Open Standard - v1.0.0 - March 2026

Overview

The AIR Audit Chain Specification (ACS) is an open standard for tamper-evident, cryptographically linked record structures designed for logging AI agent actions in compliance-critical environments. Any tool, framework, or platform may implement this specification. Built on industry-standard HMAC-SHA256 signatures and blockchain-style chain linking, the Audit Chain provides verifiable proof that:

  • No entries have been modified after creation
  • No entries have been deleted from the sequence
  • All entries are cryptographically signed and verified
  • The complete audit trail is preserved in order

Each entry records a discrete AI agent action (LLM calls, tool invocations, consent events, security detections) with deterministic SHA-256 content hashing, linked to the previous entry, and signed with a 256-bit HMAC-SHA256 secret key. This design ensures that the audit chain becomes a primary evidence source for regulatory compliance under the EU AI Act Articles 12 (Record-keeping) and 14 (Human Oversight).

Entry Format

Each audit chain entry is a JSON object with required fields for sequencing, cryptographic integrity, and action metadata. The entry structure is deterministic and language-agnostic, enabling verification across different platforms and tools.

Required Fields

id
UUID v4 (string)
Unique identifier for this entry. Generated using Python's uuid.uuid4(). Used in signature calculation.
sequence
integer (0-indexed)
Entry index in the chain. First entry is 0, incrementing by 1. Used to detect missing entries.
hash
64 hex characters (string)
SHA-256 hash of the deterministic JSON payload (alphabetically sorted keys, no whitespace). Verified by recomputing the hash and comparing.
prev_hash
64 hex characters (string)
Hash of the previous entry's content. Genesis entry (sequence 0) uses 64 zeros. Links entries into an immutable chain.
signature
128 hex characters (string)
HMAC-SHA256 of the message "{sequence}|{id}|{hash}|{prev_hash}" using a 256-bit secret key. Verifies entry authenticity and integrity.
timestamp
ISO 8601 string
UTC datetime when the entry was created. Format: "2026-02-28T14:30:45.123456Z". Used for temporal ordering and compliance records.
action
string (enum)
Type of AI agent action. Valid values: llm_call, tool_call, plugin_started, injection_scan, data_tokenized, consent_required, consent_granted, consent_rejected. Used for filtering and analysis.

Optional Fields

tool_name
string
Name of the tool invoked (e.g., "send_email", "database_query"). Only for tool_call actions.
risk_level
enum: critical|high|medium|low|none
Risk classification of the action according to AIR Blackbox risk scoring. Used for compliance auditing.
consent_required
boolean
Whether human consent was required for this action. True for critical/high-risk operations.
consent_granted
boolean
Whether consent was given (if required). False if blocked.
data_tokenized
boolean
Whether PII/sensitive data was tokenized before storage. True indicates compliance with Article 10 (Data Governance).
injection_detected
boolean
Whether a prompt injection was detected and blocked. True for Article 15 (Robustness) evidence.
metadata
object (any structure)
Free-form metadata for custom extensions. Not included in signature calculation. Examples: user_id, session_id, model_name.

Cryptographic Integrity

The Audit Chain uses three layers of cryptographic protection to ensure tamper-evidence and integrity verification:

Content Hash (SHA-256)

Each entry's content is hashed using SHA-256 to create a deterministic digest. The payload includes id, sequence, prev_hash, timestamp, action, and all optional fields, but excludes signature and metadata. Keys are sorted alphabetically, and whitespace is removed to ensure determinism across systems.

Payload: {action, id, prev_hash, sequence, timestamp, ...}
sorted_keys = True
no_whitespace = True
hash = SHA256(deterministic_json)

The resulting hash is 64 hexadecimal characters and is stored in the hash field.

HMAC-SHA256 Signature

The signature proves authenticity and prevents forgery. It is computed over a canonical message containing the entry's key identifiers:

message = "{sequence}|{id}|{hash}|{prev_hash}"
signature = HMAC-SHA256(message, secret_key)
secret_key: 256-bit (32 bytes) key, stored securely

The signature is 128 hexadecimal characters (512 bits). Verification recomputes the HMAC and compares to the stored signature. A mismatch indicates tampering.

