H33 attests AI agent actions with post-quantum signatures, binding each action to its authority scope, policy state, and governance chain.
AI agents execute trades, process claims, manage infrastructure, and make security decisions autonomously. When something goes wrong, there are logs — but logs can be modified, truncated, or fabricated. There is no cryptographic proof of what the agent did, under what authority, at what time.
Every agent action produces an H33-74 attestation that binds six critical fields into a single, tamper-evident, post-quantum signed object.
| Field | Contents | Why It Matters |
|---|---|---|
| Action | What the agent did (trade, approve, deny, escalate) | Proves the specific action taken |
| Authority | Which authority scope authorized the action | Proves the agent was permitted to act |
| Scope | The boundaries of the agent's authorization | Proves the agent did not exceed its scope |
| Timestamp | Cryptographically bound time of action | Proves when the action occurred |
| Policy Hash | SHA3-256 of the governing policy at action time | Proves which version of the policy was active |
| Signer Set | ML-DSA + FALCON + SLH-DSA signatures | Three independent PQ families sign every action |
Agent attestations do not merely record what happened. They enforce boundaries. The attestation includes the authority scope, and any action outside that scope produces a cryptographic violation that cannot be hidden.
An agent attested with scope "trade equities under $10,000" produces a provable violation if it attempts a $50,000 trade. The violation is cryptographically bound to the attestation chain and cannot be deleted without breaking downstream hashes.
H33 attestations support negative authority proofs — cryptographic evidence that an agent did not have permission to perform a specific action at a specific time.
Every agent attestation links to its predecessor, forming a hash chain. Modify, delete, or reorder any action and the entire downstream chain invalidates.
{
"action": "trade.execute",
"agent_id": "agent-trading-01",
"scope": "equities:us:lt_10000",
"policy_hash": "b2e4f8a1c3...",
"predecessor": "7d3c1e5f9a...",
"timestamp": "2026-05-18T14:30:00Z",
"attestation": "H33-74://a3f8c1d2...",
"signers": ["ML-DSA-65", "FALCON-512", "SLH-DSA-SHA2-128f"]
}
Tamper detection is automatic. If any attestation in the chain is modified, every subsequent attestation's predecessor hash becomes invalid. The break point is precisely identifiable.
Agent attestation applies to any scenario where autonomous agents take actions that need accountability.
Every trade is attested with the agent's authority scope, risk limits, and the policy version that authorized it. Disputes are resolved from the attestation chain, not from logs.
Insurance claims processed by AI agents produce attestations proving the decision criteria, authority level, and policy state at the time of each approval or denial.
Agents managing cloud infrastructure, deployments, or access control produce attestations for every action — proving who authorized what change and when.
Threat response agents that block IPs, isolate systems, or revoke access produce cryptographic receipts proving the threat data, decision logic, and authority in effect.
Agent logs tell you what someone claims happened. Agent attestation provides cryptographic proof of what actually happened, under what authority, with tamper detection that is mathematically guaranteed.
| Property | Agent Logging | Agent Attestation (H33) |
|---|---|---|
| Tamper resistance | None — logs can be edited, deleted, or fabricated | Hash-chained — any modification breaks all downstream entries |
| Replay capability | Manual log analysis, no deterministic reconstruction | Deterministic replay of governance state at any timestamp |
| Scope enforcement | Logs record events but do not capture authority boundaries | Authority scope committed in every attestation, violations flagged |
| Negative proofs | Cannot prove an agent lacked permission for an action | Cryptographic proof of what the agent could NOT do at a given time |
| Independence | Verifier must trust the log operator's infrastructure | Independently verifiable by any third party, no trust in operator |
| Post-quantum protection | No cryptographic binding, no quantum resistance | Three PQ signature families, three independent hardness assumptions |
| Governance binding | Logs exist separately from policy; correlation is manual | Policy hash, scope, and governance state chained in every attestation |
The core difference is trust. Logs require you to trust the operator who controls the logging infrastructure. Attestation requires you to trust mathematics. If the SHA3-256 hash chain is intact and the three PQ signatures verify, the attestation is authentic — regardless of who the operator is, regardless of whether you have ever interacted with them before.
Agent attestation is not just signing actions. It is committing authority boundaries into an immutable chain so that scope, violations, and the absence of authority are all cryptographically provable.
Scope Commitment in the Governance State Root. When an agent is registered with H33, its authority scope is defined as a structured constraint (for example, equities:us:lt_10000). This scope is SHA3-256 hashed and included in the governance state root — a Merkle root that captures the complete governance state (all active agents, their scopes, the current policy version, and the chain's predecessor hash). Every attestation includes this governance state root. This means every single action the agent takes implicitly commits to its authority boundaries at the time of the action.
