DEV Community

arian gogani

your AI agent's audit trail is a lie

#ai

every agent framework ships logging. LangChain has callbacks. CrewAI has task output. Google ADK has tool traces.

none of it is verifiable.

the problem nobody talks about

an application log is a file the operator controls. the same party who ran the agent controls the record of what the agent did.

an auditor reviewing that log is not verifying evidence. they are trusting the operator to tell the truth about their own behavior.

this is not a hypothetical. the average AI agent-related data breach now costs $4.7 million. 88% of enterprises running agents reported at least one security incident.

the governance tools shipped at RSAC 2026 solve policy: what agents SHOULD do. they do not solve evidence: what agents DID do.

policy and evidence are different records. the second one needs cryptography, not configuration.

what a real receipt looks like

a receipt is not a log entry. it is a signed, content-addressed record that anyone can verify without trusting the operator.

from nobulex.integrations.langchain import NobulexAuditHandler

# agent: your existing LangChain agent, built elsewhere
handler = NobulexAuditHandler(agent_id="my-agent")
agent.invoke({"input": "check credit for user 4821"},
             config={"callbacks": [handler]})
handler.export("audit.json")  # the receipts, one per tool call

what this produces per tool call:

  • action_ref = SHA-256(JCS({agent_id, action_type, scope, timestamp_ms})) using RFC 8785 for deterministic serialization
  • Ed25519 or ES256 signature over the canonical payload
  • hash chain linking each receipt to the previous one

any third party can verify the trail:

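from nobulex.chain import verify_audit_trail

# AGENT_PUBLIC_KEY: the agent's public key as registered at setup time,
# not a key read out of audit.json
report = verify_audit_trail("audit.json", authorized_keys=AGENT_PUBLIC_KEY)
assert report["chain_intact"] and report["authenticated"]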

the verifier recomputes the action_ref from the receipt fields, checks the signature against the agent's registered key (not the key the receipt itself carries), and walks the hash chain. no API call. no operator trust. offline verification.
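
an added example, not nobulex's code: the two hash checks described above (recompute action_ref, walk the chain) using only the standard library. the receipt layout here (a prev_hash field, an all-zero genesis value, hashing the whole previous receipt) is an assumption for illustration, and the signature check against the pinned key is a separate step.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first receipt (hypothetical layout)
REF_FIELDS = ("agent_id", "action_type", "scope", "timestamp_ms")

def jcs(obj):
    # Matches RFC 8785 output for the value types used here:
    # ASCII keys, string values and integer values.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def digest(obj):
    return hashlib.sha256(jcs(obj)).hexdigest()

def action_ref(receipt):
    # SHA-256(JCS({agent_id, action_type, scope, timestamp_ms}))
    return digest({k: receipt[k] for k in REF_FIELDS})

def append_receipt(trail, **fields):
    # Hypothetical issuer side: bind the new receipt to the previous one.
    receipt = dict(fields)
    receipt["action_ref"] = action_ref(receipt)
    receipt["prev_hash"] = digest(trail[-1]) if trail else GENESIS
    trail.append(receipt)

def verify_chain(trail):
    """Return (ok, index_of_first_bad_receipt, reason)."""
    prev = GENESIS
    for i, receipt in enumerate(trail):
        if any(k not in receipt for k in REF_FIELDS):
            return False, i, "missing field"
        if receipt.get("action_ref") != action_ref(receipt):
            return False, i, "action_ref mismatch"
        if receipt.get("prev_hash") != prev:
            return False, i, "chain break"
        prev = digest(receipt)
    # Hashes alone can be recomputed by whoever holds the file; the signature
    # checked against the pinned key is what ties the chain to the agent.
    return True, None, "ok"

def sample_trail():
    # Constructed sample data, not real agent output.
    actions = [("tool_call", "credit:read"), ("tool_call", "credit:score"),
               ("final_answer", "user:4821")]
    trail = []
    for n, (kind, scope) in enumerate(actions):
        append_receipt(trail, agent_id="my-agent", action_type=kind,
                       scope=scope, timestamp_ms=1700000000000 + n)
    return trail
```

editing a field is caught at that receipt; editing a field and recomputing its action_ref is caught one receipt later, where prev_hash no longer matches.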

the trust-anchor problem

most audit-trail tools verify the signature against the public key embedded in the record. that means anyone who mints a keypair can produce a valid-looking trail.

the fix: verify against a pinned authorized key. the agent's public key is registered at setup time. the verifier checks the receipt's signature against that pinned key, not the one the document carries.

this is the difference between "the record is internally consistent" and "the record was produced by an authorized agent."

what ships today

integrations for LangChain, CrewAI, Google ADK, PydanticAI, Haystack, and LlamaIndex. six major agent frameworks covered. dual signing: Ed25519 (default) or ES256 (for x402 payment protocol compatibility).

~15,000 signed receipts per second (Ed25519) or ~60,000/sec (ES256) at p50. sub-millisecond per agent action.

sections 8-11 of the OWASP Agentic Security CheatSheet cover the bilateral receipt pattern (merged by Jim Manico). nobulex is cited as the third independent receipt issuer in the x402 payment protocol spec (section 5, Linux Foundation). 14/14 conformance verdicts green.

pip install nobulex

repo: github.com/arian-gogani/nobulex
