Every piece in this series ends at the same place. The record gets signed. A signature attests to an identity, and the identity is the part nobody has specified. Sign a trajectory with the wrong identity and you have a log entry that photographs like evidence.
The signature is the easy half. The signer is the half that decides whether a party who was not there can trust the record.
Identity is shipping. The signer is not.
Identity-governance products for agents shipped this spring. A federal standards effort now names agent identity as a core pillar alongside agent security. The movement is real, and it is overdue.
All of it answers one question. May this agent reach this tool. That is access identity, and it belongs in front of the tool call, where it gates what the agent is allowed to touch. The audit object needs a different identity, and almost no one is building it.
Two questions an identity answers.
Access identity asks whether the agent may act. It runs before the call fires and decides what the agent can reach.
Attestation identity asks a question that only matters after the fact. Which agent did act, under which policy, and can a party who was not present verify the answer. The first is a gate. The second is a witness.
Access identity asks whether the agent may act. Attestation identity asks which agent did, and lets a stranger verify it.
The products shipping this spring built the gate. The witness is the artifact an examiner reads, and it is still missing.
What the signature has to bind.
A signature on a trajectory is worth exactly what it binds. Bind nothing but the output bytes and it proves only that something produced them. That is not an identity. It is a checksum with a key attached.
The signer has to bind the configuration that produced the run.
Which agent. The named actor, not the platform that hosts it.
Which version. The build of that agent in force at the moment, because the next deploy changes the behavior under the same name.
Which policy. The governing rules that were active when the decision was made, not the ones in effect when the record is read.
Which authority. The human or service that delegated the run, and the scope it delegated.
The clock reading. The time the entry was signed, fixed in the chain so it cannot be backdated.
The signature has to bind the configuration that produced the run, not just the bytes that came out of it.
Why one platform key fails the test.
The common pattern is one service key. The platform signs every run from every agent with the same credential. That signature proves the platform emitted bytes. It does not say which agent, which version, or under which policy.
A reviewer who trusts the platform can take the rest on faith. An examiner does not extend that trust. Neither does a carrier pricing the loss, nor an attorney on the other side of the decision. Each of them has to verify the binding without trusting the party that produced it. A single shared key gives them nothing to check.
This is the half of reproducibility the latency work did not cover. Replaying a run reproduces the output. It does not, on its own, prove which configuration signed it. Determinism without bound identity tells you the bytes match. It does not tell you whose bytes they were.
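The binding listed under "What the signature has to bind" and the per-agent check that one platform key cannot give, as an added example that is not from the original article and is not Wayfinder's code. It assumes Ed25519 signatures, a JSON encoding of the signed fields, and a verifier-held registry of one public key per agent build; the field names, the `agent@version` registry key and all sample values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Entry binds the configuration behind a run, not only the output bytes.
type Entry struct {
	Agent, Version, PolicyHash, Authority, Scope, SignedAt, OutputHash, PrevHash string
	Sig                                                                          []byte `json:"-"` // excluded from the signed bytes
}

func (e Entry) digest() string {
	b, _ := json.Marshal(e) // struct field order gives a stable encoding
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

func Sign(e Entry, key ed25519.PrivateKey) Entry {
	e.Sig = ed25519.Sign(key, []byte(e.digest())) // covers every bound field, PrevHash included
	return e
}

// Verify needs public keys only, one per agent build (assumed registry); first bad index or -1.
func Verify(chain []Entry, keys map[string]ed25519.PublicKey) int {
	prev := ""
	for i, e := range chain {
		pub, ok := keys[e.Agent+"@"+e.Version]
		if !ok || e.PrevHash != prev || !ed25519.Verify(pub, []byte(e.digest()), e.Sig) {
			return i
		}
		prev = e.digest()
	}
	return -1
}

// Demo returns a two-entry chain of constructed sample values and its key registry.
func Demo() ([]Entry, map[string]ed25519.PublicKey) {
	pub1, key1, _ := ed25519.GenerateKey(nil)
	pub2, key2, _ := ed25519.GenerateKey(nil)
	e := Entry{Agent: "claims-agent", Version: "1.4.0", PolicyHash: "sha256:aa", Authority: "svc:intake", Scope: "claims:read", SignedAt: "2025-01-01T00:00:00Z", OutputHash: "sha256:01"}
	a := Sign(e, key1)
	e.Version, e.SignedAt, e.PrevHash = "1.5.0", "2025-01-02T00:00:00Z", a.digest()
	b := Sign(e, key2)
	return []Entry{a, b}, map[string]ed25519.PublicKey{"claims-agent@1.4.0": pub1, "claims-agent@1.5.0": pub2}
}

func main() { fmt.Println(Verify(Demo())) }
```

Editing the policy hash, relabeling an entry as a different build, or dropping the first entry each makes `Verify` return the index of the affected entry, using nothing but the public keys.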
What the examiner verifies.
SR 26-2 placed agentic AI outside its scope and pointed institutions back at their own risk practices. Those practices carry an identity model for people and for service accounts. They do not carry one for a non-human actor that branches, learns, and acts across thousands of decisions a day.
The examiner is going to ask the agent what it asks an employee who made a decision under review. Who were you. What were you authorized to do. Prove both. A trajectory that cannot answer those questions is unsigned in the way that counts, no matter how many keys touched it.
What we are building.
Wayfinder Systems Group builds the runtime layer that binds identity to the record at the moment of the decision. Every signed entry carries which agent, which version, which policy was in force, and the authority under which it acted, written onto a tamper-evident chain a third party can verify without trusting us. The signature is evidence only when the signer is provable. The substrate is what makes the signer provable. Patents held in The Wayfinder Trust. We call her Velma.
Thirty minutes. Architecture, not sales.
A conversation about the identity an agent has to carry into the record for a stranger to trust it, and where that binding has to be made for the signature to hold.
JonathanLuethke@WayfinderSystemsGroup.com
