The Problem: Agents Act Faster Than Humans Audit
An AI agent can execute thousands of actions per second. It can make API calls, modify data, trigger workflows, send communications, and allocate resources at machine speed. A human auditor reviewing those actions works at human speed: hours or days to examine what the agent did in milliseconds.
This is not a staffing problem. It is a structural asymmetry. No amount of additional auditors closes the gap between machine-speed execution and human-speed review. The audit backlog grows monotonically. The coverage ratio declines monotonically. At sufficient agent throughput, governance becomes purely theoretical.
The conventional response is logging. Log everything the agent does. Review the logs later. But logs have a fundamental problem: they describe events. They do not prove them. A log entry that says "agent checked permissions before executing" is a claim, not evidence. The log can be incomplete, selectively recorded, or retroactively modified. Logging is observation. Governance requires proof.
What "Proven" Means
"Proven" has a specific meaning in this context. It means that an independent party, with no access to the system that ran the agent, can reconstruct the exact authority state of that agent at any point in time and verify that every action was within scope.
This requires three things:
- Deterministic reconstruction — Given the same evidence, any verifier arrives at the same conclusion about what authority the agent had.
- Tamper evidence — If any piece of the evidence chain has been modified, the modification is detectable.
- Independence — The verifier does not need to trust the system that produced the evidence. Mathematical verification replaces institutional trust.
H33 achieves all three through the Agent Execution DAG.
The Agent Execution DAG
Every agent action produces a node in a Directed Acyclic Graph. The node contains:
- Action descriptor — What the agent did (structured, typed, canonicalized)
- Authority reference — Which scope object authorized this action
- Causal parents — Which previous actions this action depends on (edges in the DAG)
- Pre-state hash — System state before the action
- Post-state hash — System state after the action
- Timestamp — Cryptographically bound, not system-clock dependent
- PQ signature — Three-family post-quantum signature over the entire node
The DAG structure is critical. Unlike a linear log, a DAG captures concurrent and causally independent actions without imposing a false total ordering. If an agent performs two independent actions simultaneously, they appear as sibling nodes with a common parent, not as one "before" the other. This preserves the actual causal structure of the agent's execution.
Node {
action_id: "act_7f3a2b",
action_type: "api_call",
target: "payments/transfer",
scope_ref: "scope_4c9e1d",
parents: ["act_6e2a1c", "act_5d1b0a"],
pre_state: "sha3_a8f2c1...",
post_state: "sha3_b9e3d2...",
timestamp: 1747958400000,
signatures: {
ml_dsa: "...",
falcon: "...",
slh_dsa: "..."
}
}
Scope Enforcement
A scope object defines the boundary of an agent's authority. It is not a guideline. It is a cryptographically signed constraint set that the attestation layer enforces on every action.
Scope objects specify:
- Permitted action types — Which categories of actions the agent may perform
- Resource boundaries — Which resources (APIs, data stores, services) the agent may access
- Time windows — When the scope is valid (not before, not after)
- Delegation limits — Whether the agent may delegate authority to sub-agents, and with what constraints
- Value thresholds — Maximum values for financial operations or other quantitative limits
Before any action is added to the Execution DAG, the scope enforcement layer checks the proposed action against the active scope object. The check itself is attested. This means the evidence chain records not just "the agent did X" but "the agent's scope was checked against X and the result was permit/deny."
Scope is not advisory. The scope enforcement layer operates at the attestation level, not the application level. An agent cannot bypass scope by modifying its own code, because the attestation layer is architecturally independent of the agent's execution environment.
Negative Authority Proofs
Traditional access control systems prove what was authorized. They keep a record of permissions granted. But they cannot prove what was not authorized, because the absence of a grant in a traditional system could mean the grant was deleted, never existed, or existed in a different system.
H33 produces negative authority proofs: cryptographic attestations that demonstrate, at a specific point in time, that an agent did not have authority to perform a specific class of action.