Chain Linking (Merkle Chain)

Each entry's prev_hash field contains the SHA-256 hash of the previous entry's content. This creates an immutable chain where any modification to a past entry breaks all subsequent signatures. The first entry (genesis, sequence=0) uses prev_hash = 64 zeros (0x00...00).

Entry[0]: prev_hash = "0000000000000000000000000000000000000000000000000000000000000000"
Entry[1]: prev_hash = hash(Entry[0].content)
Entry[2]: prev_hash = hash(Entry[1].content)
...
Entry[n]: prev_hash = hash(Entry[n-1].content)

Chain linkage ensures that entries cannot be reordered, removed, or inserted without detection.

Entry Types

The audit chain supports eight action types, each mapped to specific EU AI Act articles and AIR Blackbox compliance controls.

Action Type Description EU AI Act Mapping
llm_call Language model invocation with prompt and response Article 11 (Documentation), 12 (Record-keeping)
tool_call Tool/function execution with risk classification Article 9 (Risk Management), 14 (Oversight)
plugin_started Third-party plugin or extension initialization Article 9 (Risk Management)
injection_scan Prompt injection detection completed Article 15 (Robustness & Security)
data_tokenized PII redaction or tokenization applied Article 10 (Data Governance)
consent_required Human consent requested for critical action Article 14 (Human Oversight)
consent_granted Human approval given; action proceeds Article 14 (Human Oversight)
consent_rejected Human blocked action; execution prevented Article 14 (Human Oversight)

Verification

The integrity of an audit chain is verified through four sequential checks. All must pass for the chain to be considered valid and tamper-free.

1
Sequence Continuity
Verify that entry sequence numbers increment by 1 from 0 with no gaps. If entry[i].sequence ≠ i, the chain is incomplete or corrupted.
2
Chain Linkage Verification
For each entry, verify that entry[i].prev_hash = SHA256(entry[i-1].content). Entry[0].prev_hash must equal 64 zeros. A broken link indicates deletion or reordering.
3
Content Hash Integrity
Recompute the SHA-256 hash of each entry's content (sorted keys, no whitespace) and compare to entry.hash. A mismatch indicates field modification.
4
HMAC Signature Verification
Recompute HMAC-SHA256("{sequence}|{id}|{hash}|{prev_hash}") with the secret key and compare to entry.signature. A mismatch indicates tampering or wrong secret key.

Verification Python Implementation

import json
import hashlib
import hmac
from typing import List, Dict, Tuple

def verify_audit_chain(
    entries: List[Dict],
    secret_key: bytes
) -> Tuple[bool, List[str]]:
    """Verify complete audit chain integrity.

    Args:
        entries: List of audit chain entry dicts
        secret_key: 32-byte HMAC secret key

    Returns:
        (is_valid, error_messages)
    """
    errors = []

    # Check 1: Sequence continuity
    for i, entry in enumerate(entries):
        if entry.get('sequence') != i:
            errors.append(
                f"Entry {i}: sequence mismatch "
                f"(expected {i}, got {entry.get('sequence')})"
            )

    # Check 2: Chain linkage
    genesis_hash = "0" * 64
    for i, entry in enumerate(entries):
        if i == 0:
            expected_prev = genesis_hash
        else:
            expected_prev = entries[i-1]['hash']

        if entry.get('prev_hash') != expected_prev:
            errors.append(
                f"Entry {i}: prev_hash mismatch "
                f"(chain break or reordering detected)"
            )

