My AI agents went rogue.
I run an e-commerce store. A few months ago, I deployed AI agents to handle customer emails — returns, refund requests, product questions. It worked great, until it didn't.
The agents started making promises we couldn't keep: wrong refund amounts, unauthorized discounts, completely fabricated policies. "Sure, we'll refund your shipping even though our policy says otherwise." "Yes, you can return that item after 90 days." None of it was true.
The worst part wasn't that they failed. That's fixable. The worst part was that I couldn't prove what they actually said.
When customers disputed AI responses, I had nothing. Logs were scattered across three different services. They were mutable — anyone (or any process) could quietly change them after the fact. And they were incomplete. Half the tool calls weren't captured at all.
I had no audit trail. No accountability. No evidence.
The Gap That Nobody Talks About
When I went looking for a solution, I found plenty of observability tools. Langfuse. Helicone. LangSmith. They're all excellent at showing you what happened.
But I didn't need to see what happened. I needed to prove what happened.
That distinction sounds subtle. It isn't.
- Observability answers: "What did the agent do?"
- Accountability answers: "What did the agent do, and can you prove it wasn't changed after the fact?"
In a regulated world — and we're entering one fast — that difference is everything. The EU AI Act is partially in force. The Colorado AI Act hits in June 2026. Texas TRAIGA is live now. The SEC has made AI governance its top priority for 2026.
Companies deploying AI agents for anything consequential (approving loans, handling complaints, writing medical summaries, processing transactions) are going to need tamper-evident records of what their AI said and did. Not logs. Proof.
What I Built
So I built AIR — the open-source black box for AI agents.
Like the flight recorder on an aircraft, AIR captures every decision, every interaction, every tool call your AI agents make. But unlike scattered logs, AIR creates cryptographic chains: HMAC-SHA256 proof that records haven't been modified after the fact. Change one record and the entire chain breaks.
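Conceptually, the chain works like this: each record's MAC covers both its own payload and the previous record's MAC, so editing any record invalidates it and everything after it. Here is a minimal sketch of that idea — the key handling, record shape, and function names are illustrative, not AIR's actual format:

```python
import hmac
import hashlib
import json

SECRET = b"example-signing-key"  # hypothetical key; real key management would differ

def append_record(chain, payload):
    """Sign a record over its payload plus the previous record's MAC."""
    prev_mac = chain[-1]["mac"] if chain else ""
    message = json.dumps(payload, sort_keys=True) + prev_mac
    mac = hmac.new(SECRET, message.encode(), hashlib.sha256).hexdigest()
    chain.append({"payload": payload, "mac": mac})

def verify_chain(chain):
    """Recompute every MAC; one edited record breaks it and all successors."""
    prev_mac = ""
    for record in chain:
        message = json.dumps(record["payload"], sort_keys=True) + prev_mac
        expected = hmac.new(SECRET, message.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["mac"]):
            return False
        prev_mac = record["mac"]
    return True

chain = []
append_record(chain, {"role": "assistant", "content": "Refund approved per policy."})
append_record(chain, {"role": "tool", "name": "issue_refund", "amount": 19.99})
print(verify_chain(chain))  # True

chain[0]["payload"]["content"] = "No refund."  # tamper with the first record
print(verify_chain(chain))  # False — the whole chain is now invalid
```

The key point: you don't need to trust the log storage, only the signing key. Anyone holding the key can re-verify the chain at any time.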
Three lines of code to wrap your existing OpenAI app:
```python
from openai import OpenAI
import air

client = air.air_wrap(OpenAI())
response = client.chat.completions.create(...)
# Every call is now recorded with a tamper-evident audit trail
```
That's it. Every prompt, completion, tool call, and model decision is captured — with cryptographic integrity — stored on your own infrastructure, never leaving your control.
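The wrap-and-record pattern itself is simple. This toy sketch (the function names and record shape are mine, not AIR's) just appends each call to a sink before returning; AIR's SDK additionally chains and signs every record as shown earlier:

```python
import time

def record_calls(fn, sink):
    """Wrap any callable so each invocation is appended to an audit sink.
    Illustrative only — AIR's air_wrap does far more than this."""
    def wrapped(*args, **kwargs):
        result = fn(*args, **kwargs)
        sink.append({
            "ts": time.time(),
            "args": args,
            "kwargs": kwargs,
            "result": result,
        })
        return result
    return wrapped

audit_log = []
# Stand-in for an LLM call, so the example runs without an API key
fake_completion = record_calls(lambda prompt: f"echo: {prompt}", audit_log)

fake_completion("What is your return policy?")
print(len(audit_log))  # 1
```

Because the recorder wraps the call site, nothing downstream can skip it — which is how you avoid the "half the tool calls weren't captured" problem.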
What It Actually Solves
When a customer disputes what your AI told them: You have a signed, timestamped record of the exact conversation. Not a log file that could have been edited — cryptographic proof of what was said.
When a regulator asks for your AI governance documentation: AIR auto-generates compliance reports mapped to SOC 2, ISO 27001, and EU AI Act requirements. 22 controls, pre-mapped.
When your agent goes off-script and you don't know why: Deterministic replay lets you reproduce any AI decision exactly as it happened, in isolation, for debugging.
When your team changes a model or prompt: You have a before/after comparison with the same inputs, so you can prove the change didn't introduce new failure modes.
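Both replay and before/after comparison reduce to the same trick: re-run recorded inputs and diff the outputs. A minimal sketch, with a hypothetical episode shape and toy policy functions (none of this is AIR's actual API):

```python
def replay(episode, agent_step):
    """Re-run a step function over recorded inputs; return records whose
    output no longer matches what was originally captured."""
    return [r for r in episode if agent_step(r["input"]) != r["output"]]

def compare_runs(episode, old_step, new_step):
    """Run two versions of an agent step on identical recorded inputs
    and collect every input where their answers diverge."""
    return [r["input"] for r in episode
            if old_step(r["input"]) != new_step(r["input"])]

episode = [
    {"input": "refund 19.99", "output": "APPROVED"},
    {"input": "refund 500.00", "output": "ESCALATE"},
]

policy_v1 = lambda text: "APPROVED" if float(text.split()[1]) < 100 else "ESCALATE"
print(replay(episode, policy_v1))  # [] — v1 reproduces the recording exactly

policy_v2 = lambda text: "APPROVED"  # a (bad) new version that approves everything
print(compare_runs(episode, policy_v1, policy_v2))  # ['refund 500.00']
```

The catch in real systems is pinning everything nondeterministic — model version, temperature, tool outputs, timestamps — which is exactly why the episodes have to be captured at record time.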
The Ecosystem
AIR isn't one repo — it's a complete accountability stack across 19 open-source repositories, including:
- air-blackbox-gateway — OpenAI-compatible reverse proxy that captures every LLM call
- air-sdk-python — Python SDK wrapping OpenAI, LangChain, and CrewAI
- agent-policy-engine — Risk-tiered autonomy: policies, kill switches, trust scoring
- eval-harness — Replay episodes, score results, detect regressions
- mcp-policy-gateway — Firewall for AI agent tool access via MCP
The Python SDK is live on PyPI: pip install air-blackbox-sdk
There's also an interactive demo you can try right now in your browser — watch an agent run, inspect the audit chain, tamper with a record, and see the chain break.
Why Now
The timing isn't accidental. 90% of enterprises use AI in daily operations. Only 18% have governance frameworks. The tools simply don't exist yet for most companies.
But they will need to exist — and soon. August 2026 is when EU AI Act enforcement begins for high-risk systems. June 2026 for Colorado. January 2026 for Texas (already live).
If you're building AI agents that affect real people, you need to be thinking about this now, not after your first customer dispute or regulatory inquiry.
AIR is open source and free to use. The hard part is done — the code is real, the SDK is live, the demo works.
If you're building AI agents in production, I'd love your feedback. Try the interactive demo, kick the tires on the SDK, file an issue if something doesn't work.
GitHub: github.com/nostalgicskinco/air-blackbox-gateway
Jason Shotwell builds e-commerce tooling and, apparently, AI infrastructure when his agents go rogue.