AgenticRail Blog IETF Agent Audit Trail
Standards 2026-05-12 Kade Cowper

IETF Agent Audit Trail: What the Draft Standard Requires — and What It Doesn't

There is a live IETF Internet-Draft that defines a JSON standard for AI agent audit records with hash chaining, trust levels, and mandatory fields. It cites EU AI Act Article 12 and ISO/IEC 42001. Here is what the draft requires, where it leaves gaps, and how AgenticRail aligns with — and goes beyond — it.

The Draft

draft-sharif-agent-audit-trail is an IETF Internet-Draft defining a standardised format for audit records produced by AI agent systems. It was published to address the absence of a common structure for agent audit logs — the gap that makes compliance attestation difficult when every deployment invents its own schema.

The draft expires September 29, 2026. At that point it either advances toward RFC status, is revised, or lapses. For now it represents the closest thing to an emerging standard that developers, auditors, and compliance teams can reference when building or evaluating agent audit infrastructure.

Draft Reference

draft-sharif-agent-audit-trail — IETF Internet-Draft. Expires 2026-09-29. Regulatory references: EU AI Act Article 12, ISO/IEC 42001, SOC 2, PCI DSS.

Mandatory Fields

Every audit record under the draft must include the following fields. Optional fields can be added, but omitting any mandatory field renders the record non-conformant.

Field Required Description
record_idRequiredUnique identifier for this record
timestampRequiredISO 8601 timestamp of the event
agent_idRequiredIdentifier of the agent that produced the record
agent_versionRequiredVersion string for the agent
session_idRequiredGroups all records from one agent session
action_typeRequiredCategorises the action (e.g. tool_call, lifecycle)
action_detailRequiredStructured object describing the specific action
outcomeRequiredResult: success / failure / timeout / denied / escalated
trust_levelRequiredL0–L4 verification assurance level
parent_record_idRequiredRecord that triggered this one (null for genesis)
prev_hashRequiredHash of the prior record; null for genesis

The session_id + prev_hash combination is what turns individual records into a chain. Every record knows what session it belongs to and cryptographically commits to the content of the record before it. This means you cannot insert, delete, or alter any record in the chain without invalidating all subsequent prev_hash values.

The Hash Formula

The draft specifies SHA-256 over JSON Canonicalization Scheme output (RFC 8785):

Hash chain formula
prev_hash(N) = hex(SHA-256(JCS(record(N-1))))

JCS (RFC 8785) produces a deterministic, canonicalised JSON encoding: alphabetically sorted keys, no insignificant whitespace, Unicode normalisation. The key property: two representations of the same logical record produce identical JCS output, and therefore identical hashes. Conversely, any change to field content, field order, or encoding in a prior record will produce a different hash, breaking the chain at the next record.

The genesis record — the session start record — has prev_hash: null and parent_record_id: null. It uses action_type: "lifecycle" and action_detail.event: "session_start". All subsequent records in the session chain back to it.

AgenticRail alignment

AgenticRail uses SHA-256 over canonical JSON with alphabetically sorted keys for all receipt signatures — the same structure the draft mandates. The sequence_id field maps directly to the draft's session_id.

Trust Levels

The trust_level field is mandatory on every record. The draft defines five levels:

L0
No verification. The agent asserts its identity and produces records with no external check. Records can be self-reported and cannot be independently verified.
L1
Self-signed. The agent signs its own records using a key it controls. The signature proves record integrity but doesn't verify the signing key itself came from a trusted authority.
L2
Authority-signed. A trusted third party countersigns or issues records. The signing key is externally verifiable.
L3
Mutual authentication. Both the agent and its counterparty verify each other's identity before records are produced.
L4
Full mutual auth with certificate revocation checking and continuous monitoring. The highest assurance level — every verification is checked against live revocation data.

Most production deployments today operate at L0 or L1. Compliance contexts targeting EU AI Act or ISO 42001 should aim for L2 minimum — authority-signed records that an auditor can verify without trusting the agent itself.

Special Record Types

Genesis Record

The first record in every session. Marks session initialisation. parent_record_id and prev_hash are both null. All records in the session chain back to this one.

