Non-Repudiation Evidence Governance

2. Summary

Non-Repudiation Evidence Governance requires that every critical AI agent governance action — mandate approval, configuration change, emergency override, and high-value transaction authorisation — produces cryptographic or equivalent evidence that the action was genuinely authorised by the attributed identity, such that the authoriser cannot credibly deny having performed it and no third party can forge the evidence. Non-repudiation is the capstone of the identity and authentication landscape: AG-279 verifies identity, AG-281 binds devices, AG-285 secures sessions, AG-286 attests context — and AG-287 combines these into irrefutable evidence that a specific person, on a specific device, in a specific context, at a specific time, authorised a specific action. Without non-repudiation, disputed governance actions devolve into "he said, she said" — the approver claims they never approved it, and the organisation cannot prove otherwise.

3. Example

Scenario A — Denied Approval Without Cryptographic Evidence: A mandate approval for a financial agent raising the per-transaction limit from £100,000 to £1,000,000 is recorded in the governance log with the approver's username and timestamp. Six months later, the agent executes a £950,000 transaction that is later determined to be fraudulent. The approver — a senior manager subject to FCA personal accountability — claims they never approved the mandate change. The governance log entry shows their username but the approver argues: "Someone used my account. I was on holiday that week. The log only proves my username was used, not that I performed the action." The organisation cannot produce evidence beyond the username in the log. The FCA investigation stalls on the attribution question.

What went wrong: The governance action was logged with identity attribution but without cryptographic non-repudiation evidence. A username in a log proves that the system received a request with that username attached — it does not prove the named person initiated the request. Without a digital signature from the approver's personal, device-bound key, the evidence does not rise to non-repudiation. Consequence: Unable to attribute the mandate approval, FCA enforcement action for inadequate governance controls, personal liability left unresolved, £950,000 in disputed loss.

Scenario B — Forged Evidence Creates False Attribution: An insider with database access to the governance platform creates a fabricated approval record, attributing a mandate change to a colleague. The fabricated record includes the colleague's username, a plausible timestamp, and the mandate change details. The colleague was on parental leave at the time. The fabrication is used to blame the colleague for a governance failure that the insider caused. The fabricated log entry is indistinguishable from a genuine entry because neither is cryptographically signed.

What went wrong: The governance log provided no cryptographic integrity protection for individual records. Any user with database write access could create or modify records. Genuine and fabricated entries were indistinguishable. Consequence: False attribution, potential wrongful termination, employment tribunal risk, governance integrity undermined.

Scenario C — Disputed Override in Safety-Critical Context: An emergency override disables a safety limit on a robotic agent in a manufacturing environment. The override was necessary to clear a production blockage, but it was performed without the required dual-approval protocol. The operator who performed the override claims they had verbal approval from the shift supervisor. The shift supervisor denies giving approval. The governance log shows the operator's action but no evidence of supervisory approval. Without non-repudiation evidence (e.g., the supervisor's digital signature on the override request), the dispute is unresolvable.

What went wrong: The override workflow accepted a verbal approval without requiring cryptographic evidence from the approver. The system recorded the operator's action but not the supervisor's authorisation in a non-repudiable form. Consequence: Unresolvable dispute, potential HSE investigation, inability to demonstrate compliance with safety override procedures.

4. Requirement Statement

Scope: This dimension applies to every AI agent governance action that has material consequences — defined as actions that: modify agent mandates or authority, approve or modify agent configurations, authorise emergency overrides, commit to financial value exceeding £10,000, affect safety controls, or modify access control policies. The scope extends to both the primary actor (who performed the action) and the approver (who authorised it, if different). It covers actions by humans, services, and agents where the action's attribution must be non-repudiable for regulatory, legal, or safety purposes.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

4.1. A conforming system MUST produce a digital signature over every material governance action, signed with a key that is uniquely bound to the acting identity and stored in tamper-resistant hardware (TPM, HSM, Secure Enclave, or equivalent).

4.2. A conforming system MUST include in the signed payload: the complete action specification (what was changed), the actor's identity (linked to AG-279 proofing), the device identity (linked to AG-281 registry), the session context (linked to AG-286 attested context), and a trusted timestamp from a Time Stamping Authority (TSA) or equivalent.

4.3. A conforming system MUST store non-repudiation evidence in a tamper-evident log that preserves the signature, the signed payload, and the certificate chain, enabling independent verification at any future point.

