| Internet-Draft | AIVS | March 2026 |
| Stone | Expires 18 September 2026 | [Page] |
This document specifies the Agentic Integrity Verification Standard (AIVS), a portable, self-verifiable archive format for cryptographic proof of AI agent sessions. An AIVS proof bundle is a gzip-compressed tar archive containing a SHA-256 hash-chained audit log, an Ed25519 digital signature over the chain, a machine-readable manifest, and an embedded verification script that requires only the Python 3 standard library to execute. AIVS also defines AIVS-Micro: a minimal six-field attestation (~200 bytes) for continuous monitoring and API contexts where a full session bundle is not required. AIVS enables any party to independently verify that every action in an agent session is accounted for and unmodified, that no actions have been inserted, deleted, or reordered, and that the session was produced by a specific cryptographic identity — entirely offline, without installing any software beyond Python 3.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 2 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
AI agents increasingly perform consequential actions on behalf of humans: navigating websites, filling forms, executing JavaScript, extracting data, and making purchases. Existing observability platforms (OpenTelemetry, LangSmith, Langfuse) log these actions but provide no cryptographic guarantees that the logs are complete, unmodified, or authentic.¶
Regulatory frameworks mandate audit trails but do not prescribe formats:¶
EU AI Act Article 19 requires automatically generated logs for high-risk AI systems but specifies no format.¶
ISO/IEC 42001:2023 Annex A.6.2.8 requires event logging but defines no data structure.¶
NIST AI RMF requires documentation and audit trails but deliberately avoids prescribing formats.¶
This creates a gap: organizations that must prove what their AI agents did have no standard way to produce, exchange, or verify that proof.¶
| Goal | Rationale | |-------------------|--------------------------------------------------------| | Self-verifiable | Bundles verifiable without contacting any server, | | | blockchain, or authority. | | Portable | A single file that can be emailed, stored, or | | | submitted to any system. | | Tamper-evident | Modifying any action in the log must be detectable. | | Zero dependencies | Verification requires only Python 3 standard library. | | Session-level | Covers an entire session (sequence of actions). | | Lightweight | AIVS-Micro provides ~200-byte attestation for | | profile | high-frequency monitoring. | | Domain-agnostic | Applicable to any AI agent performing any action. |¶
| Standard | Scope | AIVS Relationship | |-----------------------|------------------------------|--------------------------------| | W3C VC 2.0 | Identity claims | AIVS bundles may be wrapped | | | | as VC credentialSubject | | IETF SCITT | Supply chain transparency | AIVS bundles may be registered | | | | as SCITT signed statements | | C2PA v2.2 | Media asset provenance | AIVS applies the same | | | | manifest-chain concept to | | | | agent actions | | Certificate | Append-only Merkle logs | AIVS hash chain is a | | Transparency RFC 6962 | | simplified linear variant | | EU AI Act Art. 19 | Audit log requirements | AIVS is a concrete format | | | | satisfying Article 19 |¶
| Term | Definition | |--------------------|--------------------------------------------------------| | Session | A bounded sequence of actions performed by a single | | | AI agent instance, identified by a session_id. | | Action | A single operation performed by the agent (e.g., | | | navigate to URL, click element, execute JavaScript). | | Audit Row | A JSON object recording one action with its inputs, | | | outputs, timestamp, cost, and hash chain fields. | | Hash Chain | A sequence of audit rows where each row's hash | | | depends on the previous row's hash. | | Chain Hash | A single SHA-256 hash computed over all row hashes, | | | serving as a fingerprint of the entire session. | | Proof Bundle | A .tar.gz archive containing the audit log, signature, | | | manifest, public key, and verifier script. | | AIVS-Micro | A minimal 6-field JSON proof (~200 bytes) for a | | | single-URL scan attestation. | | Identity Key | An Ed25519 keypair used to sign the chain hash. |¶