Genesis record structure
{
  "record_id": "rec_0001",
  "timestamp": "2026-05-12T09:00:00Z",
  "session_id": "sess_abc123",
  "agent_id": "credit-approval-agent",
  "agent_version": "1.4.2",
  "action_type": "lifecycle",
  "action_detail": { "event": "session_start" },
  "outcome": "success",
  "trust_level": "L2",
  "parent_record_id": null,
  "prev_hash": null
}

Tombstone Record

Used for GDPR-compliant deletion. When personal data in a record must be erased, a tombstone replaces the original record. The tombstone preserves the record_id, timestamp, and chain linkage fields (prev_hash, parent_record_id) so chain integrity is maintained, while removing the personal data. This lets you honour right-to-erasure requests without destroying audit chain continuity.

What the Draft Requires

The draft is explicit about structure. It requires:

What it does not specify: how long records must be retained, which storage backend to use, whether the recording system must be independent of the agent, or when in the action lifecycle the record must be written.

The Gap: Pre-Execution Recording

The most significant gap in the draft is timing. The draft defines records of events that occurred — it records outcomes after actions complete. The outcome values reflect completion states: success, failure, timeout, denied, escalated.

This means a fully conformant implementation could write all records after execution. An agent could complete every action in a session and then produce a conformant, hash-chained audit log retroactively. The chain would be internally consistent. The hashes would verify. But the records would not prove that any enforcement gate fired before execution — they would only record what the agent reported about itself.

Critical gap

The draft does not require that a record be written at the moment of authorisation rather than at the moment of completion. A post-execution log can be fully draft-conformant. That is not the same as pre-execution evidence.

This matters for EU AI Act Article 12. Article 12 requires logs enabling reconstruction of the sequence of events — which implies the log must be a faithful record of what was enforced, not a summary written after the fact by the system being audited.

How AgenticRail Aligns With the Draft

Draft Requirement AgenticRail Status
SHA-256 over canonical JSON SHA-256 over alphabetically sorted canonical JSON for all receipts Aligned
session_id groups records sequence_id groups all receipts in a session chain Aligned
denied outcome value DENY decisions map to denied outcome; specific reason codes also provided Aligned
Tamper-evident record storage Receipts written to immutable R2 storage; HMAC-signed at write time Aligned
Trust level per record Gate enforces key verification on all requests; receipts are authority-signed (L2+) Aligned

Where AgenticRail Goes Further

Capability Draft standard AgenticRail
Record timing Post-event (outcome recorded after action completes) Pre-execution — receipt written at gate decision time, before action runs
Step order enforcement Not specified — records are individual events, no sequence enforcement Strict step-order enforced across session; SEQUENCE_VIOLATION returned for out-of-order steps
Replay protection Not specified Nonce ledger per session; REPLAY_NONCE for any reused nonce
Sequence sealing Not specified Session sealed at final step; SEALED_SEQUENCE for any subsequent request
DENY reason codes Single denied outcome value SEQUENCE_VIOLATION / REPLAY_NONCE / ACTION_NOT_ALLOWED / NO_POLICY_MATCH / SEALED_SEQUENCE / STALE_TIMESTAMP
Timestamp freshness Timestamp field required; no freshness check defined |ts_ms − now| > 300s → STALE_TIMESTAMP — closes replay-with-fresh-nonce-after-delay

An AgenticRail Receipt Mapped to Draft Fields

Here is an AgenticRail ALLOW receipt with the IETF draft fields mapped:

AgenticRail receipt — IETF field mapping
{
  // draft: record_id
  "pack_id": "pack_1715507244_abc123",

  // draft: timestamp
  "ts_ms": 1715507244154,

  // draft: session_id
  "sequence_id": "credit-approval-20260512-001",

  // draft: agent_id + agent_version (combined in model_id)
  "model_id": "MSMD",

  // draft: action_type
  "function": "intake",

  // draft: action_detail
  "step": "intake",
  "action_type": "CHECK_STATE",
  "action": "validate_application_inputs",

  // draft: outcome ("success" / "denied")
  "decision": "ALLOW",

  // draft: prev_hash (canonical JSON hash of prior receipt)
  "prev_hash": "a7f3c9...",

  // AgenticRail extension: pre-execution evidence timestamp
  "decided_before_execution": true,
  "hmac_sig": "sha256=9e2f4b...",
  "key_id": "k1_2026-02-22_01"
}

The structural alignment is clear. The key extension: decided_before_execution: true asserts what the draft leaves implicit — this record was written before the action ran, at the moment the gate decided.