4.4. A conforming system MUST ensure that non-repudiation evidence is independently verifiable — a third party (auditor, regulator, court) can verify the signature using the public key, the certificate chain, and the TSA timestamp without access to the governance platform.

4.5. A conforming system MUST NOT accept material governance actions that cannot produce non-repudiation evidence — if the actor's signing key is unavailable (e.g., hardware token not present), the action MUST be blocked.

4.6. A conforming system SHOULD implement dual-signature non-repudiation for the highest-risk actions (e.g., mandate changes exceeding £500,000, safety override approvals), requiring cryptographic signatures from both the actor and an independent approver.

4.7. A conforming system SHOULD implement long-term signature preservation using CAdES, XAdES, or PAdES formats that include timestamping and certificate chain embedding, ensuring signatures remain verifiable after certificates expire.

4.8. A conforming system SHOULD integrate non-repudiation evidence with the organisation's legal records management system, ensuring that evidence is classified, retained, and producible according to legal hold requirements.

4.9. A conforming system MAY implement blockchain or distributed ledger anchoring for non-repudiation evidence, providing an independent, publicly verifiable timestamp and integrity proof for governance actions.

5. Rationale

Non-repudiation is the property that prevents a party from denying a previously committed action. In physical transactions, non-repudiation is provided by handwritten signatures, witnessed by notaries, and preserved on paper. In digital transactions, non-repudiation requires cryptographic signatures — mathematical proof that a specific private key was used to sign a specific message.

For AI agent governance, non-repudiation serves three critical functions:

First, regulatory accountability. Regulations such as the FCA Senior Managers Regime, SOX officer certifications, and GDPR controller obligations assign personal responsibility to named individuals for governance decisions. If an individual can credibly deny having made a governance decision, personal accountability cannot be enforced. A digital signature from the individual's hardware-bound key provides evidence that cannot be credibly denied — the individual would need to prove that their physical hardware was compromised, which is a much higher evidentiary bar than "someone used my password."

Second, dispute resolution. When a governance action is contested — the approver claims they did not approve it, or the configuration was not what the administrator intended — non-repudiation evidence provides an objective record. The signature proves the identity. The signed payload proves the content. The timestamp proves the time. The device binding proves the device. The attested context proves the circumstances.

Third, forensic integrity. During incident investigation, the integrity of governance records is paramount. If governance records can be fabricated, the investigation can be misdirected. Cryptographic non-repudiation makes fabrication computationally infeasible — the attacker cannot produce a valid signature without the private key, which is stored in tamper-resistant hardware.

The requirement for hardware-bound keys (TPM, HSM, Secure Enclave) is deliberate. Software-stored keys can be extracted by malware, copied between devices, or stolen through memory dumps. A hardware-bound key never leaves the hardware — signing operations are performed inside the secure element, and only the resulting signature is output. This provides the "I could not have signed it from another device" property that is essential for non-repudiation.

6. Implementation Guidance

Non-repudiation evidence should be generated as an integral part of the governance action execution flow, not as a post-hoc addition. The signing step should be a mandatory gate — if the signature cannot be produced, the action does not proceed.

Recommended patterns:

• FIDO2/WebAuthn assertion as non-repudiation evidence. For web-based governance platforms, use FIDO2 assertions as the non-repudiation mechanism. When the user performs a material governance action, the platform generates a challenge containing the action specification (hash of the mandate change, configuration delta, or override details). The user's FIDO2 authenticator signs the challenge with its device-bound private key. The resulting assertion — including the challenge, the signature, the authenticator data, and the attestation — is stored as non-repudiation evidence. Example: approving a mandate change signs {action: "mandate_update", agent: "AG-FIN-042", field: "max_txn_value", old: 100000, new: 500000, timestamp: "2026-03-30T14:22:07Z"} with the approver's FIDO2 key.
• HSM-based action signing for server-side operations. For governance actions performed by services or automated systems (per AG-280), use an HSM to sign the action with a service-specific key. The HSM provides the tamper-resistant key storage and signing environment. Each service has a unique signing key. The signed action record includes the service identity, the action specification, and a TSA timestamp. Example: an automated compliance engine that approves low-risk mandate renewals signs each approval with its HSM-resident key.
• Timestamped evidence chain. For each material governance action, create an evidence chain: (1) the signed action (FIDO2 assertion or HSM signature), (2) the attested login context (per AG-286), (3) a trusted timestamp from an RFC 3161-compliant TSA, (4) the certificate chain for the signing key. Store the complete chain as a single evidence package. The package is independently verifiable by a third party using only the TSA's public key, the signing key's certificate chain, and the evidence package.
• Long-term evidence preservation. Use CAdES-A (Archival) or equivalent long-term signature format that embeds the timestamp, certificate chain, and revocation information within the signature. This ensures the evidence remains verifiable decades after the certificates expire. Apply successive timestamps before existing timestamps expire, creating a chain of timestamps that preserves the evidence's verifiability through multiple certificate lifecycle periods.
• Dual-signature governance for high-risk actions. For mandate changes exceeding £500,000, safety override approvals, and access policy modifications: require signatures from both the initiator and an independent approver. Both signatures must be from hardware-bound keys. The evidence package includes both signatures, both identities, both device attestations, and a single TSA timestamp binding them together.

