Attested Login Context Governance

2. Summary

Attested Login Context Governance requires that AI agent governance systems record trusted, tamper-evident evidence about the conditions under which each access session was established — including the device identity, network location, authentication method, device health posture, geographic location, and time of access. This context is not merely logged for informational purposes; it is attested (cryptographically signed or otherwise tamper-proofed) so that it can be relied upon for forensic investigation, regulatory reporting, and risk-based access decisions. When an incident occurs — a fraudulent mandate approval, an unauthorised configuration change, an unexplained override — the attested login context provides the evidentiary foundation for determining how access was obtained, from where, under what conditions, and whether those conditions were consistent with legitimate use.

3. Example

Scenario A — Missing Context Impedes Incident Investigation: A financial agent's mandate is modified at 02:47 UTC on a Saturday, raising the daily aggregate limit from £1,000,000 to £15,000,000. The audit log records the administrator's identity and the action but not the login context — no device identity, no network location, no authentication method. Investigation reveals that the administrator's credentials were compromised, but the organisation cannot determine: whether the access came from the administrator's registered device or an attacker's device, whether the access originated from the corporate network or an external location, whether MFA was used or bypassed, or whether the device was in a compliant state. Without this context, the incident response team cannot scope the breach, the regulator cannot assess the control failure, and the insurer contests the claim.

What went wrong: Login context was not recorded. The audit log captured the "who" and "what" but not the "where," "how," or "under what conditions." Consequence: Unscoped incident, extended investigation timeline (14 days instead of estimated 3 days), regulatory enforcement action for inadequate record-keeping, insurer denied claim citing insufficient evidence of control effectiveness.

Scenario B — Forged Login Context Misleads Investigation: An attacker compromises a governance administrator's credentials and accesses the platform from an overseas VPN. The governance system logs the access context but the log entry is stored in a mutable database. During the incident, the attacker (who also has database access) modifies the log entry to show the access originated from the administrator's usual office IP address and corporate device. The investigation concludes that the access was legitimate — the administrator is blamed for the mandate change, and the actual attacker is never identified.

What went wrong: The login context was logged but not attested — it was stored in a mutable format that the attacker could modify. Tamper-evident logging (cryptographic chaining, write-once storage, or independent attestation) would have detected the modification. Consequence: Incorrect attribution, legitimate employee wrongly blamed, actual attacker not identified, ongoing security risk, potential employment law liability.

Scenario C — Inconsistent Context Not Used for Risk Decision: A governance system logs rich login context — device identity, network, location, authentication method — but does not use it for access decisions. An administrator who normally logs in from London at 09:00 from a corporate laptop suddenly authenticates from Lagos at 03:00 from an unrecognised device. The context is logged but no alert or access restriction is triggered. The attacker, using stolen credentials, has 6 hours of undetected access during which they exfiltrate the complete agent governance configuration for 84 deployed agents.

What went wrong: Login context was captured but not consumed for risk-based decisions. The context data existed in the log but was not fed into a decision engine. The anomalous pattern (unprecedented location, unusual time, unknown device) was recorded but not acted upon. Consequence: 6-hour undetected breach, full governance configuration exfiltration, emergency rotation of all agent credentials and mandates.

4. Requirement Statement

Scope: This dimension applies to every governance session established by a human or service with an AI agent governance system. The scope includes all access methods: web browser sessions, API sessions, CLI sessions, mobile app sessions, and any other interface through which governance actions can be performed. The login context must be captured at session establishment and updated if context changes during the session (per AG-285). The scope is determined by the governance capability of the session — any session through which agent behaviour, configuration, or authority can be viewed or modified requires attested login context.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

4.1. A conforming system MUST capture and record the following login context for every governance session: (a) the authenticated identity (linked to AG-279 proofing), (b) the device identity (linked to AG-281 registry), (c) the authentication method and assurance level (e.g., FIDO2 AAL2, password-plus-OTP AAL1), (d) the network source (IP address, network type — corporate/VPN/public), (e) the geographic location derived from network or device signals, and (f) the UTC timestamp of session establishment.

4.2. A conforming system MUST store login context in a tamper-evident format — either cryptographically signed by the governance platform, stored in an append-only log with cryptographic chaining (hash chain or Merkle tree), or written to an immutable storage medium.

4.3. A conforming system MUST use captured login context as input to risk-based access decisions, evaluating whether the context is consistent with the identity's established patterns and the organisation's access policies.

4.4. A conforming system MUST flag and require step-up authentication or deny access when login context deviates significantly from established patterns — including impossible travel (geographic distance incompatible with elapsed time), first-time device, access outside normal hours for the specific identity, or access from a sanctioned jurisdiction.

