AI system Can now execute arbitrary tasks autonomously – running code, invoking external APIs, and making decisions without direct human oversight.
This creates a fundamental trust problem: When an agent acts independently, how do you know that the results are accurate, repeatable, and tamper-proof? For regulated or mission-critical environments, these questions demand concrete answers.
The EU’s proposed AI Act requires traceability and tamper-evident logging for all high-risk AI systems. Yet most agent workflows still rely on standard log entries or ephemeral records that can be easily forged or altered by malicious actors or faulty system components.
As one industry expert observed, AI systems can generate code faster than any team can review it, making new approaches to validating programmatically generated output necessary.
Trust must be built on a new base-layer approach:
- dam data and code together by cryptographic means
- Ensures deterministic processing on every run
- Provides an immutable history of all actions taken
Content-Addressed Artifacts
Immutability is at the heart of verifiability. All code and models used by the agent must be linked to cryptographic hashes, tools, skills, and signals must be treated as content-addressed artifacts with content IDs (CIDs).
Any modification creates a new CID, which immediately breaks downstream references and makes unauthorized changes instantly detectable.
The entire identity of an agent – including model versions, library versions, and skill definitions – can be expressed as a set of hashes or signatures, so any attempt to load a malicious code module immediately fails if the hashes mismatch.
ContextSubstrate puts this into practice by documenting each agent run as an immutable context package bound to a SHA-256 hash.
Each input, parameter, interim step, and output is stored in a single content-addressable bundle with a unique context URI (for example, ctx://sha256:…).
💡
Runs can be inspected with ‘ctx show’ or compared with ‘ctx diff’. Storing each model and tool in an immutable registry – such as an OCI registry or IPFS – eliminates all ambiguity about which version ran at what time, and is a solid first step toward verifiable execution.
Deterministic and Reproducible Estimates
Content-addressing decides which code runs; Determinism ensures that it produces the same result every time. Modern LLMs have traditionally been non-deterministic, but recent research shows that this is not an inherent constraint:
- Karvonen et al. found that using fixed random seeds and sampling parameters produced identical tokens in repeated runs in approximately 98% of the cases.
- EigenAI performed perfect bit-for-bit deterministic inference on the GPU by carefully controlling the execution environment and removing all sources of non-determinism, obtaining the same output byte stream on each run.
EigenAI combined this with blockchain-style cryptographic logs – encrypting and recording all requests and responses on an immutable ledger.
Validation is then reduced to a simple hash comparison of the outputs, giving each model’s prediction a self-contained proof of correctness.
Where full determinism is not possible to achieve, reproducibility commitments provide a practical alternative.
An agent declares that its results will be deterministic within an acceptable variance range, and a verifier can later confirm this by rerunning the run with the same seed, prompt, and model configuration.
Code generation tasks are completely repeatable; More variable outputs can be evaluated using semantic equivalence comparisons or thresholded edit distance.
The new era of AI: Train once, predict forever in production AI
Why will the future of AI systems be driven by inference and agent workload?
Run-time isolation and sandboxing
Reproducibility addresses the integrity of the output; Isolation first constrains what an agent can do. As NVIDIA’s AI Red Team notes, AI coding agents often execute commands with the user’s full system privileges, vastly expanding the attack surface. A compromised or rogue agent can:
- Write important system files
- Exclude sensitive data
- give rise to unauthorized rogue processes
Practical guidance is to treat all agent tool-calling as untrusted code execution. Major mandatory controls include:
- Blocking all unapproved network egress to prevent unauthorized external connections or data intrusion
- Limiting file-system writes to a specified scope, not allowing access to sensitive paths like ~/.zshrc or .gitconfig
- Removing root privileges and enforcing kernel-level isolation via secure runtimes such as gVisor or Firecracker microVM, OS sandboxing tools such as SELinux or macOS seatbelts, or eBPF/seccomp filters
WebAssembly (Wasm) offers an attractive lightweight alternative: a portable bytecode sandbox that has no system calls by design.
Agent code compiled in Wasm can only access explicitly given host functions, which eliminates the shared-kernel risks of traditional containers. Along with memory and time limits, Wasm provides a powerful execution environment for generated scripts and tools.
The principle holds: Autonomy should be earned through demonstrated trustworthiness, not given by default.
Why does AI security break down at the system level?
AI security shifts from the model to the system level. As AI becomes agentic and tool-driven, risks emerge from complex interactions, increasing the gap between assessment and real-world behavior.
Tamper-Resistant Logging and Proof Bundle
Isolation and determinism govern what agents do; Logging provides accountability for the actions they take. Standard logs lack cryptographic linkage, meaning that entries can be deleted or altered without detection.
A better solution is an append-only, Merkle-chain audit trail where the hash of each log entry is linked to the previous one – any deletion or modification immediately breaks the chain.
Zhou et al.’s Verifiable Interaction Ledger takes this further: every agent-tool transaction is hashed and bilaterally signed by two parties, meaning no entry can be secretly added or modified.
💡
Compared to traditional telemetry, the main advantage is that neither the agent nor the host needs to be trusted – the cryptographic structure enforces integrity independently.
Conclusion: Towards a Trusted Agent Ecosystem
Verifiable execution applies established techniques – content hashing, reproducible construction, and sandbox confinement – LLM AgentCreating a multi-layered trust framework where:
- agents Tied to specific code set through digitally signed certificates
- model Run deterministically under certain random seed conditions
- Each stage takes place within a rigid, isolated sandbox
- All interactions are recorded in a tamper-evident hash chain
The result is full auditability: any party can replay the sequence of hashes and verify that the agent’s actions were consistent with the original intent and stated policy.
3 easy ways to get the most out of cloud code
Everyone is talking about cloud code. With millions of weekly downloads and a rapidly growing feature set, it has quietly become one of the most powerful tools in a developer’s arsenal. But most people are barely scratching the surface.
The momentum behind this approach is real.
Academic work – including the VET and GenuPixel frameworks – has formally characterized on-chain verification. Commercial SDKs are beginning to emerge, and the regulatory pressure of the EU AI Act is driving organizations to demonstrate tamper-resistant logs and reproducibility for high-risk AI uses.
The black-box era of agentic AI is coming to an end. It will be replaced by a paradigm where every autonomous decision has a verifiable proof of integrity – from content-addressed code to digitally signed audit trails.
As AI Agent Adopting more and more of our digital work, this verification layer will be essential protection against error, manipulation and loss of confidence.