Anti-patterns to avoid:

• Username-plus-timestamp as non-repudiation. A governance log entry containing a username and timestamp is evidence of a database insert, not evidence of human authorisation. It can be fabricated by anyone with database access and does not provide non-repudiation.
• Password-based signing. Using a password-derived key for signing provides weak non-repudiation because passwords can be shared, stolen, or guessed. The signer can credibly deny signing by claiming their password was compromised. Hardware-bound keys eliminate this denial because the key cannot be extracted from the hardware.
• Software-stored signing keys. Keys stored in software (files, databases, key stores without hardware protection) can be copied, exfiltrated, or shared. Non-repudiation requires that the key is physically bound to a device and cannot be duplicated.
• Non-repudiation evidence without timestamp authority. A signature without a trusted timestamp allows the signer to claim "the signature was created at a different time than claimed — someone replayed an old action." A TSA timestamp from an independent authority binds the signature to a specific moment, defeating replay claims.
• Evidence stored only in the governance platform. If non-repudiation evidence exists only in the governance platform's database, a compromise of the platform can destroy the evidence. Evidence should be replicated to independent storage (e.g., legal records management system, separate tamper-evident archive).

Industry Considerations

Financial Services. eIDAS provides a legal framework for electronic signatures. For financial agent governance in EU/UK jurisdictions, qualified electronic signatures (QES) per eIDAS provide the highest legal standing for non-repudiation. Financial firms should consider whether material governance actions warrant QES. MiFID II requirements for recording of orders extend to the agent governance actions that authorise order execution.

Healthcare. Electronic signatures for clinical governance actions (e.g., authorising a clinical AI agent's treatment recommendation parameters) may be subject to 21 CFR Part 11 (FDA) or Annex 11 (EU GMP) requirements for electronic records and signatures. These require that signatures are attributable, legible, contemporaneous, original, and accurate (ALCOA).

Legal. Non-repudiation evidence may be produced in litigation or regulatory proceedings. The evidence format should be designed for admissibility: independently verifiable, with a documented chain of custody, and preserved in a format that does not depend on proprietary software for verification.

Maturity Model

Basic Implementation — Material governance actions are digitally signed using software-stored keys (e.g., PKCS#12 certificates in a software keystore). Signatures include the action specification, identity, and timestamp. Signed records are stored in the governance audit log. The evidence is verifiable using the organisation's internal CA. This meets minimum mandatory requirements but software-stored keys weaken non-repudiation because they can be extracted.

Intermediate Implementation — Signing keys are stored in hardware (TPM for user keys, HSM for service keys). FIDO2 assertions or equivalent hardware-attested signatures are used for human-initiated governance actions. TSA timestamps from an independent authority are included in the evidence. The evidence package includes the certificate chain and is independently verifiable. Long-term signature preservation (CAdES or equivalent) ensures verifiability beyond certificate expiry. Evidence is replicated to an independent archive.

Advanced Implementation — All intermediate capabilities plus: dual-signature governance for actions exceeding defined risk thresholds. Qualified electronic signatures (eIDAS QES) for the highest-risk actions. Blockchain or distributed ledger anchoring provides public verifiability of evidence integrity. Independent adversarial testing confirms that evidence cannot be forged, replayed, or attributed to the wrong identity. The organisation can produce, in response to regulatory or legal requests, independently verifiable cryptographic proof of who authorised every material governance action, on what device, at what time, and under what circumstances.

