H33 turns agent actions into replayable, post-quantum signed governance evidence — proving what an agent did, under what authority, and under which policy state.
AI agents execute thousands of decisions per minute across finance, infrastructure, and security domains. When something goes wrong, organizations face a reconstruction gap: no cryptographic record of what the agent did, what authority it held, or what policy governed its behavior at the moment of action.
Every agent operation produces a signed attestation recording the full governance context at execution time. These attestations are independently verifiable and deterministically replayable.
| Evidence Field | What It Proves |
|---|---|
| Action | The specific operation the agent executed, cryptographically bound to the attestation |
| Authority | Which key, role, or delegation chain authorized the action at execution time |
| Policy State | The exact policy version and constraints governing the agent when it acted |
| Timestamp | Cryptographically bound execution time, resistant to backdating |
| Signer Set | The complete set of signers that authorized or witnessed the operation |
Every field is post-quantum signed using three independent hardness assumptions (MLWE lattices, NTRU lattices, and stateless hash functions). Breaks require compromising all three simultaneously.
Every agent action attestation fits in 74 bytes: 32 bytes on-chain and 42 bytes in Cachee. The full governance proof is independently verifiable without contacting H33 infrastructure.
H33-Agent-Zero classifies and tags agent actions using fully homomorphic encryption. The classification engine never sees plaintext data — policies are enforced on encrypted inputs, and governance tags are produced without exposing the underlying operation.
Q-Sign produces governance signatures that are not just valid — they are replayable. Any party with access to the attestation chain can reconstruct the exact authorization state that existed when an agent was granted permission to act.
Any domain where autonomous systems make consequential decisions needs cryptographic operational history — not just logging.
Trading algorithms, portfolio rebalancers, and payment processors produce attestations for every execution. Regulators and auditors replay agent state independently.
Auto-scaling, deployment pipelines, and configuration managers produce cryptographic evidence of every change they make to production systems.
Incident responders, threat hunters, and access control systems attest every privilege escalation, quarantine decision, and remediation action.
Algorithmic trading systems produce post-quantum signed records of order placement, execution, and cancellation with full policy context.
Insurance claims processors attest every triage decision, payout authorization, and fraud flag. Disputes are settled with replay, not interpretation.
Regulatory monitoring systems produce replayable attestations of every compliance check, flag, and exception — proving what was known and when.
Watch an agent execute under policy, produce attestations, and replay its operational history from cryptographic evidence.
Traditional access control was designed for humans clicking buttons. AI agents operate at machine speed, making thousands of decisions per minute across distributed systems. The governance model must match the operational model. Here is how H33 cryptographic agent governance compares to conventional approaches.
| Dimension | Traditional Access Control | H33 Agent Governance |
|---|---|---|
| Authorization Model | Permissions-based: agent receives a role or token granting access to resources | Cryptographic proof: every action is signed with the authority that existed at execution time |
| Audit Mechanism | Log-based: vendor-controlled logs record API calls and resource access | Replay-grade: every action produces a post-quantum signed attestation that any party can verify independently |
| Compliance Verification | Periodic audit: compliance is checked on a schedule by reviewing log exports | Continuous attestation: every action is attested in real time with full policy context bound cryptographically |
| Trust Model | Trust-the-vendor: the platform operator controls the logs and can modify or delete entries | Independently verifiable: attestations are anchored on-chain and verifiable without contacting H33 |
| Policy Binding | Policy is checked at request time but not recorded; policy updates overwrite previous versions | Policy version is cryptographically bound to each attestation; historical policy state is always recoverable |
| Scope Enforcement | Scope is defined in the token; violations may not be detected until after the fact | Scope constraints are part of the attestation; violations are detected at attestation time and provable in replay |
| Quantum Resistance | Classical signatures (RSA, ECDSA) are vulnerable to quantum attack on authorization tokens | Three independent PQ hardness assumptions: MLWE lattices, NTRU lattices, and stateless hash functions |
| Forensic Utility | Reconstruction depends on log completeness and vendor cooperation | Deterministic replay from cryptographic evidence; no vendor dependency for reconstruction |
The fundamental difference: traditional access control answers "was the agent allowed?" H33 agent governance answers "what did the agent do, under what authority, under which policy, and can any independent party verify this forever?"
