Skip to content
INSIGHTS // ACCREDITATION

Audit is the feature: tamper-evident decision trails for agentic systems

2026-05-09 8 MIN READ

When a commercial team ships an agent and it makes a wrong call, the cost is an apology and a patch. When a federal system makes a wrong call, someone will eventually ask, in writing, exactly how it happened — and "the AI decided" is not an answer that ends the conversation. The decision trail is what ends it. Treat audit as the feature, not the paperwork.

The one question audit has to answer

Strip away the frameworks and an audit trail for an agentic system exists to answer a single question: which version of which policy made which decision, on what inputs, and what did a human do about it. Every design choice flows from making that question answerable for any decision the system ever made, months or years later, without anyone's memory involved.

That phrasing matters because each clause is a requirement. "Which version" means you tracked the policy as it changed. "Which policy" means the rules the agent followed are an explicit, named artifact and not implicit in a prompt nobody saved. "Which decision" means decisions are discrete and individually addressable. "On what inputs" means you captured the context the decision was made on. "What did a human do" means approvals and overrides are part of the record. Miss any clause and the trail has a hole an accreditor will find.

Provenance: capture it at decision time or never

Provenance cannot be reconstructed. The moment a decision is made is the only moment all the relevant state exists in one place — the input, the policy version, the model identifier, the tool calls and their results, the agent's reasoning, the outcome. Write all of it then, as one record, tied to a decision ID. Trying to reassemble this later from separate logs is how you end up with a trail that is 90 percent complete and therefore worthless for the one decision under scrutiny.

Concretely, every consequential decision the system makes should emit a record containing, at minimum:

  • Decision ID and timestamp — addressable, ordered, unique.
  • Policy version — the exact tagged version of the rules, prompt, and tool definitions in force.
  • Model identity — which model and version produced the output.
  • Inputs — the context the decision was made on, redacted as required but complete enough to reproduce.
  • Trace — the steps the agent took, including tool calls and their returns.
  • Outcome — what the system decided or did.
  • Human action — who approved, overrode, or was notified, and when.

Tamper-evident, not just logged

A log file an administrator can edit is not evidence; it is a note. For decisions that carry weight, the trail has to be tamper-evident: each record carries a cryptographic hash, and each record's hash includes the previous record's hash, so the entries form a chain. Alter or remove a record in the middle and every hash after it no longer reconciles. You cannot quietly rewrite history, and anyone with the chain can verify it has not been rewritten.

This is deliberately the same idea that secures other ledgers, applied at a modest scale. You do not need a distributed network or a token. You need an append-only, hash-chained store and a verification routine that recomputes the chain and reports the first broken link. The cost is small. The property — being able to demonstrate the record was not altered — is exactly what turns a log into something an authorizing official will accept.

Why this is accreditation readiness, not bureaucracy

An authorization to operate is, at bottom, someone with their name on the line accepting risk on behalf of the government. They accept it more readily when they can see what the system does, prove what it did, and trust that the record was not tampered with. A tamper-evident decision trail directly supplies the evidence the controls ask for: accountability, traceability, integrity of audit data. Built in from the start, it shortens the path to an ATO because the assessor is checking a property you already have rather than asking you to add one.

Built in late, it does the opposite. Retrofitting provenance onto a system that did not capture it at decision time means either accepting that early decisions are unaccountable — a finding — or rebuilding the decision path. We have watched both happen. The teams that sail through assessment are the ones for whom audit was a load-bearing wall, present in the first design review, not a finish applied at the end.

The principle

Audit is not what you do to a finished system to make it compliant. It is a property you design the system to have, and it changes the architecture: decisions become discrete and addressable, policy becomes a versioned artifact, the trail becomes append-only and verifiable. A system built this way is easier to debug, easier to improve with evidence, and easier to defend — because for any decision it ever made, you can produce which version of which policy made it, on what inputs, and what the human did. That is the feature.

Across the agents the founders have put into production — more than 150 across federal, SLED, and commercial work — the ones operating in government are the ones where this was non-negotiable from day one. Tamper-evident logs, scoped credentials, and PII redaction are infrastructure in everything we ship, because for the federal mission they are not enhancements. They are the cost of being allowed to run.


If you need an agentic system that can survive an audit and reach an ATO, designing the decision trail in from the start is the work we do. Start a conversation, or have us train your team to build and reason about it.