Blog

A.6.2.8 requires event log recording but specifies no timing, no format, no integrity requirement, and no chain linkage. Auditors accept whatever you present. For agentic AI, that gap is structural — and here's what a technically rigorous implementation actually requires.

A figure from Māori whakairo tradition describes the condition of 5 billion people in 2026. Manuruhi entered Tangaroa's domain without tikanga and was absorbed into it. Still visible. No longer his own shape. This is what algorithmic platforms do — and why mātauranga Māori already has the answer.

LLMs don't just generate text — they export English rhetorical structures into every language they touch. The words translate, but the thought architecture underneath stays English. What that means for te reo Māori, why every language needs provenance enforcement before the machine's voice becomes the default, and the counter-architecture already built.

The origin of whakairo is a story about a carved house under the sea where the posts on one wall were talking to the posts on the other. Not metaphor — the knowledge system worked. Here is what that means for AI language tools.

Tech companies approach language communities with good intentions. They collect recordings, build models, ship preservation tools. But someone has to decide which dialect is canonical, which knowledge is in scope, whose version counts. That decision is governance. Usually the builder makes it.

Policy as code for AI agents is not about OPA or infrastructure config. It means the agent's behaviour contract — step order, permitted action types — is declared, versioned, and enforced by an independent runtime gate before each action, with a signed receipt as proof that the policy ran.

Runtime policy controls what an AI agent is allowed to do. Sequence-order enforcement proves it did things in the right order — with cryptographic receipts no model can modify. Why both layers exist, what each one covers, and where compliance frameworks require the second one.

AI agent step order enforcement is the mechanism that verifies each step executes in declared sequence before the action proceeds. It cannot live in the agent itself — the agent is the system being regulated, not the regulator. What external step order enforcement provides and how it works.

A regular audit log records what happened. A cryptographic AI audit trail proves it — with HMAC signatures that break on any modification, canonical serialisation that makes verification deterministic, and key IDs that survive key rotation. What the cryptography actually does and why compliance requires it.

AI agents are probabilistic. Their enforcement layer cannot be. Same conditions, same gate decision, always before execution, always signed. A live system with 1M+ decisions and a public verification endpoint — no login required.

The EU AI Act high-risk deadline has moved from August 2026 to December 2027 via the Digital Omnibus on AI. Article 12 still requires pre-execution enforcement evidence — the requirement didn't change, only the timeline. What that means for your agentic AI deployment.

An evidence control layer for agentic AI is not an observability stack. Observability captures what happened after the fact. Evidence requires a gate that fired before the action ran — producing a signed, tamper-evident record at the moment of enforcement, not during post-hoc review.

The IETF draft standard for agent audit trails defines hash-chained JSON records, trust levels L0–L4, and mandatory fields for AI agent sessions. It references EU AI Act Article 12 and ISO 42001. But the draft doesn't require pre-execution recording — here's what it covers, what it leaves open, and how AgenticRail aligns with and exceeds the specification.

The OWASP Top 10 for Agentic Applications 2026 (ASI01–ASI10) is the first peer-reviewed security framework for autonomous AI agents. This post maps each risk to what sequence-order enforcement, pre-action authorization, and cryptographic receipts cover — and where the gaps remain.

Without pre-action authorization, social engineering attacks on AI agents succeed 74.6% of the time. With it: 0%. Model alignment is probabilistic — it cannot guarantee individual outputs. Pre-action authorization intercepts every tool call before execution, evaluates it against declared policy, and produces a signed record.

Sequence enforcement for AI agents means the gate verifies that each step executes in declared order before allowing it to proceed. Step order is not a logging detail — it is a security property. Skipping steps is the agentic equivalent of privilege escalation.

The April 2026 NIST Critical Infrastructure Profile signals where US enterprise AI governance is heading. How cryptographic gate receipts satisfy Govern 1.2 and Measure 2.5 — and map to EU AI Act and ISO 42001 simultaneously.

ISO/IEC 42001:2023 is a certification standard — auditors require documented evidence that controls ran, not just that policies exist. How cryptographic gate receipts satisfy A.6.1.6, Clause 9.1, and human oversight controls for agentic AI.

AI agent logs are self-reported — the model records what it believes it did, not what it provably executed. Best practices for production: pre-execution gate receipts, nonce-based replay protection, HMAC-signed immutable records, and deterministic sequence replay for any audit.

LLMs are probabilistic. Production deployments aren't. What it means to enforce deterministic behaviour on a non-deterministic model, and why regulated industries require it.

The EU AI Act requires traceability, human oversight, and logging for high-risk AI systems. Here's how sequence enforcement at the infrastructure layer satisfies Articles 9, 11, 12, and 14.