a public key registered with the attestation infrastructure.

3. The signed record is appended to an append-only audit log. Append-only means new records can be added but existing records cannot be modified. Any modification of an existing record would invalidate the signature.

4. Any party who needs to verify the agent's behavior can retrieve the relevant records from the audit log, verify each signature against the agent's registered public key, and confirm that the record was produced by the agent at the claimed time.

The result is a behavioral record that the agent's execution environment cannot falsify after the fact (the record was signed at the time of action) and that the audit log infrastructure cannot modify without detection (the signatures would be invalidated). The record is as trustworthy as the signing key's integrity, which is maintained through standard key management practices.

The Authorization Basis Problem

Most agent logging captures what the agent did. Almost none of it captures why — the authorization basis for each action. This is the critical gap between a log and an attestation.

For a behavioral record to prove that an agent did not cheat — that is, that it acted within its authorized behavioral scope — the record must connect each action to the specific authorization that permitted it. This connection is the authorization basis.

An authorization basis is a reference to the specific clause in the agent's behavioral pact that authorized the action, plus the condition that was satisfied. For example:

Action: Submitted refund request for order #48291, amount $127.50 Authorization basis: Pact clause 3.2 — "The agent may submit refund requests for orders placed within 90 days, up to {{REFUND_THRESHOLD}}" Condition satisfied: Order date 2026-02-17 (within 90 days of action date 2026-05-17), amount $127.50 < {{REFUND_THRESHOLD}} ($500)

With this record, any reviewer can verify: was this action authorized under the pact? The answer is yes — the clause is specified, the conditions for that clause are documented, and the action satisfies those conditions.

Without the authorization basis, the record shows that a refund was submitted but cannot demonstrate that the submission was within scope. The record proves the action happened. It does not prove the action was authorized.

The Confidence Dimension

A complete behavioral attestation for language model-based agents includes one more dimension that is often overlooked: the agent's confidence in the action.

An agent that takes an action with high confidence has made a different kind of decision than an agent that takes the same action with low confidence. The high-confidence action represents a clear determination that the action is authorized and appropriate. The low-confidence action represents a judgment call under uncertainty — the kind of decision that should be flagged for review.

Including confidence in the attestation record makes it possible to identify actions that were within technical scope but represented significant uncertainty — the cases where the agent probably should have escalated but did not. Over time, the distribution of confidence levels in the attestation record is a signal about whether the agent's escalation triggers are calibrated correctly.

An attestation record that shows an agent consistently taking actions at low confidence — making judgment calls that it is not certain about — without escalating is a behavioral signal that the escalation calibration is too narrow. This is exactly the kind of systemic issue that individual action review misses but aggregate analysis of the attestation record surfaces.

Building Proof, Not Just Records

The distinction between a log and a proof is worth stating precisely. A log is a record of what happened. A proof is evidence that supports a specific claim. Building an agent that can prove it did not cheat means building an agent whose behavioral record constitutes evidence for the specific claim: "this agent's actions were within its authorized behavioral scope."

This requires three things that standard logging does not provide:

Tamper evidence. The record must be structured so that any modification is detectable. Cryptographic signing with the agent's key, combined with an append-only log with a Merkle tree structure, provides this property. Any modification of a historical record invalidates the hash chain.

Authorization traceability. Each action in the record must trace to a specific authorization in the behavioral pact. Without this connection, the record proves the action happened but not that the action was authorized.

Independent verifiability. The proof must be verifiable by parties outside the agent's execution environment — counterparties, regulators, auditors — without access to the agent's internal state. This requires the public components of the attestation infrastructure (the public key, the pact specification, the verification methodology) to be accessible to any party who might need to evaluate the record.

What This Changes for Enterprise Deployments

For enterprises deploying AI agents, attestation infrastructure changes the accountability equation in three concrete ways.

Dispute resolution becomes tractable. When an agent's behavior is disputed, the question becomes: "does the attestation record support the claimed authorization?" This is a verifiable question, not a political one. The time-to-resolution on disputes drops from weeks to hours.

Regulatory compliance becomes demonstrable. Regulators do not accept claims of compliance — they accept evidence of it. An attestation record that shows every action was within the authorized behavioral scope, with the authorization basis documented and signed, is the kind of evidence that satisfies regulatory inquiry. An organization that can produce this record is in a fundamentally stronger position than one that can only produce claims.

Vendor accountability becomes structural. An agent vendor that commits to behavioral attestation — and whose agents produce attestation records that can be independently verified — is making a qualitatively different kind of commitment than one that offers contractual SLAs without behavioral proof. The attestation infrastructure is the mechanism that makes the commitment credible rather than rhetorical.

The Infrastructure Investment

Building attestation infrastructure is not trivial. It requires key management infrastructure for the agent's signing key, an append-only audit log with cryptographic integrity guarantees, a structured attestation format that captures action, authorization basis, confidence, and timestamp, and verification tooling that allows third parties to validate records against the public key and pact specification.

This investment is a one-time architectural decision, not an ongoing operational burden. Once the infrastructure is in place, every agent that runs on it produces attestation records automatically. The marginal cost of attestation per action is small. The marginal value — in dispute resolution speed, regulatory compliance, and counterparty trust — is significant and compounding.

The agents that have this infrastructure today are building behavioral records that will differentiate them in a market that increasingly demands proof, not claims. That differentiation is worth the infrastructure investment.