H33 agent governance constructs a directed acyclic graph (DAG) of agent actions, authority delegations, and policy states. Every node in the graph is a post-quantum signed attestation. The graph structure enables deterministic traversal for replay, audit, and forensic reconstruction.
Action Capture. When an AI agent performs an operation, the H33 governance layer intercepts the action at the API boundary. The layer captures the action type, input parameters, output results, the identity of the agent, and the current timestamp. This capture happens synchronously — the action is not considered complete until the attestation is produced. The captured data is hashed using SHA3-256 to produce a deterministic fingerprint of the operation.
Authority Binding. The governance layer then resolves the authority chain that authorized this agent to act. This includes the delegation path (which human or system granted the agent permission), the scope constraints (what operations the agent is authorized to perform), and the policy version governing the agent at execution time. The authority context is serialized and included in the attestation payload. If the agent is operating under a delegation chain — for example, a human approved a workflow that spawned sub-agents — the full chain is captured, not just the immediate caller.
Scope Constraint Verification. Before the attestation is signed, the governance layer verifies that the action falls within the agent's authorized scope. Scope constraints are defined as structured predicates: which operations are permitted, which resources can be accessed, which value thresholds apply, and which time windows are active. If the action violates any constraint, the attestation records an escalation proof — a cryptographic record that the scope boundary was crossed. This escalation proof is itself signed and linked to the governance graph, creating an immutable record of the violation.
Attestation Signing. The complete payload — action hash, authority context, scope verification result, and timestamp — is signed using three independent post-quantum signature families (ML-DSA-65, FALCON-512, and SLH-DSA-SHA2-128f). The resulting attestation is compressed into the 74-byte H33-74 Post-Quantum Attestation Primitive format: 32 bytes anchorable on-chain, 42 bytes stored in Cachee. The attestation is then linked to its parent in the governance DAG, creating a hash-chained lineage that enables deterministic replay from any point in the graph.
Escalation Proofs. When an agent attempts to exceed its scope, H33 does not simply block the action. It produces an escalation proof: a signed attestation that records what the agent attempted, what scope boundary was crossed, what authority the agent held, and the policy that defined the boundary. This escalation proof is linked to the governance graph and can be replayed independently. Organizations can configure escalation responses — block, allow-with-flag, or require-approval — and each response is itself attested.
AI agent governance is the practice of maintaining cryptographic records of every action an autonomous AI agent performs, including the authority that authorized it, the policy that governed it, and the scope constraints that bounded it. Unlike traditional logging, governance produces independently verifiable evidence that can be replayed by any party without vendor cooperation. As AI agents take on more consequential roles in finance, infrastructure, and security, organizations need provable operational history — not just access logs.
Role-Based Access Control (RBAC) determines whether an agent is allowed to perform an action at request time. Cryptographic governance records what the agent actually did, under what authority, and under which policy — and makes that record independently verifiable forever. RBAC is a gatekeeping mechanism; cryptographic governance is an evidence mechanism. H33 can work alongside RBAC: your existing access control system decides permissions, and H33 produces the cryptographic proof of what happened after the decision was made.
Yes. H33 agent governance operates at the API boundary, meaning it integrates with any agent framework that makes HTTP calls or produces observable outputs. Whether your agents run on OpenAI, Anthropic, LangChain, AutoGPT, custom frameworks, or internal tooling, H33 captures actions at the integration point. The governance layer does not require modifications to the agent itself — it wraps the agent's execution environment and produces attestations for every action that crosses the boundary.
When an agent attempts an action outside its authorized scope, H33 produces an escalation proof — a cryptographic record of the attempted violation. The escalation proof records what was attempted, what scope boundary was crossed, and what authority the agent held. Organizations can configure responses: block the action, allow it with a governance flag, or route it for human approval. Every response is itself attested, creating an unbroken chain of evidence regardless of the outcome.
H33 is not a blockchain. Attestations are produced by H33 infrastructure and can optionally be anchored on any blockchain (Bitcoin, Solana, Ethereum, L2s) via a 32-byte commitment. The anchoring provides an additional trust anchor but is not required for verification. Attestations are independently verifiable using the offline verifier CLI without any blockchain interaction. The governance graph is a DAG of signed attestations, not a distributed ledger.
