Tamper-Evident Record Integrity

2. Summary

Tamper-Evident Record Integrity governs the cryptographic integrity of governance audit records — ensuring that records cannot be altered, deleted, or inserted after creation without detection. This protocol is the foundation of accountability in AI agent governance. Every other protocol that references "logging," "audit trail," or "evidence" depends on AG-006 to guarantee that those records are trustworthy. The distinction between tamper-proof and tamper-evident is important: no system can guarantee that records will never be modified, but AG-006 requires that any modification, no matter how small, is detectable after the fact. This is achieved through cryptographic chaining — each record includes a hash of the previous record, creating a chain where any alteration to any record breaks the chain from that point forward. The audit trail serves three audiences: regulators who need records meeting evidentiary standards, auditors who need records demonstrating control effectiveness, and legal counsel who need records admissible in court. All three require the same foundational guarantee — that the records presented today are identical to the records generated at the time of the governance decision.

3. Example

Scenario A — Post-Incident Record Alteration: An AI trading agent executes a series of trades that result in a significant loss. Internal investigation reveals that the governance system should have blocked several of the trades based on the mandate limits in effect at the time. An operations team member, seeking to avoid regulatory consequences, modifies the audit records to show that the mandate limits were higher — making the governance decisions appear correct.

The records are stored in a standard relational database with no cryptographic chaining. The modification is a simple UPDATE statement. No integrity mechanism detects the change. When the regulator requests the audit trail, the organisation produces the modified records. The regulator's analysis, based on the fabricated records, finds no governance failure.

What went wrong: Audit records were mutable. No cryptographic chaining existed to detect modification. The database's own transaction log may retain evidence of the UPDATE, but database logs are not routinely examined during regulatory reviews and are typically recycled on a short retention cycle. Consequence: Regulatory fraud. If the modification is later discovered, the organisation faces charges for falsifying regulatory records in addition to the original governance failure. Under SOX, this constitutes obstruction and carries criminal penalties.

Scenario B — Selective Deletion to Conceal Blocked Actions: An organisation's governance system correctly blocks a series of actions by an agent that is probing governance boundaries. The blocks are logged — each generating an audit record showing the blocked action, the mandate violation, and the rejection reason. A governance administrator, concerned that the volume of blocks will trigger a regulatory inquiry, deletes the block records from the audit trail. The remaining approved-action records show a clean operational history.

The audit trail uses per-record hashing (each record has a hash of its own content) but not chaining (records do not reference each other). The deletion removes the block records cleanly — no remaining record references the deleted records, so no verification failure occurs.

What went wrong: Per-record hashing without chaining allows deletion without detection. The integrity mechanism verified that existing records were unmodified but could not verify that the complete set of records was present. Chaining — where each record references the previous record's hash — would have caused a break at every deletion point. Consequence: Regulatory view of the agent's history is incomplete. Probing behaviour that should have triggered enhanced scrutiny is invisible. If the agent subsequently succeeds in a governance bypass, the deleted block records are unavailable for forensic analysis.

Scenario C — Clock Manipulation for Timestamp Falsification: An AI agent takes an action at 14:32:07 that is blocked by the governance system. The mandate expires at 15:00:00. An operator wants to re-submit the action after the mandate expires without obtaining a new mandate. The operator modifies the governance system's clock to read 14:55:00 — before the mandate expiry — and re-submits the action. The governance system approves the action under the (expired) mandate because its clock shows the mandate is still valid. The audit record is timestamped 14:55:00.

The records are hash-chained, so the content cannot be modified after creation. However, the timestamp was generated by the governance system's own clock, which was manipulated. No external timestamp authority verified the time independently. The record appears authentic — chained correctly, with a timestamp that pre-dates the mandate expiry.

What went wrong: Timestamps relied on the governance system's own clock, which was within the control of the operator. No external time authority provided an independent time reference. The hash chain guaranteed content integrity but not temporal accuracy. Consequence: An action was approved under an expired mandate. The audit trail's timestamps are incorrect but internally consistent. Detection requires comparison against an external time source.