Violation Attestation Receipts. When an agent attempts an action outside its committed scope, the attestation engine produces a violation attestation rather than a standard action attestation. The violation receipt includes: the attempted action, the active scope constraint at the time of the attempt, the specific constraint that was violated, and the predecessor hash linking it into the chain. The violation attestation is signed with the same three PQ families and cannot be deleted without breaking the chain. This means scope violations are permanently recorded with the same tamper resistance as valid actions.
Negative Authority Proofs. Negative proofs answer the question: "can you prove the agent could NOT have done X at time T?" The proof is constructed by traversing the attestation chain to time T, extracting the governance state root at that timestamp, and verifying that the scope constraint committed in that root explicitly excludes action class X. For example, if the scope at time T was equities:us:lt_10000 and the disputed action was a $50,000 trade, the negative proof demonstrates that the committed scope excludes trades at or above $10,000. The proof is independently reproducible: any party with access to the attestation chain can derive the same conclusion.
Chain Integrity and Tamper Detection. Every attestation includes the SHA3-256 hash of its predecessor. This creates a linear hash chain where modifying any entry invalidates all subsequent entries. Tamper detection is not a monitoring system — it is a mathematical property of the chain. Two independent parties verifying the same chain will get identical results. If they do not, the divergence point identifies the exact attestation that was modified. The three PQ signatures on each attestation ensure that even a quantum-capable adversary cannot forge attestations to repair a broken chain.
Common questions about cryptographic attestation for AI agents.
Agent attestation is the process of producing a cryptographic receipt for every action an AI agent takes. Each receipt records what the agent did, under what authority scope, at what timestamp, under what policy version, and with what governance chain state. The receipt is signed with three independent post-quantum signature families (ML-DSA-65, FALCON-512, SLH-DSA-SHA2-128f) and compressed into a 74-byte H33-74 Post-Quantum Attestation Primitive bundle. The result is tamper-evident, independently verifiable, and quantum-resistant proof of every agent action.
Logs record events as text entries in a database controlled by the agent's operator. They can be edited, deleted, reordered, or entirely fabricated without any external party being able to detect the tampering. Agent attestation produces cryptographic receipts chained via predecessor hashes — a structure where modifying any entry invalidates every subsequent entry. Attestations are independently verifiable by any third party without trusting the operator, and they include authority scope constraints, policy versions, and governance links that traditional logs simply do not capture.
Negative authority proofs are cryptographic evidence that an agent did NOT have permission to perform a specific action at a specific time. For example, you can prove that an agent was not authorized to access customer PII during a breach window, or that an agent could not execute trades above a threshold during a disputed period. The proof is derived by extracting the governance state root from the attestation chain at the relevant timestamp and verifying that the committed scope constraint explicitly excludes the disputed action class.
Yes. H33 agent attestation is platform-independent. The attestation API accepts any agent action payload via REST, regardless of whether the agent runs on AWS, Azure, GCP, on-premises infrastructure, or edge devices. The attestation binds to the action itself, not to the platform hosting the agent. Whether your agents are built with LangChain, AutoGen, CrewAI, custom frameworks, or any other tooling, H33 attests the actions identically through the same API endpoint.
The agent's authority scope is committed as part of the governance state root in every attestation. The scope constraint is hashed into the attestation chain with each action. Any action that exceeds the scope produces a violation attestation with a flag that is cryptographically bound to the chain and cannot be removed without breaking downstream hashes. The absence of violation attestations for a given action class, combined with the scope constraints committed in every entry, constitutes cryptographic proof that the agent operated within its authorized boundaries for that class of actions.
Every attestation includes a SHA3-256 predecessor hash linking it to the previous attestation in the governance chain. If any attestation is modified, deleted, or reordered, the predecessor hash of the next attestation becomes invalid, and every subsequent attestation in the chain is also invalidated. The break point is precisely identifiable, revealing the exact attestation that was tampered with. This property is automatic and requires no monitoring or detection software. Additionally, the three post-quantum signatures on each attestation prevent a quantum-capable adversary from forging replacement attestations to repair a broken chain.
Expanded scenarios where agent attestation provides capabilities impossible with traditional logging.
An AI trading agent executes thousands of trades per day across multiple asset classes. A regulator investigates a specific 30-minute window where unusual activity occurred. With logs, the operator produces a filtered export — but the regulator has no way to verify that the export is complete, unmodified, or that it accurately reflects the agent's authority at the time. With H33 attestation, the regulator independently replays the governance chain for that window and sees, with cryptographic certainty, what the agent's scope was, what trades it executed, whether any violations occurred, and what policy version was active. The reconstruction is deterministic: the regulator and the operator get byte-identical results.