4.5. A conforming system MUST retain attested login context for the same duration as the governance action logs it accompanies (minimum 7 years for regulated financial services, 5 years for other regulated sectors, 3 years otherwise).

4.6. A conforming system SHOULD capture additional context signals where available: device health posture (per AG-281), TLS session characteristics, browser/client version, and screen resolution/display configuration.

4.7. A conforming system SHOULD implement continuous context attestation that updates the recorded context at regular intervals during the session (at least every 15 minutes) and at the time of each high-risk governance action.

4.8. A conforming system SHOULD provide a context dashboard that displays the login context for all active governance sessions, enabling security teams to identify anomalous sessions in real time.

4.9. A conforming system MAY implement context attestation by the client device — the device signs a context assertion (including its identity, location, and posture) that the governance platform verifies independently, providing a second source of context evidence alongside server-side capture.

5. Rationale

Login context serves three purposes: forensic evidence, risk-based access control, and regulatory compliance. Each purpose requires that the context be reliable — that is, tamper-evident, accurate, and comprehensive.

As forensic evidence, login context answers the questions that investigators ask first: where did the access come from? What device was used? What authentication method was employed? Was the device in a healthy state? Without this evidence, incident investigation relies on indirect indicators (network logs, device logs from other systems) that may be incomplete, inconsistent, or unavailable. Attested login context — cryptographically signed or hash-chained — provides evidence that cannot be retroactively modified by an attacker who has access to the log storage.

As input to risk-based access control, login context enables the governance system to distinguish between normal and anomalous access patterns. An administrator who always logs in from London at 09:00 from a corporate laptop presenting an access from Lagos at 03:00 from an unknown device is a high-risk anomaly. Without context capture and analysis, the governance system treats all authenticated sessions identically, regardless of the risk signals. With context analysis, the system can require step-up authentication, limit the session's authority, or deny access entirely for anomalous contexts.

For regulatory compliance, login context is increasingly expected by regulators as evidence of control effectiveness. The FCA expects firms to demonstrate that they can reconstruct the circumstances of any governance action. GDPR Article 5(1)(f) requires appropriate security, which includes knowing who accessed what, from where, and under what conditions. SOX auditors expect to see comprehensive access records for systems that affect financial controls.

AG-286 requires that login context is not just logged but attested — providing a higher standard of evidence than plain-text logs that can be modified. This is essential because in governance breach scenarios, the attacker often has sufficient access to modify plain-text logs. Attested context resists this.

6. Implementation Guidance

Login context attestation should be implemented as an integral part of the session establishment flow, not as an afterthought or a separate logging system. The context is captured, attested, and stored as part of the authentication process.

Recommended patterns:

• Cryptographically chained context log. Store login context in an append-only log where each entry includes a cryptographic hash of the previous entry (hash chain). Any modification to a historical entry breaks the chain, which is detectable on verification. Implement an independent verification process that periodically validates the chain integrity. Example: each login context record contains {session_id, identity, device_id, auth_method, ip, location, timestamp, hash(previous_record)}. A weekly automated verification confirms chain integrity. Any break in the chain triggers a security alert.
• Device-signed context assertions. At session establishment, the client device signs a context assertion using a TPM-bound key. The assertion includes: device identity (per AG-281 registry), current IP address, approximate location (if available), device posture (OS version, patch level, encryption status, MDM compliance), and timestamp. The governance platform verifies the assertion signature against the device registry and stores it alongside the server-observed context. Discrepancies between device-asserted and server-observed context trigger additional scrutiny. Example: the device asserts it is in London on the corporate network; the server observes the connection from a London IP. Consistent. If the device asserts London but the server observes a Bucharest IP, the discrepancy triggers an alert.
• Risk engine integration. Feed login context into a risk scoring engine that evaluates each session establishment against the identity's historical baseline and the organisation's policy. Risk factors include: first-time device (+30 risk points), access outside 06:00-22:00 local time (+15 points), non-corporate network (+20 points), impossible travel (>500 km since last session ended less than 1 hour ago, +50 points), access from a high-risk jurisdiction (+40 points). Risk scores above defined thresholds trigger: step-up authentication (score 30-60), restricted session authority (score 60-80), or access denial (score 80+). Thresholds are tuned based on false-positive rates.
• Immutable storage with independent access control. Store attested login context in a storage system that is independent of the governance platform's primary database — for example, a separate write-once storage account with credentials held only by the security team. This prevents an attacker who compromises the governance platform from modifying the context logs.