4. Requirement Statement

Scope: This dimension applies to all governance decisions, blocked actions, approved actions, and system events that may be required for regulatory review or legal proceedings. The scope includes every decision the governance system makes — not just blocks. Approved actions must be recorded with the same integrity as blocked actions. The record of what was permitted is as important as the record of what was prevented. A governance system that only logs blocks leaves an organisation unable to demonstrate what was approved and under what mandate. System events within scope include: mandate configuration changes, agent registration and deregistration, governance infrastructure failures and recoveries, human override decisions, escalation events, and any change to the governance system's own configuration. The scope extends to the lifetime of regulatory retention requirements — under SOX, a minimum of seven years; under FCA requirements, up to ten years; under GDPR, limited to the necessary period. AG-006 must ensure that cryptographic integrity is verifiable across the full retention period, including through any storage migrations, format changes, or system replacements that occur during that period.

4.1. A conforming system MUST generate an immutable audit record at the time of every governance decision.

4.2. A conforming system MUST cryptographically chain audit records such that any retrospective modification is detectable — each record includes a hash computed over the record's content concatenated with the hash of the previous record.

4.3. A conforming system MUST ensure that the audit chain is verifiable independently of the governance system that produced it.

4.4. A conforming system SHOULD write audit records to storage before the governed action proceeds — the audit write is synchronous, not asynchronous.

4.5. A conforming system SHOULD support hash chain verification exportable as a standalone certificate or file that can be verified without access to the governance system.

4.6. A conforming system SHOULD maintain in-memory audit buffering to preserve records during brief storage outages, flushing to persistent storage with correct hash chaining when storage recovers.

4.7. A conforming system MAY integrate with external timestamp authorities (qualified electronic time stamps under eIDAS or equivalent) for legal admissibility of audit records as independently timestamped evidence.

5. Rationale

The audit trail is the single artefact that determines whether an organisation can demonstrate governance to a regulator, defend itself in legal proceedings, or investigate an incident with confidence. Without tamper-evident records, the audit trail becomes an assertion that cannot be verified — and an assertion that cannot be verified is worthless in any legal or regulatory context.

The fundamental risk is post-hoc modification. When a governance failure occurs, the incentive to alter the record is powerful: altered records can make a failure appear to be correct operation, can conceal the scope of an incident, and can misdirect regulatory investigations. This is not a hypothetical concern — post-hoc modification of audit records is a documented risk in financial services, healthcare, and critical infrastructure. The entire discipline of forensic accounting exists because records are altered.

AG-006 extends tamper-evidence to AI governance records with the same rigour applied to financial records. The mechanism is cryptographic chaining: each record includes a hash of the previous record, creating a chain where any alteration to any record breaks the chain from that point forward. Modification of a record changes its hash, which invalidates the next record's previous-hash reference, which propagates forward through the chain. Deletion of a record breaks the chain at the deletion point — the following record references a hash that no longer exists. Insertion of a fabricated record requires recomputing all subsequent hashes, which is detectable if any party holds a copy of the original chain.

The consequences of AG-006 failure compound over time. Each day that tampered records go undetected is another day of false compliance reporting. When the tampering is eventually discovered — through backup comparison, forensic analysis, or whistleblower disclosure — the organisation faces not only the original governance failures but the additional charge of falsifying records to conceal them. Under SOX Section 802, knowingly altering or destroying audit records carries criminal penalties of up to 20 years imprisonment.

6. Implementation Guidance

Each audit record should include: timestamp, action identifier, agent identifier, mandate version, decision (approved/blocked), decision reason, and the hash of the previous record. The chain hash should use a minimum of HMAC-SHA256. Records should be written to persistent storage before returning the governance decision to the agent.

Recommended patterns:

• Sequential Hash Chain. Each record contains: record content + hash(previous_record_content + previous_record_hash). Verification traverses the chain from genesis record to most recent, recomputing each hash and comparing. This is simple, reliable, and well-understood. The limitation is that verification is O(n) — verifying a single record requires traversing from the genesis.
• Merkle Tree Audit. Organise records into a Merkle tree where leaf nodes are individual records and internal nodes are hashes of their children. This enables O(log n) verification of any individual record through a Merkle proof — the verifier needs only the record, the path from the record to the root, and the root hash. This pattern is more complex but enables efficient verification of individual records without traversing the entire chain.
• External Anchor Points. Periodically publish the current chain head hash to an external, immutable store — a public blockchain, a qualified timestamp authority, or a regulatory filing. This creates anchor points that are verifiable independently of the organisation. Any tampering between anchor points is detectable by comparing the chain state against the most recent external anchor.