Each audit row is identified by a deterministic SHA-256 hash. The hash input is a colon-separated string of exactly seven fields in this order:¶
row_hash = SHA-256(
"{row_id}:{session_id}:{action_type}:{tool_name}:{cost_cents}:{timestamp}:{prev_hash}"
)
¶
The hash is represented as a lowercase hexadecimal string (64 characters).¶
| Field | Type | Description | |--------------|---------|-------------------------------------------------| | row_id | Integer | Monotonically increasing row identifier | | | | (1-indexed). | | session_id | String | Unique identifier for the session. | | action_type | String | Classification of the action. | | | | Default: "tool_call". | | tool_name | String | Namespaced tool identifier | | | | (e.g., "browser.navigate"). | | cost_cents | Integer | Cost of the action in cents. 0 for free | | | | actions. | | timestamp | Float | Unix timestamp with fractional seconds. | | prev_hash | String | row_hash of the immediately preceding row. | | | | Empty string for the first row. |¶
For a chain of N rows, modifying any field of row K invalidates row_hash[K], which invalidates prev_hash[K+1], and so on through row_hash[N]. This means:¶
Insertion of a row is detectable (changes all subsequent row_id values and hashes).¶
Deletion of a row is detectable (breaks the prev_hash link).¶
Reordering of rows is detectable (changes prev_hash linkage).¶
Modification of any field is detectable (changes the affected row's hash and all subsequent hashes).¶
If rows is empty:
chain_hash = SHA-256(b"empty")
Else:
combined = concatenate(row_hash[1], row_hash[2], ..., row_hash[N])
chain_hash = SHA-256(combined.encode("utf-8"))
¶
The chain hash is represented as a lowercase hexadecimal string (64 characters).¶
{
"id": 1,
"session_id": "sess-abc123",
"action_type": "tool_call",
"tool_name": "browser.navigate",
"inputs_json": "{\"url\": \"https://example.com\"}",
"outputs_json": "{\"title\": \"Example Domain\"}",
"cost_cents": 0,
"error": "",
"timestamp": 1710252645.123456,
"prev_hash": "",
"row_hash": "a1b2c3d4e5f6..."
}
¶
| Field | Type | Required | Description | |--------------|---------|----------|------------------------------------| | id | Integer | Yes | Row identifier, 1-indexed, | | | | | monotonically increasing. | | session_id | String | Yes | Session identifier. | | action_type | String | Yes | Action classification. | | tool_name | String | Yes | Namespaced tool identifier. | | inputs_json | String | Yes | JSON-encoded action inputs. | | | | | Sensitive keys MUST be redacted. | | outputs_json | String | Yes | JSON-encoded action outputs. | | | | | MAY be truncated. | | cost_cents | Integer | Yes | Action cost in cents. | | error | String | Yes | Error message; empty if success. | | timestamp | Float | Yes | Unix timestamp, fractional secs. | | prev_hash | String | Yes | Previous row's row_hash. | | row_hash | String | Yes | This row's computed SHA-256 hash. |¶
Before computing the row hash, implementations MUST redact values for input keys matching any of the following case-insensitive substrings:¶
password, token, api_key, secret, key, authorization, bearer, credential, passwd, passphrase¶
Redacted values MUST be replaced with the string "[REDACTED]".¶
Implementations MAY truncate outputs_json to a maximum length. The reference implementation truncates to 2000 characters. Truncation does not affect the hash chain because outputs_json is not included in the row hash computation.¶
signature_bytes = Ed25519_Sign(private_key, chain_hash.encode("utf-8"))
signature_b64 = Base64_Encode(signature_bytes)
¶
| Property | Value | |---------------------|-------------------------------------------| | Algorithm | Ed25519 (RFC 8032) | | Private key size | 32 bytes | | Public key size | 32 bytes | | Storage format | Raw bytes (not PEM) | | Public key repr. | 64-character lowercase hexadecimal string | | File permissions | 0600 (owner read/write only) |¶
chain_hash:{64-char-hex-chain-hash}
signature:{base64-encoded-signature}
¶
Implementations MAY produce bundles without Ed25519 signatures. The hash chain provides tamper-evidence independent of the signature. The signature adds identity binding (proof of who produced the bundle).¶
aivs_proof_{session_prefix}_{unix_timestamp}.tar.gz
└── session_proof/
├── audit_log.jsonl # Hash-chained action log
├── manifest.json # Bundle metadata
├── session_sig.txt # Ed25519 signature
├── public_key.pem # Signer's public key
