The Entity That Acts Cannot Attest
Why better logs won't save you and what every other accountability domain figured out a long time ago
In the first piece of this series, I identified a structural problem: the unattested agent. Autonomous AI agents are operating within enterprise environments with real credentials and permissions, and there is no independent verification of their behavior. The entity performing the action is the same entity creating the record of that action.
The response I’ve received most frequently from security leaders, vendors, and engineers is some version of:
“We just need better observability.”
More logging. More verbose platforms. Better telemetry. Centralized dashboards. If only we could see enough data about what agents are doing, we’d be fine.
They’re mistaken, and not because observability isn’t valuable. It is. They are wrong because they’ve misunderstood the true nature of the problem.
The unattested agent isn’t an observability gap; it's an accountability gap. And no amount of data can close it because the data itself can’t be trusted.
There is a principle at play here that predates AI, software, and computing itself. It appears in every field where accountability is important.
The entity that acts cannot be the entity that attests.
If you perform an action and only record that action yourself, you have not been governed. You have self-reported, and self-reporting is not evidence; it’s a claim.
This isn't a controversial idea. It’s the foundational assumption behind every accountability system humans have ever built. We just forgot to apply it with AI agents.
Consider the domains where we got this right.
Financial auditing. A public company cannot audit its own books. It doesn’t matter how thorough the internal accounting is, how detailed the ledgers are, or how many controls the CFO has in place. The numbers are not considered trustworthy until an independent external auditor—someone with no financial interest in the outcome—verifies them. This isn’t optional; it’s the law. Sarbanes-Oxley exists because we learned, often painfully, what happens when entities certify their own integrity. Enron had excellent internal records. They were fiction.
Chain of custody. When a police officer gathers evidence at a crime scene, the evidence does not remain solely in the officer’s possession and later appear in court with only the officer’s testimony as verification. Every transfer is documented, and every person who handles the evidence is recorded by someone other than the original handler. The chain of custody exists precisely because we do not trust any single individual to be the sole witness to their own handling of important material.
Aviation. A pilot does not record a flight’s events. The flight data recorder — the black box — captures what happened independently of the pilot’s actions, memory, or intentions. It exists precisely because, after a crash, the pilot’s account (if they survive to give one) is not enough. We need an independent record created by something that was in the execution path but not making decisions.
Pharmaceutical manufacturing. Every batch of medication is tracked from raw material to finished product. The equipment that makes the drug does not certify the drug. An independent quality assurance process with its own instrumentation, record-keeping, and verification chain of verification attests that the manufacturing process meets requirements. The production line and the attestation layer are structurally separate.
These are not merely analogies; they are implementations of the same principle. The entity that acts cannot attest to its own behavior because self-attestation inherently cannot produce independent evidence.
Now, observe how the AI agent industry handles this same problem.
An agent using an API makes a tool call. The platform records the call in its own logging system. If you’re fortunate, the log includes details like timestamp, parameters, and response code. If you’re less fortunate, the log might be sparse, summarized, or missing altogether.
But even in the best case — even with the most verbose, detailed, and meticulously recorded platform log — you have not solved the attestation problem. You’ve addressed a data issue. You know what the platform reports the agent did, but you do not have independent verification that the record is complete, unaltered, or accurate.
The platform is part of the acting system. It produces and stores the log. In some architectures, the platform or the agent running on it can overwrite the log.
This is the equivalent of a company auditing its own books, a police officer being the only witness to their own evidence collection, and a pilot recording their own flight recorder data — all at the same time.
We would not accept this in any of those areas. We shouldn't accept it here.
I want to address the most common objection, because I hear it in every conversation.
“But we centralize our logs. We pull them into a SIEM. Once they’re in Splunk or Sentinel, they’re immutable.”
This misunderstands where the integrity problem lives.
Yes, once a log reaches your SIEM, it’s stored securely. However, the vulnerability isn’t in storage; it’s in generation. The log was created by the entity you’re trying to monitor. It was produced inside the entity’s execution environment. It also traveled through the entity’s own infrastructure before reaching your SIEM.
You secured the warehouse, but you haven't verified what was loaded into the truck.
A centralized SIEM ensures your logs are durable, but it doesn't make them independently trustworthy. The integrity of the record solely depends on the trustworthiness of the source — which is what you’re trying to assess.
This is not just a theoretical issue. It’s an architectural problem. The solution isn’t simply better storage; it's creating a structural separation between the actor and the attestor.
There’s a subtler version of this problem that almost nobody is talking about.
When we established governance for human actors, we had an inherent advantage: humans are slow. A human employee makes a decision, takes an action, and leaves traces across multiple independent systems along the way — badge logs, email records, file access timestamps, and network connection logs. The human doesn’t control all of these systems. The traces are spread across infrastructure that the human cannot manipulate. This distribution itself acts as a form of independent attestation, even if we never intentionally designed it that way.
AI agents don’t function that way.
An agent can perform ten tool calls in two seconds. It can read a database, extract a value, call an API, write a file, and send a message — all within a single session, through a single protocol, and logged—or not—by a single platform. There’s no spreading of traces across separate systems. There’s no accidental disconnect between actor and record. The entire sequence of actions and the entire chain of evidence collapse into one entity, one platform, one log.
The issue isn’t the speed; it’s the collapse.
At human speed, the environment provides incidental attestation — not because we designed it, but because humans are too slow and limited to control every system they interact with. At machine speed, that incidental safety net vanishes. The agent can act faster than any independent system can observe, and the only record that keeps up is the one the agent or its platform creates.
This is why “better observability” doesn’t work as an answer. You’re not observing an independent signal. You’re reading a self-report at machine speed and calling it monitoring.
So, what does attestation separation actually involve?
It requires exactly one thing: an independent entity in the execution path that is structurally separate from the agent and the agent’s platform, that observes the action at the moment of execution, and that produces its own record; one that the agent cannot modify, overwrite, or suppress.
Not a sidecar that reads logs after the fact. Not a dashboard that aggregates platform telemetry. Not a SIEM that stores whatever the agent’s platform chooses to emit.
An independent observer. In the execution path. Producing its own chain of evidence.
This is the same architecture as a black box on an aircraft. It doesn’t depend on the pilot’s self-report. It doesn’t read the pilot’s notes after the flight. It’s in the cockpit, recording automatically in real time, and the pilot cannot disable it.
That’s what attestation separation means for AI agents. And until it exists in your environment, every agent operating within your enterprise is — by definition — unattested.
I want to be clear about the stakes, because this isn’t an abstract architectural debate.
Every compliance framework that matters — SOC 2, the EU AI Act, NIST AI RMF, ISO 27001 — is moving toward the same requirement: demonstrable, auditable governance of autonomous systems. “Demonstrable” doesn’t mean “we have logs.” It means “we can produce evidence that an independent process verified the behavior.”
If your evidence is self-reported by the system under evaluation, it is not independent. It does not meet the requirement. And the first time a regulator, an auditor, or a plaintiff’s attorney pulls on that thread, the entire governance claim unravels.
You aren't missing a tool; you're missing a structural layer. No amount of dashboards, telemetry, or platform-native logging can replace it — just as a company’s internal accounting doesn’t replace an external audit.
The entity that acts cannot attest. Without that separation, you are still accepting the testimony of an untrusted witness — just with better dashboards.
Next in this series: the difference between a log and a decision trace — why the record your security team needs can only be produced from a specific architectural position, and what that position is.
Author’s note: AI helped with grammar and readability. It did not help with the opinions.