Anti-patterns to avoid:

• Hashing records individually without chaining. Per-record hashes detect modification but not deletion or insertion. Only chaining — where each record's hash includes the previous record's hash — provides complete tamper evidence across the full record set.
• Writing audit records asynchronously. If audit records are written after the governed action executes, a system crash between action execution and record write creates an unlogged action. Records must be written synchronously — before the action proceeds — to guarantee completeness.
• Storing records in mutable storage without additional protection. A standard relational database allows UPDATE and DELETE. Storing hash-chained records in such a database provides tamper evidence (chain verification will detect tampering) but not tamper prevention. Consider append-only storage, write-once media, or external archival copies for defence in depth.
• Relying on system clocks for timestamps without external verification. System clocks can be manipulated by privileged operators. External timestamp authority integration (a MAY requirement but strongly recommended) provides independent time proof that cannot be manipulated by the organisation.
• Not testing chain verification regularly. A chain that was valid at creation but has been corrupted by storage failure, migration error, or silent bit rot may not be detected until the records are needed — at which point the integrity failure undermines their value. Regular automated chain verification catches integrity issues while they can still be investigated.

Industry Considerations

Financial Services. SOX Section 802 makes alteration or destruction of audit records a criminal offence carrying up to 20 years imprisonment. Financial services firms should implement AG-006 at the Advanced level as a baseline. External timestamp authority integration is strongly recommended for legal admissibility. The retention period should be at minimum seven years (SOX) and up to ten years (FCA) depending on jurisdiction.

Healthcare. HIPAA requires that audit controls be implemented for information systems maintaining electronic protected health information. Tamper-evident logging of access to patient data by AI agents is a direct HIPAA requirement. The audit trail must demonstrate who accessed what data, when, and under what authority. Chain integrity ensures that access records cannot be altered to conceal unauthorised access.

Critical Infrastructure. NERC CIP (for power systems) and equivalent standards for other critical infrastructure sectors require event logging with integrity protection. An AI agent operating in a critical infrastructure context must produce audit records that can withstand regulatory scrutiny following an incident — including incidents where the agent's actions contributed to a safety event. Tamper-evident records ensure that the post-incident investigation is based on accurate data.

Maturity Model

Basic Implementation — Every governance decision generates an audit record including timestamp, agent identifier, action details, decision, and reason. Records are stored in append-only storage (write-once database, append-only log file). Each record includes a hash of the record's own content. Integrity verification checks that each record's stored hash matches its recomputed hash. This level detects modification of individual records but does not detect deletion of records or insertion of fabricated records into the sequence, because records are not chained to each other.

Intermediate Implementation — Records are cryptographically chained: each record includes a hash computed over the record's content concatenated with the hash of the previous record. This creates a hash chain where modification of any record invalidates all subsequent hashes. Deletion of a record breaks the chain at the deletion point. Insertion of a fabricated record requires recomputing all subsequent hashes, which is detectable if any party holds a copy of the original chain. Records are written to storage before the governed action proceeds — the audit write is synchronous, not asynchronous. Hash chain verification is exportable as a standalone file or certificate that can be verified without access to the governance system.

Advanced Implementation — All intermediate capabilities plus: records are signed with cryptographic keys per AG-016 (action attribution). External timestamp authority integration provides legally admissible proof that records existed at a specific time, independent of the organisation's own clocks. Multiple independent copies of the hash chain are maintained — at minimum, one within the governance system and one in an external archive that the governance system cannot modify. In-memory buffering maintains the chain during brief storage outages, flushing to persistent storage on recovery. Independent verification has confirmed chain integrity across simulated tampering, deletion, and insertion attacks.

7. Evidence Requirements

Required artefacts:

• Hash chain algorithm documentation. The specific algorithm used, the record fields included in the hash, and the chaining mechanism. This must be sufficient for an independent party to reimplement and verify the chain.
• Sample audit chain with verification proof. A real chain segment with step-by-step verification demonstrating that integrity can be confirmed by recomputing hashes and comparing against stored values.
• Independent verification procedure. Documentation enabling a third party to verify chain integrity without access to the governance system — including the verification algorithm, expected hash format, and any required keys or parameters.
• In-memory buffer implementation evidence. Evidence that governance decisions during storage outages are not lost, including test results demonstrating buffer behaviour under simulated outage conditions.

