A Decision Passport is a cryptographically signed, tamper-evident record of every consequential AI agent action: who authorized it, what policy applied, and exactly why. Signed by an independent third party. Not your cloud. Not your own infrastructure. Hand it to the OCC examiner, the SOC2 auditor, the EU supervisory authority. Nothing in your current stack produces this. When your examiner asks "what controlled that decision?", this is what you show them.
Two deployment modes: capture every LLM call with zero code changes, or prove every regulated decision with one decorator. Both produce the same artifact.
Banks, insurers, and healthcare companies are deploying AI agents to approve loans, flag fraud, deny prior authorizations, triage patients, and more. When the regulator asks why the agent did what it did, most companies cannot answer.
Your AI agent approved $4.2M in refunds last quarter. The OCC examiner wants three things: which policy version governed each decision, whether the model received exactly what was authorized, and proof the record was not touched afterward. You have logs. They are mutable. They are not enough.
Opposing counsel subpoenas your AI decision records. Your audit logs are not write-protected (WORM). Your database rows can be updated. Your audit trail has no cryptographic signature. Everything you hand them can be challenged on authenticity. Without cryptographic proof of integrity, you cannot demonstrate the record was not modified after the fact. And if your cloud provider signed the evidence about decisions that ran on its own infrastructure, opposing counsel will challenge the independence of that record too.
Your AI agent flagged 12,000 patients for care gap outreach last quarter. HHS OCR opens an investigation. They want the audit trail: which agent decision identified each patient, what data it accessed, under which policy version, with what authorization. Your logs show the agent ran. They do not show what it was authorized to access, or whether the input it received was exactly what was approved. HIPAA § 164.312(b) requires audit controls: mechanisms that record and examine activity in systems containing ePHI. For an AI agent that means showing what it accessed and under what authorization. With mutable logs, you cannot prove that. Your current stack produces none of it.
| Current tool | What it does | What it lacks | AgentOS fills |
|---|---|---|---|
| CloudTrail / audit logs | Records API calls | No decision causality, no cryptographic seal. Even immutable cloud logs fail the independence test. The same provider cannot be both the infrastructure and the auditor. | Single cryptographically signed artifact per AI agent decision, signed by an independent third party |
| AI monitoring platforms | Traces execution, monitors drift | Mutable logs, not legal evidence | WORM-committed, RFC 3161 timestamped |
| OPA / policy engines | Evaluates rules at runtime | No artifact, no causality chain | Pre-execution binding + cryptographically signed artifact |
| LLM observability tools | Traces prompts, completions, latency and cost | Mutable database logs, no cryptographic proof | Ed25519 signed, independently verifiable |
| SIEM / log aggregators | Aggregates logs across systems | Logs are mutable, not sealed | Ed25519 signed, WORM-committed, designed to withstand adversarial examination |
Built for debugging and operational visibility, not legal proceedings. Mutable logs. No cryptographic signature. No WORM commitment. Outside counsel cannot establish integrity in discovery.
Built for operational awareness, not legal proceedings. An OCC examiner will not accept a mutable data export as audit-grade proof, regardless of format.
One self-contained artifact per AI agent action. Signed, sealed, timestamped.
Each field exists for a forensic reason. The comments on the sample artifact below say what each one proves.

```jsonc
{
  "passport_id": "dp_9f3a2c1e-4b7d-4e8a-b1c2",
  "schema_version": "1.1.0",
  "tier": "TIER_A",                          // HSM · WORM · RFC 3161
  "capture_layer": "BUSINESS_LAYER",         // decorator mode
  "consequential": true,
  "principal": {
    "agent_id": "refund-approval-agent-v2",
    "tenant_id": "tenant_acme_fintech"
  },
  "action": {
    "type": "REFUND_APPROVAL",
    "decision_ts": "2026-04-12T09:23:41.847Z"
  },
  "policy_evaluation": {
    "result": "ALLOW",
    "policy_id": "refund-policy-v4.2.1",
    "input_hash": "sha3_256:a3f82c1d..."     // sealed before execution
  },
  "causality_chain": {
    "step_sequence": 3,
    "total_steps": 3,
    "prev_step_hash": "sha3_256:9e8d7c6b..." // tamper-evident link to the previous step
  },
  "signing_attestation": {
    "algorithm": "Ed25519",
    "hsm_level": "FIPS_140-2_LEVEL_3",       // production HSM
    "signature": "3045022100a1b2c3..."       // sample placeholder, truncated; see note below
  },
  "storage": {
    "worm_commit": "CONFIRMED",              // S3 Object Lock, COMPLIANCE mode
    "rfc3161_ts": "APPLIED",                 // applied after the WORM commit
    "customer_bucket": true,                 // you own the bucket
    "lock_verification_latency_ms": 187
  },
  "compliance_controls": [
    "OCC_BULLETIN_2025-26",
    "NYDFS_PART_500",
    "EU_AI_ACT_ARTICLE_12",
    "SOC2_CC6.1",
    "NIST_SP800-53_AU-10"
  ],
  "verification_uri": "https://verify.getagentos.ai/dp_9f3a2c1e"
}
```