Anti-patterns to avoid:

• Plain-text context logging without tamper evidence. Writing login context to a standard application log or database table without cryptographic protection. An attacker with database access can modify historical context records to cover their tracks.
• Context capture without consumption. Logging rich context data but never feeding it into access decisions. Context that is logged but not acted upon provides forensic value but misses the opportunity to prevent incidents in real time.
• Client-only context capture. Relying solely on the client to report its own context without server-side verification. A compromised client can report false context. Always cross-reference client-reported context with server-observed signals.
• Over-collection of context without minimisation. Capturing highly granular location data (GPS coordinates to 6 decimal places), detailed browsing history, or other context that exceeds what is necessary for risk assessment and forensic investigation. Apply AG-284 minimisation principles to context capture.
• Context retention misaligned with action retention. Retaining governance action logs for 7 years but login context logs for only 1 year. When a regulator requests evidence of a 5-year-old governance action, the context that explains the circumstances of that action is missing.

Industry Considerations

Financial Services. FCA supervisory expectations include the ability to reconstruct the circumstances of financial decisions. For AI agent governance in financial services, attested login context provides the evidence trail. MiFID II recording obligations extend to the conditions under which trading-related decisions were made. Login context for agent mandate approvals should be treated with the same rigour.

Healthcare. HIPAA audit controls (Section 164.312(b)) require recording and examining activity in information systems containing PHI. Login context for governance sessions affecting clinical AI agents satisfies this requirement.

Public Sector. Government security standards (e.g., NCSC Cyber Essentials Plus, FedRAMP) require audit logging that includes access context. Attested login context exceeds these baselines by providing tamper-evident evidence.

Maturity Model

Basic Implementation — Login context (identity, device, authentication method, IP, timestamp) is captured at session establishment and stored in the governance audit log. The log is stored in a database with access controls but is not cryptographically protected against internal modification. Login context is available for incident investigation but is not used for real-time access decisions. Retention matches governance action log retention. This meets minimum mandatory requirements but lacks tamper evidence and risk-based consumption.

Intermediate Implementation — Login context is stored in a cryptographically chained append-only log. Device-signed context assertions complement server-observed context. A risk engine evaluates context at session establishment, triggering step-up authentication or access restriction for anomalous patterns. Context is updated at the time of high-risk governance actions. An independent verification process validates chain integrity weekly. Context is retained in immutable storage with independent access controls.

Advanced Implementation — All intermediate capabilities plus: continuous context attestation every 15 minutes during active sessions. Real-time context dashboard for security operations. Client-device-signed context assertions verified against device registry. Context risk scoring is continuously tuned based on threat intelligence and false-positive analysis. Independent adversarial testing confirms that context records cannot be forged, modified, or deleted. The organisation can demonstrate to regulators an unbroken, tamper-evident chain of context evidence for every governance session.

7. Evidence Requirements

Required artefacts:

• Login context schema. The complete schema of captured context fields for each governance session type. Format: structured specification.
• Tamper-evidence mechanism. Technical description and configuration evidence for the tamper-evident storage mechanism (hash chain, Merkle tree, immutable storage). Format: architecture documentation and configuration export.
• Chain integrity verification records. Results of periodic chain integrity verification showing that no historical records have been tampered with.
• Risk engine configuration. The complete set of risk factors, scoring weights, and threshold actions used for context-based access decisions.
• Context anomaly incident records. Records of detected context anomalies, the access decision made (step-up, restriction, denial), and the investigation outcome.

Retention requirements:

• Attested login context: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise. Must match the retention of the governance actions the context accompanies.

Access requirements:

• Producible to regulators or auditors within 48 hours of request.

8. Test Specification

Test 8.1: Context Capture Completeness

• Stimulus: Establish a governance session via each supported access method (web browser, API, mobile app, CLI). Examine the recorded context for each.
• Expected behaviour: Each session's context record contains all mandatory fields: identity, device identity, authentication method/AAL, network source, geographic location, and UTC timestamp.
• Pass criteria: All mandatory fields are populated for every access method. No fields are missing or null.
• Fail criteria: Any mandatory context field is missing for any access method.

Test 8.2: Tamper Evidence Integrity

• Stimulus: Attempt to modify a historical login context record in the storage system — change the recorded IP address, alter the timestamp, or delete the record.
• Expected behaviour: The modification either fails (immutable storage) or is detected by the chain integrity verification (broken hash chain).
• Pass criteria: No historical context record can be silently modified. Any modification is detected.
• Fail criteria: A historical context record is modified without detection.

Test 8.3: Anomalous Context Detection — Impossible Travel

• Stimulus: Establish a governance session from London. End the session. Within 30 minutes, establish a new session from a location 5,000 km away (e.g., New York).
• Expected behaviour: The system detects impossible travel (5,000 km in 30 minutes) and either requires step-up authentication or denies access.
• Pass criteria: The anomaly is detected and the appropriate risk response is triggered.
• Fail criteria: The session is established without any additional challenge despite impossible travel.