Retention requirements:

• Audit chain and verification data: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise. Chain integrity must remain verifiable across the full retention period.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Testing AG-006 compliance requires verifying that the cryptographic chain detects all forms of tampering — modification, deletion, and insertion — and that the chain remains verifiable independently and across storage lifecycle events.

Test 8.1: Modification Detection

• Stimulus: Write a sequence of audit records. Modify a single byte in one record in the middle of the sequence. Run the chain verification.
• Expected behaviour: The verification fails at the modified record and identifies the specific record that was altered.
• Pass criteria: Any single-byte modification to any record in the chain is detected. The specific modified record is identified.
• Fail criteria: Any modification to a record goes undetected by chain verification.

Test 8.2: Deletion Detection

• Stimulus: Write a sequence of audit records. Delete one record from the middle of the sequence. Run the chain verification.
• Expected behaviour: The verification fails at the point of deletion — the record following the gap references a previous hash that no longer exists.
• Pass criteria: Deletion of any record from the chain is detected. The point of deletion is identified.
• Fail criteria: A record can be deleted without breaking chain verification.

Test 8.3: Insertion Detection

• Stimulus: Write a sequence of audit records. Insert a fabricated record into the middle of the sequence. Run the chain verification.
• Expected behaviour: The chain breaks — the inserted record's hash does not match the expected chain, and the following record's previous-hash reference is incorrect.
• Pass criteria: Insertion of any fabricated record is detected by chain verification.
• Fail criteria: A fabricated record can be inserted into the chain without detection.

Test 8.4: Independent Verification

• Stimulus: Export the hash chain to a standalone format. Provide the export to an independent party with no access to the governance system.
• Expected behaviour: The independent party can verify chain integrity using only the exported data — no callback to the governance system required.
• Pass criteria: Chain integrity is fully verifiable from the exported data alone by an independent party.
• Fail criteria: Verification requires access to the governance system or relies on system-internal state not present in the export.

Test 8.5: Outage Resilience

• Stimulus: Simulate a brief storage outage (30-60 seconds). Submit governance decisions during the outage.
• Expected behaviour: Governance decisions during the outage are buffered in memory. The buffer is flushed to persistent storage with correct hash chaining when storage recovers. No governance decisions are lost.
• Pass criteria: All governance decisions during the outage are present in the chain after recovery, with correct hash chaining.
• Fail criteria: Any governance decision during the outage is lost, or the chain is broken at the outage boundary.

Test 8.6: Retention Integrity

• Stimulus: Verify that records remain verifiable after storage migration (e.g., moving from one database to another). Verify that chain integrity survives format conversion, compression, and archival.
• Expected behaviour: Chain verification succeeds after migration, conversion, or archival. Records remain identical to their original form.
• Pass criteria: Chain integrity is preserved across all storage lifecycle events tested.
• Fail criteria: Any storage lifecycle event corrupts the chain or renders records unverifiable.

Conformance Scoring

• Score 0: No audit records exist — governance decisions are not logged.
• Score 1: Audit records exist but without cryptographic chaining — individual records can be verified but deletion and insertion are undetectable.
• Score 2: Hash-chained audit trail with independently verifiable integrity — modification, deletion, and insertion are all detectable through chain verification.
• Score 3: Verified by independent integrity testing and external timestamp integration — an independent party has confirmed chain integrity under simulated tampering, and external timestamps provide legally admissible time proof.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
SOX	Section 302, Section 404, Section 802 (Record Integrity)	Direct requirement
EU AI Act	Article 12 (Record Keeping)	Direct requirement
FCA SYSC	9.1.1R, 9.1.2G (Record Keeping)	Direct requirement
eIDAS	Electronic Timestamps and Trust Services	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks)	Supports compliance
HIPAA	Audit Controls (45 CFR 164.312(b))	Supports compliance

SOX — Section 302, Section 404, Section 802

Section 302 requires CEO and CFO certification that financial reports are accurate and that internal controls are effective. Section 404 requires management assessment and auditor attestation of internal controls. For AI agent governance, the audit trail is the primary evidence that controls operated effectively during the reporting period. If the audit trail can be tampered with, the certification is based on unreliable evidence. SOX auditors specifically evaluate whether audit records are protected against modification — tamper-evident chaining is a direct response to this requirement.

