AG-786
Cryptographic Governance State Sealing
EU AI Act
SOX
FCA
ISO 27001
Cryptographic Governance State Sealing governs the process by which the complete governance state of an autonomous agent is cryptographically signed and sealed when the threat level reaches a CRITICAL threshold (Level 5). The seal creates an immutable, verifiable snapshot of all governance parameters, configurations, operational boundaries, authority delegations, and active constraints at the precise moment of sealing. This snapshot serves as both a forensic anchor and a recovery baseline, ensuring that investigators and recovery processes can establish exactly what governance posture was in effect when a critical event occurred.
The sealing mechanism employs cryptographic hash functions and digital signatures to bind the governance state to a specific point in time. The seal digest incorporates not only the raw state values but also metadata about the sealing context: the triggering escalation event, the identity of the escalation engine that initiated the seal, the system clock attestation, and references to the most recent tamper-evident log entries (AG-006). This comprehensive binding ensures that the seal cannot be retrospectively fabricated or applied to a different governance state without detection.
State sealing is distinct from routine state logging. While AG-006 ensures that all governance state changes are recorded in a tamper-evident log, AG-786 creates a point-in-time cryptographic commitment that can be independently verified without access to the full log history. This is particularly valuable in regulatory investigations where a supervisory body needs to confirm that governance controls were active and correctly configured at a specific moment, without requiring disclosure of the entire operational history. The seal acts as a compact, verifiable proof of governance posture.
This protocol applies to all systems that implement threat level management under AG-784 and are capable of reaching the CRITICAL (Level 5) threshold. Specifically:
When an autonomous agent reaches a critical threat condition, the integrity of its governance state becomes a matter of urgent concern. Was the agent operating within its authorised boundaries? Were delegation controls active? Were logging mechanisms functional? These questions must be answered definitively, and the answers must be resistant to post-hoc manipulation by any party, including the system's own operators.
Concrete Failure Scenario: A multi-agent trading system escalates to Level 5 after detecting potential market manipulation activity. The incident triggers a regulatory investigation by the FCA. During the investigation, the firm's IT team performs routine maintenance that inadvertently modifies several governance configuration parameters. When the FCA requests evidence of what governance controls were in place during the incident, the firm can only provide current configuration files, which differ from the incident-time state. Without a cryptographic seal, the firm cannot prove that adequate controls were active during the event. The FCA concludes that governance controls may have been inadequate and initiates enforcement proceedings. With AG-786, the sealed state from the moment of Level 5 escalation provides independently verifiable proof of the exact governance posture, resolving the evidentiary question definitively.
The EU AI Act (Article 12) requires that high-risk AI systems maintain logs sufficient to enable post-hoc assessment of compliance. SOX Section 802 imposes criminal penalties for the destruction or alteration of records relevant to federal investigations. The FCA's SYSC 9.1.1 requires firms to maintain records sufficient to demonstrate compliance with regulatory requirements. AG-786 operationalises these obligations by creating cryptographic evidence that governance state has not been altered since the sealing event.
At the Basic level, the system generates a hash of governance state at Level 5 escalation and stores it alongside the state snapshot. The hash uses an approved algorithm (SHA-256 or stronger) but may not be signed with HSM-managed keys. Storage is in a single location. The sealing process may not be fully atomic, and metadata may be incomplete. No seal chaining or transparency log publication is implemented. Verification relies on comparing the stored hash against the current state.
At the Intermediate level, seals are digitally signed using HSM-managed keys and include full metadata (timestamp, triggering event, engine identity, state version, log reference). Sealed artifacts are replicated to at least two geographically separated storage locations. The sealing process is atomic, and modification or deletion requires multi-party authorisation. Seal chaining is implemented, creating a verifiable sequence. Verification is supported through AG-787 integration.
At the Advanced level, seal digests are published to an append-only transparency log. Threshold signing is implemented, requiring multiple independent key holders. The sealing engine has been validated through independent adversarial testing, including attempts to create forged seals, tamper with stored artifacts, and exploit race conditions in the sealing process. Cross-platform seal verification is supported in federated deployments. The complete seal chain is tamper-evident and can be verified end-to-end by external auditors without access to raw governance state data.
| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No cryptographic sealing mechanism exists. Governance state at critical thresholds is indistinguishable from state at any other time, and no forensic anchor is available for post-incident investigation. |
| 1 | Basic | A hash-based snapshot of governance state is generated at Level 5 escalation, but it may lack digital signatures from HSM-managed keys, full metadata, geographic replication, or atomicity guarantees. Verification is manual and ad-hoc. |
| 2 | Infrastructure-layer enforcement | Seals are generated atomically with HSM-signed digests, full metadata, geographic replication, multi-party deletion controls, and seal chaining. AG-787 verification integration is operational. The sealing process is deterministic and auditable. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities have been validated by independent adversarial testing, including seal forgery attempts, storage tampering, atomicity exploitation, and key compromise scenarios. Transparency log publication and threshold signing are operational and verified. |
Scenario: The governance state store has grown to contain 50,000 parameters due to a complex multi-agent deployment. The sealing engine takes 8 seconds to compute the digest, exceeding the 2-second requirement. During this window, the governance state changes as the system responds to the Level 5 event, resulting in a seal that does not reflect the state at the exact moment of escalation.