A healthcare AI agent assists with diagnosis recommendations. A malpractice claim alleges the agent recommended a treatment outside its authorized scope. With attestation, the hospital produces the agent's governance chain showing that its authority scope at the time of the disputed recommendation was explicitly limited to diagnostic suggestions within a specific specialty. The negative authority proof demonstrates the agent could not have recommended treatments in the disputed category — either the agent operated within scope and the recommendation was authorized, or the chain shows a violation attestation proving the scope breach was detected and recorded in real time.
Post-quantum attested. Governance-chained. Independently verifiable. Prove what your agents did — not what they logged.
Agent logging records what operators claim happened. Agent attestation produces cryptographic proof of what actually happened, under what authority, at what time, with what policy state — independently verifiable by any party.
| Property | Agent Logging | H33 Agent Attestation |
|---|---|---|
| Data integrity | Logs can be edited, deleted, reordered, or fabricated without detection | Hash-chained attestations — tampering with any entry invalidates all downstream entries |
| Authority binding | Logs do not capture what authority scope was active when the action occurred | Authority scope is committed as part of every attestation's governance state root |
| Policy version tracking | Logs may reference a policy version but the reference can be altered | SHA3-256 hash of the active policy is cryptographically bound to each attestation |
| Negative proofs | Impossible — cannot prove an action did NOT occur from mutable logs | Negative authority proofs from scope constraints committed in the attestation chain |
| Independent verification | Requires trusting the operator who controls the logging infrastructure | Any third party verifies independently using the public verifier binary |
| Tamper detection | Requires external monitoring; sophisticated tampering may evade detection | Automatic — predecessor hash chain breaks at the exact tampered entry |
| Quantum resistance | Not applicable — logs are plaintext | Three independent PQ signature families protect every attestation |
| Deterministic replay | Not possible — log analysis produces interpretations, not proofs | Deterministic reconstruction of governance state at any historical timestamp |
| Dispute resolution | He-said-she-said — each party presents their interpretation of logs | Both parties replay the same chain and get byte-identical results |
| Gap detection | Missing log entries may go unnoticed without external correlation | Any gap in the hash chain is immediately detectable with precise location |
The fundamental problem with logging is that the entity controlling the logs is usually the entity being audited. This creates an inherent conflict of interest that no amount of access controls can resolve. Agent attestation removes the operator from the trust model entirely. The cryptographic evidence is self-certifying: the mathematics proves integrity, not the operator's claims. An independent verifier needs nothing from the operator except the attestation chain itself — and any modification to that chain is immediately detectable.
How H33 produces a cryptographic receipt for every AI agent action, creating a hash-linked governance chain that is tamper-evident, independently verifiable, and quantum-resistant.
Every agent action produces a 74-byte H33-74 Post-Quantum Attestation Primitive. The attestation contains six fields: the action description (what the agent did), the authority scope (what the agent was permitted to do), the scope boundaries (the limits of the agent's authorization), a cryptographically bound timestamp, a SHA3-256 hash of the governing policy at action time, and the signer set (ML-DSA-65, FALCON-512, and SLH-DSA-SHA2-128f signatures). These six fields are hashed together, signed with three PQ families, and compressed into the 74-byte envelope. Each attestation also includes a predecessor hash linking it to the previous attestation in the governance chain.
The governance chain is a hash-linked sequence of attestations, starting from a genesis attestation. Each attestation's predecessor hash is the SHA3-256 hash of the previous attestation's complete bundle. This creates a chain where modifying, deleting, or reordering any entry produces a hash mismatch at the exact point of tampering, and every subsequent attestation is also invalidated. The chain is append-only by construction: there is no mechanism to insert entries in the middle without breaking the hash linkage. The governance chain is independent of any blockchain — it is a self-certifying data structure that can optionally be anchored on-chain for public verifiability.
The authority scope committed in each attestation defines what the agent is permitted to do. When an agent action exceeds the committed scope, the attestation engine produces a violation attestation with a violation flag that is cryptographically bound to the chain. The violation flag cannot be removed without breaking downstream hashes. This means scope violations are permanently recorded and immediately detectable. The absence of violation attestations for a given action class, combined with the scope constraints committed in every entry, constitutes a cryptographic proof that the agent operated within its authorized boundaries.
Integration is a single REST API call per agent action. The agent's orchestration layer sends a JSON payload containing the action description, the agent identifier, and any relevant metadata. H33 returns the 74-byte attestation bundle, which the caller stores or anchors. The attestation API is platform-independent: it works with LangChain, AutoGen, CrewAI, custom frameworks, or any agent architecture that can make HTTP requests. Attestation latency is 42 microseconds per action, which fits within the decision loop of even high-frequency trading agents.