Test 8.4: First-Time Device Detection

• Stimulus: Authenticate to the governance platform from a device that has never been used for governance access by this identity.
• Expected behaviour: The system flags the first-time device and requires step-up authentication before granting governance access.
• Pass criteria: First-time device access triggers additional verification.
• Fail criteria: First-time device access proceeds without any additional verification.

Test 8.5: Risk Score Threshold Enforcement

• Stimulus: Create a login scenario that accumulates risk points above the access-denial threshold (e.g., first-time device + impossible travel + access from sanctioned jurisdiction + outside normal hours).
• Expected behaviour: The risk score exceeds the denial threshold. Access is denied with a structured reason.
• Pass criteria: Access is denied when the cumulative risk score exceeds the threshold.
• Fail criteria: Access is granted despite an above-threshold risk score.

Test 8.6: Context Retention Alignment

• Stimulus: Query the context log for a governance action recorded at the maximum retention boundary (e.g., 7 years ago for financial services).
• Expected behaviour: The attested login context for that session is available and its tamper evidence (hash chain) is verifiable.
• Pass criteria: Context records are available for the full retention period with intact tamper evidence.
• Fail criteria: Context records are missing or tamper evidence is unverifiable for records within the retention period.

Conformance Scoring

• Score 0: No login context is captured — governance logs record the identity and action but not the circumstances of access.
• Score 1: Basic context is captured (IP, timestamp) but is stored in a mutable format and is not used for access decisions.
• Score 2: Full context is captured, stored in a tamper-evident format, and consumed by a risk engine for access decisions. Anomalous patterns trigger step-up authentication or access denial. Retention matches governance action log requirements.
• Score 3: All Score 2 capabilities plus: device-signed context assertions, continuous context attestation during sessions, real-time context dashboard, independent adversarial testing, and immutable storage with independent access controls.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
GDPR	Article 5(1)(f) (Integrity and Confidentiality)	Supports compliance
FCA SYSC	6.1.1R (Systems and Controls)	Direct requirement
SOX	Section 404 (Internal Controls Over Financial Reporting)	Supports compliance
HIPAA	Section 164.312(b) (Audit Controls)	Direct requirement
DORA	Article 9 (ICT Risk Management Framework)	Supports compliance
NIST SP 800-53	AU-3 (Content of Audit Records)	Direct requirement
ISO 27001	A.8.15 (Logging)	Direct requirement

FCA SYSC — 6.1.1R (Systems and Controls)

The FCA expects firms to maintain systems and controls that enable reconstruction of governance decisions. Attested login context provides the "circumstances of access" evidence that supervisors require when investigating a governance action. Without it, the firm cannot demonstrate the conditions under which a mandate was approved or a configuration was changed.

HIPAA — Section 164.312(b) (Audit Controls)

HIPAA requires audit controls that record and examine activity in information systems containing PHI. For AI agents governed by humans with access to PHI, the login context of the governing humans is part of the required audit trail.

NIST SP 800-53 — AU-3 (Content of Audit Records)

AU-3 specifies minimum content for audit records including: what type of event occurred, when, where, source, outcome, and identity. AG-286's login context directly satisfies AU-3's requirements for "where" (network source, location), "how" (authentication method), and supporting circumstantial evidence.

10. Failure Severity

Field	Value
Severity Rating	Medium
Blast Radius	Forensic-scoped — impacts the organisation's ability to investigate incidents, attribute actions, and demonstrate control effectiveness to regulators

Consequence chain: Without attested login context, the organisation loses the ability to reconstruct the circumstances of governance actions after the fact. When an incident occurs, investigators cannot determine whether access was from a legitimate location and device. Regulators cannot assess whether controls were effective at the time of the action. Insurers cannot verify that the claimed security posture was actually in place. The immediate consequence is extended investigation timelines and inconclusive findings. The regulatory consequence is enforcement action for inadequate record-keeping. The financial consequence is denied insurance claims and increased regulatory penalties due to inability to demonstrate control effectiveness. The strategic consequence is loss of confidence in the governance framework — if the organisation cannot prove how access was obtained, it cannot prove that its controls work.

Cross-references: AG-281 (Device Identity Binding Governance) provides the device identity recorded in the login context. AG-285 (Session Binding Governance) uses login context for continuous session validation. AG-279 (Human Identity Proofing Governance) provides the authenticated identity recorded in the context. AG-287 (Non-Repudiation Evidence Governance) relies on attested login context to strengthen non-repudiation claims. AG-016 (Cryptographic Action Attribution) benefits from context evidence that corroborates the cryptographic attribution. AG-284 (Credential Presentation Minimisation Governance) constrains the identity attributes in the context to the minimum necessary. AG-161 (Requester Authentication and Anti-Impersonation) establishes the authentication method recorded in the context.