The Defensible Agent Test — passed architecturally.
Four questions every AI agent action must answer. What it did, why, on whose authority, and where the evidence lives. acipta answers all four with cryptographic primitives — signed verdicts, capability tokens, byte-identically replayable evidence — not workflow audit trails.
Deterministic Precision. Experiential Intuition. Autonomous Agents.
Every AI agent action must answer four questions.
Industry analysts and GRC practitioners converge on a four-question test for any agent operating in a regulated environment. The questions are correct. The question for any platform is whether it answers them with workflow audit-trail records or with cryptographic guarantees.
What did the agent do?
A cryptographically signed manifest at write time — bound to the verdict, not appended to a log.
Why · what context drove the decision?
A structured signed consensus record — multiple frontier models voting, per-model confidence, sub-floor routing to human review.
Under whose authority?
Capability tokens at the API boundary — JWT-bound, scoped, time-limited, policy-validated.
Where is the evidence?
Byte-identically replayable five years out — via a standalone verifier with no acipta dependency.
A seven-times governance gap. A 2028 forecast. And 40% of CIOs about to demand the architecture.
of organizations say they must adopt generative AI. OCEG, 2026.
have a documented AI governance plan in place. OCEG, 2026.
of day-to-day work decisions made autonomously by 2028 — up from 0% in 2024. Gartner.
of CIOs will demand Guardian Agents to track, oversee, and contain AI agent actions by 2028. Gartner.
The function expected to govern AI cannot credibly adopt it without architectural answers to the four questions. acipta is those answers.
One question at a time.
Each answer is a structural property of the platform — not a logged record, not a workflow audit trail. Verifiable independently. Survives platform transitions. Replayable five years out.
Cryptographically signed manifest at write time.
Every verdict carries a signed manifest of the model provenance, per-model confidence, and consensus outcome. Signing uses hybrid Ed25519 plus a NIST-standardized post-quantum signature. Keys live in FIPS-validated key management. Timestamps come from an external authority via RFC 3161. Hash-chained per tenant.
Structured signed consensus record.
Every verdict carries the consensus story. Multiple frontier models vote at a high-confidence threshold. Per-model confidence scores are captured. The consensus outcome — whether agreement at the floor was met — is recorded. Below the floor, no PASS or FAIL emits; the case routes to a human reviewer instead of another model pass. Human reviewer decisions are signed and hash-chained. Editing any prior decision breaks every subsequent hash, making the trail tamper-evident.
Capability tokens · cryptographic enforcement at the API boundary.
Every agent action is authorized by a capability token — a JWT-bound, scoped, time-limited credential validated against an OPA policy bundle at every cross-component call. Identity uses Auth0 with a separate license JWT. A confused-deputy tenant-binding guard refuses cross-tenant operations server-side. A boot-time fail-closed check refuses to start in production if escape hatches are set.
Five-year byte-identical replay · standalone offline verifier.
Evidence lives in a tamper-evident hash chain anchored by external timestamps. The hybrid post-quantum signature scheme survives a future quantum break of either the classical or the post-quantum signature. A standalone verifier reproduces the chain with no acipta dependency — no network call, no proprietary viewer, no platform login.
Workflow platforms build defensibility into the audit trail.
acipta builds defensibility into the verdict.
Both are valid. One records the work in a workflow audit trail. The other binds the answer cryptographically to the verdict. The trade-off is real and worth naming. Workflow defensibility integrates faster with existing GRC tooling. Verdict defensibility survives platform transitions, regulator subpoenas five years out, and the simple question of whether the evidence still verifies when the original platform vendor is no longer in the picture.
Four commitments. Each makes one answer structural.
Trust Column
Hybrid post-quantum signing at write time, FIPS-validated HSM, RFC 3161 timestamps, 5-year byte-identical replay.
Control Mapping Catalog
One verdict projects to multi-framework attestations from a single canonical control catalog.
Bounded Autonomy Engine
Three frontier models vote at a high-confidence threshold. Sub-floor routes to human review, not another model pass.
Conformance & Extensibility
Open adapter protocol. Bronze, Silver, Gold, Certified conformance ladder. Third-party adapters cannot break replay.
Nine principles. Nine architectural answers.
ALCOA+ is the integrity standard regulators converge on — Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, Available. Originally formalized for FDA-regulated pharmaceutical and clinical-trial records under 21 CFR Part 11, ALCOA+ is now the underlying integrity bar referenced across HIPAA Security Rule AI updates, EU AI Act Article 12 record-keeping, SOX 404 for AI-augmented financial controls, and emerging SEC AI disclosure requirements. The four-question Defensible Agent Test maps directly onto the nine ALCOA+ principles. acipta's substrate satisfies all nine by construction, not retrofit.
| ALCOA+ principle | DAT question | acipta architectural primitive |
|---|---|---|
| Attributable | Q3 + Q1 | Capability tokens (JWT-bound · scoped · time-limited) + signed manifest naming model + version + tenant + reviewer chain |
| Legible | Q2 | Canonical-JSON tool I/O · structured consensus record with named fields · no proprietary viewer required |
| Contemporaneous | Q1 | Hybrid Ed25519 + post-quantum signature applied at write time · RFC 3161 timestamp from external authority |
| Original | Q4 | Hash-chained verdict ledger · editing any prior decision breaks every subsequent hash · tamper-evident by construction |
| Accurate | Q2 | Three-frontier-model consensus · a high-confidence threshold · sub-floor routes to human reviewer not another model pass |
| + Complete | architecture | Per-verdict signed manifest carries model provenance, per-model confidence, consensus, reviewer chain, and framework projections |
| + Consistent | Q4 | Byte-identical 5-year replay via standalone offline verifier · same inputs produce same hash |
| + Enduring | Q4 | Hybrid post-quantum signing survives a future quantum break of either the classical or the post-quantum signature · canonical control catalog survives framework-version churn |
| + Available | Q4 | Standalone offline verifier with no acipta dependency · no network call · no proprietary viewer · no platform login |
acipta is ALCOA+ aligned by architecture — formal 21 CFR Part 11 certification requires separate FDA inspection.
The questions are right. The architectural answer is the work.
The Defensible Agent Test is correct. The architecture to actually pass it — cryptographically, not procedurally — is what we built.