This is implemented through scope completeness. The scope object defines the complete boundary of the agent's authority. Anything not explicitly permitted is provably denied. The scope object is signed and immutable for its validity period. An independent verifier can examine the scope object, confirm it was in effect at the time in question, and verify that the action type in question is not present in the permitted set.
Negative proofs are critical for three scenarios:
- Insurance claims — "The agent could not have performed the harmful action because its scope did not include that action type during the incident window."
- Regulatory defense — "We can prove the agent was restricted from accessing that data category. Here is the cryptographic evidence."
- Liability attribution — "If the agent did perform the action despite scope restrictions, the attestation chain shows exactly where the scope check failed, which means the failure is in the enforcement layer, not in the agent's intent."
Replay: Reconstruct Authority at Any Timestamp
The Execution DAG is a complete, deterministic record of every action, every scope check, and every authority state transition. This means any independent verifier can reconstruct the exact authority state of any agent at any point in time.
The replay process is mechanical:
- Start at the DAG root (agent initialization)
- Walk the DAG forward to the target timestamp
- At each node, verify the PQ signatures
- At each scope-check node, verify the scope object was valid at that time
- At the target timestamp, output the authority state: which scope was active, what was permitted, what was denied
H33's replay engine processes 10,000-action sessions in 2.5 milliseconds. Replay determinism is 100.0%: every run of the replay engine on the same DAG produces byte-identical output.
The Insurance Value
When an AI agent causes financial harm, the insurance claim process requires answering a specific question: was the agent operating within its authorized scope at the time of the incident?
Without cryptographic governance, this question is unanswerable with certainty. You have logs that say what happened. You have configuration files that say what should have happened. But you cannot prove that the configuration was in effect at the exact moment of the incident, that the logs were not modified after the fact, or that the agent actually checked the configuration before acting.
With the Execution DAG, the insurer can independently verify the answer. They do not need to trust the policyholder's system. They take the DAG, run the replay engine, and get a deterministic answer: at timestamp T, the agent's scope included (or did not include) the action that caused the claim.
This transforms cyber insurance from a trust-based assessment to an evidence-based verification. Premiums can be tied to governance quality. Claims can be adjudicated on cryptographic evidence rather than competing narratives.
| Property | Traditional Agent Logging | H33 Execution DAG |
|---|---|---|
| What it records | Events (what happened) | Actions + authority + causal structure |
| Tampering | Logs can be modified or deleted | DAG nodes are PQ-signed; tampering breaks chain |
| Scope enforcement | Application-level (bypassable) | Attestation-level (architecturally independent) |
| Negative proofs | Cannot prove absence of authority | Scope completeness enables negative proofs |
| Replay | Log aggregation (approximate) | Deterministic reconstruction (exact) |
| Independence | Trust the system operator | Any verifier, no trust required |
| Insurance value | Supporting documentation | Independently verifiable evidence |
Frequently Asked Questions
What is an Agent Execution DAG?
A cryptographic data structure where every agent action is a signed node, every causal dependency is an edge, and the complete structure is PQ-signed and independently verifiable. It captures what the agent did, why, what authority it invoked, and what scope constraints were in effect.
What are negative authority proofs?
Cryptographic attestations that an agent did NOT have authority to perform a specific action. The scope object defines the complete authority boundary. Anything not explicitly permitted is provably denied. This is critical for insurance claims and regulatory investigations.
How does scope enforcement work for AI agents?
Scope enforcement binds agent authority to a signed scope object defining permitted actions, resource boundaries, time windows, and delegation limits. The attestation layer checks every action against the active scope before the action enters the Execution DAG. The check itself is attested.
Can agent governance be replayed at any timestamp?
Yes. The DAG is deterministic. Any verifier can reconstruct the exact authority state of any agent at any timestamp. The replay engine processes 10,000-action sessions in 2.5ms with 100.0% determinism.
Why does AI agent governance matter for insurance?
When an agent causes harm, the insurance question is: was it operating within authorized scope? Without cryptographic governance, this is a trust-based assessment. With the Execution DAG, the insurer independently replays authority state at the exact moment of the incident using mathematical verification, not institutional trust.