As AI agents gain autonomy across industries, cryptographic receipts become the minimum standard for accountability, compliance, and dispute resolution.
An insurance company deploys AI agents to process underwriting decisions. When a policyholder disputes a coverage denial, the insurer produces the agent's attestation chain showing the exact policy version, risk model, and authority scope that were active when the denial was issued. The attestation proves the decision was within scope and under a specific, versioned policy — not retroactively justified. Regulators and the policyholder independently verify the same chain.
Cloud infrastructure agents automatically scale, patch, and reconfigure systems. When a service outage occurs, the attestation chain reconstructs the exact sequence of automated decisions: what was changed, when, under what authority, and whether any action exceeded the agent's scope. Post-incident review uses deterministic replay rather than log forensics, reducing investigation time from days to minutes and producing non-repudiable evidence for customer SLA claims.
When AI agents handle document review, communication screening, or contract analysis, the attestation chain proves exactly what the agent reviewed, when, under what legal hold parameters, and whether the agent accessed any material outside its authorized scope. This is critical for legal hold compliance and privilege assertions. The attestation provides cryptographic evidence that the AI's review scope was properly constrained, which is increasingly required by courts accepting AI-assisted discovery.
Procurement agents autonomously negotiate prices, select vendors, and approve purchase orders. Attestation binds each procurement decision to the agent's authorized spending limit, approved vendor list, and compliance requirements at the time of the decision. When an audit reveals an unusual purchase, the attestation chain provides cryptographic proof of whether the agent operated within policy or whether a scope violation occurred — eliminating ambiguity about authorization.
Detailed answers about how cryptographic attestation replaces logging as the accountability mechanism for autonomous AI agents.
Agent attestation is the process of producing a cryptographic receipt for every action an AI agent takes. Each receipt records what the agent did, under what authority scope, at what timestamp, under what policy version, and with what governance chain state. The receipt is signed with three independent post-quantum signature families (ML-DSA-65, FALCON-512, SLH-DSA-SHA2-128f) and compressed into a 74-byte H33-74 Post-Quantum Attestation Primitive that is tamper-evident, independently verifiable, and quantum-resistant. The attestation is hash-linked to the previous action, creating an append-only governance chain.
Logs record events as text entries in a database controlled by the agent's operator. They can be edited, deleted, reordered, or entirely fabricated without any external party detecting the tampering. Agent attestation produces cryptographic receipts chained via predecessor hashes. Modifying any entry invalidates every subsequent entry in the chain. Attestations are independently verifiable by any third party without trusting the operator, and they include authority scope constraints, policy versions, and governance links that traditional logs do not capture. Logs are narratives; attestations are mathematical proofs.
Negative authority proofs are cryptographic evidence that an agent did NOT have permission to perform a specific action at a specific time. For example, you can prove that an agent was not authorized to access customer PII during a breach window, or that an agent could not execute trades above a certain threshold during a disputed period. The proof is derived by extracting the governance state root from the attestation chain at the relevant timestamp and verifying that the committed scope constraint explicitly excludes the disputed action class. This is impossible with traditional logs because log absence proves nothing.
Yes. H33 agent attestation is platform-independent. The attestation API accepts any agent action payload via REST, regardless of whether the agent runs on AWS, Azure, GCP, on-premises infrastructure, or edge devices. The attestation binds to the action itself, not to the platform hosting the agent. Whether your agents are built with LangChain, AutoGen, CrewAI, custom frameworks, or any other tooling, H33 attests the actions identically through the same API endpoint. The only requirement is the ability to make an HTTP POST with a JSON payload.
The agent's authority scope is committed as part of the governance state root in every attestation. The scope constraint is hashed into the attestation chain with each action. Any action that exceeds the scope produces a violation attestation with a flag that is cryptographically bound to the chain and cannot be removed without breaking downstream hashes. The absence of violation attestations for a given action class, combined with the scope constraints committed in every entry, constitutes cryptographic proof that the agent operated within its authorized boundaries for that class of actions throughout the entire attested period.
Every attestation includes a SHA3-256 predecessor hash linking it to the previous attestation in the governance chain. If any attestation is modified, deleted, or reordered, the predecessor hash of the next attestation becomes invalid, and every subsequent attestation in the chain is also invalidated. The break point is precisely identifiable, revealing the exact attestation that was tampered with. This property is automatic and requires no monitoring or detection software. Additionally, the three post-quantum signatures on each attestation prevent a quantum-capable adversary from forging replacement attestations to repair a broken chain.