Cryptographic Action Attribution

2. Summary

Cryptographic Action Attribution governs the requirement for irrefutable, cryptographically signed proof of authorship for every governance-relevant action taken by an AI agent. This protocol establishes the foundation for non-repudiation in AI agent governance — the principle that once an action is recorded with a valid cryptographic signature, the originating agent (and by extension, the organisation responsible for that agent) cannot credibly deny having taken that action. Without AG-016, governance records are assertions. With AG-016, they are cryptographically verifiable facts. The capability becomes essential when agents operate across organisational boundaries, when governance records are presented to regulators, or when legal disputes arise about what actions were taken and by whom. AG-016 also requires that attribution survive key compromise — historical signatures made before a compromise must remain valid, preventing an adversary from retroactively invalidating an organisation's entire governance history.

3. Example

Scenario A — Unsigned AML Records Cannot Withstand Regulatory Scrutiny: A financial services firm deploys an autonomous compliance agent that screens transactions for anti-money laundering indicators. The agent reviews 50,000 transactions over six months and clears 49,847 as low-risk. Eighteen months later, a regulatory investigation reveals that 23 of the cleared transactions were part of a money laundering network. The regulator asks the firm to demonstrate which agent reviewed each transaction, what data was available at the time, and whether the clearance decision was genuinely made by the compliance agent or potentially inserted into the audit trail by a human operator seeking to bypass AML controls. Without cryptographic attribution, the firm can produce audit logs, but the regulator's forensic team points out that the logs are stored in a database that the operations team has write access to. Any record could theoretically have been inserted, modified, or back-dated.

What went wrong: Governance records were assertions without cryptographic proof. The audit trail had integrity (records were not tampered with) but lacked attribution (authorship could not be independently verified). Consequence: Regulatory finding for inadequate systems and controls, potential personal liability for senior managers under the FCA's Senior Managers and Certification Regime.

Scenario B — Shared Signing Key Undermines Individual Attribution: An organisation deploys five AI agents for different governance functions. To simplify key management, the operations team issues a single signing key pair shared across all five agents. When a regulatory investigation requires attribution of a specific compliance decision, the investigator finds that the signature proves the decision was made by "one of the five agents" but cannot determine which one.

What went wrong: The signing key was shared across multiple agents, violating the requirement for agent-specific keys. The signature proves organisational origin but not individual attribution. The organisation treated AG-016 as a record integrity measure rather than an attribution measure. Consequence: Regulatory finding for inadequate record-keeping. The regulator cannot assess whether the specific agent that made the compliance decision was fit for purpose. All historical records signed with the shared key have permanently degraded attribution value.

Scenario C — Software Key Extraction Enables Record Forgery: An organisation stores agent signing keys in encrypted files on the application server. A security breach compromises the server, and the attacker extracts the encrypted key files. Using the server's encryption key (also compromised), the attacker decrypts the signing keys and creates forged governance records — backdated clearance decisions for transactions that were never actually reviewed — signed with the legitimate agent keys. The forged records are indistinguishable from genuine records.

What went wrong: The signing keys were stored in software on a system vulnerable to compromise. The organisation had no external timestamp authority to prove when signatures were actually created. The lack of hash chain linking meant forged records could be inserted anywhere in the sequence. Consequence: Complete loss of trust in the governance record. Every signature made with the compromised keys is suspect. The organisation must disclose to regulators that its governance history may contain forged records.

Scenario D — Key Rotation Gap Leaves Unsigned Records: An organisation implements key rotation on a 90-day schedule. The rotation procedure revokes the old key and issues a new key without an overlap period — there is a window of approximately 30 seconds between old key revocation and new key activation. During a busy period, 47 governance decisions are processed during the rotation window and written to the audit trail without signatures.

What went wrong: The key rotation procedure had no overlap period. The application did not fail safely — when no signing key was available, it wrote unsigned records rather than blocking the action. No monitoring existed to detect unsigned records in real time. Consequence: 47 governance decisions with no cryptographic attribution, permanently unverifiable. Compliance review finding triggers remediation and potential SOC 2 audit qualification.

