Enforcement & signed intent

A signed record is two things at once. It is a durable memory your agent reads back after its own context is gone, and a precondition you can put in the path of a consequential action so the work cannot proceed without it. The agent reports with its key; the notary signs what it reported. This page is about both: what the agent gets from having made the record, and how you make making it mandatory.

Durable memory · No record, no action · Validated, not just present · Fail-closed by default

Last updated: 2026-06-10 · API v1.3.2

Signed intent

Intent that outlives the memory of it

Agents lose the plot. A context window fills and truncates, a session expires, work hands off to a fresh agent, a tool swap wipes the running state. The conversation that held what the agent was doing evaporates - and a model asked to remember will reconstruct a plausible story that may never have been true.

The signed record does not evaporate. When an agent loses context, it reads its records and recovers what it was required and authorized to do - byte-for-byte, signed, not a summary of a conversation that no longer exists. The same record names the principalAgentId accountable for the work and the requestedBy party that asked for it. If the laptop you ordered arrives two weeks later, the agent does not have to remember why - it reads the record it created when it placed the order.

This is signed intent, and it is the reason to plug AGLedger in today even before you need a gate: it makes long-running and delegated agents more reliable now, not just auditable later. And you do not build it - the agent reports, the notary signs. The free Developer Edition is enough to start.

Why before, not after

A log records what happened. It cannot record what was meant.

After-the-fact logging captures the action. It cannot capture what the agent meant to do, or whose authority it claimed - because by the time you ask, the agent has lost the context and will reconstruct a plausible story. Intent and authority are only honest when they are signed at the moment they are real: before the action. Capture them afterward and you have recorded half the story and made up the other half.

That is why a record carries more than the action. It names what was intended, and who stands behind it - signed before the consequential step, not narrated after it. The authority is the principal's; the signature is the notary's.

How a gate enforces it

No record, no action

A notary matters most when the work actually stops to use it. Put a gate in the path of consequential automated actions - buying hardware, provisioning a user, moving funds - and the record becomes a precondition of the work, not a hope about it. The gate is yours: your own policy engine, or an off-the-shelf agent-governance toolkit. AGLedger never blocks your systems; it holds the signed record the gate checks. The gate intercepts the consequential tool call and refuses it until a valid record exists. The rejection is not a dead end; it is a directive the agent can act on.

REJECTED: This action requires an accountability record. Create a record of this type using the AGLedger API, then retry this action with the record ID.
  1. The agent calls the tool - buy the laptop, add the user - with no record.
  2. The gate finds none and returns the directive above.
  3. The agent discovers the API, learns the contract type, and notarizes what it intends and on whose authority.
  4. It retries the tool call, now carrying the record ID.
  5. The gate validates that ID against AGLedger - not just that a string is present - and only then lets the action proceed.

An agent with no prior knowledge of AGLedger completes this loop on its own, taught entirely by the gate directive and the API's own responses. See the full first-contact trace in the agent-governance-toolkit walkthrough.

Validate, do not just check for presence

An agent will fabricate any string you only check for presence

If the gate only checks that a record ID field is filled in, an agent under pressure to complete its task will invent one that satisfies the requirement. The gate has to confirm the record actually exists, against the AGLedger API, before it trusts it. It is a single read - on the order of 50 to 200 milliseconds, negligible against model inference - and it is the difference between a control and a checkbox. This is also why weaker agents are not a reason against the pattern: an agent that fabricates an ID fails closed, because the gate validates rather than trusts.

Fail-closed by default

If AGLedger is unreachable, the action does not run

When the gate cannot reach AGLedger to validate a record, it has to choose: block the action (fail-closed, safer) or allow it (fail-open, more available). The reference implementation fails closed - the consequential step waits rather than proceeding unrecorded. “Fail-closed” is a policy you set at your own gate, not something AGLedger does to you. Configure it to your risk tolerance, but the default is the one that keeps the trail complete.

The decision stays yours

The gate enforces. AGLedger holds the record. We are not the judge.

AGLedger does not decide whether your agent may act. The gate enforces the policy; your principal, or your rules engine, renders the verdict; AGLedger holds the signed record of both the intent and the decision. Where the action crosses a delegation boundary and someone other than the doer must accept or reject the delivery, that verdict path is the Gate. The enforcement point is how you make reaching it mandatory.

The same record then serves three readers. The agent reads it to recover what it was told to do. The operator reads it to see what the fleet intended and did. The auditor reads it to prove it - verifying the cryptography offline, without taking anyone's word. The signing the agent never needed is what the auditor relies on.

Two ways to put a gate in front

Your own policy engine

A thin check at the point an agent invokes a consequential tool: does a valid AGLedger record exist for this action? Reject and return the directive if not; validate and proceed if so.

An agent-governance toolkit

Already running a governance layer? A small adapter maps its policy decisions to AGLedger records and enriches its denials with the retry directive - no system-prompt changes. See the integration walkthrough.

Related