Governance · June 15, 2026
Immutable Audit Receipts for AI Agent Actions: What They Are and How to Generate Them
An immutable audit receipt is a signed, tamper-evident record created at the moment an AI agent action is authorized (naming who (or what policy) approved it, the action, the policy applied, and the time to the millisecond) and you generate one by routing each consequential action through an authorization layer that issues the receipt before the action runs. Below is what one contains and how to produce it.
What an immutable audit receipt is
An immutable audit receipt is a signed, tamper-evident record that an authorization layer creates at the instant an AI agent action is authorized, before the action executes. It records the named signer (or the policy that auto-approved the action), the action and tool invoked, the intent the request was bound to, the policy applied, and a timestamp to the millisecond. Once issued it cannot be altered. It turns “the system says it did this” into “this specific authorizer approved this action at this time, and here is the proof.”
The key design choice is receipt-first: every request gets a receipt before any tool executes, so the record of authorization always precedes the consequence, never the reverse.
Why a receipt, not a log line
A receipt and an application log line answer different questions. A log says what happened; a receipt proves who authorized it. (For the full argument, see our companion post on audit logs vs. signed receipts.) The short version, in one table:
Application log line vs. immutable audit receipt
| Property | Application log line | Immutable audit receipt |
|---|---|---|
| Created before or after the action | After, describes what already ran | Before, issued at authorization |
| Names the authorizer | Rarely | Always, signer or auto-approve policy |
| Tamper-evidence | None: editable, droppable | Signed and tamper-evident |
| Independently verifiable | No, trust the writer | Yes, verifiable at a public URL |
| Satisfies an auditor's “who approved this?” | No | Yes |
| Maps to EU AI Act Art. 14 / SR 11-7 | Weak | Direct evidence |
How to generate an immutable audit receipt
The pattern is general, but these steps describe how Permission Protocol does it. The goal is the same regardless of vendor: issue the receipt before the action runs.
- Route the action through the authorization layer. Send every consequential agent action to a single enforcement choke point instead of letting the agent call the tool directly. The request carries the intent, the action, and the context.
- The layer issues a receipt before execution. Receipt-first design means a receipt is created for the request before any tool runs. The receipt binds the action to the intent and the policy being applied.
- The named signer, or auto-approve policy, is recorded. For consequential actions, a named human signs and that identity is written into the receipt. For low-risk actions cleared automatically, the policy that approved them is recorded instead. Either way the authorizer is named.
- Export and retain the receipt for audit. Each receipt is immutable, timestamped to the millisecond, and viewable at a stable public URL,
app.permissionprotocol.com/r/:receiptId, that an auditor can open without trusting the agent that produced it. Export it to your evidence vault for retention.
Common mistakes
- Relying on logs the agent can write. If the same agent that takes the action also writes the record, the record proves nothing, it can be edited, dropped, or backdated.
- Receipts without a named authorizer. A receipt that records what happened but not who (or what policy) approved it cannot answer the question an auditor actually asks.
- Mutable records. If the record can be changed after the fact, it is not evidence. Receipts must be tamper-evident and immutable once issued.
- No export path for auditors. A record that lives only inside one system, with no stable URL or export, will not satisfy a regulator. Make receipts retrievable and exportable.
Frequently asked questions
What is an immutable audit receipt for an AI agent?
An immutable audit receipt is a signed, tamper-evident record created at the moment an AI agent action is authorized. It names who, or what policy, approved the action, the action itself, the intent it was bound to, the policy applied, and the timestamp to the millisecond. Because it is issued before the action runs and cannot be altered afterward, it is the durable artifact an auditor can rely on to answer “who authorized this?”
How is a receipt different from an audit log?
An audit log records what happened; a receipt proves who authorized it. Logs are usually written by the same system taking the action and rarely name an authorizer, while a receipt is signed, tamper-evident, and issued before the action runs. For the full comparison, see audit logs vs. signed receipts.
What should an AI agent audit receipt contain?
At minimum: the named signer or the policy that auto-approved the action, the action and tool invoked, the intent the request was bound to, the policy that was applied, and a timestamp to the millisecond. It should be tamper-evident, independently verifiable, and retrievable at a stable public URL so an auditor can confirm it without trusting the agent that produced it.
Last updated: June 15, 2026. Permission Protocol is the external authorization layer for AI agent actions, per-action human approval and immutable, tamper-evident receipts. See the OWASP Agentic Top 10 mapping for the full control coverage.