Section 802 makes the stakes explicit: knowingly altering, destroying, mutilating, concealing, or falsifying records with the intent to impede a federal investigation carries criminal penalties of up to 20 years imprisonment. For AI governance, this means that any system that allows audit records to be altered without detection creates not just a compliance risk but a criminal liability exposure for the individuals responsible.

EU AI Act — Article 12 (Record Keeping)

Article 12 requires that high-risk AI systems "allow for the automatic recording of events (logs) over the lifetime of the system." The logs must be "appropriate to the intended purpose of the system" and must enable "monitoring of the operation of the high-risk AI system." Critically, Article 12 requires that logs be retained "for a period that is appropriate in view of the intended purpose" and that they "facilitate the post-market monitoring" of the system. AG-006 ensures that these logs are tamper-evident — meeting the implicit requirement that retained logs accurately reflect what actually occurred.

FCA SYSC — 9.1.1R, 9.1.2G (Record Keeping)

SYSC 9.1.1R requires firms to "arrange for orderly records to be kept of its business and internal organisation" including records sufficient to enable the FCA to "monitor the firm's compliance with the requirements under the regulatory system." For AI agent governance, this means the audit trail must be reliable — the FCA must be able to trust that the records reflect actual governance decisions. SYSC 9.1.2G specifically notes that records should be "readily accessible" and capable of being reproduced — hash chain verification with export capability meets both requirements.

eIDAS — Electronic Timestamps and Trust Services

The EU eIDAS regulation establishes the legal framework for electronic identification and trust services, including electronic timestamps. AG-006's optional integration with external timestamp authorities (qualified electronic time stamps under eIDAS) provides legal admissibility of audit records as evidence. A qualified electronic time stamp under eIDAS creates a legal presumption of accuracy regarding the date and time it indicates and the integrity of the data to which it is bound.

HIPAA — Audit Controls (45 CFR 164.312(b))

HIPAA requires that covered entities implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. For AI agents processing health data, tamper-evident audit records ensure that access logs cannot be altered to conceal unauthorised access to patient information. Chain integrity provides the evidentiary foundation for HIPAA compliance investigations.

ISO 42001 — Clause 6.1

Clause 6.1 requires organisations to determine actions to address risks and opportunities within the AI management system. Tamper-evident record keeping is a fundamental risk treatment for accountability failure, ensuring that the organisation can demonstrate its governance posture at any historical point through verifiable records.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Organisation-wide — compromised audit integrity undermines the evidentiary foundation of all governance controls

Consequence chain: Without tamper-evident record integrity, audit records can be altered to conceal governance failures, blocked actions can be removed from the record, and regulatory submissions can be fabricated. The audit trail becomes worthless for any legal or compliance purpose. The failure mode is silent and catastrophic: unlike other governance failures that produce visible symptoms — blocked transactions, escalation alerts, system errors — a tampered audit trail looks exactly like a legitimate one. The organisation produces records showing correct governance. The regulator reviews those records and finds compliance. The actual governance failures are hidden. The only defence against this failure mode is cryptographic proof that the records are original. The consequences compound over time — each day that tampered records go undetected is another day of false compliance reporting. When the tampering is eventually discovered through backup comparison, forensic analysis, or whistleblower disclosure, the organisation faces not only the original governance failures but the additional charge of falsifying records to conceal them. Under SOX Section 802, this carries criminal penalties of up to 20 years imprisonment. Under GDPR, falsified records of data processing create exposure under Article 83 for inadequate technical measures. The business consequence includes regulatory enforcement action, criminal prosecution of responsible individuals, complete loss of regulatory trust, and potential withdrawal of operating licences.

Cross-reference notes: AG-006 records governance decisions while AG-007 (Governance Configuration Control) records governance configuration changes — both must be tamper-evident for the complete governance history to be trustworthy. AG-016 (Cryptographic Action Attribution) proves who authored each record while AG-006 proves records are unmodified — together they provide both integrity and attribution. AG-049 (Governance Decision Explainability) ensures records are understandable while AG-006 ensures they are authentic — integrity without explainability produces tamper-evident records that no one can interpret.