Every AI decision becomes a cryptographic receipt. Not a log entry. Not a dashboard metric. A post-quantum signed, governance-bound, independently verifiable, deterministically replayable attestation that proves exactly what happened, under what authority, within what scope, at what time.
An AI decision attestation is a cryptographic receipt generated for a single AI action. The distinction between a receipt and a log entry is fundamental to understanding why attestation matters for AI governance.
A log entry is a record that a system writes about itself into a storage system that it controls. The system decides what to log, when to log it, and how to format it. The storage system is typically a database or file system administered by the same organization that operates the AI system. Log entries can be created, modified, or deleted by anyone with administrative access. They are evidence that the system claims something happened. They are not proof.
An attestation receipt is a cryptographic object. It is hash-chained to every previous attestation in the sequence. It is signed with post-quantum algorithms that bind it to a specific governance state. It captures not just the action, but the complete authority context -- who authorized it, what scope boundaries constrained it, which policy version governed it, and which cryptographic signers endorsed it. Once created, an attestation cannot be modified without breaking the hash chain. It cannot be deleted without creating a detectable gap. It cannot be fabricated without possessing the private keys of the signing authorities.
This is the difference between telling someone what happened and proving it. Between a system's self-reported history and a mathematically verifiable record that any independent party can validate. When an enterprise deploys AI systems at scale, when regulators demand accountability, when insurers underwrite AI risk -- the question is whether the governance evidence can survive scrutiny from parties who do not trust the operator. Log entries cannot. Attestation receipts can.
Every AI decision attestation in H33 captures exactly six fields. These fields are not optional metadata. They are the structural definition of a governance receipt. If any field is absent, the attestation is invalid. Together, they provide the minimum information necessary for an independent party to verify that a specific AI action occurred within specific governance bounds.
Every AI deployment under H33 governance is described by a directed acyclic graph (DAG) that defines authority relationships. The root node represents the organization's maximum AI authority. Each edge represents a signed delegation that narrows scope. An AI agent's authority is the intersection of all delegations from root to its position in the graph. The graph is versioned, and its hash is captured in every attestation, binding each decision to the specific authority structure that governed it.
When an AI agent attempts an action, the attestation pipeline traverses the governance graph to determine whether the action falls within the agent's delegated scope. This traversal produces the authority chain that appears in the attestation's authority field. If the action falls outside scope, the attestation records the denial -- including the specific scope boundary that was violated and the negative authority proof that documents the restriction.
Each attestation includes the SHA3-256 hash of the immediately preceding attestation. This creates a chain where every record is cryptographically linked to every record before it. The implications are significant. Modifying any field in any attestation changes its hash. That changed hash propagates forward through the chain, invalidating every subsequent attestation. An attacker cannot selectively edit history. They cannot insert fabricated records into the middle of a chain. They cannot delete records without creating a gap that any verifier will detect.
The hash chain also provides temporal ordering without relying on trusted timestamps. Even if an attacker controls the system clock, the chain ordering is immutable once created. Attestation N always precedes attestation N+1. The governance state at attestation N is always the predecessor state for attestation N+1. This ordering is mathematical, not administrative.
Each attestation is signed using three independent post-quantum signature families: ML-DSA (NIST FIPS 204, lattice-based), FALCON (NTRU lattice-based), and SLH-DSA (stateless hash-based). An attacker would need to simultaneously break MLWE lattices, NTRU lattices, and stateless hash functions to forge a single attestation. This three-family approach means that a breakthrough against any single mathematical hardness assumption does not compromise the attestation chain. The entire signature bundle is compressed to 74 bytes via H33-74 while preserving full verifiability.
Consider an organization that deploys an AI agent for customer service. Over 30 days, the agent processes 50,000 interactions, each producing an attestation. An internal actor attempts to modify a single attestation from day 15 to change the scope field -- making it appear that the agent had broader authority than it actually did. The moment that attestation is modified, its hash changes. That changed hash invalidates attestation 25,001 (which references the original hash of attestation 25,000). That invalidation cascades through every subsequent attestation. An independent verifier checking the chain immediately detects the break at attestation 25,001 and can identify the exact record that was tampered with.
This is not a theoretical property. It is a mathematical guarantee. The agent attestation system produces these chains in production, and the governance replay demo allows you to observe tamper detection in action.
Cyber insurance for AI systems faces a fundamental evidence problem. When a claim is filed -- an AI agent made unauthorized transactions, a model produced biased outputs, an autonomous system exceeded its operational bounds -- the insurer must determine what actually happened. Today, that determination relies on logs, interviews, and forensic analysis of systems controlled by the insured party. The insured organization is both the subject of the investigation and the custodian of the evidence.