DENY Receipt: The denied Outcome

AgenticRail DENY — maps to draft outcome: "denied"
{
  "pack_id": "pack_1715507311_def456",
  "ts_ms": 1715507311208,
  "sequence_id": "credit-approval-20260512-001",
  "model_id": "MSMD",
  "step": "execution",
  "function": "execution",
  "action_type": "WRITE_DB",

  // draft outcome: "denied"
  "decision": "DENY",

  // AgenticRail extension: specific reason code
  "reason": "SEQUENCE_VIOLATION",
  "expected_step": "internal_driver",
  "received_step": "execution",

  "prev_hash": "b1d8e2...",
  "hmac_sig": "sha256=7a3c1f..."
}

The draft records denied. AgenticRail records DENY with SEQUENCE_VIOLATION — a step was submitted out of order. An auditor reading this receipt knows not just that something was denied, but exactly which policy rule fired and what the agent attempted.

Regulatory Context

The draft explicitly references the following regulatory frameworks:

Framework Relevant Requirement Draft coverage
EU AI Act Article 12 Automatic recording of events enabling reconstruction of the sequence Structural — no pre-execution mandate
EU AI Act Article 26 Deployers retain logs at least 6 months Not specified — retention policy outside draft scope
ISO/IEC 42001 AI management system risk controls and evidence Structure aligns; enforcement controls outside draft scope
SOC 2 Availability, confidentiality, integrity controls Hash chain satisfies integrity; storage controls outside draft scope
PCI DSS Audit log completeness and tamper evidence Chain tamper evidence aligns; field completeness depends on implementation

The draft is a structural foundation. It defines how records relate to each other and what fields every record must carry. It does not specify the enforcement architecture that produces those records — that is left to implementors. For EU AI Act purposes, the draft alone gets you a well-formed log. Pre-execution enforcement is what makes that log admissible as evidence of control rather than observation.

What This Means in Practice

If you are evaluating agent audit infrastructure against the IETF draft, the questions to ask are:

  1. When is the record written? At action completion, or at gate decision time before execution? The draft allows both. Only pre-execution records provide enforcement evidence.
  2. Who writes the record? The agent itself (L0/L1), or an independent gate (L2+)? The draft requires trust level to be declared — it does not require independence. Auditors will ask.
  3. Are all 11 mandatory fields present? Missing any one — including trust_level or prev_hash — makes the record non-conformant.
  4. Is the chain verifiable independently? JCS canonicalisation must be reproducible without the original system. Verify hashes offline before claiming chain integrity.
  5. What does denied mean in your implementation? The draft has one denied outcome. What rule fired? Which step was out of order? Reason codes are not required by the draft — but they are what compliance teams and auditors actually need.
11 Mandatory fields per record
L0–L4 Trust verification levels
RFC 8785 Canonicalisation standard (JCS)
2026-09-29 Draft expiry date

Summary

The IETF agent audit trail draft is the right structural starting point. It defines a hash-chained, tamper-evident record format with trust levels and mandatory fields that map cleanly onto EU AI Act, ISO 42001, and other compliance frameworks. If you are building agent audit infrastructure, building to the draft gives you a schema that regulators and auditors will recognise.

The gap the draft leaves open is enforcement. A conformant log can be written post-hoc by the agent itself. For compliance contexts where the question is not just "what happened?" but "what was the agent permitted to do, and was that permission granted before execution?" — you need a gate that fires before execution and signs a receipt at the moment of decision. That is what AgenticRail provides, on top of the structural alignment the draft defines.

See IETF-aligned receipts in the live demo

Run a sequence through AgenticRail and inspect the hash-chained receipts — canonical JSON, SHA-256 signed, written pre-execution.

Open Demo Read Docs
← All posts