7. Evidence Requirements

Required artefacts:

• Non-repudiation evidence archive. The complete set of signed governance action records, including signatures, signed payloads, TSA timestamps, and certificate chains. Format: structured archive with independently verifiable evidence packages.
• Key management policy. Documented policy for the lifecycle of non-repudiation signing keys, including generation (in hardware), binding to identities, certificate issuance, rotation schedule, and revocation procedures.
• HSM/TPM attestation records. Evidence that signing keys are stored in tamper-resistant hardware, including hardware attestation certificates from the manufacturer.
• TSA configuration and certificate. Evidence that timestamps are provided by an RFC 3161-compliant TSA, including the TSA's certificate and the organisation's agreement with the TSA provider.
• Evidence verification test results. Results from periodic (at least annual) testing that non-repudiation evidence can be independently verified using only public information (TSA certificate, CA certificate chain).

Retention requirements:

• Non-repudiation evidence: minimum 10 years for regulated financial services (aligned with eIDAS qualified signature retention); minimum 7 years for other regulated sectors; minimum 5 years otherwise. Evidence must remain verifiable for the entire retention period through long-term signature preservation.

Access requirements:

• Producible to regulators, auditors, or legal proceedings within 48 hours of request. Evidence must be producible in a format that is independently verifiable without access to the governance platform.

8. Test Specification

Test 8.1: Signature Production on Material Action

• Stimulus: Perform a material governance action (mandate approval, configuration change, emergency override). Examine the governance log for the corresponding non-repudiation evidence.
• Expected behaviour: A digital signature over the complete action specification is present, signed by the actor's hardware-bound key, with a TSA timestamp and certificate chain.
• Pass criteria: Every material governance action produces complete non-repudiation evidence.
• Fail criteria: Any material action lacks a signature, timestamp, or certificate chain.

Test 8.2: Action Rejection Without Signing Capability

• Stimulus: Attempt to perform a material governance action without the signing key available (e.g., FIDO2 authenticator not connected, HSM unreachable).
• Expected behaviour: The action is blocked with a structured error indicating that non-repudiation evidence cannot be produced.
• Pass criteria: No material governance action proceeds without successful signature production.
• Fail criteria: A material action proceeds without a signature.

Test 8.3: Independent Evidence Verification

• Stimulus: Extract a non-repudiation evidence package from the archive. Provide it to an independent verifier (different system, different organisation) along with only the TSA's public certificate and the CA's root certificate. Request verification.
• Expected behaviour: The independent verifier confirms: (a) the signature is valid, (b) the signing certificate chains to a trusted CA, (c) the TSA timestamp is valid, (d) the signed payload matches the claimed action.
• Pass criteria: Evidence is independently verifiable without access to the governance platform.
• Fail criteria: Verification fails or requires access to the governance platform.

Test 8.4: Signature Forgery Resistance

• Stimulus: Attempt to create a valid-looking non-repudiation evidence package for a governance action that never occurred — forge a signature using a different key, construct a fabricated payload, or backdate a timestamp.
• Expected behaviour: Verification of the forged evidence fails because: the signature does not match the claimed signer's public key, the certificate chain is invalid, or the TSA timestamp cannot be verified.
• Pass criteria: No forged evidence passes verification.
• Fail criteria: Forged evidence passes verification.

Test 8.5: Dual-Signature Enforcement (Where Required)

• Stimulus: Attempt to execute a governance action that requires dual signatures (e.g., mandate change exceeding £500,000) with only one signature.
• Expected behaviour: The action is held pending until the second signature is provided, or rejected after a timeout.
• Pass criteria: Dual-signature actions cannot proceed with only one signature.
• Fail criteria: A dual-signature action proceeds with only one signature.

Test 8.6: Long-Term Evidence Verifiability

• Stimulus: Verify non-repudiation evidence that was created before the signing certificate expired. The certificate has since expired and been replaced.
• Expected behaviour: The evidence remains verifiable because the CAdES-A (or equivalent) format includes the timestamp and certificate chain from the time of signing, proving the certificate was valid at the time the signature was produced.
• Pass criteria: Evidence remains verifiable after certificate expiry through long-term preservation.
• Fail criteria: Evidence becomes unverifiable after the signing certificate expires.

Test 8.7: Evidence Tamper Detection

• Stimulus: Attempt to modify the stored non-repudiation evidence — change the action specification within the signed payload, alter the timestamp, or substitute the signature.
• Expected behaviour: Verification of the tampered evidence fails because the signature no longer matches the modified payload.
• Pass criteria: Any modification to the evidence is detectable through verification failure.
• Fail criteria: Modified evidence passes verification.

