What Is Not Attested Is Neither Real Nor True
There is a foundational claim at the centre of agentic Zero Trust:
What is not attested by the witness is neither real nor true.
The first time someone reads it, they think it sounds dramatic. Real? True? These are heavy words for a security claim.
After a year of running production agents, the claim stops sounding dramatic and starts sounding like the only honest description of where the discipline lives. Because in a system of autonomous agents acting under authority, unattested action is functionally identical to no action — and unattested claims about action are functionally identical to fabrication.
The witness is not a logger. The witness is the boundary between what happened and what didn’t.
What “Attested” Means
To attest is not to log. Logging is what a server does when it remembers what it served. Attestation is something stronger:
- Cryptographically signed. The attestation is bound to the actor. A signature that does not validate is not attestation.
- Bound to a specific event. The attestation is about a particular action — this input, this output, this state transition. Not “the agent did things”; this specific thing.
- Witnessed by a verifier the actor does not control. The witness is not the agent. The witness is independent. If the agent could forge its own attestations, attestation collapses to assertion.
- Persistent. Attestation that is overwritten is not attestation. The trail must survive — the same way a notarised document survives the moment of notarisation.
A log is what an agent says it did. An attestation is what a verifier confirms the agent did, at the time it did it, in a form that survives.
The difference matters because logs can be edited. Logs can be lost. Logs can be selectively retrieved. Attestations cannot — by construction — be quietly altered after the fact. The witness is what gives the trail its weight.
Why Unattested Action Is Not Real
Suppose your agent took an action in production. Suppose no attestation captured it. The action is in the system; its effects are in the data; the agent did something.
How do you know what?
You ask the agent. The agent reports what it did. You log the report. Now you have the agent’s account of its own action.
The agent’s account might be honest. It might also be wrong. The agent might have hallucinated the report. The agent might have been compromised. The agent might be giving you a sanitised version. You have no independent verification.
In an audit, in an incident review, in a regulatory inquiry — the agent’s self-report is not evidence. It’s the suspect explaining what happened. You need the witness.
If the witness was not present, you do not have a record of the action. You have a belief about the action, formed from one source whose reliability is exactly what you are trying to verify. That is functionally equivalent to no record.
Hence: what is not attested by the witness is neither real nor true. Not because the action didn’t happen — it might have. But because, operationally, you cannot demonstrate it happened. The action might as well not have, for any purpose that requires evidence.
What This Means for Engineering
The foundational claim has direct architectural consequences:
1. Every action that matters must be attested at the moment it happens. Not after; at the moment. Post-hoc reconstruction is not attestation. The witness must be present.
2. The witness must be independent of the agent. The agent cannot attest to itself. Identity-based attestation works because the cryptographic infrastructure is outside the agent’s control. Self-signed attestations are not attestations.
3. The attestation chain must be unbroken. The agent acts; the action is attested at the boundary; the next layer attests its receipt; downstream consumers can verify the full chain. A break anywhere in the chain breaks the realness of everything past the break.
4. The trail must be append-only. Editing the trail is forging the trail. Append-only — a single forensic ledger, witness to all events, never overwritten — is what makes the trail evidence rather than report.
These are not nice-to-haves. They are what real and true look like when implemented. Skip any one and you have a system that produces logs but not attestations — and logs are not enough for the kind of verification agentic systems require.
What This Inverts
Conventional security often runs on a different model: actions are taken, and you trust the actors unless something looks wrong. Telemetry collects what is collected. Logs are written by the actors themselves. Attestation, where it exists, is bolted on at specific high-stakes moments.
Agentic Zero Trust runs on the inverse model: actions are not real until attested. The default is no record, no real. The witness is part of every action’s pipeline. Logs are downstream of attestations, not parallel to them.
This inversion is uncomfortable because it makes the witness mandatory. Every action carries its cost: a signature, a verification, a record. There is no “fast path” that bypasses attestation — fast paths are exactly the actions that won’t be evidence later, and “evidence” is what the discipline is built to produce.
But the inversion is also clarifying. Once you adopt it, the architecture becomes obvious: attestation is upstream of action, the witness is independent, the chain is unbroken, the trail is append-only. Every other architectural choice flows from these. Where you skip them, you have decided that the corresponding actions don’t need to be evidence — and you should be explicit about that decision, because it is a decision.
What “The Witness” Concretely Is
In a working framework, the witness is several things composed:
- A forensic ledger — append-only event store, signed entries, persistent across runs
- An attestation pipeline — cryptographic signing of action events at the moment of occurrence
- An observatory — the read-only surface that surfaces the ledger to operators and auditors without modifying it
- The verification machinery — checks that the attestation chain is unbroken, signatures validate, the trail is consistent
These together are the witness. None of them alone is the witness. A forensic ledger without signed attestations is a database of assertions. An attestation pipeline without persistent ledger is a stream of signatures with no record. An observatory over an editable store is a viewer of fiction.
Built together, the witness is what makes the actions of agentic systems evidentially real. Built apart, you have components that produce logs.
The Disposition
The first time a team encounters the foundational claim, they often try to soften it: surely some actions can be lighter-weight; surely we don’t need attestation on every state transition; surely the cost is too high.
The team that softens this is the team that, six months later, has an incident that requires the chain — and discovers that they don’t have the chain, because they decided some actions could be unattested, and the action that mattered was one of those.
The team that holds the claim — what is not attested is neither real nor true — pays the cost of attestation up front. Every action carries its witness. The cost is real and the cost is ongoing. What it earns is the architecture that holds when the chain is needed.
For agentic systems specifically: this is not optional. The combination of autonomous action and delegated authority and open input space means the system is producing claims about its own operation continuously. Without the witness, those claims are the agent’s account of itself — which is not evidence. With the witness, those claims are evidentially real, and the system can be audited, recovered from, and improved.
The witness is the foundation. Real and true, in this discipline, are functions of the witness. There is no alternative architecture that gets you there.