The AI Forensics Audit Trail Specification
An open reference standard for tamper-evident, cryptographically-signed audit trails of autonomous AI agents. Profiles OCSF, OpenTelemetry GenAI, MITRE ATLAS, SPIFFE, and NIST AI RMF as a single coherent schema for forensic reconstruction — verifiable offline by auditors with no vendor dependency.
The Spec at a Glance
Four pillars, one coherent schema
The spec organizes forensic primitives into four pillars. Each pillar maps to a specific question an auditor will ask after an incident.
| Pillar | The auditor's question | Spec capability |
|---|---|---|
| Identity | Who is this agent? | Per-agent API keys, lifecycle management, scoped credentials. |
| Policy | What is it allowed to do? | Fail-closed gateway, deny-by-default policy evaluation. |
| Compliance | Can we prove rules were followed? | DSSE-signed session attestations, HMAC-verifiable audit logs, automated compliance assessments. |
| Forensics | What happened, provably? | Hash-chained logs, incident replay, export, offline cryptographic verification. |
Built on Standards
Standards-track alignment
The spec profiles existing open standards rather than inventing new ones. It is not a competing schema — it is a forensic-grade composition.
OCSF
Event envelopeProfiles the OCSF event schema for AI Agent Activity (new class proposed for upstream contribution).
github.com/ocsf/ocsf-schema →
OpenTelemetry GenAI semconv
Span attributesTool calls, model invocations, and policy evaluations emit OTEL spans following the GenAI semconv.
github.com/open-telemetry/semantic-conventions/tree/main/docs/gen-ai →
MITRE ATLAS 2026
Threat taxonomyForensic events tag against ATLAS techniques (T0051 prompt injection, T0040 model theft, etc.) for SIEM correlation.
atlas.mitre.org/ →
SPIFFE / SPIRE
Workload identityPer-agent X.509-SVID or JWT-SVID identity binding optional; required for cross-trust-domain agent federation.
spiffe.io/ →
NIST AI RMF 1.0
Governance mappingAudit chain primitives map directly to MANAGE 4 (incident response) and MEASURE 2.7 (decision traceability).
www.nist.gov/itl/ai-risk-management-framework →
IETF Agent Identity Protocol (AIP) draft
Identity federationTracking the IETF AIP draft for future-proof cross-organization agent identity assertions.
datatracker.ietf.org/ →
§9.1 Capability Matrix
Per-provider logprob exposure
Token-level log-probabilities are the strongest forensic signal — they let a verifier replay sampling decisions deterministically. Not every provider exposes them. This matrix tracks the state of public APIs as of 2026-05.
| Provider | Logprobs | Detail | Forensic sufficiency |
|---|---|---|---|
| OpenAI | Yes | `logprobs` parameter returns top-N log-probabilities per token. Up to 5 alternatives via `top_logprobs`. | Yes |
| Anthropic | No (as of 2026-05) | No public logprob exposure on the Messages API. Forensic attestations rely on response provenance (model_id, system fingerprint, request_id) instead. | Partial |
| Google Gemini | Yes | `logprobs` and `responseLogprobs` available on the GenerateContent API. Up to 5 alternatives. | Yes |
| AWS Bedrock | Varies by model | Claude on Bedrock: no logprobs (parity with Anthropic direct). Other models: provider-dependent. | Partial |
| Self-hosted (vLLM, TGI, llama.cpp) | Yes | Full logprob distribution exposed. Strongest forensic signal — verifier can replay token-by-token sampling decisions. | Full |
See the full spec §9.1 for the verifier algorithm + fallback rules when logprobs are unavailable.
§9 Open Questions
What v1.0 doesn't solve yet
A specification that hides its uncertainty is not a standard — it's a marketing document. These are the questions v1.0 leaves open, with v1.1 and v1.2 commitments where applicable.
Per-provider logprob exposure
Anthropic and Bedrock-Claude do not expose token logprobs. Forensic attestations rely on response provenance (model_id, system fingerprint) — but this is weaker than logprob-backed replay. We track upstream changes here.
Multimodal context capture
Image, audio, and video inputs are out of scope for v1.0. v1.1 plan in progress — likely capture content-hash + MIME + size rather than raw bytes, with optional vendor-specific perceptual hashes.
Cross-organization federation
Agent identity assertions across trust domains depends on IETF AIP draft maturity. v1.0 assumes single-org trust domain; federation profile deferred to v1.2.
Vendor-hosted agent attestation
Agents running entirely inside vendor-hosted runtimes (Perplexity hosted agents, OpenAI Custom GPTs, Anthropic Claude Projects, Manus, Devin) cannot be intercepted by the gateway-proxy pattern — calls originate inside vendor infrastructure with no operator-controlled injection point. v1.0 supports operator-assertion only (declarative registration, manual artifact logging). v1.1 will introduce Level 0 declarative conformance + a browser-side intercept profile; v1.2 tracks vendor-API attestation hooks. The most strategically important unanswered piece of v1.0.
Help us land v1.1
The spec is open and seeking community review. File issues on GitHub, comment on the OCSF discussion, or join the AI Identity design partner cohort to shape v1.1 against real production deployments.
OCSF discussion issue: filing pending · Spec license: CC-BY-4.0 (content) + Apache-2.0 (reference impl)