Writing/

Storytelling vs. Evidence: Why Agent Logs Aren't Evidence

A conceptual exploration of why traditional application logs aren't evidence, what a tamper-evident audit trail for AI agents requires, and why signatures matter.

When we deploy autonomous AI systems to make decisions—like approving loans, processing transactions, or routing medical diagnostics—we rely on logs to trace their actions. But traditional server logs are nothing more than a narrative written after the fact. If a log file can be edited, deleted, or backdated, it is a story, not a record. To establish real security and accountability, you need a tamper-evident audit trail for AI agents that can be verified mathematically.

In this post, we’ll explore the fundamental difference between system testimony and cryptographic evidence, and examine what is actually required to prove what an AI agent did.


Testimony vs. Evidence: The Logging Fallacy

Most engineering teams confuse testimony with evidence.

If you ask your database administrator, “Did our pricing agent charge this customer $500 instead of $50?”, they might point you to a database entry or a log file on AWS CloudWatch that says:

2026-06-13 10:15:30 [INFO] Agent applied holiday surcharge. Price: $500.

This is testimony. It is the system self-reporting what it thinks happened.

While testimony can be helpful for debugging, it has zero evidentiary value in a high-stakes audit. Because that log file is stored as plain text or in a mutable database, anyone with root SSH access, database permissions, or AWS admin credentials can modify it. If a bug in the code accidentally overcharged a client, a rogue developer or a compromised credential could alter the log to cover up the error, change the price tag, or erase the trace entirely.

True evidence requires a mathematical guarantee that the record is complete, untampered with, and authored by the authorized agent at the exact time stated.

AttributeTestimony (Traditional Logs)Evidence (Verifiable Logs)
Trust Model”Trust the operator / cloud provider""Verify the cryptography”
IntegrityMutable (can be edited/deleted)Tamper-evident (detection is instant)
AuthenticityUnsigned (easily spoofed)Cryptographically signed (Ed25519)
AuditabilityRequires system/database accessVerifiable offline with a public key

The Three Cryptographic Layers of Tamper-Evidence

A true tamper-evident audit trail for AI agents cannot rely on access controls or firewalls. It must be secure by design, using cryptography to enforce immutability.

To achieve this, protocols like AXR employ a three-layered cryptographic architecture:

┌────────────────────────────────────────────────────────┐
│  Layer 1: Ed25519 Signatures (Content Integrity)       │
├────────────────────────────────────────────────────────┤
│  Layer 2: Hash Chains (Sequence Integrity)             │
├────────────────────────────────────────────────────────┤
│  Layer 3: Out-of-Band Anchoring (History Integrity)    │
└────────────────────────────────────────────────────────┘

Layer 1: Signatures Break on Edit (Content Integrity)

Every time an agent makes a decision, it generates a structured receipt containing its claims (inputs, outputs, code hash, timestamp). This receipt is serialised into a canonical byte format and signed using an asymmetric Ed25519 private key.

If anyone tries to change a single character in that receipt—even a single decimal point in a transaction fee—the signature breaks mathematically.

Layer 2: Chains Break on Deletion (Sequence Integrity)

If an agent executes three steps, an adversary might not try to modify a step—they might simply delete step #2 entirely to hide an unwanted action.

To prevent this, each step receipt includes a previous_receipt_hash field containing the SHA-256 cryptographic hash of the preceding receipt. This creates a secure, sequential hash chain (much like block headers in a blockchain or commits in a git repository).

If an attacker deletes step #2, the previous_receipt_hash in step #3 no longer matches step #1. The chain breaks, and the verifier instantly flags the deletion.

Layer 3: Anchoring Prevents Rewrites (History Integrity)

What if an attacker rewrites the entire log from scratch, recalculating all the signatures and hashes using a compromised key? To a local verifier, the chain would look mathematically perfect.

To solve this, we use out-of-band anchoring, drawing inspiration from Certificate Transparency (CT).

In the HTTPS world, Certificate Transparency logs do not prevent bad SSL certificates from being created, but they force CA authorities to publish every certificate to an append-only, publicly verifiable log. If a rogue certificate is created, it stands out immediately because it cannot be quietly inserted into the historical tree.

For AI agents, we do the same:

  1. The agent’s local receipts are accumulated into a Merkle tree.
  2. The root hash of this Merkle tree is periodically committed (anchored) to an independent, append-only backend (OpenTimestamps, Rekor, or RFC 3161). For AXR’s own build journal, that anchored root is also witness-cosigned and published on the AXR Devlog.
  3. Once a root hash is anchored, it is mathematically impossible to rewrite the historical logs without changing the root hash.

An auditor can compare the local receipt chain against the anchored root. If a silent rewrite occurred, the roots will not match, exposing the tampering instantly.


Why “Secure” Cloud Logs Aren’t Enough

Many enterprise teams believe that using cloud logging services (like AWS CloudWatch with KMS encryption or Google Cloud Logging) is equivalent to having a tamper-evident audit trail.

This is a dangerous assumption.

Cloud logging relies on operational security, not cryptographic security. It depends on:

  • The cloud provider’s internal security controls.
  • The correctness of your IAM policies.
  • The security of your access keys.

If a bad actor gains administrative access to your cloud console, or if an attacker steals an IAM credential with deletion permissions, they can disable logging, delete log groups, or rotate encryption keys. The security boundary is external to the log itself.

With a cryptographic audit trail, the security is intrinsic to the data. Because the agent itself signs each receipt before it ever leaves the memory environment, the log is secure even if it is stored on an unencrypted, public server. The hosting environment has no power to modify the signature, because it does not hold the private signing key.


Designing for the Skeptical Auditor

When you present your AI agent’s execution logs to a client, regulator, or partner, you should expect them to be skeptical — and for high-risk systems, EU AI Act Article 12 increasingly makes that scrutiny a legal expectation, not just a courtesy.

If your audit process requires them to log into your custom dashboard, you are asking them to trust you. If your audit process requires them to trust a proprietary compliance platform, you are asking them to trust a third party.

By adopting an open-source, mathematically verifiable standard like AXR, you change the dynamic entirely. You hand the auditor:

  1. A raw, standard JSON Lines log file (receipts.jsonl).
  2. Your public key.
  3. A link to an open-source, zero-dependency verifier.

They can download the verifier, run it locally on their own isolated machine, and verify the math themselves.

That is the transition from promises to proof.


Step Up to Verifiable Assurance