Any party with access to the attestation evidence can download the open-source verifier CLI and reconstruct the agent's operational history. The verifier traverses the governance DAG, checks every signature against three independent post-quantum families, validates the hash chain integrity, and confirms that each action was authorized by the recorded authority under the recorded policy. The verifier requires no API key, no network connectivity, and no H33 account. Third-party implementations produce identical results.
A hedge fund deploys AI agents that execute trades across multiple venues. Each agent operates under a policy that defines maximum position sizes, permitted instruments, and trading hours. When a regulator requests evidence that a specific trade was authorized, the fund provides the attestation chain. The regulator downloads the verifier CLI and independently reconstructs the agent's state at the moment of execution: the delegation chain from the portfolio manager to the trading agent, the policy version that defined the position limit, and the scope constraint that permitted the instrument. The reconstruction is deterministic — every verifier produces the same result. No vendor cooperation required. No log interpretation. No ambiguity about what authority existed when the trade was placed.
An AI agent managing cloud infrastructure automatically scales a production database cluster during a traffic spike. The scaling action triggers a cascade: the agent provisions new instances, modifies security groups, and updates DNS records. When the post-incident review asks "who authorized this and under what policy?", the answer is in the governance graph. Each action in the cascade has its own attestation, linked to the parent action that triggered it. The review team replays the entire cascade from the initial traffic detection through the final DNS update, verifying that every step was within scope and that the policy governing auto-scaling was the version the team approved — not a version that was updated after the incident.
A financial institution runs a loan approval workflow involving three agents: a document extraction agent, a risk scoring agent, and an approval agent. Each agent passes its output to the next. When a borrower disputes a denial, the institution replays the entire workflow from the governance graph. The replay shows exactly what the document extraction agent parsed, what risk score was computed (on encrypted data via FHE), and what threshold the approval agent applied. The attestation chain proves that the denial was based on the correct inputs processed under the correct policy — not on stale data or an outdated risk model.
Traditional access control systems were designed for human users performing predictable tasks. Autonomous AI agents operate at machine speed, make contextual decisions, and chain actions across systems. The governance model must evolve accordingly. The table below compares traditional access control mechanisms with H33 cryptographic agent governance across the dimensions that matter most when agents act autonomously.
| Dimension | Traditional Access Control (RBAC / ABAC) | H33 Cryptographic Agent Governance |
|---|---|---|
| Enforcement point | Request-time gatekeeping. Checks whether the action is allowed before execution. | Continuous attestation. Every executed action is signed with three post-quantum signature families, creating immutable evidence of what actually happened. |
| Evidence model | Logs. Text-based, mutable, vendor-specific format. Requires trust in the logging infrastructure. | Cryptographic attestations. Each event is hash-chained to its predecessor. Tampering breaks the chain and is mathematically detectable. |
| Scope enforcement | Static roles and permissions. Changes require admin intervention and propagation delays. | Policy-bound execution envelopes. Scope constraints are embedded in the attestation and enforced at the cryptographic layer. Violations produce escalation proofs. |
| Independent verification | Not possible without vendor cooperation. Auditors must trust the access control system itself. | Any party can download the open-source verifier CLI and reconstruct the full operational history offline. No API key, account, or connectivity required. |
| Quantum resistance | No post-quantum security. Relies on classical algorithms (RSA, ECDSA) that are vulnerable to future quantum attacks. | Every attestation is signed with ML-DSA-65, FALCON-512, and SLH-DSA-SHA2-128f. Breaks only if MLWE lattices, NTRU lattices, and stateless hash functions are simultaneously broken -- three independent hardness assumptions. |
| Multi-agent support | Designed for single-user sessions. Multi-agent coordination requires custom extensions. | Built for agent-to-agent delegation. Authority chains, scope inheritance, and cross-agent attestation are first-class primitives. |
| Replay capability | No deterministic replay. Log review is manual, error-prone, and subject to interpretation. | Full deterministic governance replay. Reconstruct the exact operational state at any historical timestamp from cryptographic evidence alone. |
| Attestation size | N/A. No attestation primitive exists. | 74 bytes per attestation via the H33-74 Post-Quantum Attestation Primitive. 32 bytes on-chain, 42 bytes in cache. |
Traditional access control remains necessary for real-time gatekeeping. H33 agent governance does not replace it -- it adds a cryptographic evidence layer that makes every agent action independently verifiable, replayable, and tamper-evident. The two systems are complementary: RBAC decides whether an action should happen; H33 governance proves what did happen.