Decision attestation restructures this relationship. The attestation chain is independently verifiable. An insurer does not need to trust the organization's logs. They do not need access to the organization's infrastructure. They can download the attestation chain, run an independent verifier, and determine with mathematical certainty whether the AI system was operating within its governance bounds during the claim period.
Negative authority proofs are particularly valuable for insurance. An insurer underwriting an AI deployment can verify that the agent's governance graph explicitly excludes specific high-risk capabilities. The exclusion is not a configuration setting that might have been changed. It is a cryptographic proof, hash-chained and signed, that documents exactly what the agent could not do at every point in time.
For claim verification, attestation chains provide the evidence infrastructure that transforms AI risk underwriting from questionnaire-based assessment to evidence-based verification. The insurer knows what governance was in place, can prove it independently, and can replay specific decisions to assess whether actions fell within policy bounds.
A structural comparison of what traditional AI logging provides versus what cryptographic decision attestation delivers.
| Dimension | Traditional AI Logging | H33 Decision Attestation |
|---|---|---|
| Record type | Database row in operator-controlled system | Hash-chained, PQ-signed cryptographic receipt |
| Tamper resistance | Access controls (bypassable by admins) | Hash chain -- modify one record, invalidate all downstream |
| Governance context | Action description, timestamp, user ID | Action + authority chain + scope + policy hash + signer set |
| Verification model | Trust the operator's logging infrastructure | Independent verification, no vendor trust required |
| Temporal integrity | Wall-clock timestamps (mutable) | Cryptographically bound ordering via hash chain |
| Scope evidence | None -- logs record actions, not boundaries | Positive and negative scope proofs per attestation |
| Policy binding | Policy version may or may not be logged | SHA3-256 policy hash in every attestation |
| Replay capability | Non-deterministic -- depends on log completeness | Deterministic -- same inputs produce identical outputs |
| Quantum resistance | None | Three independent PQ hardness assumptions |
| Storage per record | Variable (typically hundreds of bytes to kilobytes) | 74 bytes (H33-74 compressed attestation) |
Every attestation contains sufficient context for deterministic replay. This means that given an attestation and the governance graph state it references, any independent verifier implementation can reconstruct the governance decision and arrive at the identical verdict. The same action, evaluated against the same governance graph, with the same policy hash, always produces the same result.
This property is what separates attestation from logging. A log entry tells you what the system reported. A replayable attestation lets you independently verify what the system should have decided -- and whether the reported decision matches. If the replay produces a different result than the recorded attestation, either the attestation was fabricated or the governance graph was modified between execution and verification. Both cases are detectable.
Deterministic replay is governed by the HATS protocol, which defines the verification semantics, field ordering, transcript construction, and expected outputs for every attestation type. Any implementation that conforms to HATS produces identical replay results. This is not an aspiration. It is a machine-testable property, verified against canonical conformance vectors. See the HATS standard and conformance testing documentation for details.
$ h33 replay --attestation ./chain/attestation-25847.json \
--governance-graph ./snapshots/graph-v47.json
Attestation ID: attest_25847_f8a3c1...
Action: model_inference (gpt-4-turbo)
Authority chain: root → dept_engineering → team_ml → agent_review
Scope check: PASS (action within delegated bounds)
Policy hash: SHA3-256:9b4e7f2a... (matches policy v12)
Replay verdict: CONSISTENT (matches recorded attestation)
Signatures: VALID (ML-DSA + FALCON + SLH-DSA)
Decision attestation integrates at the infrastructure layer, below applications, below models, below agent frameworks. This means that attestation coverage is independent of which AI platform, model provider, or agent framework an organization uses. The attestation pipeline intercepts actions at the governance boundary and produces receipts regardless of the upstream technology.
For organizations operating multi-agent systems, attestation provides a unified governance record across all agents, all models, and all tool invocations. Each agent's actions are attested within its own scope, and cross-agent delegations are captured in the governance graph. The result is a single, coherent attestation chain that documents the complete decision history of the entire AI deployment.
For regulated industries, attestation chains feed directly into compliance infrastructure, providing the machine-verifiable evidence that regulatory frameworks demand. For insurers, attestation bundles provide the independently verifiable claims evidence that transforms AI risk assessment. For enterprise security teams, operational integrity monitoring built on attestation provides continuous proof that AI systems are operating within governance bounds.
Watch an AI agent produce attestation receipts for every decision, then replay the governance chain independently.