Evidence or It Didn't Happen
There is a question coming for every AI deployment that has not yet been asked, and it is the same question any serious audit eventually asks: prove that this happened. For autonomous AI action the version of the question is sharper, because the action is consequential and there is no human in the loop to recall the moment. Prove that this specific governance decision was rendered, against this specific policy, before this specific action ran. Many organisations I have looked at could not, today, actually prove it. They could narrate it. They could log it. They could not, in any meaningful sense, prove it.
Logs Cannot Carry Authority
When teams show me their evidence, the same gap surfaces every time: traditional logs were not designed for what is now being asked of them. They were designed for observability, for the question “what happened?” answered against the system that already happened to be running. Three properties make ordinary logs structurally insufficient for governance, and naming them is the cleanest way to see why a different kind of artefact is needed.
The first is that ordinary logs are mutable. Many logging systems write to storage that can be altered after the fact; entries can be modified, deleted or reordered. Even append-only stores typically lack cryptographic guarantees that the content between write and read has not been tampered with. Under audit, mutability is disqualifying: evidence that could have been altered is not evidence in the sense the audit needs. The second is that logs are unstructured for governance. Their formats vary by system, service and version, and what they record is operational fact — this function was called, this error was thrown, this request returned a 200. They do not record which policy was evaluated, which delegation was in scope or what decision was rendered. A timeline can be reconstructed from logs; an authority chain cannot. The third is that logs are disconnected. Each entry stands on its own, without a cryptographic link to the entry before or after, which means no integrity check is available to reveal whether an entry has been inserted, removed or reordered.
The properties governance needs from its evidence are not new ideas. Cryptographically secure audit logs were formalised by Schneier and Kelsey in 1999, in work that is now over a quarter of a century old. The gap predates AI. What is new is applying these properties to the governance decisions of autonomous AI systems, a domain that until quite recently produced no governance evidence at all.
What A Governance Evidence Record Has To Carry
A governance evidence record, in the strict sense, is not a log entry with extra fields. It is a tamper-evident, cryptographically chained record of a single thing: a governance decision. What it records is the canonical representation of the action under evaluation, the identity of the policy that was applied, the delegation chain under which the actor claimed authority, the decision that was rendered, and the moment of the decision. The record can still be called a receipt in ordinary prose, because that is how people talk about proof they can carry forward, but the important point is structural: the evidence is bound to the decision, not to a vague operational event.
Each evidence record incorporates the cryptographic hash of its predecessor, forming an integrity chain that cannot be reordered, cannot hide gaps and cannot have individual records removed without detection. The actor, intent, target, parameters, policy version, content hash, delegation scope, time bounds and outcome are not annotations around the decision. They are what make the decision independently reconstructable.
What that produces is not a log of the action. It is proof that governance occurred at the moment the action was about to occur.
Integrity Has To Be Verifiable
Four cryptographic properties make this work, and each maps to a question an audit will eventually ask. The first is that the authoring system can be verified: receipts are cryptographically signed, and forgery is computationally infeasible under the signing scheme in use. The second is that the chain cannot be silently broken: each receipt incorporates the hash of its predecessor, so insertion, deletion or reordering breaks the chain in a way that is detectable from outside. The third is reconstructability: the evidence can be verified by a party who does not have access to the system that produced it, and the originating system does not need to be honest or even available. The fourth is collision resistance: it is computationally infeasible to find two distinct inputs that produce the same receipt hash, which is what makes the chain semantically meaningful in the first place.
None of these properties is novel cryptography. They are well-understood from a literature that has been mature for decades. What is novel is that they are being applied to the governance of autonomous AI action, a domain that has mostly operated without them.
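The chaining described under "What A Governance Evidence Record Has To Carry" and the checks described in this section, as an added example that is not code from the original article. The field names, the all-zero genesis value and the sample decisions are assumptions, and HMAC-SHA256 stands in for the asymmetric signature so the block runs on the standard library alone, which means this verifier holds the key, unlike the independent verifier the text describes.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed sentinel "previous hash" for the first record

def record_hash(rec):
    # Canonical form: fixed field set, sorted keys, no insignificant whitespace.
    body = {k: rec[k] for k in ("seq", "prev", "decision")}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def sign(key, digest):
    # HMAC-SHA256: stdlib stand-in for an asymmetric signature such as Ed25519.
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def append_record(chain, key, decision):
    rec = {"seq": len(chain), "decision": decision,
           "prev": chain[-1]["hash"] if chain else GENESIS}
    rec["hash"] = record_hash(rec)
    rec["sig"] = sign(key, rec["hash"])
    chain.append(rec)

def verify_chain(chain, key, expected_head=None):
    """Return (ok, index of first bad record or None, reason)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if record_hash(rec) != rec["hash"]:
            return (False, i, "content hash mismatch")
        if rec["seq"] != i or rec["prev"] != prev:
            return (False, i, "chain link broken")
        if not hmac.compare_digest(sign(key, rec["hash"]), rec["sig"]):
            return (False, i, "signature invalid")
        prev = rec["hash"]
    # Tail truncation leaves a valid shorter chain; an anchored head reveals it.
    if expected_head is not None and prev != expected_head:
        return (False, len(chain), "head hash mismatch")
    return (True, None, "ok")

def sample_chain(key):
    # Constructed sample decisions; every field value is illustrative.
    chain = []
    for n, outcome in enumerate(["allow", "deny", "allow"]):
        append_record(chain, key, {
            "actor": "agent-7", "intent": "transfer", "target": f"acct-{n}",
            "parameters": {"amount": 100 * (n + 1)},
            "policy_version": "policy-v3", "delegation_scope": "payments:write",
            "decided_at": f"2024-01-01T00:00:0{n}Z", "outcome": outcome})
    return chain
```

Editing, deleting or reordering a record in the middle fails at the first affected index, and a record rewritten with a recomputed hash fails the signature check. Dropping records from the tail passes unless the verifier is also given the latest head hash from a place the writer cannot rewrite.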
Evidence Makes The Decision Portable
Once the evidence exists in this shape, several things become possible that were not possible before. Every autonomous action can be traced to the governance decision that preceded it, which is what audit-proof actually means in this context: the evaluation happened before execution and the evaluation was complete. For any action, the complete decision context can be reconstructed, including canonical action, policy version, delegation chain and outcome, and the reconstruction does not depend on the originating system being available or willing to cooperate. Any alteration to the chain becomes cryptographically detectable, so tampering with one record after the fact requires either compromising the signing key or rewriting every record that followed it. The delegation chain that granted authority for each action is recorded at decision time, not reconstructed from scattered logs after the fact, with scope, time bounds, revocation status and chain depth all captured in the evidence itself.
A receipt becomes more than a log entry when the decision can be replayed without asking the original system to vouch for itself.
The Receipt Carries The Decision
The receipt is, in a real sense, the artefact that makes governance honest. Governance has to precede consequence, has to operate at the boundary where intent becomes execution, has to distinguish whether an action is authorised from whether the model’s text output is acceptable, and has to flow from delegations that were explicitly granted rather than from credentials the system happens to hold. The decision has to be deterministic, reconstructable byte for byte from the recorded inputs. The proof of the decision has to be tamper-evident, cryptographically chained and independently verifiable. None of those properties is nice-to-have. They are the only way the answer to “show me” is something other than a story.
Governance that cannot prove itself does not survive an audit. A system that produces no tamper-evident record of its governance decisions has no evidence that governance occurred, which means the governance claim dissolves the moment a serious counterparty asks to see it.