Proof Chain
Beyond audit logs. Cryptographic evidence of what was requested, what was authorized, what executed, and what the result was. Tamper-evident, hash-chained, and auditor-ready.
Logs are not evidence
Traditional audit logs tell you what happened. They don't prove it. Logs can be edited, deleted, or disputed. When a regulator asks "can you prove what this agent did last Tuesday?" — you need cryptographic evidence, not log files.
What a proof chain receipt contains
Request
What was requested — the action, parameters, requestor identity, and delegation chain.
Authorization decision
The PDP decision — Allow, Deny, or SSC — with the policy context, constraints, and obligations that applied.
Execution
What actually executed — the method, target system, parameters used, and timestamp. Per-parameter provenance trail.
Evidence
AEE cryptographic fingerprint matching. JWS-signed receipt with hash chain linking to prior receipts. Tamper-evident.
Five auditor questions — answered automatically
Who requested it?
Identity chain from human user through agent delegation to tool execution.
Who authorized it?
PDP decision with policy reference. For SSC: approver identity and approval timestamp.
What exactly happened?
Per-parameter provenance trail from CDA engine with 9 x-field extensions.
Can it be disputed?
Cryptographic fingerprinting and hash-chained receipts make tampering detectable.
Where's the evidence?
Proof Pack evidence bundles with AEE fingerprint matching. One endpoint, complete provenance.
Proof chain is built into every EmpowerNow offer
Whether the action comes from a portal user (SAP, IGA), an AI agent (ARIA), an API call (Authorization), or an automated workflow (A&F) — the same proof chain applies. One evidence model across all surfaces.