Tamper-Evident Audit Chain Format for AI Agent Compliance. A cryptographically linked record structure for logging AI agent actions with full integrity verification.
The AIR Audit Chain Specification (ACS) is an open standard for tamper-evident, cryptographically linked record structures designed for logging AI agent actions in compliance-critical environments. Any tool, framework, or platform may implement this specification. Built on industry-standard HMAC-SHA256 signatures and blockchain-style chain linking, the Audit Chain provides verifiable proof that:
Each entry records a discrete AI agent action (LLM calls, tool invocations, consent events, security detections) with deterministic SHA-256 content hashing, linked to the previous entry, and signed with a 256-bit HMAC-SHA256 secret key. This design ensures that the audit chain becomes a primary evidence source for regulatory compliance under the EU AI Act Articles 12 (Record-keeping) and 14 (Human Oversight).
Each audit chain entry is a JSON object with required fields for sequencing, cryptographic integrity, and action metadata. The entry structure is deterministic and language-agnostic, enabling verification across different platforms and tools.
The Audit Chain uses three layers of cryptographic protection to ensure tamper-evidence and integrity verification:
Each entry's content is hashed using SHA-256 to create a deterministic digest. The payload includes id, sequence, prev_hash, timestamp, action, and all optional fields, but excludes signature and metadata. Keys are sorted alphabetically, and whitespace is removed to ensure determinism across systems.
Payload: {action, id, prev_hash, sequence, timestamp, ...}
sorted_keys = True
no_whitespace = True
hash = SHA256(deterministic_json)
The resulting hash is 64 hexadecimal characters and is stored in the hash field.
The signature proves authenticity and prevents forgery. It is computed over a canonical message containing the entry's key identifiers:
message = "{sequence}|{id}|{hash}|{prev_hash}"
signature = HMAC-SHA256(message, secret_key)
secret_key: 256-bit (32 bytes) key, stored securely
The signature is 128 hexadecimal characters (512 bits). Verification recomputes the HMAC and compares to the stored signature. A mismatch indicates tampering.
Each entry's prev_hash field contains the SHA-256 hash of the previous entry's content. This creates an immutable chain where any modification to a past entry breaks all subsequent signatures. The first entry (genesis, sequence=0) uses prev_hash = 64 zeros (0x00...00).
Entry[0]: prev_hash = "0000000000000000000000000000000000000000000000000000000000000000" Entry[1]: prev_hash = hash(Entry[0].content) Entry[2]: prev_hash = hash(Entry[1].content) ... Entry[n]: prev_hash = hash(Entry[n-1].content)
Chain linkage ensures that entries cannot be reordered, removed, or inserted without detection.
The audit chain supports eight action types, each mapped to specific EU AI Act articles and AIR Blackbox compliance controls.
| Action Type | Description | EU AI Act Mapping |
|---|---|---|
| llm_call | Language model invocation with prompt and response | Article 11 (Documentation), 12 (Record-keeping) |
| tool_call | Tool/function execution with risk classification | Article 9 (Risk Management), 14 (Oversight) |
| plugin_started | Third-party plugin or extension initialization | Article 9 (Risk Management) |
| injection_scan | Prompt injection detection completed | Article 15 (Robustness & Security) |
| data_tokenized | PII redaction or tokenization applied | Article 10 (Data Governance) |
| consent_required | Human consent requested for critical action | Article 14 (Human Oversight) |
| consent_granted | Human approval given; action proceeds | Article 14 (Human Oversight) |
| consent_rejected | Human blocked action; execution prevented | Article 14 (Human Oversight) |
The integrity of an audit chain is verified through four sequential checks. All must pass for the chain to be considered valid and tamper-free.
import json
import hashlib
import hmac
from typing import List, Dict, Tuple
def verify_audit_chain(
entries: List[Dict],
secret_key: bytes
) -> Tuple[bool, List[str]]:
"""Verify complete audit chain integrity.