4. Requirement Statement

Scope: This dimension applies to all governance decisions and agent actions that may be required for regulatory proceedings, legal disputes, or compliance certification. This includes: mandate enforcement decisions (approvals and rejections), escalation events, configuration changes, human override actions, multi-party authorisation votes, and any action that creates, modifies, or deletes governance-relevant state. The scope extends to derived records — if a governance platform generates summary reports, compliance certificates, or regulatory filings based on underlying governance records, the derived output should be traceable to the signed source records. The chain of attribution must be verifiable from the final output back to the original signed action records. The scope also covers actions taken by human operators within the governance system. When a human approves an escalation, overrides an agent decision, or modifies a governance configuration, that action must also carry cryptographic attribution. AG-016 is not limited to agent actions — it covers all actions within the governance system that may be relevant to regulatory or legal proceedings.

4.1. A conforming system MUST sign every governance decision record with an agent-specific cryptographic key — each agent must have a unique key pair, and the private key must not be shared with any other agent or system component.

4.2. A conforming system MUST enable signature verification without the cooperation of the signing agent — a third party (regulator, auditor, legal counterparty) must be able to verify signatures using published public keys without requiring the agent to be running or the signing organisation to provide assistance.

4.3. A conforming system MUST ensure that key compromise does not retroactively invalidate historical signatures — the key management architecture must ensure that signatures made before a key compromise are still verifiable and trustworthy after the compromise is detected.

4.4. A conforming system SHOULD implement signature chains that link each record to the prior record through hash chaining, making it impossible to insert, remove, or reorder records without breaking the chain.

4.5. A conforming system SHOULD integrate an external timestamp authority (RFC 3161 compliant) for legal admissibility of signature creation times.

4.6. A conforming system SHOULD implement key rotation without creating gaps in signature coverage — during rotation, there must be an overlap period where both the old and new keys are valid.

4.7. A conforming system MAY implement exportable compliance certificates with embedded signature proof — self-contained documents suitable for submission to regulators.

5. Rationale

Cryptographic Action Attribution addresses a fundamental gap between record integrity and record attribution. AG-006 (Audit Trail Integrity) ensures that governance records cannot be tampered with after creation — that the audit trail is complete and unmodified. AG-016 addresses a different question: not "has this record been changed?" but "who created this record in the first place?" An audit trail can have perfect integrity — no records altered, no records deleted — and still be useless for regulatory or legal proceedings if the authorship of each record cannot be independently verified.

In traditional enterprise systems, action attribution relies on login sessions, IP addresses, and application logs. These are adequate for internal purposes but weak for adversarial proceedings. A cryptographic signature tied to an agent-specific key pair provides a level of attribution that withstands legal challenge, regulatory scrutiny, and forensic investigation. The critical distinction is between assertion and proof. An unsigned log entry asserts that Agent X took Action Y at Time Z. A signed log entry proves it — and the proof can be independently verified by any party with access to the public key.

This capability becomes essential in several contexts. When AI agents operate across organisational boundaries, each party needs verifiable proof of what actions the other party's agents took. When governance records are presented to regulators, the records must withstand forensic examination — a regulator's team will ask whether records could have been fabricated by a human with database access. When legal disputes arise, unsigned governance records may be inadmissible or given reduced weight compared to cryptographically signed evidence.

AG-016 also establishes the requirement for forward security: a key compromise affects future signatures but does not undermine past ones. This prevents an adversary from retroactively invalidating an organisation's entire governance history by compromising a single key, and shapes the key management architecture required for compliance.

6. Implementation Guidance

AG-016 establishes the agent key pair as the central cryptographic artefact. Each agent is issued a unique asymmetric key pair at deployment. The private key is stored in tamper-resistant hardware where possible. The public key is published to a verifiable registry. Every governance decision record is signed before being written to the audit trail.

Recommended patterns:

• HSM-backed signing service. Implement a dedicated signing service that holds agent private keys in hardware security modules. The agent submits the governance record to the signing service, which signs it and returns the signed record. The agent never has access to the private key — only the HSM can perform signing operations. The signing service maintains a registry of agent-to-key mappings and handles key rotation. This pattern provides the strongest key protection and may use cloud HSM services or on-premises HSM appliances.
• Chained signature ledger. Implement the governance record store as a hash-chained ledger where each record's signature includes the hash of the previous record. This creates a tamper-evident sequence — any insertion, deletion, or reordering of records breaks the chain and is immediately detectable. This pattern is particularly valuable for regulatory evidence because it proves not just individual record integrity but the completeness and ordering of the entire governance history.
• Timestamp-anchored signing. Integrate an RFC 3161 timestamp authority into the signing workflow. Each governance record is first signed by the agent's key, then the signature is submitted to the timestamp authority, which returns a timestamp token proving the signature existed at a specific time. The timestamp token is stored alongside the governance record and signature. This provides independent temporal proof suitable for legal proceedings where timestamp authenticity may be challenged.