A note on the sample signature: an Ed25519 signature is 64 raw bytes, so the field holds 128 hex characters (or the base64 equivalent). The "3045022100..." prefix in the placeholder above is the DER SEQUENCE header of an ECDSA signature, and a strict Ed25519 verifier would reject a value in that form; a real artifact carries the raw 64-byte signature.
Verify independently: agentos verify dp_9f3a2c1e
Two deployment modes. Both produce the same Decision Passport. Start with auto-instrument for immediate coverage. Promote regulated paths to the decorator.
Decorator mode · BUSINESS_LAYER · consequential=true · TIER-A · Synchronous · OCC · NYDFS · Litigation-ready

One decorator on the function that makes the regulated decision. No changes to internal logic or return types.

SHA3-256(JCS(business_inputs)), where JCS is the RFC 8785 JSON Canonicalization Scheme, is committed into a signed Authorization Token before the function runs. If the inputs the function actually receives hash differently, the call is rejected with 403 (AUTHORIZATION_INPUT_MISMATCH) and no artifact is produced.

Ed25519 signed. WORM-committed. RFC 3161 timestamped. Verifiable independently using the standalone CLI and your S3 bucket.

Auto-instrument mode · TIER-A · Zero code change · Article 12 · GDPR · NIST AI RMF

Run agentos run python app.py or set AGENTOS_AUTO_INSTRUMENT=1. Same pattern as ddtrace-run.

Every LLM API call is intercepted at the client library boundary. SHA3-256(JCS(LLM_API_request)) is committed as input_hash.

Ed25519 signed. WORM-committed. RFC 3161 timestamped. Complete audit trail. Same standalone verify CLI as the decorator.

Note what each mode binds: the decorator commits to the business inputs of the decision, auto-instrument commits to the raw LLM API request. The capture_layer field of each artifact records which of the two claims it makes.