Args:
entries: List of audit chain entry dicts
secret_key: 32-byte HMAC secret key
Returns:
(is_valid, error_messages)
"""
errors = []
# Check 1: Sequence continuity
for i, entry in enumerate(entries):
if entry.get('sequence') != i:
errors.append(
f"Entry {i}: sequence mismatch "
f"(expected {i}, got {entry.get('sequence')})"
)
# Check 2: Chain linkage
genesis_hash = "0" * 64
for i, entry in enumerate(entries):
if i == 0:
expected_prev = genesis_hash
else:
expected_prev = entries[i-1]['hash']
if entry.get('prev_hash') != expected_prev:
errors.append(
f"Entry {i}: prev_hash mismatch "
f"(chain break or reordering detected)"
)
# Check 3: Content hash integrity
for i, entry in enumerate(entries):
# Reconstruct deterministic payload
payload = {k: entry[k] for k in sorted(entry.keys())
if k not in ['signature', 'metadata']}
payload_json = json.dumps(payload, separators=(',', ':'),
sort_keys=True)
computed_hash = hashlib.sha256(
payload_json.encode()
).hexdigest()
if computed_hash != entry.get('hash'):
errors.append(
f"Entry {i}: content hash mismatch "
f"(field tampering detected)"
)
# Check 4: HMAC signature verification
for i, entry in enumerate(entries):
seq = entry['sequence']
eid = entry['id']
ehash = entry['hash']
prev = entry['prev_hash']
message = f"{seq}|{eid}|{ehash}|{prev}".encode()
computed_sig = hmac.new(
secret_key,
message,
hashlib.sha256
).hexdigest()
if computed_sig != entry.get('signature'):
errors.append(
f"Entry {i}: signature mismatch "
f"(tampering or wrong secret key)"
)
is_valid = len(errors) == 0
return is_valid, errors
The Audit Chain specification directly addresses two critical EU AI Act articles, providing the technical foundation for compliance evidence.
Regulatory requirement: "Providers of high-risk AI systems shall automatically record their operation through logging. The logs shall be kept for a period appropriate to the duration of the use of the system and for a period of at least 6 months after the cessation of use."
Audit Chain solution: The tamper-evident audit chain with HMAC-SHA256 signatures and Merkle linking provides cryptographic proof that:
Regulatory requirement: "Natural persons who use high-risk AI systems shall have information to interpret its output. Users shall be able to effectively oversee the system. Design and deployment of high-risk AI systems shall take into account the human oversight requirements."
Audit Chain solution: The audit chain tracks human decisions and AI actions:
The AIR Audit Chain Specification was developed independently and prior to the publication of AEGIS (arXiv:2603.12621, March 2026), an academic pre-execution firewall for AI agents that uses Ed25519 signatures with SHA-256 hash chaining. The convergence on similar architectural patterns - interception-layer placement, tamper-evident chain linking, and cryptographic audit trails - validates the approach as the emerging standard for AI agent governance.
| Capability | AIR Audit Chain Spec (ACS) | AEGIS (arXiv 2026) | Langfuse / Helicone | Arthur AI / Lasso |
|---|---|---|---|---|
| Architecture | Interception layer (inside the call) | Interception layer (pre-execution) | Retrospective logging | Gateway / proxy |
| Tamper evidence | HMAC-SHA256 chain | Ed25519 + SHA-256 chain | None | None |
| Open standard / spec | Yes (this document) | Academic paper | No | No |
| EU AI Act article mapping | Art. 12 + Art. 14 | Not specified | No | No |
| Human oversight attestation | consent_required / consent_granted | Human approval gates | No | No |
| PII detection | Yes (data_tokenized field) | Content scanning stage | No | Yes |
| Compliance drift detection | 51 checks in CI/CD | No | No | No |
| Framework trust layers | 6 frameworks + standalone SDKs | 14 frameworks (Python, JS, Go) | SDK callbacks | Gateway only |
| Shipping product | 11 PyPI packages, 14,294+ downloads | Academic prototype | Commercial SaaS | Commercial SaaS ($60M+ raised) |
| Open source | Apache 2.0 | Open source | Partial | Proprietary |
The AIR Audit Chain Specification is published as an open standard. Any tool, platform, or framework may implement this specification to produce interoperable, tamper-evident audit records for AI agent compliance.
The AIR Audit Chain Specification is available under Apache 2.0. If you implement this spec in your tool or framework, we'll list you as a compatible implementation. This is an open standard - the goal is interoperability across the AI governance ecosystem.