Evidence · provability

How to prove what an AI agent did

To prove what an AI agent did, you need a record a third party can verify independently — not a screenshot or a log you could have edited. That means tamper-evident integrity (a hash chain), the authorization decision that allowed the action, the actual outcome, and the ability to replay the sequence. CHP captures all four at the capability boundary, so "show me what happened, and prove it" becomes a recorded fact rather than a reconstruction.

By Capability Host Protocol · 2026-06-28

The bar

Proof is a record someone else can verify.

"We have logs" is not proof. Proof is a record whose integrity you do not control unilaterally, that captures the authorization and outcome at the moment of the action, and that can be replayed. Here is the gap between what most teams have and what holds up.

| | Logs / screenshots | Provable evidence |
|---|---|---|
| Can be edited after | Yes — unilaterally | No — tampering is detectable |
| Authorization | Not captured | Allow/deny + policy, recorded |
| Denial | Usually invisible | A first-class recorded outcome |
| Replay | Manual reconstruction | Deterministic replay of the sequence |
| Verifiable by a third party | Take our word | Check the hash chain |

The difference is whether someone who distrusts you can still verify it.

The four things you need

Identity, authorization, outcome, integrity.

Tamper-evident integrity

Records are hash-chained, so any later alteration breaks the chain and is detectable.

The authorization decision

Not just that it happened — that it was allowed (or denied) under a specific policy.

The real outcome

What actually resulted, with denial captured as a first-class result, not an absence.

Replayability

The ability to reconstruct and re-verify the exact sequence after the fact.

How CHP does it

Evidence at the boundary — replayable and hash-chained.

CHP captures each governed action as an evidence record at the capability boundary, hash-chained to the ones before it. You can replay the sequence to show exactly what the agent did, and anyone can verify the chain was not altered. That turns "show me why this happened" from a forensic reconstruction into reading a record that was designed to be defended.
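The hash-chaining and third-party check described above can be sketched as follows. This is an added example, not CHP's own code or record format: the field names, the `GENESIS` anchor value, the function names and the sample actions and policies are all assumptions made for illustration.

```python
import hashlib
import json

# Field names below are assumptions for illustration, not CHP's record format.
GENESIS = "0" * 64  # constructed anchor value for the first record's prev_hash


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append(chain: list, agent: str, principal: str, action: str,
           decision: str, policy: str, outcome: str) -> dict:
    """Append one evidence record linked to the previous record's hash."""
    body = {
        "seq": len(chain),
        "agent": agent, "principal": principal, "action": action,
        "decision": decision, "policy": policy, "outcome": outcome,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    record = dict(body, hash=_digest(body))
    chain.append(record)
    return record


def verify(chain: list, expected_head: str = None):
    """Return (ok, index of first bad record). Run by a third party on an exported copy."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i or rec.get("prev_hash") != prev or _digest(body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    # A truncated tail is still a valid shorter chain; only a head hash held by the verifier catches it.
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def build_sample() -> list:
    # Constructed sample data: two allowed actions and one denial, all recorded the same way.
    chain = []
    append(chain, "agent-7", "alice", "refund.issue", "allow", "policy-refunds-v3", "refund issued")
    append(chain, "agent-7", "alice", "account.delete", "deny", "policy-accounts-v1", "denied, not executed")
    append(chain, "agent-7", "alice", "ticket.close", "allow", "policy-support-v2", "ticket closed")
    return chain
```

Whoever holds the chain can recompute every hash after an edit, so the check only binds them if the verifier received the head hash when it was produced and passes it as `expected_head`.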

Related reading: Proving why a claim was denied, The security review that stalls your agent, and what an agent audit trail contains.

Questions

Proving agent actions, answered.

What does it take to prove what an AI agent did?

A record with four properties: it identifies which agent and principal acted, it captures the authorization decision (allowed or denied, under which policy), it records the real outcome, and it is tamper-evident so any later alteration is detectable. With those, the action can be replayed and independently verified — which is what "proof" means to an auditor or regulator.

Why is a log or a screenshot not enough?

Because both are assertions you could have produced after the fact. A log can be edited or selectively retained; a screenshot proves nothing about authorization or completeness. Proof requires integrity you do not control unilaterally — a hash chain that makes tampering evident — plus the authorization and outcome captured at the moment of the action.

What is tamper-evidence and why does it matter here?

Each evidence record is cryptographically linked to the previous one, forming a hash chain. Altering or removing any record breaks the chain, so changes are detectable. This is what lets the record be defended: you are not asking anyone to trust that you did not edit it — they can check.

Can I prove an agent was NOT allowed to do something?

Yes. In CHP a denial is a first-class, recorded outcome — "the agent attempted X and was denied under policy Y" is captured the same way an allowed action is. Proving the negative (the guardrail held) is often exactly what a security review or regulator wants to see.

Who actually asks for this?

Anyone operating an agent under scrutiny: a security review gating a rollout, model-risk and compliance teams, regulators in finance, insurance, and healthcare, and counterparties in agent-to-agent transactions. The common thread is provability under scrutiny — the action has to be defensible, not merely logged.

Make your agents' actions provable.

It starts with declaring what your host can do — the capabilities.txt standard — and ends with evidence you can defend. CHP is the layer that proves it.