Anti-patterns to avoid:

• Using symmetric keys instead of asymmetric key pairs. Symmetric keys (shared secrets) cannot provide non-repudiation because both the signer and the verifier possess the same key. Any party with the verification key can also forge signatures. AG-016 requires asymmetric cryptography where the private signing key is held exclusively by the agent and the public verification key is published for independent verification.
• Storing private keys in application configuration. Private keys stored in configuration files, environment variables, or application databases are vulnerable to extraction through application compromise, configuration management exposure, or backup leakage. HSM storage or equivalent tamper-resistant hardware is strongly recommended for any production deployment.
• Treating cryptographic attribution as optional for low-risk actions. Organisations sometimes implement signing only for "high-risk" governance decisions. This creates gaps in the attribution chain. Regulatory investigations frequently focus on decisions that were considered low-risk at the time but proved consequential later. Comprehensive signing avoids this gap.
• Neglecting external timestamp authority integration. Without an independent timestamp, a cryptographic signature proves who signed a record but not when. An organisation with access to the signing key could theoretically create and sign records at any time and backdate them. External timestamp authority integration provides independent proof of when the signature was created.
• Failing to plan for key compromise. Organisations that implement AG-016 without a key compromise response plan may discover that a compromise invalidates their entire governance history. The compromise response plan should include: immediate key revocation, new key issuance, verification that historical signatures remain valid, notification to relying parties, and investigation of whether forged records were created during the compromise window.

Industry Considerations

Financial Services. Financial services firms face stringent record-keeping requirements under MiFID II (trade records), MAR (market abuse records), and national regulatory frameworks. AG-016 cryptographic attribution should be integrated with existing trade reporting and compliance record systems. The FCA's expectations for "adequate, orderly, and up-to-date" records extend to AI agent governance, and cryptographic attribution provides the strongest evidence of record authenticity. Firms should ensure that their AG-016 implementation meets the evidential standards required for FCA enforcement proceedings and Financial Ombudsman Service complaints.

Healthcare. Healthcare organisations processing clinical decisions through AI agents must maintain records that comply with HIPAA Security Rule audit control requirements (45 CFR 164.312(b)) and may face state-level medical records retention requirements. Cryptographic attribution provides verifiable proof that a specific clinical AI agent made a specific recommendation at a specific time — essential for clinical governance, malpractice litigation, and regulatory compliance. The signing architecture should be integrated with existing clinical audit systems and electronic health record platforms.

Critical Infrastructure. Critical infrastructure operators using AI agents for operational decisions (grid management, traffic control, water treatment) must maintain records that demonstrate the provenance of automated control actions. IEC 62443 requirements for security event logging extend to attribution. In incident investigations, regulators and safety authorities will need to determine exactly which automated system took which action and when. Cryptographic attribution provides the forensic foundation for this analysis and should be integrated with existing SCADA and operational technology logging systems.

Maturity Model

Basic Implementation — The organisation issues a unique asymmetric key pair to each deployed agent. Every governance decision record is signed with the agent's private key before being written to the audit trail. Public keys are stored in a configuration file or database accessible to auditors. Signature verification is possible using standard cryptographic libraries. Key storage is in software — encrypted key files or a key management service. This level meets the minimum mandatory requirements but has limitations: software-stored keys are vulnerable to extraction, there is no external timestamp authority, and there is no hash chain linking records sequentially.

Intermediate Implementation — All basic capabilities plus: private keys are stored in hardware security modules or equivalent tamper-resistant hardware. Key extraction is physically impossible. Signature chains link each record to the previous record through hash chaining, creating a sequential integrity guarantee. Key rotation is implemented with overlap periods and documented procedures. Public keys are published to a verifiable registry with change history. Signed records include structured metadata: agent identifier, action type, timestamp, and hash chain reference.

Advanced Implementation — All intermediate capabilities plus: external RFC 3161 timestamp authority integration provides independent proof of signature creation time. Exportable compliance certificates allow governance records to be verified by any third party without platform access. Key management procedures have been independently audited. The signature scheme has been validated against known attack vectors including chosen-message attacks, timing attacks on the signing process, and key recovery attempts. The organisation can demonstrate to regulators that every governance decision in its history is attributable to a specific agent at a specific time with cryptographic certainty.

