The infrastructure primitive that's missing from every agent stack in 2026.
Your AI agent just made a decision. Maybe it rebalanced a portfolio. Maybe it drafted a contract. Maybe it triggered a downstream action that affected a real person.
Can you prove what happened?
Not "we have logs somewhere." Prove it. Cryptographically. To a regulator. To a court. To an auditor who has no access to your infrastructure.
Probably not.
That's the problem PCP solves.
The stack everyone's building on has a hole in it
Here's the standard AI agent stack in 2026:
Model Layer GPT-4o, Claude, Llama
↓
Inference API OpenAI, Anthropic, Ollama
↓
Agent Framework LangChain, CrewAI, AutoGen, MCP
↓
Application trading bot, medical copilot, pipeline
↓
Storage logs, databases, S3 buckets
This stack can reason, plan, use tools, coordinate with other agents. But no layer in it answers the questions that matter when something goes wrong:
- Who acted?
- What did they decide, exactly?
- In what order?
- Was a human in the loop?
- Did the agent's behaviour change over time?
Traditional logs fail every single one of these:
| Requirement | Traditional logs | PCP |
|---|---|---|
| Attribution | ✗ no identity binding | ✅ Ed25519 signature per event |
| Integrity | ✗ mutable, deletable | ✅ SHA-256 hash chain |
| Temporal order | ✗ internal clock only | ✅ RFC 3161 trusted timestamps |
| Portability | ✗ requires your infrastructure | ✅ self-contained .pqz bundle |
| Governance record | ✗ separate, disconnected | ✅ TrustGate decisions in the chain |
| Behavioural monitoring | ✗ no baseline | ✅ Vigil VRS continuous scoring |
The primitive that was missing
Digital infrastructure advances in layers. TCP/IP made communication reliable. TLS secured it. OAuth made it delegable.
Each one introduced a primitive so fundamental it became invisible infrastructure.
PCP : Proof of Continuity Protocol , is that primitive for autonomous agent accountability.
It defines verifiable continuity: the property that an agent's complete sequence of decisions forms a tamper-evident, chronologically ordered, attributable, and behaviourally coherent record — independently auditable by anyone with just the agent's public key.
No access to your servers. No special tooling. Just the key and the chain.
Four layers, four properties
PCP is a vertical four-layer stack that sits between your agent framework and your storage:
┌──────────────────────────────────────────────────────┐
│ TRUSTGATE Governance Continuity │
│ ALLOW · REQUIRE_HUMAN · BLOCK · QUARANTINE │
├──────────────────────────────────────────────────────┤
│ VIGIL Behavioural Continuity │
│ VRS risk score · TSI · A2C anomaly detection │
├──────────────────────────────────────────────────────┤
│ PIQRYPT CORE Memory Continuity │
│ Hash chains · RFC 3161 · .pqz certified archives │
├──────────────────────────────────────────────────────┤
│ AISS Identity Continuity MIT ©2026 │
│ Ed25519 identity · SHA-256 chains · ML-DSA-65 PQ │
└──────────────────────────────────────────────────────┘
Layer 1 : Identity: who is this agent?
Every agent gets a cryptographic identity derived deterministically from its public key:
agent_id = BASE58ENCODE( SHA256(pk_bytes) )[0:32]
This identity is self-sovereign (no issuing authority), portable (survives restarts and migrations), and cryptographically bound (you need the private key to claim it).
import piqrypt as aiss
private_key, public_key = aiss.generate_keypair()
agent_id = aiss.derive_agent_id(public_key)
# → "PIQR1a3f8b2c..." — stable across restarts
Layer 2 : Memory: what did it do?
Every decision produces a signed event. Every event references the hash of its predecessor:
E₀ (genesis) → E₁ → E₂ → ... → Eₙ
Sign(sk) Sign(sk) Sign(sk) Sign(sk)
prev=⊥ prev=H(E₀) prev=H(E₁) prev=H(Eₙ₋₁)
Modify any event → its hash changes → the next event's prev_hash no longer matches → the chain breaks. Tamper detection is O(n), or O(1) for incremental verification.
from aiss.memory import store_event
event = aiss.stamp_event(
private_key,
agent_id,
{"action": "portfolio_rebalance", "confidence": 0.94}
)
store_event(event)
aiss.verify_chain([event])
# ✅ Chain verified — 1 event, 0 anomalies
Performance: median 0.12 ms per event (Ed25519, measured on commodity hardware). For a 10,000-event chain: full re-verification in under 10 seconds. Overhead is negligible.
Layer 3 : Vigil: is it behaving consistently?
An intact chain proves records weren't tampered with. It doesn't prove the agent behaved consistently. That's Vigil's job.
Vigil computes a VRS (Vigil Risk Score) — a composite real-time signal from 0.0 to 1.0:
VRS = 0.30 × TSI_weight
+ 0.35 × (1 − TrustScore)
+ 0.20 × A2C_risk ← relational anomaly detection
+ 0.15 × ChainIssueScore
| VRS | State | Meaning |
|---|---|---|
| 0.00–0.25 | SAFE | Normal operation |
| 0.25–0.50 | WATCH | Alert logged |
| 0.50–0.75 | ALERT | High alert |
| 0.75–1.00 | CRITICAL | TrustGate escalation triggered |
The A2C detector catches 16 relational anomaly patterns: sudden over-reliance on a single peer, tight temporal lock-step with other agents, abnormal bursts after inactivity. These patterns are invisible in per-event logs — they only appear when you look at behaviour over time.
