Cryptographic Audit Receipts Explained: SHA-256 Chaining for Agent Decisions
Every time an AI agent takes an action, you want a record. Not just a log entry that can be edited after the fact, but a cryptographic receipt that proves what happened and when, with mathematical guarantees against tampering.
SHA-256 Hash Chaining
The concept is simple. Each receipt contains a SHA-256 hash of the previous receipt. This creates a chain where modifying any receipt invalidates everything after it.
Step 1: Create the first receipt (genesis receipt).
Receipt 0:
    data: { action: "session_start", agent: "agent-1", time: "..." }
    prev_hash: "0000...0000" (genesis)
    hash: SHA256(data + prev_hash) = "a1b2c3..."
Step 2: Create subsequent receipts, each referencing the previous hash.
Receipt 1:
    data: { action: "call_tool", tool: "search", params: {...} }
    prev_hash: "a1b2c3..." (hash of Receipt 0)
    hash: SHA256(data + prev_hash) = "d4e5f6..."
Step 3: Continue for every action in the session.
Tamper Evidence
To verify the chain, walk from the first receipt to the last:
- Recompute Receipt 0's hash from its data and genesis marker
- Confirm it matches Receipt 1's prev_hash field
- Recompute Receipt 1's hash from its data and prev_hash
- Confirm it matches Receipt 2's prev_hash field
- Continue to the end of the chain
If any receipt has been modified (data changed, receipt deleted, receipt inserted), the recomputed hash no longer matches the stored value at that point. The chain is broken, and you know exactly where the tampering occurred.
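The chaining steps and the verification walk described above, as an added Python example (not the article's or Authensor's own code). The canonical-JSON encoding, the all-zero genesis value, the sample actions and the `expected_head` parameter are assumptions made for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed genesis marker: 64 zero hex digits

# Constructed sample actions (not real agent output).
SAMPLE_ACTIONS = [
    {"action": "session_start", "agent": "agent-1", "time": "2024-01-01T00:00:00Z"},
    {"action": "call_tool", "tool": "search", "params": {"q": "example"}},
    {"action": "session_end", "agent": "agent-1", "time": "2024-01-01T00:00:05Z"},
]

def receipt_hash(data, prev_hash):
    # Assumed encoding: canonical JSON (sorted keys, fixed separators) so equal
    # data always yields equal bytes and field boundaries are unambiguous.
    payload = json.dumps({"data": data, "prev_hash": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append_receipt(chain, data):
    """Append a receipt linked to the current head; return the new head hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"data": copy.deepcopy(data), "prev_hash": prev_hash,
                  "hash": receipt_hash(data, prev_hash)})
    return chain[-1]["hash"]

def verify_chain(chain, expected_head=None):
    """Walk the chain; return (ok, index of first failing receipt or None)."""
    prev_hash = GENESIS
    for i, receipt in enumerate(chain):
        if receipt["prev_hash"] != prev_hash:
            return False, i  # link broken: receipt inserted, deleted or reordered
        if receipt_hash(receipt["data"], receipt["prev_hash"]) != receipt["hash"]:
            return False, i  # data no longer matches the stored hash
        prev_hash = receipt["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(chain)  # tail truncated, or whole chain rebuilt
    return True, None

if __name__ == "__main__":
    chain = []
    for action in SAMPLE_ACTIONS:
        head = append_receipt(chain, action)
    print("intact:", verify_chain(chain, head))
    chain[1]["data"]["tool"] = "browse"  # simulate an after-the-fact edit
    print("edited:", verify_chain(chain, head))
```

Passing a head hash that is stored outside the log as `expected_head` lets the walk also flag a chain whose last receipts were dropped, which the link checks alone cannot see.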
What Goes in a Receipt
For AI agent audit trails, each receipt captures:
- Envelope: Agent ID, session ID, user ID, timestamp
- Action: What the agent did (tool call, response generation, policy check)
- Input: What triggered the action (user message, tool response)
- Decision: What the policy engine decided (allow, deny, require approval)
- Parameters: For tool calls, the exact parameters used
- Outcome: Success/failure of the action
- Hash chain: Previous receipt hash and current receipt hash
Performance
SHA-256 computation takes microseconds. Generating a receipt per action adds negligible latency to the agent pipeline. The bottleneck is storage I/O (writing the receipt to disk or database), which is the same cost as any logging system.
For high-throughput systems, batch receipt writes. Compute hashes in memory and flush to storage periodically. The chain integrity is maintained in memory; storage is for durability.
Not Blockchain
This is frequently confused with blockchain technology. It is not. Hash chains are a data structure used since the 1990s (Haber and Stornetta, 1991). They require no consensus mechanism, no mining, no distributed ledger, and no cryptocurrency. They run in a single process with microsecond overhead.
The property they provide is simple and specific: tamper evidence for an ordered sequence of records. That is exactly what AI agent audit trails need.
Authensor generates receipt chains automatically. Every action that passes through the policy engine produces a receipt. Verification tools walk the chain on demand to confirm integrity.