7. Evidence Requirements

Required artefacts:

• Signing key management procedure. Documented procedures for key generation, storage, rotation, and revocation, including the security controls on key storage (HSM specifications, access controls, audit logging).
• Sample signed record with verification proof. A complete governance record with its cryptographic signature, accompanied by step-by-step verification instructions that a third party can follow using standard tools.
• Key rotation procedure with continuity evidence. Documented rotation procedure showing overlap periods, evidence of rotation executions, and verification that no gaps in signature coverage occurred.
• Third-party verification instructions. Standalone documentation that enables an independent party to verify any signed record using only the public key and standard cryptographic tools, without platform access or proprietary software.

Retention requirements:

• Signed governance records and public key history: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Verification must be possible independently without platform cooperation.

8. Test Specification

Testing AG-016 compliance requires verification of both the signing process and the verification process, including adversarial scenarios.

Test 8.1: Signature Completeness

• Stimulus: Query the governance record store and verify that every record carries a valid cryptographic signature.
• Expected behaviour: 100% signature coverage — zero unsigned governance records.
• Pass criteria: Every governance record has a valid signature verifiable with the corresponding agent's public key.
• Fail criteria: Any governance record exists without a valid signature.

Test 8.2: Independent Verification

• Stimulus: Export a set of signed governance records and the corresponding public keys. Provide them to an independent party (or simulate independent verification in a separate environment with no access to signing infrastructure). Verify signatures using only public keys and standard cryptographic libraries.
• Expected behaviour: Every signature validates independently. No platform access, agent cooperation, or proprietary tools are required.
• Pass criteria: All exported signatures verify successfully using only public keys and standard tools.
• Fail criteria: Any signature requires platform cooperation or proprietary tools to verify.

Test 8.3: Key Compromise Resilience

• Stimulus: Rotate an agent's key pair (simulating compromise response). Verify that all signatures made with the old key before rotation remain valid. Verify that new signatures use the new key. Verify no gap in signature coverage during rotation.
• Expected behaviour: Historical signatures remain valid. New signatures use the new key. No unsigned records during rotation.
• Pass criteria: Key rotation preserves historical signature validity with zero gap in coverage.
• Fail criteria: Historical signatures become invalid after rotation, or a gap in coverage exists during the rotation window.

Test 8.4: Hash Chain Integrity

• Stimulus: If signature chains are implemented, verify the chain by checking that each record's hash includes the prior record's hash. Attempt to insert a record into the middle of the chain and verify detection. Attempt to remove a record and verify detection.
• Expected behaviour: Chain verification succeeds for the legitimate sequence. Insertion and deletion attempts break the chain and are detectable.
• Pass criteria: Any modification to the record sequence (insertion, deletion, reordering) is detectable through chain verification.
• Fail criteria: A record can be inserted, removed, or reordered without breaking the hash chain.

Test 8.5: Timestamp Authority Verification

• Stimulus: If external timestamp authority integration is implemented, verify that timestamp tokens are present on signed records and independently verifiable against the timestamp authority's public certificate.
• Expected behaviour: Timestamp tokens are present, valid, and consistent with record creation times.
• Pass criteria: Timestamp tokens verify independently and no backdating is possible.
• Fail criteria: Timestamp tokens are missing, invalid, or allow backdating.

Test 8.6: Forgery Resistance

• Stimulus: Attempt to create a governance record signed with a different key and insert it into the audit trail. If HSMs are used, attempt to extract the private key.
• Expected behaviour: The signature verification process detects the forgery. HSM key extraction is not possible.
• Pass criteria: No forged record passes signature verification. No private key extraction succeeds.
• Fail criteria: A forged record passes verification, or a private key is extractable.

Conformance Scoring

• Score 0: No cryptographic attribution exists — governance records are unsigned and authorship is asserted but not proven.
• Score 1: Signing exists but verification gaps remain — some records are signed but coverage is incomplete, or verification requires platform cooperation.
• Score 2: Full agent-key signing with third-party verifiable chain — every governance record is signed, verification is independent, and key management procedures are documented.
• Score 3: Verified with external timestamp authority integration and independent validation — an independent party has verified the complete signature chain, timestamp authority integration is operational, and the system has withstood adversarial testing.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU eIDAS	Electronic Signatures (EU 910/2014)	Direct requirement
SOX	Section 302 (Corporate Responsibility for Financial Reports)	Supports compliance
FCA SYSC	9.1 (Record-Keeping)	Direct requirement
GDPR	Article 30 (Records of Processing Activities)	Supports compliance
MiFID II	Trade Record-Keeping	Supports compliance

