Proof of what an agent actually did.
The Agent Attestation Record (AAR) is an open standard: a portable, Ed25519-signed record of what an AI agent claimed it did versus what an independent verifier found, checked against real system state — verifiable with a public key and no central server.
Every agent control plane on the market governs access — can this agent call the CRM? None ship portable proof of outcome. The Agent Attestation Record (AAR) is a signed record binding an agent's claim to an independently-verified, evidence-committed verdict — checkable with a public key, no central server.
View on GitHub Verify a record Read the spec
The record
{
"aar": "0.02",
"subject": "did:web:agents.example.com:conductor",
"principal": "did:web:example.com",
"task": { "id": "ack-56083", "claim": "drafted acknowledgement for ticket #56083" },
"verdict": "verified",
"quality": "substantive",
"ground_truth": "confirmed",
"reason": "draft quotes the customer's words; matches the live ticket body",
"checks": [{ "source": "…/tickets/56083", "query": "GET /tickets/56083",
"observed_at": "2026-06-05T20:13:58Z", "response_sha256": "…" }],
"verifier": { "id": "did:web:example.com:angel", "independence": "third_party" },
"issued": "2026-06-05T20:14:03Z",
"sig": { "alg": "Ed25519", "by": "did:web:example.com", "value": "base64url…" }
} What it does — honestly
| Provenance | Ed25519 over the record — proves who vouched, untampered. |
|---|---|
| Inspectable truth | confirmed/contradicted carry committed evidence (hash of the checked state + the query) — an authorized party re-runs it without trusting the verifier. |
| Fabrication-evident | ground_truth: contradicted is a signed statement the claim failed against real state. |
| No self-grading | L2 requires verifier.id ≠ subject — the agent can't sign off on itself. |
| Honest about limits | verifier.independence is disclosed (same/separate/third-party), not asserted. AAR is inspectable + fabrication-evident, not magically true. |
It does not claim a signature makes a verdict true. same_principal
is organizational attestation; third_party + evidence + L3 is audit-grade.
AAR is inspectable and fabrication-evident, not magically true.
Conformance
| Level | Adds | For |
|---|---|---|
| L0 | a signed record that verifies | the point-to-point floor |
| L1 | + ground_truth + checks evidence | claims checked vs real state, inspectably |
| L2 | + independent verifier (id ≠ subject) | no self-grading; quality advisory |
| L3 | + transparency-log commitment | protects L0–L2 from retroactive rewrite |
Getting started
A zero-dependency reference signer/verifier ships in the repo (Node ≥ 20):
git clone https://github.com/frontier-infra/agentcontrolplane cd agentcontrolplane node tools/aar.mjs verify specs/fixtures/valid/helpdesk-ack.json \ --did-json specs/fixtures/.well-known/did.json # → conformance: L2
Sibling of AVL
AVL — Agent View Layer makes a site agent-readable; AAR makes
an agent's actions accountable. The proof layer over the view layer.
This very site is AVL L3-conformant — fetch
/.agent,
the /agent.txt manifest, or send
Accept: text/agent-view. We eat our own cooking.
FAQ
What is the Agent Attestation Record (AAR)?
AAR is an open standard: a portable, Ed25519-signed record of what an AI agent claimed it did versus what an independent verifier found, checked against real system state. It verifies with a public key and no central server.
How is AAR different from an agent access-control plane?
Existing agent control planes (Okta for AI Agents, Microsoft Agent 365, Galileo) govern access — what an agent is permitted to call. AAR governs proof of outcome — whether the agent actually did what it claimed, checked against reality. It composes with access control rather than replacing it.
Does an AAR prove a verdict is true?
No. AAR proves provenance (who signed) and makes the verdict inspectable (the evidence is committed as a hash) and fabrication-evident (a contradicted ground_truth is a signed lie-detection). A same-owner key can still assert a verdict; AAR discloses that via verifier.independence and, at L3, makes records non-rewritable.
How do I verify an AAR?
Remove the signature, canonicalize the record (JCS / RFC 8785), resolve the signer's did:web public key, and Ed25519-verify. A zero-dependency reference tool ships in the repo: node tools/aar.mjs verify record.json.
What are the AAR conformance levels?
L0 is a signed record that verifies. L1 adds ground_truth plus committed evidence. L2 adds an independent verifier (the agent cannot grade itself). L3 adds a transparency-log commitment that protects records from retroactive rewrite.
Is AAR related to AVL?
Yes. AVL (Agent View Layer) makes a website agent-readable; AAR makes an agent's actions accountable. They are sibling standards from frontier-infra. This site is itself AVL L3-conformant.