    # Check 3: Content hash integrity
    for i, entry in enumerate(entries):
        # Reconstruct deterministic payload
        payload = {k: entry[k] for k in sorted(entry.keys())
                   if k not in ['signature', 'metadata']}
        payload_json = json.dumps(payload, separators=(',', ':'),
                                  sort_keys=True)
        computed_hash = hashlib.sha256(
            payload_json.encode()
        ).hexdigest()

        if computed_hash != entry.get('hash'):
            errors.append(
                f"Entry {i}: content hash mismatch "
                f"(field tampering detected)"
            )

    # Check 4: HMAC signature verification
    for i, entry in enumerate(entries):
        seq = entry['sequence']
        eid = entry['id']
        ehash = entry['hash']
        prev = entry['prev_hash']

        message = f"{seq}|{eid}|{ehash}|{prev}".encode()
        computed_sig = hmac.new(
            secret_key,
            message,
            hashlib.sha256
        ).hexdigest()

        if computed_sig != entry.get('signature'):
            errors.append(
                f"Entry {i}: signature mismatch "
                f"(tampering or wrong secret key)"
            )

    is_valid = len(errors) == 0
    return is_valid, errors

EU AI Act Mapping

The Audit Chain specification directly addresses two critical EU AI Act articles, providing the technical foundation for compliance evidence.

Article 12: Record-Keeping

Regulatory requirement: "Providers of high-risk AI systems shall automatically record their operation through logging. The logs shall be kept for a period appropriate to the duration of the use of the system and for a period of at least 6 months after the cessation of use."

Audit Chain solution: The tamper-evident audit chain with HMAC-SHA256 signatures and Merkle linking provides cryptographic proof that:

  • All operations are logged with immutable timestamps
  • No log entries have been deleted or modified
  • The complete sequence is preserved
  • Logs can be retained and verified for 6+ months
Article 14: Human Oversight

Regulatory requirement: "Natural persons who use high-risk AI systems shall have information to interpret its output. Users shall be able to effectively oversee the system. Design and deployment of high-risk AI systems shall take into account the human oversight requirements."

Audit Chain solution: The audit chain tracks human decisions and AI actions:

  • consent_required entries show when human review is triggered
  • consent_granted/consent_rejected entries document human decisions
  • Complete audit trail enables post-hoc review and accountability
  • Risk-classified tool_call entries enable oversight of critical operations

Comparison with Other Approaches

The AIR Audit Chain Specification was developed independently and prior to the publication of AEGIS (arXiv:2603.12621, March 2026), an academic pre-execution firewall for AI agents that uses Ed25519 signatures with SHA-256 hash chaining. The convergence on similar architectural patterns - interception-layer placement, tamper-evident chain linking, and cryptographic audit trails - validates the approach as the emerging standard for AI agent governance.

Capability AIR Audit Chain Spec (ACS) AEGIS (arXiv 2026) Langfuse / Helicone Arthur AI / Lasso
Architecture Interception layer (inside the call) Interception layer (pre-execution) Retrospective logging Gateway / proxy
Tamper evidence HMAC-SHA256 chain Ed25519 + SHA-256 chain None None
Open standard / spec Yes (this document) Academic paper No No
EU AI Act article mapping Art. 12 + Art. 14 Not specified No No
Human oversight attestation consent_required / consent_granted Human approval gates No No
PII detection Yes (data_tokenized field) Content scanning stage No Yes
Compliance drift detection 51 checks in CI/CD No No No
Framework trust layers 6 frameworks + standalone SDKs 14 frameworks (Python, JS, Go) SDK callbacks Gateway only
Shipping product 11 PyPI packages, 14,294+ downloads Academic prototype Commercial SaaS Commercial SaaS ($60M+ raised)
Open source Apache 2.0 Open source Partial Proprietary

The AIR Audit Chain Specification is published as an open standard. Any tool, platform, or framework may implement this specification to produce interoperable, tamper-evident audit records for AI agent compliance.

Adopt This Specification

The AIR Audit Chain Specification is available under Apache 2.0. If you implement this spec in your tool or framework, we'll list you as a compatible implementation. This is an open standard - the goal is interoperability across the AI governance ecosystem.

Reference Implementation on GitHub Install from PyPI