EU eIDAS — Electronic Signatures (EU 910/2014)

The eIDAS Regulation establishes a legal framework for electronic signatures across the EU. It defines three levels: simple electronic signatures, advanced electronic signatures, and qualified electronic signatures. AG-016 signatures map most directly to advanced electronic signatures, which must be: uniquely linked to the signatory, capable of identifying the signatory, created using data that the signatory can use under their sole control, and linked to the data signed in such a way that any subsequent change is detectable. For AI agents, "signatory" maps to the agent identity, and "sole control" maps to HSM-protected private keys that no human operator can extract. Organisations operating in the EU should assess whether their AG-016 implementation meets the eIDAS advanced signature standard, particularly if governance records may be presented as evidence in cross-border proceedings.

SOX — Section 302 (Corporate Responsibility for Financial Reports)

Section 302 requires corporate officers to certify the accuracy and completeness of financial reports. When AI agents contribute to financial reporting processes — whether through data aggregation, compliance screening, or transaction processing — the governance records that demonstrate how those agents operated become part of the evidence base for the Section 302 certification. AG-016 provides the cryptographic proof that these governance records are genuine and attributable. A SOX auditor reviewing AI agent governance will assess whether the records presented as evidence of agent behaviour are verifiable and whether their authenticity can withstand challenge.

FCA SYSC — 9.1 (Record-Keeping)

The FCA requires regulated firms to maintain records that are sufficient to enable the FCA to monitor compliance (SYSC 9.1). Records must be retained for prescribed periods and produced on request. For AI agent governance records, AG-016 ensures that records are not just retained but attributable — each record can be tied to a specific agent at a specific time with cryptographic certainty. The FCA has indicated through supervisory guidance that it expects firms to demonstrate the provenance of automated decisions, and cryptographic attribution provides the strongest form of provenance evidence.

GDPR — Article 30 (Records of Processing Activities)

Article 30 requires controllers and processors to maintain records of processing activities. When AI agents process personal data, the governance records of those processing activities must be maintained. AG-016 ensures that these records are cryptographically attributable, providing assurance that records accurately reflect the processing that occurred. This is particularly relevant when data subjects exercise their rights under Articles 15-22 and the controller must demonstrate what processing occurred and how decisions were made.

MiFID II — Trade Record-Keeping

MiFID II imposes detailed requirements for the retention and integrity of trade records, order records, and transaction reports. For AI agents involved in trading operations, AG-016 provides cryptographic proof that specific trading decisions were made by specific agents at specific times, directly supporting MiFID II record-keeping obligations and enabling forensic reconstruction of trading activity for regulatory review.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — affects the legal admissibility and regulatory credibility of the entire governance record for the period where attribution is absent or compromised

Consequence chain: Without cryptographic action attribution, governance records can be repudiated — an agent, operator, or vendor can credibly claim that a recorded decision was not made by them. Legal and regulatory proceedings relying on the audit trail are undermined because the records are assertions, not proofs. The audit trail becomes a record of what the platform claims happened, not a verifiable record of what actually happened. The failure mode is particularly dangerous because it is invisible until challenged. An organisation may operate for years with unsigned governance records and never encounter a problem — until a regulatory investigation, legal dispute, or compliance certification requires the records to withstand scrutiny. At that point, the absence of cryptographic attribution cannot be remediated retroactively. Historical records cannot be signed after the fact because the signing would prove only that the record existed at the time of signing, not that the attributed agent created it at the claimed time. The severity scales with the stakes of the decisions recorded. An unsigned record of a low-risk configuration change has limited consequences. An unsigned record of an AML clearance decision, a clinical recommendation, or a critical infrastructure control action may be legally inadmissible and regulatorily non-compliant. In the worst case — key compromise without forward security — every signature made with the compromised keys becomes suspect, and genuine records become cryptographically indistinguishable from forged records.

Cross-reference note: AG-006 (Audit Trail Integrity) ensures records cannot be tampered with after creation — together with AG-016 they provide complete record authenticity and integrity. AG-012 (Identity Assurance) ensures the underlying agent identity is verified and trustworthy, preventing key assignment to unverified agents. AG-015 (Organisational Namespace Isolation) provides the namespace boundary, preventing cross-tenant attribution confusion. AG-049 (Explainability) ensures that the reasoning behind attributed actions can be explained and audited. AG-007 (Governance Configuration Control) governs the configuration that determines what signed records contain.