Months after a change ships, someone asks the simple question — an auditor, an incident review, a regulator: who decided this, and on what basis? In a world of human authors that answer lived in a commit author field and a person’s memory. In a world where a human prompted an agent, the agent drafted against some context, a model chose an approach and another human accepted it, the answer is distributed across four actors and no single record. The audit trail is how you reconstruct it — and it is becoming the operational form of accountability.
Provenance proves the pipeline
The mature substrate already exists. SLSA defines build provenance as verifiable, machine-readable metadata describing where, when and how an artifact was produced — enough for a consumer to verify it was built as expected, or rebuild it. Builder identity is defined as the transitive closure of every entity trusted to run the build and record the provenance. Signed attestations (sigstore, in-toto) make it tamper-evident. If you have invested here, you can already answer a great deal about how something was produced.
But provenance is not attribution
Here is the gap that matters for agentic delivery, and it is easy to miss. SLSA’s builder identity is the trusted build platform — the trust base. The entity that triggered the build, and the inputs that drove it, live in external parameters and are explicitly treated as untrusted. So provenance proves the integrity of the pipeline; it does not prove who or what decided the change that went through it. Which agent, running which model version, against which context, accepted by which human — that decision layer sits above SLSA and is not addressed by it. Closing that gap is the work: an agent-and-decision log layered on top of build provenance. This is the accountable core, made durable.
Regulation is making it non-optional
What used to be good hygiene is turning into a compliance artifact. The EU AI Act requires high-risk systems to keep automatic records over their lifecycle (Article 12) and to be designed for effective human oversight (Article 14) — both of which presuppose that you can show, after the fact, what the system did and where a human exercised judgement. SOC 2 and ISO 27001 audits increasingly probe AI in the supply chain on the same terms. The trail that lets you reconstruct who decided what is shifting from a nice-to-have into something you are asked to demonstrate.
What an accountable trail records
A trail built for agentic delivery has two layers. Underneath, build provenance for the artifact — SLSA, signed. Above it, decision provenance:
- Which agent and which model version produced the change, and against what context (the prompt, the retrieved knowledge, the reference it worked from).
- Which human accepted it — the acceptance signature — so there is a named owner attached to the decision, not just to the merge.
- When, and through which gates, recorded as it happens rather than inferred later; tamper-evident via signing.
- Reconstructable on demand: the trail answers both what produced this and who is answerable for it.
Provenance is becoming table stakes; attribution is the differentiator. The audit trail is not paperwork — it is the accountable core written down, the record that when a change is examined later, a human’s name is genuinely under the decision and the basis for it can be reconstructed. Build it at the moment of the decision, because that is the only moment the information is cheap.