Your AI Agents Need an Accountability Layer

You shipped a multi-agent system. Agents route tasks, process data, produce outputs. It works. Stakeholders are happy.

Then someone from compliance shows up.

"Which agent made this decision? What data did it have access to? Can you prove nothing was modified after the fact?"

You check your logs. They're there. But they're mutable. Any process with write access could have altered them. You have observation, not evidence. That distinction is about to matter more than most teams realize.

The Accountability Gap

Most agent systems have extensive logging. Print statements, structured JSON, maybe a centralized log aggregator. That covers observability.

Accountability is a different question. Can you prove what happened? Can you demonstrate that the record is complete, unaltered, and attributable to a specific actor?

Traditional logging fails this test for three reasons:

1. Mutability. Logs can be edited, truncated, or deleted. If an agent (or a compromised process) modifies a log entry, there's no cryptographic evidence of the change.
2. Attribution. Log entries say "Agent X did Y" but there's no signature proving Agent X actually produced that entry. Any process writing to the same log can impersonate any agent.
3. Ordering. Timestamps can be spoofed. Without a hash chain, there's no way to prove event A happened before event B, or that no events were inserted between them.

What Accountability Actually Requires

A proper accountability layer needs three properties:

Identity. Each agent has a cryptographic key pair. When it acts, it signs the record with its private key. The signature is verifiable by anyone with the public key. No impersonation possible.

Integrity. Each record includes a hash of the previous record. This creates a chain where altering any entry invalidates every subsequent hash. Tampering becomes detectable, not just unlikely.

Sequence. The hash chain provides a provable ordering. Event 47 references event 46's hash. You can reconstruct the entire sequence and verify nothing was inserted, deleted, or reordered.

Here's what that looks like in practice:

import hashlib
import json
from datetime import datetime, timezone

def create_attestation(agent_id: str, action: str, data: dict, prev_hash: str) -> dict:
    """Create a hash-chained attestation record."""
    record = {
        "agent_id": agent_id,
        "action": action,
        "data": data,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "prev_hash": prev_hash,
    }
    # Hash the canonical JSON representation
    content = json.dumps(record, sort_keys=True)
    record["hash"] = hashlib.sha256(content.encode()).hexdigest()
    return record

# Build a chain
chain = []
prev = "genesis"

chain.append(create_attestation("researcher", "fetch_data", {"sources": 3}, prev))
prev = chain[-1]["hash"]

chain.append(create_attestation("analyst", "process", {"rows": 1420}, prev))
prev = chain[-1]["hash"]

chain.append(create_attestation("writer", "generate_report", {"words": 2100}, prev))

Each record in this chain references the hash of the previous one. Alter any field in any record, and the chain breaks from that point forward. This is the same principle behind blockchain and git, applied to agent operations.

The Compliance Pressure Is Real

The EU AI Act requires audit trails for high-risk AI systems. SOC 2 auditors are starting to ask about AI governance practices. Even if your system isn't in a regulated industry today, the direction is clear: organizations deploying AI agents will need to demonstrate accountability, not just observability.

The teams building this infrastructure now will be ahead when the requirements formalize. The teams retrofitting it later will be doing it under pressure, with production systems that were never designed for it.

Adding Signatures

Hash chains prove integrity and ordering. Cryptographic signatures prove identity. Combining both:

from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

def sign_attestation(record: dict, private_key: Ed25519PrivateKey) -> bytes:
    """Sign an attestation with the agent's private key."""
    content = json.dumps(record, sort_keys=True).encode()
    return private_key.sign(content)

Each agent holds its own key pair. The signature on each record is proof that the specific agent produced it. You can verify the signature with the agent's public key without needing access to the private key.

This moves you from "the log says Agent X did this" to "Agent X cryptographically signed this record, and the hash chain proves it wasn't altered afterward."

Where This Fits in Your Stack

An accountability layer sits between your agents and your log storage. Agents produce attestations instead of (or in addition to) log entries. The attestation chain is append-only and verifiable.

Agent → Attestation (sign + hash-chain) → Storage
                                            ↓
                              Verification (any time, by anyone)

This doesn't replace your existing logging. It transforms observations into evidence.

Getting Started

If you're building multi-agent systems and want to add cryptographic accountability:

1. Assign each agent an Ed25519 key pair at initialization.
2. Sign every significant action (task completion, data access, routing decisions).
3. Hash-chain the records so ordering and completeness are verifiable.
4. Store the chain immutably (append-only file, database with write-only access, or dedicated service).

Sigil implements this pattern as a Python library with MCP integration. pip install sigil-notary if you want to skip the build-from-scratch step.

The audit trail your compliance team will eventually ask for is cheaper to build now than to retrofit later. The agents doing the work should be producing the evidence that they did it correctly.