The emerging problem: autonomous systems with no accountability trail
AI agents are being given real capabilities — sending emails, modifying records, executing transactions, managing resources. When something goes wrong, the first question is always: what exactly did the agent do, and in what order?
Standard application logs can tell you what happened. They can't tell you the sequence was recorded faithfully and hasn't been retroactively modified to remove problematic actions or shift blame.
Why this matters now
As AI agents take on more consequential actions — billing changes, data modifications, external API calls on behalf of users — the ability to produce a verifiable record of those actions becomes a product requirement, not a nice-to-have. Enterprise customers will ask for it. Regulators will require it.
What's different about AI agent audit trails
Human admin actions have a clear authorization chain: a person clicked a button, entered a password, confirmed a dialog. AI agents act programmatically, often in rapid sequence, often in response to inputs that may themselves be attacker-controlled (prompt injection).
This creates new audit requirements:
- Sequence integrity: actions should be recorded in the order they occurred, with no gaps
- Input capture: what prompt or input triggered the action?
- Causal chain: which parent action or decision node spawned this action?
- Non-repudiation: the agent cannot claim it didn't perform an action that's in the chain
What to instrument
agent.action.execute — any consequential action the agent performs
agent.tool.call — external tool/API calls with parameters
agent.decision.branch — decision points with the input that drove the decision
agent.context.access — when the agent reads sensitive context (user data, credentials)
agent.output.send — messages or outputs sent externally on user's behalf
agent.error.recovery — when the agent retries or handles errors (helps detect manipulation)
SDK example
// Log an AI agent action with full context
await client.logs.ingestLog({
actor: {
id: agentInstance.id,
type: 'ai_agent',
display_name: `${agent.name}:${agentRun.id}`,
},
action: 'agent.tool.call',
target: {
id: 'stripe_api',
type: 'external_service',
},
metadata: {
tool: 'create_subscription',
parameters: {
customerId: customer.id,
planId: selectedPlan.id,
// Don't log secrets — log identifiers
},
triggeredBy: {
runId: agentRun.id,
stepId: currentStep.id,
userMessage: userRequest.id, // reference, not content
},
outcome: result.status,
},
})
The chain property for agent sequences
For AI agents, the hash chain's sequential property is particularly valuable. Agents often perform actions in rapid bursts — evaluate context, call tool, process result, call next tool. The chain ensures:
- No action can be inserted retroactively without breaking all subsequent hashes
- No action can be removed without creating a detectable gap
- The sequence is fixed at write time — you can't reorder events to make a problematic sequence look innocuous
Prompt injection defense
If an agent is manipulated via prompt injection into taking unauthorized actions, those actions will appear in the chain. The chain makes the manipulation detectable — even if it couldn't be prevented.
Verification for AI agent runs
// Verify the action chain for a specific agent run
const report = await fetch('/api/v1/verify/report', {
headers: { Authorization: `Bearer ${apiKey}` },
// Filter to a specific run via metadata search
})
The result is a structured report: valid, totalLogs, validLogs, brokenAt, and a full errors array with the sequence number and reason for each failure.
Who this is for
- Products shipping AI agents with real-world capabilities (billing, data modification, external communications)
- Teams building AI features for enterprise customers who require auditability as a condition of deployment
- Platforms where agents act on behalf of users and need to demonstrate non-repudiation
- Any team that needs to answer "what did the agent do and why?" after an incident or customer complaint