H33 agent governance operates as an attestation layer that sits at the API boundary between your agents and the systems they interact with. It does not modify agent behavior or replace existing access control. Instead, it creates an independently verifiable cryptographic record of every action.
When an AI agent performs an action, H33 captures the operational context and produces a cryptographic attestation in three stages. First, the action metadata -- including the agent identity, the authority that authorized it, the policy governing it, and the scope constraints bounding it -- is serialized into a canonical frame. Second, this frame is signed with three independent post-quantum signature families: ML-DSA-65 (FIPS 204, lattice-based), FALCON-512 (NTRU lattice-based), and SLH-DSA-SHA2-128f (FIPS 205, hash-based). Third, the attestation is hash-chained to the previous attestation in the agent's operational history using SHA3-256, creating a tamper-evident directed acyclic graph (DAG) of governance evidence.
Each agent operates within a policy-bound execution envelope that defines its permitted scope: which APIs it may call, which data it may access, which operations it may perform, and under what conditions. These constraints are not enforced by the agent itself -- they are encoded in the attestation infrastructure. When an agent attempts an action outside its authorized scope, the system produces an escalation proof: a cryptographic record of the attempted violation, the policy that was violated, and the response taken. Organizations configure escalation responses -- block, flag, or route for human approval -- and every response is itself attested.
Every agent action produces a 74-byte attestation via the H33-74 Post-Quantum Attestation Primitive. Of those 74 bytes, 32 are a SHA3-256 commitment that can be anchored on any blockchain (Bitcoin, Solana, Ethereum, L2s). The remaining 42 bytes are stored in the H33 cache layer. The full signature bundle -- containing all three PQ signatures, the canonical frame, and the hash-chain linkage -- is available for offline verification. This architecture means governance evidence is permanent, compact, and verifiable by any third party without H33 infrastructure.
H33 agent governance integrates at the API boundary, not inside the agent. This means it works with any agent framework -- OpenAI, Anthropic, LangChain, AutoGPT, custom internal tooling -- without modifying agent code. A single API call wraps an agent action with a PQ attestation. The governance layer adds less than 42 microseconds of latency per operation on production hardware, making it invisible to end users and agents alike.
Cryptographic agent governance addresses the accountability gap that emerges whenever autonomous systems act on behalf of humans or organizations.
AI agent governance is the practice of maintaining cryptographic records of every action an autonomous AI agent performs, including the authority that authorized it, the policy that governed it, and the scope constraints that bounded it. Unlike traditional logging, governance produces independently verifiable evidence that can be replayed by any party without vendor cooperation.
Role-Based Access Control (RBAC) determines whether an agent is allowed to perform an action at request time. Cryptographic governance records what the agent actually did, under what authority, and under which policy -- and makes that record independently verifiable forever. RBAC is a gatekeeping mechanism; cryptographic governance is an evidence mechanism. They are complementary: RBAC decides what should happen, governance proves what did happen.
Yes. H33 agent governance operates at the API boundary, meaning it integrates with any agent framework that makes HTTP calls or produces observable outputs. Whether your agents run on OpenAI, Anthropic, LangChain, AutoGPT, custom frameworks, or internal tooling, H33 captures actions at the integration point. No agent code modification is required.
When an agent attempts an action outside its authorized scope, H33 produces an escalation proof -- a cryptographic record of the attempted violation, including the specific policy that was breached, the action that was attempted, and the scope boundary that was crossed. Organizations configure responses: block the action, allow it with a governance flag, or route it for human approval. Every response is itself attested, ensuring the escalation handling is also part of the verifiable evidence chain.
H33 is not a blockchain. Attestations are produced by H33 infrastructure and can optionally be anchored on any blockchain (Bitcoin, Solana, Ethereum, L2s) via a 32-byte SHA3-256 commitment. The governance graph is a directed acyclic graph (DAG) of signed attestations, not a distributed ledger. Blockchain anchoring adds an optional layer of public timestamping but is not required for governance verification.
Any party with access to the attestation evidence can download the open-source verifier CLI and reconstruct the agent's operational history. The verifier requires no API key, no network connectivity, and no H33 account. It checks every signature against all three PQ families, validates the hash chain integrity, and confirms policy compliance. Third-party verifier implementations produce identical results, ensuring no single party controls the truth of the governance record.