Vigil runs as a local dashboard on port 8421:
piqrypt start --tier free
# → Vigil dashboard at http://localhost:8421
Layer 4 : TrustGate: should it have done that?
TrustGate is the governance layer. Before an agent executes a critical action, TrustGate evaluates it against a policy and returns one of four outcomes:
-
ALLOW— proceed -
DENY— blocked -
AUDIT— proceed, flagged for review -
REQUIRE_HUMAN— paused until a human approves
The key invariant: every TrustGate decision is a signed event in the agent's chain. A DENY cannot be removed. A DENY that was overridden leaves a trace. Human approval is cryptographically recorded.
# ~/.piqrypt/trustgate/policy.yaml
rules:
- event_type: "financial_transaction"
condition: "payload.amount > 10000"
outcome: REQUIRE_HUMAN
reason: "High-value transaction requires human approval"
- event_type: "send_email"
condition: "payload.recipients|length > 50"
outcome: DENY
reason: "Mass email blocked"
When REQUIRE_HUMAN triggers, TrustGate opens an approval queue in the dashboard. Human approves or rejects. Either way, the decision is signed and chained. Default on timeout: DENY.
piqrypt start --tier business --manual
# → TrustGate console at http://localhost:8422
Two agents, one verifiable session
When two agents collaborate, PCP records the interaction in both chains via a co-signed handshake:
from piqrypt.bridges.session import AgentSession
# Agents reference their identity files
session = AgentSession(agents=[
{"name": "planner", "identity_file": "~/.piqrypt/agents/planner.json"},
{"name": "executor", "identity_file": "~/.piqrypt/agents/executor.json"},
])
session.start()
session.stamp("planner", "task_delegation",
{"task": "analyze_portfolio"}, peer="executor")
session.stamp("executor", "task_completed",
{"result_hash": "sha256:9c4e..."}, peer="planner")
# → Each interaction signed in both chains
# → Verifiable by any third party with just the public keys
Neither agent can deny the interaction. Neither chain can be modified without breaking the other.
Post-quantum: harvest-now-decrypt-later
For regulated deployments — finance, healthcare, legal — PCP offers AISS-2: a hybrid Ed25519 + ML-DSA-65 (NIST FIPS 204) signature.
Every event carries two independent signatures. Valid under both classical and post-quantum verification. If quantum computers break Ed25519 in 10 years, your 2026 audit records are still valid.
# Requires: pip install piqrypt[post-quantum]
from aiss.stamp_aiss2 import stamp_event_aiss2_hybrid, verify_aiss2_hybrid
# Generate separate keypairs for each algorithm
ed_priv, ed_pub = aiss.generate_keypair()
from aiss.pq import generate_dilithium_keypair
dil_priv, dil_pub = generate_dilithium_keypair()
agent_id = aiss.derive_agent_id(ed_pub)
event = stamp_event_aiss2_hybrid(ed_priv, dil_priv, agent_id, {"action": "trade"})
# → event carries two independent signatures: Ed25519 + ML-DSA-65
Works via MCP, zero code change
If you're already using MCP, PiQrypt plugs in as a server:
npm install -g @piqrypt/mcp-server
Four tools exposed: piqrypt_stamp_event, piqrypt_verify_chain, piqrypt_export_audit, piqrypt_search_events.
Compatible with Claude Desktop, Cursor, n8n 1.88+, and any MCP client. The agent never sees private keys — they stay in the PiQrypt layer.
The regulatory deadline
EU AI Act Article 12 requires inviolable, tamper-evident logs for high-risk AI systems. Full obligations apply from August 2, 2026.
Traditional logs don't qualify. PCP chains do.
| Article | Requirement | PCP Layer |
|---|---|---|
| Art. 12 | Inviolable logging | PiQrypt Core (hash chain) |
| Art. 13 | Transparency | Signed payload |
| Art. 14 | Human oversight mandatory | TrustGate REQUIRE_HUMAN |
| Art. 9 | Risk monitoring | Vigil VRS |
Try it in 30 seconds
pip install piqrypt
piqrypt identity create my_agent
piqrypt stamp my_agent --payload '{"action":"test","value":42}'
piqrypt verify my_agent
# ✅ Chain integrity verified — 1 event · trust_score: 1.00
piqrypt start --tier free
# → Vigil at http://localhost:8421
What's open, what's not
| Component | License |
|---|---|
| AISS (foundation layer) | MIT — pip install aiss-standard
|
| Framework bridges (9) | Apache-2.0 |
| PiQrypt Core, Vigil, TrustGate | ELv2 |
The protocol specification is at aiss-standard.org. The reference implementation is at github.com/piqrypt/piqrypt.
PCP does not change how agents think.
It establishes — cryptographically, portably, independently — what they did.
PiQrypt May 4 2026.
Reference implementation: github.com/piqrypt/piqrypt
Protocol spec: aiss-standard.org
Contact: contact@piqrypt.com
Top comments (0)