From finding to cryptographic proof in 15 minutes.
The next AI incident postmortem will end the same way every one before it has: "we couldn't reconstruct what the agent did." Cognita ships three artifacts on every governed model — the counter-signed policy, the Merkle proof that anchors it, and the agent action log that ties them together. Here's what each looks like.
The counter-signed policy
When the Bundle's Lead Auditor counter-signs an AI policy or AIIA, the platform records a credential row in auditor_credentials holding the SHA-256 hash of the signed PDF and an HMAC signature computed with the auditor's key. Because an HMAC is a symmetric MAC, only a holder of the auditor's key can check that signature directly; everyone else verifies the document hash through the Merkle anchor described next. The accreditation tier, IAF-MLA, is the moat; the specific certification body (CB) is interchangeable.
{
  "subject_type": "policy",
  "subject_id": "pol_atlas_credit_risk_v3",
  "accreditation_tier": "IAF-MLA",
  "cb_anchor": "Mastermind Assurance",
  "credential_ref": "Cert 2697gssmkw",
  "lead_auditor_email": "lead@<auditor>.example",
  "document_hash": "8a3b...d4e2",
  "signature": "AF3D...c0e1",
  "signed_at": "2026-05-17T14:22:08.103Z"
}

The Merkle proof anchoring it
That signature doesn't just sit in a database. Every hour, Cognita batches the past hour's evidence rows and audit-log entries into a Merkle tree, computes the root, and writes the root to an S3 bucket configured with Object Lock in COMPLIANCE mode and a 7-year retention period. The PutObject response is the receipt: it returns the object's ETag (recorded in the anchor as s3_etag) and version ID, and under COMPLIANCE mode no principal, the account root included, can overwrite or delete that object version before the retention date; the retention period can be extended but never shortened.
Any party can re-fetch the original evidence and audit-log segment, recompute the Merkle root locally, and compare it with the root read back from the locked S3 object. A match means the segment is intact and the signature record inside it is the one that was committed. A mismatch means something in the segment changed, and the anchor's timestamp bounds when: the committed form existed no later than that time, so the divergence happened after it. Two conditions make this hold: the verifier must read the root from the Object Lock-protected object rather than from the platform's own database, and the leaf serialisation and tree-hashing rules must be published so the root can be recomputed independently.
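What the build-and-recompute step looks like in code, as an added example rather than Cognita's own implementation: it builds a Merkle root over a constructed five-row segment, produces an inclusion proof for the counter-signature row, and shows that an edited document hash or a reordered segment no longer reproduces the anchored root. The leaf and node hashing rules (canonical JSON, 0x00/0x01 domain-separation prefixes, duplicate-last-node padding) and the sample rows are assumptions; the page states only that the tree uses SHA-256.

```python
"""Added example, not Cognita's code: Merkle root over one segment of
evidence rows, inclusion proof for one row, and re-verification against
the stored root. Hashing rules and sample rows are assumptions."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def leaf_hash(row: dict) -> str:
    # Canonical JSON so every verifier serialises the row byte-for-byte the same.
    body = json.dumps(row, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(b"\x00" + body)  # 0x00 prefix: a leaf can never be mistaken for a node


def node_hash(left: str, right: str) -> str:
    return sha256_hex(b"\x01" + bytes.fromhex(left) + bytes.fromhex(right))


def merkle_levels(leaves: list) -> list:
    """All levels of the tree, leaves first, root last. Odd levels duplicate their last node."""
    if not leaves:
        raise ValueError("empty segment has no root")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(rows: list) -> str:
    return merkle_levels([leaf_hash(r) for r in rows])[-1][0]


def inclusion_proof(rows: list, index: int) -> list:
    """Sibling hashes from the leaf up to the root, each tagged with its side (L or R)."""
    levels = merkle_levels([leaf_hash(r) for r in rows])
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof


def verify_inclusion(row: dict, proof: list, root: str) -> bool:
    """Recompute the path from one row to the root without needing the other rows."""
    h = leaf_hash(row)
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root


# Constructed sample segment (five rows, so the odd-level padding is exercised).
SEGMENT = [
    {"id": "evidence_pol_atlas_credit_risk_v3_sig", "kind": "credential",
     "document_hash": "8a3b...d4e2", "signature": "AF3D...c0e1"},
    {"id": "evidence_audit_log_entry_8418", "kind": "audit_log", "action": "agent.llm_called"},
    {"id": "evidence_audit_log_entry_8419", "kind": "audit_log", "action": "agent.rag_retrieved"},
    {"id": "evidence_audit_log_entry_8420", "kind": "audit_log", "action": "agent.tool_called"},
    {"id": "evidence_audit_log_entry_8421", "kind": "audit_log", "action": "agent.tool_called"},
]


def make_anchor(rows: list) -> dict:
    """The part of the anchor record a verifier actually needs."""
    return {"first_id": rows[0]["id"], "last_id": rows[-1]["id"],
            "merkle_root": "0x" + merkle_root(rows)}


def recompute_and_compare(rows: list, anchor: dict) -> bool:
    """Third-party check: rebuild the root from re-fetched rows and compare it
    with the root read back from the Object Lock-protected S3 object."""
    return "0x" + merkle_root(rows) == anchor["merkle_root"]


def tamper_demo() -> dict:
    anchor = make_anchor(SEGMENT)
    root = anchor["merkle_root"][2:]
    edited = [dict(r) for r in SEGMENT]
    edited[0]["document_hash"] = "0000...0000"      # swap the counter-signed hash
    reordered = SEGMENT[1:] + SEGMENT[:1]            # same rows, different order
    return {
        "intact": recompute_and_compare(SEGMENT, anchor),
        "proof_for_signature_row": verify_inclusion(SEGMENT[0], inclusion_proof(SEGMENT, 0), root),
        "proof_for_last_row": verify_inclusion(SEGMENT[4], inclusion_proof(SEGMENT, 4), root),
        "edited_hash_detected": not recompute_and_compare(edited, anchor),
        "reorder_detected": not recompute_and_compare(reordered, anchor),
    }


if __name__ == "__main__":
    print(json.dumps(tamper_demo(), indent=2))
```

The inclusion proof is what lets an auditor check one credential row against the anchored root without downloading the whole hour of evidence; the full recompute is what a regulator does when the question is whether the whole segment is intact. Both only mean something if the root they compare against came from the locked S3 object.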
{
  "anchored_at": "2026-05-17T15:00:00Z",
  "first_id": "evidence_pol_atlas_credit_risk_v3_sig",
  "last_id": "evidence_audit_log_entry_8421",
  "merkle_root": "0x4d3a8c2e6f...91d4",
  "s3_bucket": "cognita-anchors-us",
  "s3_key": "org/<orgId>/anchors/20260517T150000Z_first-last.json",
  "s3_etag": "ab9c712f4d8...",
  "retention_until": "2033-05-17T15:00:00Z",
  "verifier": "https://app.cognitagrc.io/api/v1/audit-log/verify?segment=20260517T15"
}

The agent action log proving the model operated under it
Each agent action (LLM call, tool invocation, RAG retrieval) writes an audit-log entry that references the policy_version_hash active at the time of the call, and that hash is the document_hash from step 1. Each entry also carries the hash of the previous entry and an HMAC over the row, so editing or deleting one entry breaks the chain. Read together: the agent acted; the action references the policy hash; the policy hash matches the counter-signature; the counter-signature is anchored in the Merkle tree; the Merkle root sits in S3 Object Lock for 7 years.
Every link of that chain is cryptographically verifiable. No "we think the agent followed the policy." Just "here's the proof."
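How the per-row checks in that chain are actually performed, as an added example rather than Cognita's own ledger code: a hash-chained, HMAC-signed audit log whose rows carry the policy_version_hash, and a verifier that walks it and reports the first broken link. Assumptions: the row HMAC uses a platform-held ledger key (the page says "HMAC over the row" but does not name the key), the row hash is SHA-256 over canonical JSON of the row minus its hash and signature fields, the first row links to an all-zero hash, and the sample rows are constructed to mirror the page's tool_called entry.

```python
"""Added example, not Cognita's code: hash-chained, HMAC-signed audit log
tied to the counter-signed policy hash, plus the verifier that walks it.
Key handling, hashing rules and sample rows are assumptions."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64                     # prev_hash of the first row (assumption)
POLICY_HASH = "8a3b...d4e2"            # document_hash from the credential (page placeholder)
LEDGER_KEY = b"demo-ledger-key"        # constructed; a real key lives in a KMS or HSM


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def row_hash(row: dict) -> str:
    body = {k: v for k, v in row.items() if k not in ("hash", "signature")}
    return hashlib.sha256(canonical(body)).hexdigest()


def row_signature(row: dict, key: bytes) -> str:
    # The HMAC covers hash and prev_hash too, so re-linking a row is caught as well.
    body = {k: v for k, v in row.items() if k != "signature"}
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def append(log: list, ts: str, action: str, actor: dict, subject: dict,
           payload: dict, key: bytes) -> dict:
    row = {"ts": ts, "action": action, "actor": actor, "subject": subject,
           "payload": payload, "prev_hash": log[-1]["hash"] if log else GENESIS}
    row["hash"] = row_hash(row)
    row["signature"] = row_signature(row, key)
    log.append(row)
    return row


def verify_log(log: list, key: bytes, policy_hash: str) -> tuple:
    """Walk the chain. Per row: prev_hash links, hash recomputes, HMAC verifies,
    and the action was taken under the counter-signed policy."""
    prev = GENESIS
    for i, row in enumerate(log):
        if row["prev_hash"] != prev:
            return False, f"row {i}: chain break"
        if row_hash(row) != row["hash"]:
            return False, f"row {i}: hash mismatch"
        if not hmac.compare_digest(row_signature(row, key), row["signature"]):
            return False, f"row {i}: bad signature"
        if row["payload"].get("policy_version_hash") != policy_hash:
            return False, f"row {i}: wrong policy hash"
        prev = row["hash"]
    return True, "ok"


def build_sample_log() -> list:
    """Constructed rows; the middle one mirrors the page's tool_called entry."""
    actor = {"id": "agent_atlas_underwriter", "label": "atlas-underwriter v3.2.1"}
    log = []
    append(log, "2026-05-17T14:31:40.000Z", "agent.llm_called", actor,
           {"type": "llm_call", "id": "lc_01"}, {"policy_version_hash": POLICY_HASH}, LEDGER_KEY)
    append(log, "2026-05-17T14:31:42.901Z", "agent.tool_called", actor,
           {"type": "tool_call", "id": "tc_8f2a91"},
           {"tool": "internal.credit_score.score", "policy_version_hash": POLICY_HASH,
            "decision": "approve_with_review", "input_features_hash": "c1f5...0a82"}, LEDGER_KEY)
    append(log, "2026-05-17T14:31:43.500Z", "agent.rag_retrieved", actor,
           {"type": "retrieval", "id": "rg_02"}, {"policy_version_hash": POLICY_HASH}, LEDGER_KEY)
    return log


def scenarios() -> dict:
    """Intact log, three tamper attempts and one policy drift, each verified."""
    log = build_sample_log()
    edited = copy.deepcopy(log)                     # change the decision, touch nothing else
    edited[1]["payload"]["decision"] = "approve"
    rehashed = copy.deepcopy(log)                   # attacker fixes the hash but has no key
    rehashed[1]["payload"]["decision"] = "approve"
    rehashed[1]["hash"] = row_hash(rehashed[1])
    dropped = log[:1] + log[2:]                     # delete the tool call outright
    stale = copy.deepcopy(log)                      # insider with the key, but wrong policy
    stale[1]["payload"]["policy_version_hash"] = "deadbeef"
    stale[1]["hash"] = row_hash(stale[1])
    stale[1]["signature"] = row_signature(stale[1], LEDGER_KEY)
    return {
        "intact": verify_log(log, LEDGER_KEY, POLICY_HASH),
        "edited": verify_log(edited, LEDGER_KEY, POLICY_HASH),
        "rehashed": verify_log(rehashed, LEDGER_KEY, POLICY_HASH),
        "dropped": verify_log(dropped, LEDGER_KEY, POLICY_HASH),
        "stale_policy": verify_log(stale, LEDGER_KEY, POLICY_HASH),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:13} {'PASS' if ok else 'FAIL'}  {why}")
```

The "stale_policy" case is the one the other three checks cannot catch: a row that is internally consistent and correctly signed, but taken under a policy hash that does not match the counter-signed document. That comparison is the link between step 1 and step 3. Note that the HMAC only tells a holder of the ledger key that the row was written by a key holder; a third party without the key relies on the Merkle anchoring of the row hashes for tamper evidence.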
{
  "ts": "2026-05-17T14:31:42.901Z",
  "action": "agent.tool_called",
  "actor": { "id": "agent_atlas_underwriter", "label": "atlas-underwriter v3.2.1" },
  "subject": { "type": "tool_call", "id": "tc_8f2a91" },
  "payload": {
    "tool": "internal.credit_score.score",
    "model": "[email protected]",
    "policy_version_hash": "8a3b...d4e2",   // SAME hash as step 1
    "decision": "approve_with_review",
    "input_features_hash": "c1f5...0a82"    // PII-redacted via lib/persisted-ledger
  },
  "hash": "f4d2...8c19",
  "prev_hash": "e8c1...3a44",   // chain link to the prior row
  "signature": "AE2D...b7f0"    // HMAC over the row
}

What none of our competitors ships
- LangSmith / Arize / W&B / OpenLLMetry — agent observability for engineers, no cryptographic chain, no IAF-credentialed counter-signature, no audit-grade evidence wrapper
- Datadog / New Relic / Splunk — generic application telemetry that doesn't understand agentic semantics or governance evidence
- Vanta / Drata / Secureframe — SOC 2-first attestation, no AIMS implementation, no auditor counter-signature
- Big-4 + boutique consultancies — produce signed deliverables but no cryptographic proof, no continuous chain, no 60-day refund guarantee