Conformance Scoring

• Score 0: No non-repudiation evidence — governance actions are logged with usernames and timestamps only.
• Score 1: Digital signatures are produced but using software-stored keys, without TSA timestamps, and evidence is not independently verifiable.
• Score 2: Hardware-bound signing keys produce signatures over complete action specifications. TSA timestamps are included. Evidence is independently verifiable and stored in a tamper-evident archive. Long-term signature preservation is implemented.
• Score 3: All Score 2 capabilities plus: dual-signature for high-risk actions, qualified electronic signatures where legally required, blockchain anchoring for public verifiability, and independent adversarial testing confirming forgery resistance.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
eIDAS 2.0	Article 25-34 (Electronic Signatures)	Direct requirement
EU AI Act	Article 12 (Record-Keeping)	Supports compliance
FCA SYSC	6.1.1R (Systems and Controls)	Direct requirement
SOX	Section 302/404 (Officer Certifications / Internal Controls)	Direct requirement
MiFID II	Article 16(6-7) (Record-Keeping)	Supports compliance
GDPR	Article 5(2) (Accountability Principle)	Supports compliance
NIST SP 800-63C	Assertion Assurance Levels	Supports compliance

eIDAS 2.0 — Article 25-34 (Electronic Signatures)

eIDAS provides the legal framework for electronic signatures in the EU/UK. Article 25(1) establishes that electronic signatures shall not be denied legal effect solely on the ground that they are in electronic form. Qualified electronic signatures (Article 25(2)) have the equivalent legal effect of handwritten signatures. For AI agent governance actions with legal significance (mandate approvals, contract-related agent actions), QES provides the strongest non-repudiation. AG-287's requirements align with eIDAS's framework for electronic signature creation, verification, and preservation.

SOX — Section 302/404 (Officer Certifications / Internal Controls)

SOX Section 302 requires officers to certify financial reports, creating personal accountability. Section 404 requires effective internal controls. For AI agents performing financial operations, the mandate approval that authorises the agent's financial authority is a critical control. Non-repudiation evidence for that approval is the evidence that the control operated — that a specific, identified person authorised the agent's financial mandate, and that authorisation cannot be denied.

MiFID II — Article 16(6-7) (Record-Keeping)

MiFID II requires investment firms to keep records of services, activities, and transactions sufficient to enable regulators to monitor compliance. Non-repudiation evidence for governance actions that authorise agent trading activity satisfies the "sufficient records" requirement by providing cryptographic proof of who authorised what.

GDPR — Article 5(2) (Accountability Principle)

The accountability principle requires the controller to demonstrate compliance with GDPR principles. Non-repudiation evidence for governance actions affecting personal data processing (e.g., approving an agent's data handling configuration) provides the demonstrable compliance evidence.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — affects the ability to attribute and hold individuals accountable for all governance actions within the affected scope

Consequence chain: Without non-repudiation evidence, governance actions can be denied by the purported actor and fabricated by an insider. The immediate consequence is that disputed governance actions cannot be resolved — the organisation cannot prove who approved a mandate, who changed a configuration, or who authorised an override. The regulatory consequence is enforcement action for inadequate governance controls: the FCA requires attributable governance, SOX requires demonstrable internal controls, and eIDAS provides the legal framework for electronic evidence. The legal consequence is that the organisation's governance records may be inadmissible or insufficient in litigation or regulatory proceedings. The personal accountability consequence is that senior managers subject to the Senior Managers Regime, SOX officer certifications, or equivalent cannot be held accountable for decisions they can plausibly deny. The financial consequence scales with the value of the disputed governance action — a disputed mandate approval for a £10,000,000 agent creates £10,000,000 in unattributable authority.

Cross-references: AG-016 (Cryptographic Action Attribution) provides the cryptographic foundation that AG-287 extends to full non-repudiation with timestamping and long-term preservation. AG-279 (Human Identity Proofing Governance) ensures the identity behind the signature is genuine. AG-281 (Device Identity Binding Governance) ensures the signing key is bound to a specific device. AG-285 (Session Binding Governance) ensures the signature was produced within an authenticated session. AG-286 (Attested Login Context Governance) provides corroborating context evidence. AG-282 and AG-283 protect the biometric and voice/video factors that may complement the cryptographic signature. AG-288 (Shared Account Prohibition Governance) ensures each signature is attributable to one person, not a shared identity. AG-029 (Credential Integrity Verification) ensures the signing credential has not been compromised.