Impact: HIGH. The sealed state may not match the actual governance posture at the escalation moment, undermining the evidentiary value of the seal. Regulatory investigations relying on the seal may draw incorrect conclusions.
Mitigation: Implement incremental state hashing where the governance state digest is maintained continuously and only a final signature is required at sealing time. Pre-compute intermediate hash states to reduce sealing latency.
Scenario: The sealing engine crashes after writing the seal metadata but before writing the digital signature. A partial seal artifact exists in storage, appearing to downstream systems as a valid but unsigned seal. Verification systems encounter the artifact and either reject it (causing confusion) or accept it without signature validation (compromising security).
Impact: CRITICAL. A partial seal may be mistaken for a valid seal or may block subsequent sealing attempts if the system believes a seal already exists for that event. In either case, governance integrity is compromised.
Mitigation: R7 mandates atomic sealing. Implement write-ahead logging and two-phase commit for the seal artifact, ensuring that either all components (digest, signature, metadata) are written or none are. Use transactional storage or temporary staging areas with atomic rename on completion.
Scenario: A system administrator with storage access deletes sealed artifacts prior to a regulatory audit to conceal evidence of a governance failure during a Level 5 incident. Because the seals are stored only in systems under the organisation's direct control, the deletion goes undetected.
Impact: CRITICAL. The evidentiary purpose of sealing is defeated. The organisation cannot demonstrate what governance controls were in place during the incident, and the deliberate destruction of records may constitute an offence under SOX Section 802.
Mitigation: R5 mandates geographically separated storage. R9 recommends transparency log publication. At Advanced maturity, seal digests published to an append-only transparency log cannot be deleted, providing evidence that seals existed even if the primary and secondary artifacts are destroyed.
Scenario: The HSM signing key used for seal generation is compromised through a supply chain attack. An adversary can now generate forged seals that appear valid, potentially backdating them to cover periods when governance controls were inadequate.
Impact: CRITICAL. All seals generated with the compromised key are suspect. Historical seals cannot be trusted for forensic or regulatory purposes.
Mitigation: R10 recommends threshold signing, which requires multiple independent keys. Key rotation procedures should be implemented per AG-016. Seal chaining (R8) provides some protection, as inserting a forged seal into the chain would break the chain's integrity unless the attacker controls all previous seals.
| Requirement | EU AI Act | SOX | FCA SYSC | ISO/IEC |
|---|---|---|---|---|
| R1: 2-second sealing latency | Art. 9(4)(b) — Mitigation | -- | SYSC 6.1.1 | ISO/IEC 27001:2022 A.5.24 |
| R2: Comprehensive state digest | Art. 12 — Record-keeping | Sec. 802 | SYSC 9.1.1 | ISO/IEC 27001:2022 A.8.24 |
| R3: HSM-signed seals | Art. 15 — Accuracy/security | Sec. 302 | SYSC 13.7.5 | ISO/IEC 27001:2022 A.8.24, FIPS 140-2 |
| R4: Seal metadata completeness | Art. 12 — Record-keeping | Sec. 802 | SYSC 9.1.1 | ISO/IEC 27001:2022 A.8.15 |
| R5: Geographic replication | Art. 15 — Robustness | Sec. 802 | SYSC 13.7.5 | ISO/IEC 27001:2022 A.8.14 |
| R6: Deletion controls | Art. 12 — Record-keeping | Sec. 802 | SYSC 9.1.1 | ISO/IEC 27001:2022 A.8.10 |
| R7: Atomic sealing | Art. 15 — Accuracy | Sec. 404 | SYSC 6.1.2 | ISO/IEC 25010:2023 |
| Protocol | Relationship |
|---|---|
| AG-784 (Adaptive Threat Level Escalation) | Trigger: Level 5 escalation initiates the sealing process. |
| AG-785 (Threat Level Auto-Decay and Stabilisation) | Blocking: Auto-decay from Level 5 is blocked while a seal is active. |
| AG-787 (Governance Seal Integrity Verification) | Complementary: AG-787 governs the verification of seals created by AG-786. |
| AG-788 (Federated Threat Level Propagation) | Context: Federated peers may generate independent seals for correlated events. |
| AG-789 (HMAC-Signed Threat Broadcast Authentication) | Security: Seal-related broadcasts in federated contexts must be authenticated. |
| AG-790 (Multi-Source Weighted Threat Composite Scoring) | Input: Composite scores contribute to the escalation that triggers sealing. |
| AG-791 (Pipeline-Integrated Threat Event Ingestion) | Input: Pipeline events feed the escalation that triggers sealing. |
| AG-001 (Operational Boundary Enforcement) | Sealed content: Operational boundaries are included in the sealed state. |
| AG-006 (Tamper-Evident Record Integrity) | Reference: The seal includes a reference to the most recent log entry. |
| AG-012 (Agent Identity Assurance) | Attribution: The sealing engine's identity is recorded in seal metadata. |
| AG-016 (Cryptographic Action Attribution) | Key management: Signing key lifecycle is governed by AG-016. |
| AG-017 (Multi-Party Authorisation Governance) | Control: Seal deletion requires multi-party authorisation. |
Document generated under Patent 7 governance framework. Classification: INTERNAL. Review cycle: Quarterly.