Audit Trails: Tamper-Evident Records for Every Action
The NL Protocol creates an immutable, cryptographically chained audit log for every secret access, delegation, and revocation. If even one record is modified, the entire chain breaks -- making tampering mathematically detectable.
Why Traditional Logs Fail
Most logging systems are mutable. Log files can be edited, entries can be deleted, timestamps can be altered. An attacker who gains access to a system can cover their tracks by modifying or removing the log entries that document their actions.
For traditional applications, this risk is manageable with log aggregation and access controls. But for AI agent security, the stakes are different. An agent that has been compromised through prompt injection might attempt thousands of secret accesses in seconds. If the audit trail can be tampered with, there is no way to reconstruct what happened, which secrets were accessed, or whether data was exfiltrated.
What you need is not just logging, but mathematical proof that the log has not been tampered with.
How NL Protocol Audit Works
Every action in the NL Protocol creates an audit record. This record captures the agent's identity, the action type, which secrets were referenced (by name, never by value), a timestamp, and a summary of the result.
What makes these records tamper-evident is how they are chained together. Each record includes a SHA-256 hash of the previous record. This creates a hash chain -- a sequence where each entry depends on all the entries before it. Changing any single record would change its hash, which would break the link to the next record, which would break the link after that, and so on.
Additionally, each record is HMAC-signed using a secret key held by the NL System. This means that not only is the chain order protected, but each individual record is authenticated. You cannot forge a new record or modify an existing one without the signing key.
{
"sequence": 42,
"timestamp": "2026-02-09T10:30:00Z",
"agent_id": "nl://deploy/orchestrator",
"action_type": "exec",
"secrets_used": ["production/db-password"],
"result_summary": "exit_code: 0, stdout: 142 bytes",
"prev_hash": "sha256:a1b2c3d4e5f6...",
"hmac": "hmac-sha256:f6e5d4c3b2a1..."
}
Note: the secrets_used field records secret names, not values. The audit trail documents which secrets were accessed, without ever containing the secret data itself.
The Hash Chain
Each record's hash is computed over its entire contents including the hash of the previous record. This creates an unbreakable chain where modifying any record invalidates everything that follows.
+----------------+ +----------------+ +----------------+ | Record #40 | | Record #41 | | Record #42 | | | | | | | | agent: ... | | agent: ... | | agent: ... | | action: exec | | action: exec | | action: exec | | prev: hash39 |--> | prev: hash40 |--> | prev: hash41 |--> ... | HMAC signed | | HMAC signed | | HMAC signed | +----------------+ +----------------+ +----------------+
If Record #41 is modified, its hash changes. This means Record #42's prev_hash no longer matches, breaking the chain. The tampering is immediately detectable by any verifier.
What Gets Recorded
The audit trail captures every security-relevant event in the system. Nothing happens silently.
- ✓ Every action request and response
- ✓ Which secrets were resolved
- ✓ Sanitization events (leaked values detected)
- ✓ Token creation and scope details
- ✓ Token usage by sub-agents
- ✓ Revocations and cascade events
- ✓ Scope grant creation and modification
- ✓ Denied requests (with reason)
- ✓ Grant exhaustion (max_uses reached)
- ✓ Anomaly detection triggers
- ✓ Prompt injection detection events
- ✓ Automated response actions taken
Verification
Anyone with read access to the audit log can verify its integrity. The process is straightforward: start from the first record, compute its SHA-256 hash, check that the next record's prev_hash field matches, and repeat for every record in the chain.
If even one bit of any record has been changed -- a modified timestamp, an altered agent ID, a deleted entry -- the hash chain will break at that point. The verification tool will report exactly where the discrepancy occurred.
function verify_chain(records): for i in range(1, len(records)): expected_hash = sha256(records[i - 1]) if records[i].prev_hash != expected_hash: return "TAMPERED at record", i if not verify_hmac(records[i], signing_key): return "FORGED record at", i return "CHAIN VALID", len(records), "records verified"
The Foundation for Higher Levels
Audit integrity (Level 5 of the protocol) is not just a nice-to-have -- it is the foundation for the two highest security levels: Attack Detection (Level 6) and Cross-Agent Trust (Level 7).
Attack detection relies on analyzing audit records to identify anomalous patterns: unusual access frequency, unexpected secrets being accessed, or actions that don't match an agent's historical behavior. If the audit trail can be tampered with, attackers can erase the evidence of their anomalous behavior.
Cross-agent trust relies on audit records to verify that delegation chains are valid and that agents have behaved correctly. If audit integrity fails, trust verification becomes unreliable.
Fail-closed behavior: If audit chain verification fails, Levels 6 and 7 automatically enter a fail-closed state. Attack detection assumes all activity is suspicious, and cross-agent delegation is suspended. This ensures that a compromised audit trail cannot be used to mask ongoing attacks.