Most governance tools produce a single signed receipt after the fact. The action happened, here is the proof. That approach covers you in the simplest case, but it leaves two critical moments completely unrecorded.
The first is intent. Before an agent runs anything, it declares what it wants to do. That declaration is worth signing on its own, because it tells you what the agent was trying to accomplish regardless of whether it was allowed to proceed. The second is the policy decision itself, the moment your rules evaluated the request and returned an approval or a denial. If you only sign the final action, you lose both of these, and you are left with no proof that governance actually ran before the agent acted.
Three-phase signing treats each of these moments as a separate signed record in a chain. The intent gets signed first, capturing the agent, the action, and the context it provided. The decision gets signed next, recording whether the policy approved or denied the request and which rules were evaluated. If the request was approved, the execution gets signed last, confirming the action completed.
The interesting case is when the policy blocks the action. You still end up with two signed records: the intent and the denial. That means you have a tamper-evident record showing that the agent tried to do something it was not allowed to do, and that your governance layer caught it. For compliance, this is just as valuable as a successful execution chain, because auditors want to see that controls are working, not just that actions happened.
import asqav
asqav.init(api_key="sk_...")
agent = asqav.Agent.create("orchestrator")
chain = agent.sign_with_phases("data:delete:users", {"table": "users", "reason": "cleanup"})
print(chain.intent) # signed: agent wanted to delete users
print(chain.decision) # policy evaluated and approved/denied
print(chain.execution) # signed: action completed (only if approved)
print(chain.approved) # True/False
Each phase in the chain is individually verifiable. You can hand an auditor the intent signature alone and they can confirm it is authentic without needing the rest of the chain. Or you can export the full chain as a single bundle and let them walk through the entire lifecycle of the action from request to completion.
This also changes how you think about denied actions. Instead of treating a policy denial as a silent non-event, it becomes a first-class record in your audit trail. Over time, the pattern of denied intents tells you as much about your agents as the approved ones do, because it shows you what they are consistently trying to do and being stopped from doing.
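To make the chain structure concrete, here is an added sketch (not asqav's code or API) of three linked records where each one verifies on its own and a denial still leaves two signed records. It uses HMAC-SHA256 from the standard library as a stand-in for a real signature scheme, so the verifier shares the key; with asymmetric signatures an auditor could verify without being able to sign. The names `three_phase`, `sign_record`, `verify_record`, `verify_chain`, and the `deny_deletes` policy are hypothetical.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: stand-in for a real signing key
PHASES = ("intent", "decision", "execution")

def _mac(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def sign_record(phase, payload, prev=None):
    """Sign one phase; `prev` is the signature of the preceding record."""
    body = {"phase": phase, "payload": payload, "prev": prev}
    return {**body, "sig": _mac(body)}

def verify_record(rec):
    """Check a single record on its own, without the rest of the chain."""
    body = {k: rec[k] for k in ("phase", "payload", "prev")}
    return hmac.compare_digest(_mac(body), rec["sig"])

def three_phase(agent, action, context, policy, run):
    """Sign intent, then the policy decision, then execution if approved."""
    intent = sign_record("intent", {"agent": agent, "action": action, "context": context})
    ok = bool(policy(action, context))
    decision = sign_record("decision", {"approved": ok, "rule": policy.__name__}, intent["sig"])
    chain = [intent, decision]
    if ok:
        run()
        chain.append(sign_record("execution", {"status": "completed"}, decision["sig"]))
    return chain

def verify_chain(chain):
    """Valid signatures, correct phase order, each record linked to the last."""
    prev = None
    for rec, phase in zip(chain, PHASES):
        if rec["phase"] != phase or rec["prev"] != prev or not verify_record(rec):
            return False
        prev = rec["sig"]
    if not 2 <= len(chain) <= 3:
        return False
    # An execution record is only acceptable after a signed approval.
    return len(chain) == 2 or chain[1]["payload"]["approved"]

def deny_deletes(action, context):  # constructed sample policy
    return not action.startswith("data:delete")

denied = three_phase("orchestrator", "data:delete:users", {"table": "users"}, deny_deletes, lambda: None)
approved = three_phase("orchestrator", "data:read:users", {"table": "users"}, deny_deletes, lambda: None)
```

Because the decision record is linked to the intent and the execution record to the decision, an execution record appended to a denied chain fails `verify_chain` even if its own signature is valid.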
CrewAI GuardrailProvider
On a related note, we recently shipped a GuardrailProvider integration for CrewAI that plugs three-phase signing directly into crew task execution. If you are building with CrewAI, the guardrail provider evaluates each agent action against your policies and produces the same signed chain automatically, so you get full intent, decision, and execution records without changing how your crews are structured.
Source on GitHub. If something breaks, open an issue.