You know what your agents are allowed to do.
Do you know what they actually did?
Policy controls decide whether your agents can act. AGLedger records what they did — a signed, tamper-evident chain of custody with proof you can verify offline. The accountability layer for autonomous work on your infrastructure.
Layer 3 · self-hosted · any model · any framework
the coverage gap
If you're relying on your agents to document their own work, you're missing half of it.
In our testbed — 64 traces across four LLM providers — agents asked to document their own accountability completed the full chain only 43% of the time. They fabricated mandate IDs. They invented contract types. They skipped receipts. GPT-4o-mini generated twenty-five random UUIDs in a single run. Nova Pro invented a contract type and retried thirteen times.
The pattern isn't “bad agents.” It's unreliable infrastructure. Anything that depends on an agent to narrate its own work is going to miss what you most need to see.
When agents are asked to document their own accountability: 3 of 7 contract types completed. When the enterprise system owns the accountability record and the agent just does the work: 8 of 8. Every provider, every contract type.
where we fit
Three layers are forming around autonomous agents. We're the one nobody else is building.
Policy controls decide whether an agent can act. Guardrails shape how it acts. AGLedger records what it actually did. All three are needed. We plug into the first two — we don't compete with them.
Policy controls
Runtime interception. Allow or deny on a per-call basis.
Agent guardrails
Behavioral enforcement. Least-privilege, just-in-time permissions.
Accountability
Signed chain of custody. Mandate, receipt, verdict. Tamper-evident.
gateways: allow/deny.
AGLedger: allow/deny + directive + proof + tamper-evident chain.
Gateways are stateless. Accountability is stateful — lifecycle, state machine, hash-chained vault. A gateway company adding accountability rebuilds AGLedger inside their gateway. Not a sprint.
see it run
Mandate, receipt, verdict. Four endpoints, Ed25519-signed, verifiable offline. Works with any agent framework, any model.
$ agledger mandate create --type ACH-PROC-v1 --performer agent-b
✓ mandate m_7xK created [DRAFT]
$ agledger mandate register m_7xK
✓ m_7xK [DRAFT → REGISTERED]
$ agledger mandate activate m_7xK
✓ m_7xK [REGISTERED → ACTIVE]
$ agledger receipt submit m_7xK --evidence '{"item":"laptop","price":1850}'
✓ receipt r_3aQ submitted [ACTIVE → RECEIPT_SUBMITTED]
$ agledger receipt accept m_7xK
✓ receipt accepted [RECEIPT_SUBMITTED → RECEIPT_ACCEPTED]
$ agledger mandate fulfill m_7xK
✓ m_7xK [RECEIPT_ACCEPTED → FULFILLED]audit-ready by design
Answer any audit question in seconds, not weeks.
Your existing logs scatter the accountability story across your ERP, your CRM, your SIEM, and whatever your agent framework writes. Reconstructing what happened takes days of engineer time and judgment calls. AGLedger records the story in structured, agent-queryable form from the moment work starts.
Point your Audit Agent at AGLedger and ask the questions you've been postponing. Who committed to the delivery? Who approved the payment? Was this purchase within policy? The answer comes back with signed proof attached — not a summary of logs, the actual chain.
traditional logs
Six systems. No shared join key. Reconstruction is manual. Your audit window: days to weeks.
AGLedger
One source. Mandate ID as join key. Agent-queryable by design. Your audit window: seconds.
Not to be confused with continuous-compliance platforms (Vanta, Drata) that automate after-the-fact evidence collection. AGLedger records are audit-ready the moment they are written.
at every scale
Solo agents today. Multi-agent chains tomorrow. Federation when you need it.
The same protocol grows with your deployment. Start where you are; the upgrade path is additive.
- 01
Solo agent
✓ todayPattern D: your enterprise system owns the mandate and receipt, the agent does the work and renders the verdict. Coverage is infrastructural — nothing can be missed because accountability doesn't depend on whether the agent documents itself.
- 02
Multi-agent chains
Agent A delegates to Agent B delegates to Agent C. Each handoff carries a mandate. Each level owns its own receipt. The full delegation tree is reconstructible from a single mandate ID — with Ed25519 signatures at every node.
- 03
Cross-company federation
When agents cross organizational lines, federation extends the chain of custody — shared schemas, sovereign vaults, cross-company proof. Each party keeps their own keys and data. The protocol crosses boundaries; the data doesn't.
the moat
Your vault. Your keys. Your federation.
AGLedger runs on your infrastructure. Customer-owned PostgreSQL. Your Ed25519 keys. No phone-home. No kill switch. Fails open if the license expires — security patches always free. A SaaS competitor can't match this: federation with data sovereignty is architecturally impossible for a hosted service to deliver.
$8,000 perpetual per unique database instance is roughly one engineer-week. You're not paying for code a competent team with AI couldn't ship in a sprint. You're paying for the network of counterparties already speaking the same protocol — and the guarantee that your accountability infrastructure isn't owned by someone else's roadmap.
your vault
PostgreSQL 17+
your keys
Ed25519
your federation
sovereign vaults
try it