Each passport names the specific controls it addresses. Not general positioning. Named fields, named controls, named regulations.
OCC Bulletin 2025-26 directs national banks to govern AI agent decisions as model risk. Examination cycles now include AI governance readiness.
NY-licensed fintechs and insurers face NYDFS enforcement risk for AI agent decisions without audit trails.
EU AI Act Article 12 requires high-risk AI systems to automatically record events (logs) over their lifetime, at a level that lets the system's operation be traced and reconstructed after the fact.
GDPR Article 22 governs automated decision-making that affects individuals and requires documented accountability for those decisions.
The NY RAISE Act requires frontier AI developers to publish safety frameworks and report safety incidents. Enterprises deploying those models need documentation of which model version governed each decision.
SOC2 CC6.1 requires documented authorization controls for non-human identities; it maps to authorization_token_id. CC4.1 requires evidence of processing integrity; it maps to execution_result. NIST SP 800-53 AU-10 requires non-repudiation of principal actions.
The HIPAA Security Rule amendments proposed in January 2025 would significantly strengthen audit logging requirements for AI agent interactions with ePHI. Under the proposed amendments, every agent decision touching patient data would require a record of who authorized it, what input it received, and what it produced. Mutable logs do not satisfy that requirement.
Any AI system that creates or modifies GxP records must log which model version acted, on what input, producing what output, with a timestamp.
All 10 OWASP risks below are mapped to specific Decision Passport fields. Hand this to your security team. The review checklist can close in one meeting rather than 2-3 weeks. The controls live in code. Evidence type reads as follows: "Prev + Record" means the risk is blocked at runtime and the attempt is recorded; "Recording" means the passport records the evidence needed to detect and reconstruct it after the fact.
| # | OWASP Risk | Evidence type | AgentOS controls (passport fields and error codes) |
|---|---|---|---|
| 1 | Goal hijacking | Prev + Record | input_hash + substrate enforcement + AUTHORIZATION_INPUT_MISMATCH |
| 2 | Tool misuse | Prev + Record | tool_call_log + authorization_token_id + action_type |
| 3 | Identity abuse | Recording | principal_identity + signing_attestation |
| 4 | Memory poisoning | Recording | full_prompt_snapshot + rag_evidence_bundle + causality_chain_hash |
| 5 | Cascading failures | Recording | causality_chain_hash + instrumentation_coverage + PASSPORT_COMMIT_FAILED |
| 6 | Insecure output handling | Recording | output_pre_postprocess + execution_result |
| 7 | Code execution abuse | Prev + Record | action_type + tool_call_log + BLOCK_ON_SERVICE_UNAVAILABLE |
| 8 | Human-agent trust exploitation | Prev + Record | principal_identity + policy_version_hash + availability_policy |
| 9 | Supply chain risks | Recording | model_version_hash + registry_validation_status + sdk_binary_sha3 |
| 10 | Rogue agents | Recording | deployment_mode + evidence_tier + instrumentation_coverage |
19 years systems engineering · HP (OpenVMS, Tru64 UNIX) · VMware ESX · FedRAMP GovCloud · Apache Ambari PMC
Started at HP. Filesystem work on Tru64 UNIX, then backup and restore on OpenVMS using tape libraries. Tape is write-once by design. Once written, it stays. S3 Object Lock in AgentOS enforces the same property, different medium.
Moved to VMware and spent years in the ESX storage stack implementing T10 DIF/DIX. That is the standard that proves data was not silently corrupted between host and storage device. Same problem, one layer down.
Later: FedRAMP GovCloud delivery, Control Plane and Workload side. FIPS 140-3 cryptographic compliance. Evidence packages for federal authorising officials, produced firsthand.
19 years, same question: how do you prove the data is exactly what it should be, and that nobody changed it? AgentOS asks that question about AI decisions.
- Verification: the agentos verify CLI. The capture_layer field tells the auditor which forensic claim applies. The verify CLI accepts both v1.0.0 and v1.1.0 artifacts.
- The evidence_tier field of every artifact.
- The customer_bucket field in every artifact confirms your ownership.
- The lock_verification_latency_ms field documents the WORM sealing time per artifact. In production, values are typically 150-300 ms.

Looking for 1-2 design partners to build the Decision Passport to your auditor's specification. You define what it must prove. We build to your requirements.
90-day pilot · $10-25K · 50% upfront · Design partner pricing guaranteed for the first two customers.
OCC examination readiness, EU AI Act Article 12, or HIPAA audit controls.
contact@getagentos.ai
The Decision Passport schema is open. The OWASP mapping is public. The standalone verify CLI will be open source.
SDK integration: 30 minutes in a clean development environment. Enterprise security review: 3-6 weeks, reduced by the OWASP mapping.
No account needed to evaluate the schema and verify a sample artifact.
SDK integration: 30 minutes in a clean environment · Enterprise production: 1–4 hours
90-day pilot · $10-25K · 50% upfront. One conversation to see if it fits.
Or book directly: 30-min call ↗