└── verify.py # Self-contained verifier (stdlib only)
¶
{
"session_id": "sess-abc123",
"exported_at": "2026-03-14T15:30:45Z",
"action_count": 42,
"chain_hash": "a1b2c3d4...",
"aivs_version": "1.0",
"generator": "ExampleAgent",
"generator_url": "https://github.com/example/agent"
}
¶
The embedded verifier script MUST:¶
Verify the hash chain using only Python 3 standard library (hashlib, json, sys, pathlib).¶
Exit with code 0 on successful verification.¶
Exit with code 1 if the hash chain is broken or the signature is invalid.¶
Print human-readable verification results to stdout.¶
The embedded verifier MAY verify the Ed25519 signature if the cryptography library is available.¶
When a session produces multiple sequential bundles, each bundle MAY reference its predecessor via previous_bundle_hash.txt, containing the SHA-256 hex digest of the prior .tar.gz file. This forms a scan chain: a tamper-evident sequence of bundles where each bundle cryptographically references its predecessor.¶
AIVS-Micro is a minimal single-URL scan attestation (~200 bytes) designed for use cases where a full session bundle is impractical: continuous monitoring, embedded score widgets, API responses, and DNS TXT record verification.¶
{
"url": "https://example.com",
"dom_hash": "sha256:a1b2c3d4e5f6...",
"timestamp": "2026-03-14T10:22:01.000000000Z",
"signature": "ed25519:BASE64_ENCODED_SIGNATURE",
"scanner_version_hash": "sha256:def456...",
"scan_origin": "local"
}
¶
{url}|{dom_hash}|{timestamp}|{scanner_version_hash}|{scan_origin}
¶
1. Reconstruct canonical payload:
payload = "{url}|{dom_hash}|{timestamp}|{scanner_version_hash}|{scan_origin}"
2. Decode signature:
sig_b64 = micro_proof["signature"].removeprefix("ed25519:")
sig_bytes = Base64_Decode(sig_b64)
3. Verify:
Ed25519_Verify(public_key, sig_bytes, payload.encode("utf-8"))
4. If verification succeeds: PASS
5. If verification fails: FAIL
6. If signature == "unsigned": SKIP
¶
Input: audit_log.jsonl
Output: PASS or FAIL with row number
prev_hash = ""
for each row in audit_log.jsonl (ordered by id):
expected = SHA-256(
"{row.id}:{row.session_id}:{row.action_type}:"
"{row.tool_name}:{row.cost_cents}:{row.timestamp}:{prev_hash}"
)
if row.row_hash != expected:
FAIL at row.id
prev_hash = row.row_hash
PASS: all N rows verified
¶
Input: session_sig.txt, public_key.pem
Output: PASS, FAIL, or SKIP
1. Parse chain_hash and signature from session_sig.txt
2. Parse public key hex from public_key.pem
3. If no signing key configured: SKIP
4. Reconstruct Ed25519PublicKey from raw bytes
5. Verify: Ed25519_Verify(public_key, signature,
chain_hash.encode("utf-8"))
6. If verification succeeds: PASS
7. If verification fails: FAIL (exit 1)
8. If cryptography library unavailable: SKIP with notice
¶
| Code | Meaning | |------|---------------------------------------------------------------| | 0 | Hash chain verified. Signature verified (if available). | | 1 | Hash chain broken OR signature invalid. |¶
Integrity: The sequence of actions has not been modified since the bundle was created.¶
Completeness: No actions have been inserted or deleted from the chain.¶
Ordering: Actions occurred in the recorded sequence.¶
Identity (with signature): The bundle was produced by the holder of a specific Ed25519 private key.¶
Truthfulness: AIVS does not prove that the recorded inputs/outputs actually occurred. A malicious agent could fabricate actions and produce a valid chain.¶
Timeliness: Timestamps are self-reported. Implementations requiring trusted timestamps SHOULD layer RFC 3161 on top.¶
Key authenticity: AIVS does not include a PKI or certificate chain. The public key in the bundle is self-asserted.¶
| Threat | Mitigated By | |-----------------------------------|---------------------------------------| | Post-hoc modification of log | Hash chain (Section 2) | | Deletion of actions | Sequential prev_hash chaining | | Insertion of actions | Sequential row_id + prev_hash | | Reordering of actions | prev_hash depends on previous hash | | Impersonation of agent identity | Ed25519 signature (Section 4) | | Exposure of sensitive inputs | Mandatory redaction (Section 3.3) | | Replay of old proof bundle | session_id + timestamp uniqueness |¶
This document defines no new IANA registries. The following existing standards are referenced: SHA-256 (FIPS 180-4), Ed25519 (RFC 8032), JSON (RFC 8259), gzip (RFC 1952).¶