Internet-Draft                                                   T. Sato
Intended status: Standards Track                          MyAuberge K.K.
Expires: November 17, 2026                                  May 17, 2026
The Governance Audit Record (GAR) for Agentic AI Systems
draft-sato-soos-gar-00
Abstract
This document specifies the Governance Audit Record (GAR), an audit
architecture for agentic AI systems. GAR defines five audit types,
the Session Audit Record (SAR), the Audit Alert system, auditor
principal categories, and the Audit Package for external regulatory
inspection. GAR provides verifiable evidence that AI agent sessions
were governed in accordance with the Intent Declaration Primitive
[I-D.sato-soos-idp] and the Human Escalation Mechanism
[I-D.sato-soos-hem]. GAR answers the governance question: can any
of this be proven to a regulator?
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 17, 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction
2. Conventions and Definitions
3. Architecture Overview
4. Audit Types
4.1. Type 1 -- Kernel Self-Audit
4.2. Type 2 -- Session-Close Audit
4.3. Type 3 -- Event-Triggered Alert
4.4. Type 4 -- Scheduled Audit
4.5. Type 5 -- On-Demand External Audit
5. Auditor Principal Categories
5.1. HEM Principal
5.2. Audit Principal
5.3. Verified External Auditor
5.4. Kernel Self-Auditor
6. Session Audit Record
6.1. SAR Generation
6.2. SAR Schema
6.3. SAR Signing
6.4. SAR Retention
7. Audit Alert System
7.1. Alert Generation
7.2. Alert Schema
7.3. Normative Trigger List
7.4. Alert Delivery
8. Event Log Requirements
8.1. IDP Audit Events
8.2. HEM Audit Events
8.3. GAR Audit Events
8.4. CAP Audit Events
9. Audit Package
9.1. Package Composition
9.2. Package Schema
9.3. Access Control
10. EU AI Act Applicability
10.1. Article 12 Mapping
11. Security Considerations
12. IANA Considerations
12.1. GAR Audit Alert Triggers Registry
12.2. GAR Auditor Principal Types Registry
13. References
13.1. Normative References
13.2. Informative References
Author's Address
1. Introduction
Agentic AI systems require governance across four questions:
o What did the agent intend before acting?
[I-D.sato-soos-idp] -- The Intent Declaration Primitive (IDP)
for Agentic AI Systems
o Who governed the agent's decisions?
[I-D.sato-soos-hem] -- The Human Escalation Mechanism (HEM)
for Agentic AI Systems
o Were those decisions within the law?
[I-D.sato-soos-cap] -- The Constitutional AI Protocol (CAP)
for Agentic AI Systems (forthcoming)
o Can any of this be proven to a regulator?
This document -- The Governance Audit Record (GAR) for Agentic
AI Systems
GAR is the evidentiary layer of this protocol family. IDP, HEM, and
CAP generate governance events; GAR specifies how those events are
collected, synthesized, signed, and made available for audit.
The architectural property GAR enforces is non-suppressibility: the
kernel MUST generate audit artifacts automatically, MUST sign them,
and MUST NOT allow any agent, application, or principal to suppress,
modify, or delete them. This property -- the kernel cannot suppress
bad news from its principals -- is the foundation of accountable AI
governance.
GAR defines five audit types ranging from continuous kernel self-
audit (Type 1) to on-demand external regulatory inspection (Type 5).
The Session Audit Record (SAR) is the primary audit artifact: a
complete, kernel-signed record of every governance event in a
session, generated automatically at session close.
This specification is a companion to [I-D.sato-soos-idp] and
[I-D.sato-soos-hem]. Readers should be familiar with both documents
before reading this document.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
The following terms are defined in this document or inherited from
[I-D.sato-soos-idp] and [I-D.sato-soos-hem]:
Audit Principal:
A registered principal with read-only access to governance audit
artifacts. Distinct from a HEM Principal. Receives Audit Alerts
and reviews Session Audit Records.
Governance Audit Record (GAR):
The audit architecture specified in this document, comprising five
audit types, the SAR, the Audit Alert system, and the Audit
Package.
IDP Commitment Gap:
A condition detected by the kernel when an agent's actual state
transition does not match the agent's declared IDP commitment.
Classified as a critical audit finding.
IDP Commitment Verification Record:
A kernel-generated record produced after every governed state
transition, recording whether the agent's action matched its IDP
commitment.
Kernel Self-Auditor:
An architectural property of the governing kernel. The kernel
evaluates its own Event Log after every commitment and generates
KERNEL_AUDIT_ANOMALY entries when inconsistencies are detected.
Not a human role.
Rationale Store:
A kernel-managed object store, separate from the Event Log,
holding Policy Rationale Declaration (PRD) objects and Decision
Rationale Records (DRR) indexed by their respective identifiers.
Session Audit Record (SAR):
A kernel-generated, kernel-signed summary of all governance events
in a session, produced automatically at session close.
Verified External Auditor:
A regulator, accounting firm, or other external party granted
time-limited, scope-limited read access to kernel audit artifacts
by the operator. Produces an Audit Package.
3. Architecture Overview
The GAR architecture comprises five audit types operating at
different timescales and with different principals:
+--------------------------------------------------------------+
|                     AI GOVERNANCE KERNEL                     |
|                                                              |
|  [IDP Events]  [HEM Events]  [CAP Events]  [GAR Events]      |
|       |             |             |             |            |
|       v             v             v             v            |
|      +----------------------------------------------+        |
|      |                  EVENT LOG                   |        |
|      |          append-only, kernel-signed          |        |
|      +----------------------------------------------+        |
|                              |                               |
|                  +-----------+-----------+                   |
|                  |                       |                   |
|                  v                       v                   |
|        [Type 1: Self-Audit]   [Type 2: SAR at close]         |
|             continuous            session summary            |
|                  |                       |                   |
|                  v                       v                   |
|        KERNEL_AUDIT_ANOMALY     SAR (kernel-signed)          |
|                  |                       |                   |
+------------------|-----------------------|-------------------+
                   v                       v
        [Type 3: Audit Alerts] [Type 4: Scheduled Audit]
          to Audit Principals   cross-session patterns
                                           |
                                           v
                                [Type 5: Audit Package]
                             to Verified External Auditor
The kernel is the sole source of audit truth. No agent, application,
HEM Principal, or Audit Principal can generate, modify, or suppress
kernel audit artifacts.
4. Audit Types
4.1. Type 1 -- Kernel Self-Audit
The kernel MUST evaluate its own Event Log after every Event Log
commitment. If the kernel detects an inconsistency -- a state
transition without a corresponding IDP submission, a HEM resolution
without a recorded trigger, a mandate referenced by an IDP that does
not exist in the mandate store -- the kernel MUST generate a
KERNEL_AUDIT_ANOMALY Event Log entry.
KERNEL_AUDIT_ANOMALY entries are immutable once written. The kernel
MUST NOT suppress KERNEL_AUDIT_ANOMALY entries. A
KERNEL_AUDIT_ANOMALY entry MUST immediately trigger a Type 3 Audit
Alert at CRITICAL severity (Section 7.3).
The kernel MUST also generate an IDP Commitment Verification Record
after every governed state transition (Section 8.1). An
IDP_COMMITMENT_GAP result MUST be treated as a critical audit finding
equivalent to KERNEL_AUDIT_ANOMALY for alert severity purposes.
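The three Section 4.1 consistency checks, run inside the commit path, as an added Python example (this is not code from the draft or its author). It assumes dict-shaped Event Log entries, an entry type named STATE_TRANSITION for governed state transitions, and a mandate store that is a set of mandate identifiers; all three are assumptions, since the draft names the conditions but not the entry shapes, and signing is left out:

```python
"""Type 1 Kernel Self-Audit, run after every Event Log commitment.

Added example; not code from the draft or its author. Assumed: Event Log
entries are dicts with 'event_type' plus the reference fields used below;
STATE_TRANSITION is an assumed entry name for a governed state transition
(the draft names the condition, not the entry); the mandate store is the
set of mandate_ids the kernel knows. Signing is omitted (Section 6.3).
"""


class EventLog:
    """Append-only: commit() is the only mutating method; no delete/update."""

    def __init__(self, mandate_store):
        self._entries = []
        self._mandate_store = frozenset(mandate_store)
        self._seen_idps = set()    # idp_ids with a prior IDP_SUBMITTED entry
        self._open_hems = set()    # hem_ids with a prior HEM_TRIGGERED entry
        self.anomaly_count = 0

    def entries(self):
        """Read-only view, as exposed to Audit Principals."""
        return tuple(self._entries)

    def commit(self, entry):
        """Commit one entry, then self-audit it (Section 4.1). A detected
        inconsistency is committed as a KERNEL_AUDIT_ANOMALY entry in the
        same call, before control returns to the caller, so no principal
        gets a chance to suppress it. Returns (seq, anomaly_or_None)."""
        entry = dict(entry, seq=len(self._entries))
        anomaly = self._self_audit(entry)   # checked against PRIOR entries only
        self._entries.append(entry)
        self._index(entry)
        if anomaly is not None:
            anomaly = dict(anomaly, seq=len(self._entries))
            self._entries.append(anomaly)
            self.anomaly_count += 1
        return entry["seq"], anomaly

    def _index(self, e):
        if e["event_type"] == "IDP_SUBMITTED":
            self._seen_idps.add(e["idp_id"])
        elif e["event_type"] == "HEM_TRIGGERED":
            self._open_hems.add(e["hem_id"])

    def _self_audit(self, e):
        """The three inconsistencies named in Section 4.1. Ordering matters:
        an IDP submitted after the transition it supposedly covers does not
        retroactively make that transition consistent."""
        t = e["event_type"]
        if t == "STATE_TRANSITION" and e.get("idp_id") not in self._seen_idps:
            detail = "state transition without corresponding IDP submission"
        elif t == "HEM_DECISION_RECEIVED" and e.get("hem_id") not in self._open_hems:
            detail = "HEM resolution without a recorded HEM_TRIGGERED entry"
        elif t == "IDP_SUBMITTED" and e.get("mandate_id") not in self._mandate_store:
            detail = "IDP references a mandate absent from the mandate store"
        else:
            return None
        return {"event_type": "KERNEL_AUDIT_ANOMALY",
                "session_id": e.get("session_id"),
                "offending_seq": e["seq"], "detail": detail}


def run_demo():
    """Constructed session: one consistent IDP/transition pair followed by
    one violation of each Section 4.1 condition."""
    log = EventLog(mandate_store={"mandate-1"})
    s = "session-1"
    log.commit({"event_type": "IDP_SUBMITTED", "session_id": s,
                "idp_id": "idp-1", "mandate_id": "mandate-1"})
    log.commit({"event_type": "STATE_TRANSITION", "session_id": s,
                "idp_id": "idp-1", "from_state": "DRAFT", "to_state": "BOOKED"})
    # transition citing an IDP that was never submitted
    log.commit({"event_type": "STATE_TRANSITION", "session_id": s,
                "idp_id": "idp-9", "from_state": "BOOKED", "to_state": "REFUNDED"})
    # HEM decision for a HEM event that was never triggered
    log.commit({"event_type": "HEM_DECISION_RECEIVED", "session_id": s,
                "hem_id": "hem-7", "decision_type": "APPROVE"})
    # IDP naming a mandate the kernel does not know
    log.commit({"event_type": "IDP_SUBMITTED", "session_id": s,
                "idp_id": "idp-2", "mandate_id": "mandate-404"})
    return log


if __name__ == "__main__":
    for e in run_demo().entries():
        print(e["seq"], e["event_type"], e.get("detail", ""))
```

Checking each entry only against entries committed before it is the point: an IDP_SUBMITTED entry that arrives after the transition it should have preceded does not clear the anomaly, and the anomaly entry is already in the log by the time commit() returns, which is what the draft's non-suppressibility requirement demands of the kernel.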
4.2. Type 2 -- Session-Close Audit
The kernel MUST generate a Session Audit Record (SAR) automatically
at the close of every governed session. SAR generation is not
requestable by any external party -- it fires unconditionally on
session close. The SAR specification is in Section 6.
4.3. Type 3 -- Event-Triggered Alert
The kernel MUST generate an Audit Alert when a normative trigger
condition is detected. Audit Alerts are delivered to all registered
Audit Principals for the governed session. The normative trigger
list is in Section 7.3.
4.4. Type 4 -- Scheduled Audit
Audit Principals MAY initiate cross-session pattern audits covering
a specified time range or SO Type population. The kernel MUST expose
a kernel.query_scheduled_audit() interface for this purpose. Type 4
audits produce cross-session pattern reports and MUST be recorded as
SCHEDULED_AUDIT_INITIATED and SCHEDULED_AUDIT_COMPLETED Event Log
entries.
The kernel SHOULD initiate a Type 4 audit automatically when a PRD
review_date is exceeded, covering all sessions governed by the
overdue policy.
4.5. Type 5 -- On-Demand External Audit
Operators MAY grant Verified External Auditors time-limited, scope-
limited read access to kernel audit artifacts. Access grants MUST be
recorded as EXTERNAL_AUDIT_ACCESS_GRANTED Event Log entries. Access
revocation MUST be recorded as EXTERNAL_AUDIT_ACCESS_REVOKED. Audit
Packages produced by Verified External Auditors are specified in
Section 9.
5. Auditor Principal Categories
GAR defines four distinct auditor categories. These are not
interchangeable.
5.1. HEM Principal
A HEM Principal is registered in a designation chain and resolves
HEM escalations. A HEM Principal is NOT an auditor. HEM Principals
do not receive Audit Alerts and do not have access to the Rationale
Store or Event Log beyond what is included in the HEM Escalation
Request.
5.2. Audit Principal
An Audit Principal is a registered principal with principal_type:
AUDIT. Audit Principals receive Audit Alerts, review Session Audit
Records, and may initiate Type 4 scheduled audits.
An Audit Principal MUST NOT appear in a HEM designation chain. The
kernel MUST reject SO Type configurations that place an Audit
Principal in a designation chain.
Audit Principals have read-only access to:
o The Event Log (kernel.query_event_log())
o The Rationale Store (kernel.query_rationale())
o Session Audit Records (kernel.query_sar())
o IDP Commitment Verification Records
Audit Principals MUST NOT be able to modify any kernel artifact.
5.3. Verified External Auditor
A Verified External Auditor is a regulator, accounting firm, or
other external party granted temporary read access by the operator.
Access is time-limited and scope-limited. The operator declares
the access scope (session range, SO Type filter, time window) and
expiry at grant time.
A Verified External Auditor produces an Audit Package (Section 9)
covering the declared scope. The Audit Package is kernel-signed as
of the production timestamp.
5.4. Kernel Self-Auditor
The Kernel Self-Auditor is an architectural property, not a human
role. It refers to the Type 1 continuous self-audit function
executed by the kernel after every Event Log commitment. It cannot
be disabled, configured, or bypassed.
6. Session Audit Record
6.1. SAR Generation
The kernel MUST generate a SAR automatically at the close of every
governed session regardless of close reason (normal completion,
TERMINATE decision, mandate expiry, session timeout, or error).
SAR generation MUST be atomic with session close. The kernel MUST
NOT return a session close confirmation to any external party before
the SAR is committed to the audit store.
The kernel MUST sign every SAR using Ed25519 with the kernel's
signing key. The signing key MUST be the same key used for Mandate
JWT signing and HEM Escalation Request signing, published via the
operator's JWKS endpoint.
6.2. SAR Schema
A SAR MUST contain the following fields. All fields are REQUIRED
unless stated otherwise.
sar_id:
Kernel-generated UUID. Unique identifier for this SAR.
session_id:
The session identifier. Links the SAR to all Event Log entries
for this session.
mandate_id:
The governing mandate identifier. The mandate in force at session
open.
mission_ref:
The MissionDeclaration reference. Null if no mission was
declared for this session.
open_timestamp:
ISO 8601 UTC timestamp of session open.
close_timestamp:
ISO 8601 UTC timestamp of session close.
close_reason:
Controlled vocabulary. One of: NORMAL_COMPLETION | TERMINATE_DECISION
| MANDATE_EXPIRY | SESSION_TIMEOUT | ERROR | CAP_SUSPENSION.
idp_submissions:
Array of IDP summary records. Each entry contains:
idp_id: IDP identifier.
goal_summary: Human-readable goal description.
cedar_outcome: PERMIT | DENY | HEM_ROUTED.
hem_triggered: Boolean.
hem_decision: Decision type if HEM was triggered, null
otherwise.
hem_events:
Array of HEM event summary records. Each entry contains:
hem_id: HEM event identifier.
trigger_class: Classes 1-5.
trigger_source: AGENT_DETECTED | TRAVELER_REQUEST |
SYSTEM_EVENT.
policy_rationale_id: PRD identifier, null if absent.
decision_type: Final decision type.
decision_rationale_class: DRR rationale class, null if absent.
resolution_time_seconds: Integer. Wall time from trigger to
resolution.
state_transitions:
Array of state transition records. Each entry contains:
from_state: Prior governed object state.
to_state: Resulting governed object state.
action: Cedar action string.
timestamp: ISO 8601 UTC.
cap_violations:
Array of CAP violation records. Each entry contains:
violation_id: CAP Violation Record identifier.
tier: 0 | 1 | 2.
prohibition_id: Prohibition identifier.
action: Action attempted.
outcome: REFUSED | SESSION_SUSPENDED | HEM_FIRED.
audit_summary:
Summary counts block. Contains:
total_transitions: Integer.
hem_events_count: Integer.
terminate_count: Integer.
auto_approve_count: Integer.
policy_rationale_gaps: Integer. HEM events with no PRD.
decision_rationale_gaps: Integer. HEM events where DRR was
required but absent.
cap_violation_count: Integer.
jurisdictional_conflicts: Integer.
kernel_signature:
Ed25519 signature over the canonical serialization of all SAR
fields except kernel_signature itself.
The idp_submissions, hem_events, state_transitions, and cap_violations
arrays carry reference fields and key summary data only. Full detail
for each record is available in the Event Log and Rationale Store.
The SAR is a governance summary and index, not a duplicate of the
Event Log.
6.3. SAR Signing
The kernel MUST sign the SAR using Ed25519 prior to committing it
to the audit store. The canonical serialization for signing is the
JSON serialization of all fields except kernel_signature, with keys
in lexicographic order at every nesting level and no whitespace.
For a verifier to reproduce the signer's bytes, the string escaping,
the number representation, and the encoding of the signature value
must also be fixed by the implementation; a verifier that
re-serializes the SAR differently from the signer will reject a
valid signature.
Audit Principals and Verified External Auditors MUST verify the
kernel_signature before relying on SAR content.
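SAR construction, canonical serialization and signature verification from Sections 6.1 to 6.3, as an added Python example (not the draft's code). The entry shapes, the STATE_TRANSITION entry name, the rule that a DRR is mandatory for TERMINATE decisions, and the idp_id carried on HEM_TRIGGERED are assumptions; the signing key is a real Ed25519 key when the third-party cryptography package is present and a clearly labelled HMAC stand-in otherwise, so the example runs offline either way:

```python
"""SAR generation, canonical serialization, signing and verification
(Sections 6.1 to 6.3). Added example, not the draft's code. Assumed: entries
are dicts with 'event_type' and the Section 8 fields; STATE_TRANSITION is an
assumed entry name; a DRR is assumed mandatory for TERMINATE decisions;
HEM_TRIGGERED carries its idp_id. The key is a real Ed25519 key when the
third-party 'cryptography' package is installed, otherwise an HMAC-SHA256
stand-in (symmetric, demo only, NOT a production substitute).
"""
import json, uuid

try:  # real Ed25519, as the draft requires
    from cryptography.hazmat.primitives.asymmetric import ed25519
    _PRIV = ed25519.Ed25519PrivateKey.generate()
    _PUB = _PRIV.public_key()   # the key the operator's JWKS endpoint would publish
    kernel_sign = _PRIV.sign

    def kernel_verify(data: bytes, sig: bytes) -> bool:
        try:
            _PUB.verify(sig, data)
            return True
        except Exception:       # cryptography.exceptions.InvalidSignature
            return False
except ImportError:             # stand-in only; see module docstring
    import hashlib, hmac
    _SECRET = b"demo-only-stand-in-key"
    kernel_sign = lambda data: hmac.new(_SECRET, data, hashlib.sha256).digest()
    kernel_verify = lambda data, sig: hmac.compare_digest(kernel_sign(data), sig)

SESSION_KEYS = ("session_id", "mandate_id", "mission_ref", "open_timestamp",
                "close_timestamp", "close_reason")
TRANSITION_KEYS = ("from_state", "to_state", "action", "timestamp")
CAP_KEYS = ("violation_id", "tier", "prohibition_id", "action", "outcome")

def canonical_bytes(record: dict) -> bytes:
    """Section 6.3: all fields but kernel_signature, keys sorted at every level,
    no whitespace; json's default ASCII escaping is kept as the fixed escaping."""
    body = {k: v for k, v in record.items() if k != "kernel_signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("ascii")

def generate_sar(session: dict, events: list) -> dict:
    """Build the Section 6.2 summary from one session's entries and sign it;
    the kernel commits the result before it confirms session close."""
    of = lambda t: [e for e in events if e["event_type"] == t]
    decisions = {d["hem_id"]: d for d in of("HEM_DECISION_RECEIVED")}
    hem_events, last_decision = [], {}
    for t in of("HEM_TRIGGERED"):
        d = decisions.get(t["hem_id"], {})
        hem_events.append({"hem_id": t["hem_id"], "trigger_class": t["trigger_class"],
                           "trigger_source": t["trigger_source"],
                           "policy_rationale_id": t.get("policy_rationale_id"),
                           "decision_type": d.get("decision_type"),
                           "decision_rationale_class": d.get("decision_rationale_class"),
                           "resolution_time_seconds": d.get("resolution_time_seconds")})
        last_decision[t["idp_id"]] = d.get("decision_type")   # latest HEM event wins
    sar = {"sar_id": str(uuid.uuid4()), **{k: session[k] for k in SESSION_KEYS},
           "idp_submissions": [{"idp_id": i["idp_id"], "goal_summary": i["goal_summary"],
                                "cedar_outcome": i["cedar_outcome"],
                                "hem_triggered": i["idp_id"] in last_decision,
                                "hem_decision": last_decision.get(i["idp_id"])}
                               for i in of("IDP_SUBMITTED")],
           "hem_events": hem_events,
           "state_transitions": [{k: s[k] for k in TRANSITION_KEYS} for s in of("STATE_TRANSITION")],
           "cap_violations": [{k: v[k] for k in CAP_KEYS} for v in of("CAP_VIOLATION_DETECTED")]}
    sar["audit_summary"] = {
        "total_transitions": len(sar["state_transitions"]),
        "hem_events_count": len(hem_events),
        "terminate_count": sum(h["decision_type"] == "TERMINATE" for h in hem_events),
        "auto_approve_count": sum(h["decision_type"] == "AUTO_APPROVE" for h in hem_events),
        "policy_rationale_gaps": sum(h["policy_rationale_id"] is None for h in hem_events),
        "decision_rationale_gaps": sum(h["decision_type"] == "TERMINATE" and
                                       h["decision_rationale_class"] is None for h in hem_events),
        "cap_violation_count": len(sar["cap_violations"]),
        "jurisdictional_conflicts": len(of("CAP_TIER1_CONFLICT_DETECTED"))}
    sar["kernel_signature"] = kernel_sign(canonical_bytes(sar)).hex()
    return sar

def verify_sar(sar: dict) -> bool:
    """What an Audit Principal does before relying on any SAR field."""
    return kernel_verify(canonical_bytes(sar), bytes.fromhex(sar["kernel_signature"]))

def demo_sar() -> dict:
    """Constructed session: two IDPs, an APPROVE with no PRD, a TERMINATE with
    no DRR, two transitions. The Cedar action strings are made up."""
    idp = lambda i, goal, out: {"event_type": "IDP_SUBMITTED", "idp_id": i,
                                "goal_summary": goal, "cedar_outcome": out}
    move = lambda i, a, b, act, ts: {"event_type": "STATE_TRANSITION", "idp_id": i, "from_state": a,
                                     "to_state": b, "action": act, "timestamp": ts}
    hem = lambda h, cls, src, prd: {"event_type": "HEM_TRIGGERED", "hem_id": h, "idp_id": "idp-2",
                                    "trigger_class": cls, "trigger_source": src, "policy_rationale_id": prd}
    dec = lambda h, d, secs: {"event_type": "HEM_DECISION_RECEIVED", "hem_id": h, "decision_type": d,
                              "decision_rationale_class": None, "resolution_time_seconds": secs}
    events = [idp("idp-1", "Book rail segment", "PERMIT"),
              move("idp-1", "DRAFT", "BOOKED", "Booking::confirm", "2026-05-17T09:00:10Z"),
              idp("idp-2", "Refund unused segment", "HEM_ROUTED"),
              hem("hem-1", 3, "AGENT_DETECTED", None), dec("hem-1", "APPROVE", 240),
              move("idp-2", "BOOKED", "REFUNDED", "Booking::refund", "2026-05-17T09:05:00Z"),
              hem("hem-2", 2, "SYSTEM_EVENT", "prd-7"), dec("hem-2", "TERMINATE", 31)]
    session = {"session_id": "session-42", "mandate_id": "mandate-9", "mission_ref": None,
               "open_timestamp": "2026-05-17T09:00:00Z", "close_timestamp": "2026-05-17T09:06:00Z",
               "close_reason": "TERMINATE_DECISION"}
    return generate_sar(session, events)
```

sort_keys applies at every nesting level, which is what makes audit_summary and each array element canonical. Changing any single field after signing, for instance one count in audit_summary, makes verify_sar() return False, because the signature covers everything except kernel_signature itself.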
6.4. SAR Retention
Operators SHOULD retain Session Audit Records for a minimum of 12
months from session close_timestamp. Operators subject to EU AI Act
Article 12 obligations MUST retain SARs for the period required by
applicable law. The kernel SHOULD warn Audit Principals when a SAR
approaches its configured retention expiry.
7. Audit Alert System
7.1. Alert Generation
The kernel MUST generate an Audit Alert when any normative trigger
condition listed in Section 7.3 is detected. Alert generation is
synchronous with the triggering event -- the kernel MUST generate the
alert before returning any response to the triggering agent or
principal.
7.2. Alert Schema
An Audit Alert MUST contain the following fields:
alert_id:
Kernel-generated UUID.
alert_severity:
CRITICAL | HIGH | MEDIUM | LOW.
alert_trigger:
Identifier of the normative trigger condition. See Section 7.3.
session_id:
The session in which the trigger occurred.
hem_id:
The HEM event identifier, if the trigger is HEM-related. Null
otherwise.
cap_violation_id:
The CAP Violation Record identifier, if the trigger is CAP-
related. Null otherwise.
detail:
Human-readable description of the trigger condition. REQUIRED.
timestamp:
ISO 8601 UTC timestamp of alert generation.
kernel_signature:
Ed25519 signature over canonical serialization of all fields
except kernel_signature.
delivered_to:
Array of Audit Principal identifiers to whom the alert was
delivered.
7.3. Normative Trigger List
The following trigger conditions MUST generate an Audit Alert.
Trigger identifiers are registered in the GAR Audit Alert Triggers
registry (Section 12.1).
+-----------------------------------------+-----------+
| Trigger                                 | Severity  |
+-----------------------------------------+-----------+
| KERNEL_AUDIT_ANOMALY                    | CRITICAL  |
| IDP_COMMITMENT_GAP                      | CRITICAL  |
| TERMINATE_DECISION                      | HIGH      |
| AUTO_APPROVE_DISPOSITION                | HIGH      |
| HEM_CHAIN_EXHAUSTED                     | HIGH      |
| MISSION_REVOKE_CASCADE                  | HIGH      |
| HEM_TERMINATE_RATIONALE_REQUIRED        | MEDIUM    |
| THREE_OR_MORE_HEM_EVENTS_IN_SESSION     | MEDIUM    |
| PRD_REVIEW_DATE_EXCEEDED                | MEDIUM    |
| POLICY_RATIONALE_GAPS_IN_SAR            | LOW       |
+-----------------------------------------+-----------+
Table 1: Normative Audit Alert Triggers
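Table 1 applied to a live entry stream, as an added Python example (not the draft's code). Wherever the draft does not name the entry behind a trigger, the mapping is an assumption: TERMINATE and AUTO_APPROVE as decision_type values, the HEM_CHAIN_CONSTITUTIONAL_EXHAUSTED entry of Section 8.2 as what raises HEM_CHAIN_EXHAUSTED, and MISSION_REVOKE_CASCADE recorded as an entry of the same name; kernel_signature is left unset since signing is specified in Section 6.3:

```python
"""Type 3 Audit Alert generation against Table 1 (Sections 7.1 to 7.3).
Added example; not the draft's code. Assumed: entries are dicts with the
Section 8 fields; TERMINATE and AUTO_APPROVE are the decision_type values
behind TERMINATE_DECISION and AUTO_APPROVE_DISPOSITION; the
HEM_CHAIN_CONSTITUTIONAL_EXHAUSTED entry (Section 8.2) is what raises
HEM_CHAIN_EXHAUSTED; MISSION_REVOKE_CASCADE is recorded as an entry of the
same name. kernel_signature is left None (signing is specified in 6.3).
"""
import uuid

SEVERITY = {  # Table 1
    "KERNEL_AUDIT_ANOMALY": "CRITICAL", "IDP_COMMITMENT_GAP": "CRITICAL",
    "TERMINATE_DECISION": "HIGH", "AUTO_APPROVE_DISPOSITION": "HIGH",
    "HEM_CHAIN_EXHAUSTED": "HIGH", "MISSION_REVOKE_CASCADE": "HIGH",
    "HEM_TERMINATE_RATIONALE_REQUIRED": "MEDIUM",
    "THREE_OR_MORE_HEM_EVENTS_IN_SESSION": "MEDIUM",
    "PRD_REVIEW_DATE_EXCEEDED": "MEDIUM", "POLICY_RATIONALE_GAPS_IN_SAR": "LOW",
}

DIRECT = {  # entry types that map one-to-one onto a trigger identifier
    "KERNEL_AUDIT_ANOMALY": "KERNEL_AUDIT_ANOMALY",
    "HEM_TERMINATE_RATIONALE_REQUIRED": "HEM_TERMINATE_RATIONALE_REQUIRED",
    "PRD_REVIEW_DATE_EXCEEDED": "PRD_REVIEW_DATE_EXCEEDED",
    "MISSION_REVOKE_CASCADE": "MISSION_REVOKE_CASCADE",
    "HEM_CHAIN_CONSTITUTIONAL_EXHAUSTED": "HEM_CHAIN_EXHAUSTED",
}


class Alerter:
    """Per-session state for the counting trigger plus the AUDIT_ALERT_FIRED
    trail. on_event() runs inside the commit path, before the kernel answers
    the agent or principal that caused the entry (Section 7.1)."""

    def __init__(self, audit_principals):
        self.audit_principals = list(audit_principals)
        self.hem_count = {}     # session_id -> HEM_TRIGGERED entries so far
        self.fired = []         # AUDIT_ALERT_FIRED entries, in firing order

    def on_event(self, e):
        alerts = [self._alert(t, e, f"{t} raised by {e['event_type']} entry")
                  for t in self._triggers(e)]
        for a in alerts:
            self._record(a)
        return alerts

    def on_sar(self, sar):
        """Section 7.3's one SAR-level trigger, evaluated on the signed SAR."""
        gaps = sar["audit_summary"]["policy_rationale_gaps"]
        if gaps == 0:
            return []
        e = {"event_type": "SAR_GENERATED", "session_id": sar["session_id"],
             "timestamp": sar["close_timestamp"]}
        a = self._alert("POLICY_RATIONALE_GAPS_IN_SAR", e,
                        f"{gaps} HEM event(s) without a PRD in SAR {sar['sar_id']}")
        self._record(a)
        return [a]

    def _triggers(self, e):
        t = e["event_type"]
        if t in DIRECT:
            yield DIRECT[t]
        if t == "IDP_COMMITMENT_VERIFIED" and e.get("match_result") == "IDP_COMMITMENT_GAP":
            yield "IDP_COMMITMENT_GAP"
        if t == "HEM_DECISION_RECEIVED" and e.get("decision_type") == "TERMINATE":
            yield "TERMINATE_DECISION"
        if t == "HEM_DECISION_RECEIVED" and e.get("decision_type") == "AUTO_APPROVE":
            yield "AUTO_APPROVE_DISPOSITION"
        if t == "HEM_TRIGGERED":
            s = e["session_id"]
            self.hem_count[s] = self.hem_count.get(s, 0) + 1
            if self.hem_count[s] == 3:    # once, on the third; not again on the fourth
                yield "THREE_OR_MORE_HEM_EVENTS_IN_SESSION"

    def _alert(self, trigger, e, detail):
        return {"alert_id": str(uuid.uuid4()), "alert_severity": SEVERITY[trigger],
                "alert_trigger": trigger, "session_id": e.get("session_id"),
                "hem_id": e.get("hem_id"), "cap_violation_id": e.get("violation_id"),
                "detail": detail, "timestamp": e.get("timestamp"),
                "kernel_signature": None,
                "delivered_to": list(self.audit_principals)}

    def _record(self, a):
        self.fired.append({"event_type": "AUDIT_ALERT_FIRED", "alert_id": a["alert_id"],
                           "alert_trigger": a["alert_trigger"],
                           "alert_severity": a["alert_severity"], "session_id": a["session_id"]})


def demo_alerts():
    """Constructed entry stream for one session, then its SAR summary.
    Returns the Alerter and every alert it produced, in order."""
    a, s, ts = Alerter(["audit-principal-1"]), "session-7", "2026-05-17T10:00:00Z"
    hem = lambda h: {"event_type": "HEM_TRIGGERED", "session_id": s, "hem_id": h, "timestamp": ts}
    dec = lambda h, d: {"event_type": "HEM_DECISION_RECEIVED", "session_id": s, "hem_id": h,
                        "decision_type": d, "timestamp": ts}
    stream = [hem("hem-1"), dec("hem-1", "APPROVE"),
              hem("hem-2"), dec("hem-2", "AUTO_APPROVE"),
              hem("hem-3"),                              # third HEM event in the session
              {"event_type": "IDP_COMMITMENT_VERIFIED", "session_id": s, "idp_id": "idp-4",
               "match_result": "IDP_COMMITMENT_GAP", "timestamp": ts},
              {"event_type": "KERNEL_AUDIT_ANOMALY", "session_id": s, "timestamp": ts,
               "detail": "HEM resolution without recorded trigger"},
              dec("hem-3", "TERMINATE")]
    alerts = [x for e in stream for x in a.on_event(e)]
    alerts += a.on_sar({"sar_id": "sar-7", "session_id": s, "close_timestamp": ts,
                        "audit_summary": {"policy_rationale_gaps": 1}})
    return a, alerts
```

THREE_OR_MORE_HEM_EVENTS_IN_SESSION is the one stateful trigger: it fires once, when the third HEM_TRIGGERED entry for a session is committed, and not again on every later one. POLICY_RATIONALE_GAPS_IN_SAR is the one trigger evaluated on the SAR rather than on an individual entry, which is why it has its own entry point.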
7.4. Alert Delivery
Audit Alerts MUST be delivered to all registered Audit Principals
for the governed session. Delivery MUST be recorded as an
AUDIT_ALERT_FIRED Event Log entry, followed by AUDIT_ALERT_DELIVERED
on successful delivery.
Implementations SHOULD deliver cross-system Audit Alerts as Security
Event Tokens (SETs) using a SET delivery method such as poll-based
delivery [RFC8936], as profiled by the Shared Signals Framework
(SSF).
Audit Principals SHOULD acknowledge Audit Alerts. Acknowledgement
MUST be recorded as AUDIT_ALERT_ACKNOWLEDGED.
8. Event Log Requirements
The Event Log is the append-only, kernel-maintained record of all
governance events in a session. The Event Log specification is
normative in [I-D.sato-soos-hem] Section 10. This section specifies the
GAR-specific Event Log entries that MUST be supported.
8.1. IDP Audit Events
IDP_SUBMITTED:
Recorded when an IDP is submitted to the kernel. Existing entry
type specified in [I-D.sato-soos-idp].
IDP_COMMITMENT_VERIFIED:
Recorded after every governed state transition. The kernel MUST
generate an IDP Commitment Verification Record and commit this
event. Fields: idp_id, state_transition_id, verified_at,
match_result (MATCHED | IDP_COMMITMENT_GAP), kernel_signature.
IDP_COMMITMENT_GAP:
Recorded when match_result is IDP_COMMITMENT_GAP. This is a
critical audit finding. The kernel MUST immediately:
(a) generate a CRITICAL Audit Alert (alert_trigger:
IDP_COMMITMENT_GAP), and
(b) fire HEM_AGENT_ESCALATED (Class 2) for the active session.
The kernel MUST NOT allow a session to continue after an
IDP_COMMITMENT_GAP without HEM resolution.
8.2. HEM Audit Events
The following HEM Event Log entries gain new fields under GAR:
HEM_TRIGGERED:
Existing entry type. GAR adds: policy_rationale_id (REQUIRED,
null if PRD absent -- absence recorded in audit_summary.
policy_rationale_gaps).
HEM_DECISION_RECEIVED:
Existing entry type. GAR adds: decision_rationale_class
(REQUIRED when DRR is mandatory for the decision type; OPTIONAL
otherwise).
The following new HEM Event Log entries are specified in
[I-D.sato-soos-hem] and recorded in the GAR Event Log:
HEM_DECISION_NOT_PERMITTED_FOR_TRIGGER_CLASS
HEM_TERMINATE_RATIONALE_REQUIRED
HEM_HUMAN_DECISION_CONSTITUTIONAL_VIOLATION
HEM_CHAIN_CONSTITUTIONAL_EXHAUSTED
KERNEL_AUDIT_ANOMALY
8.3. GAR Audit Events
The following Event Log entry types are introduced by this document:
SAR_GENERATED:
Recorded when a SAR is committed to the audit store. Fields:
sar_id, session_id, close_reason, kernel_signature.
AUDIT_ALERT_FIRED:
Recorded when an Audit Alert is generated. Fields: alert_id,
alert_trigger, alert_severity, session_id.
AUDIT_ALERT_DELIVERED:
Recorded when an Audit Alert is successfully delivered to an
Audit Principal. Fields: alert_id, principal_id, delivered_at.
AUDIT_ALERT_ACKNOWLEDGED:
Recorded when an Audit Principal acknowledges an Audit Alert.
Fields: alert_id, principal_id, acknowledged_at.
SCHEDULED_AUDIT_INITIATED:
Recorded when a Type 4 scheduled audit begins. Fields:
audit_id, initiated_by, scope_description, initiated_at.
SCHEDULED_AUDIT_COMPLETED:
Recorded when a Type 4 scheduled audit completes. Fields:
audit_id, completed_at, findings_count.
EXTERNAL_AUDIT_ACCESS_GRANTED:
Recorded when a Verified External Auditor is granted access.
Fields: auditor_id, granted_by, scope, expiry, granted_at.
AUDIT_PACKAGE_PRODUCED:
Recorded when a Verified External Auditor produces an Audit
Package. Fields: package_id, auditor_id, scope, produced_at,
package_hash.
EXTERNAL_AUDIT_ACCESS_REVOKED:
Recorded when Verified External Auditor access expires or is
revoked. Fields: auditor_id, revoked_at, revocation_reason.
PRD_REVIEW_DATE_EXCEEDED:
Recorded by the kernel's continuous self-audit when a PRD
review_date is exceeded. Fields: prd_id, policy_id,
review_date, detected_at. This entry MUST trigger a MEDIUM
Audit Alert (alert_trigger: PRD_REVIEW_DATE_EXCEEDED).
8.4. CAP Audit Events
The following CAP Event Log entries are specified in
[I-D.sato-soos-cap] and recorded in the GAR Event Log:
CAP_VIOLATION_DETECTED:
AI-initiated action refused by the Constitutional Evaluation
Engine. Fields: violation_id, tier, prohibition_id, action,
outcome, timestamp, kernel_signature.
CAP_HUMAN_VIOLATION_DETECTED:
Human principal decision refused by the Constitutional Evaluation
Engine. Fields: violation_id, tier, prohibition_id, decision,
outcome, timestamp, kernel_signature.
CAP_TIER1_CONFLICT_DETECTED:
Jurisdictional conflict detected at Tier 1. Fields: conflict_id,
conflicting_jurisdictions, resolution_method, hem_id, timestamp.
APPROVE_WITH_LEGAL_BASIS_RECORDED:
Principal submitted APPROVE_WITH_LEGAL_BASIS decision. Fields:
hem_id, principal_id, legal_basis (authority_type, authority_ref,
jurisdiction, expiry, document_hash), timestamp.
SESSION_CAP_SUSPENDED:
Session suspended due to CAP violation. Fields: session_id,
violation_id, suspended_at.
9. Audit Package
9.1. Package Composition
An Audit Package is produced by a Verified External Auditor and
covers a declared scope (session range, SO Type filter, or time
window). The Audit Package is a kernel-signed compilation of:
o All SARs within scope
o All Event Log entries within scope
o All PRD records from the Rationale Store for policies governing
sessions within scope
o All DRR records from the Rationale Store for decisions within
scope
o All Audit Alert records within scope
o All CAP Violation Records within scope
9.2. Package Schema
An Audit Package MUST contain the following fields:
package_id:
Kernel-generated UUID.
auditor_id:
Verified External Auditor identifier.
scope:
Declaration of what the package covers. Fields: session_range,
so_type_filter (optional), time_window.
sar_records:
Array of all SARs within scope.
event_log_records:
Array of all Event Log entries within scope.
prd_records:
Array of all PRD objects from the Rationale Store for policies
governing sessions within scope.
drr_records:
Array of all DRR objects from the Rationale Store for decisions
within scope.
audit_alert_records:
Array of all Audit Alert records within scope.
cap_violation_records:
Array of all CAP Violation Records within scope.
chain_of_custody:
Block containing:
package_hash: SHA-256 hash of the canonical serialization
(Section 6.3) of the six content fields above.
kernel_signature: Ed25519 signature over package_hash. The
signature binds the content only through package_hash, so a
verifier recomputes the hash from the content fields before
checking the signature.
produced_by: Verified External Auditor identifier.
produced_at: ISO 8601 UTC timestamp.
9.3. Access Control
The kernel MUST verify that the requesting party holds a valid,
unexpired Verified External Auditor access grant before producing
an Audit Package. The access grant MUST be scoped to include the
requested sessions.
Audit Package production MUST be recorded as AUDIT_PACKAGE_PRODUCED
in the Event Log.
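Scope enforcement and chain of custody for Audit Package production (Sections 9.1 to 9.3), as an added Python example (not the draft's code). The scope representation (an explicit list of session_ids and an ISO 8601 UTC time window compared as strings), a timestamp on every store record, and the PRD/DRR selection rules are assumptions; the Ed25519 signature over package_hash is left as a placeholder, since signing is specified in Section 6.3:

```python
"""Type 5 Audit Package production with scope enforcement and chain of
custody (Sections 9.1 to 9.3). Added example; not the draft's code.
Assumed: scope.session_range is an explicit list of session_ids;
time_window is [start, end] in ISO 8601 UTC, compared as strings (valid
for same-format UTC timestamps); every store record carries session_id
and timestamp; PRDs are selected via policy_rationale_id on in-scope
HEM_TRIGGERED entries and DRRs via the hem_id they explain; the Ed25519
signature over package_hash is left None (signing is specified in 6.3).
"""
import hashlib, json, uuid

CONTENT_FIELDS = ("sar_records", "event_log_records", "prd_records",
                  "drr_records", "audit_alert_records", "cap_violation_records")


class ScopeError(PermissionError):
    """Expired grant, or a request outside the granted scope."""


def _canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def package_hash(content: dict) -> str:
    return hashlib.sha256(_canonical({k: content[k] for k in CONTENT_FIELDS})).hexdigest()


def check_grant(grant, requested, now):
    """Section 9.3: a valid, unexpired grant whose scope covers the request."""
    g = grant["scope"]
    if now >= grant["expiry"]:
        raise ScopeError("access grant expired")
    if not set(requested["session_range"]) <= set(g["session_range"]):
        raise ScopeError("requested sessions outside granted session_range")
    if g.get("so_type_filter") and requested.get("so_type_filter") != g["so_type_filter"]:
        raise ScopeError("requested SO Type outside granted so_type_filter")
    if requested["time_window"][0] < g["time_window"][0] or requested["time_window"][1] > g["time_window"][1]:
        raise ScopeError("requested time_window outside granted time_window")


def _in_scope(r, scope):
    lo, hi = scope["time_window"]
    return r["session_id"] in scope["session_range"] and lo <= r["timestamp"] <= hi


def build_package(grant, requested, store, event_log, now):
    check_grant(grant, requested, now)     # enforced before any record is read
    events = [e for e in store["event_log"] if _in_scope(e, requested)]
    prd_ids = {e.get("policy_rationale_id") for e in events if e["event_type"] == "HEM_TRIGGERED"}
    hem_ids = {e["hem_id"] for e in events if "hem_id" in e}
    content = {
        "sar_records": [s for s in store["sars"] if _in_scope(s, requested)],
        "event_log_records": events,
        "prd_records": [p for p in store["prds"] if p["prd_id"] in prd_ids],
        "drr_records": [d for d in store["drrs"] if d["hem_id"] in hem_ids],
        "audit_alert_records": [a for a in store["alerts"] if _in_scope(a, requested)],
        "cap_violation_records": [v for v in store["cap_violations"] if _in_scope(v, requested)],
    }
    h = package_hash(content)
    pkg = {"package_id": str(uuid.uuid4()), "auditor_id": grant["auditor_id"],
           "scope": requested, **content,
           "chain_of_custody": {"package_hash": h, "kernel_signature": None,
                                "produced_by": grant["auditor_id"], "produced_at": now}}
    event_log.append({"event_type": "AUDIT_PACKAGE_PRODUCED", "package_id": pkg["package_id"],
                      "auditor_id": grant["auditor_id"], "scope": requested,
                      "produced_at": now, "package_hash": h})
    return pkg


def verify_package_hash(pkg) -> bool:
    """Recompute the hash from the content fields; the kernel signature binds
    only package_hash, so this step is what ties the signature to the content."""
    return package_hash(pkg) == pkg["chain_of_custody"]["package_hash"]


def demo_store():
    """Constructed audit store: session s1 inside the May window, s2 outside."""
    ts1, ts2 = "2026-05-10T12:00:00Z", "2026-06-01T12:00:00Z"
    return {
        "sars": [{"sar_id": "sar-1", "session_id": "s1", "timestamp": ts1},
                 {"sar_id": "sar-2", "session_id": "s2", "timestamp": ts2}],
        "event_log": [
            {"event_type": "HEM_TRIGGERED", "session_id": "s1", "hem_id": "hem-1",
             "policy_rationale_id": "prd-1", "timestamp": ts1},
            {"event_type": "HEM_DECISION_RECEIVED", "session_id": "s1", "hem_id": "hem-1", "timestamp": ts1},
            {"event_type": "HEM_TRIGGERED", "session_id": "s2", "hem_id": "hem-2",
             "policy_rationale_id": "prd-2", "timestamp": ts2}],
        "prds": [{"prd_id": "prd-1"}, {"prd_id": "prd-2"}],
        "drrs": [{"drr_id": "drr-1", "hem_id": "hem-1"}, {"drr_id": "drr-2", "hem_id": "hem-2"}],
        "alerts": [{"alert_id": "al-1", "session_id": "s1", "timestamp": ts1}],
        "cap_violations": [],
    }


GRANT = {"auditor_id": "regulator-x", "expiry": "2026-07-01T00:00:00Z",
         "scope": {"session_range": ["s1", "s2"], "so_type_filter": None,
                   "time_window": ["2026-05-01T00:00:00Z", "2026-05-31T23:59:59Z"]}}
```

The grant check runs before any record is read, so an out-of-scope or expired request produces no partial package and no AUDIT_PACKAGE_PRODUCED entry. Because the kernel signature binds only package_hash, a verifier has to recompute the hash over the six content fields; verify_package_hash() is that step, and removing or editing any record in the package makes it fail.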
10. EU AI Act Applicability
10.1. Article 12 Mapping
EU AI Act [EU-AI-ACT] Article 12 (Record-keeping) requires that
high-risk AI systems technically allow the automatic recording of
events (logs) over their lifetime, and that the logging capability
provide traceability of the system's functioning appropriate to its
intended purpose: identifying situations that may present a risk,
facilitating post-market monitoring (Article 72), and supporting the
deployer's monitoring of operation (Article 26(5)). The retention
period for those logs is set separately, by Article 19 for providers
and Article 26(6) for deployers, at a minimum of six months unless
Union or national law provides otherwise. The following table maps
these provisions to GAR mechanisms.
This mapping is informative. It identifies the GAR artifacts an
operator can cite when documenting logging capability, and operators
may reference this section in conformance documentation; whether a
given deployment meets Article 12 remains a question for that
operator's own conformity assessment and cannot be settled by this
specification.
+------------------------------+--------------------------------+------+
| AI Act Provision             | GAR Mechanism                  | Sec. |
+------------------------------+--------------------------------+------+
| 12(1) Automatic recording    | Event Log: append-only,        | 8    |
| of events (logs) over the    | kernel-generated, cannot be    |      |
| system lifetime              | suppressed                     |      |
+------------------------------+--------------------------------+------+
| 12(2) Traceability of        | hem_id chain across Event Log  | 8, 6 |
| operation appropriate to     | entries; full causal history   |      |
| the intended purpose         | reconstructible from any       |      |
|                              | event; SAR as session index    |      |
+------------------------------+--------------------------------+------+
| 12(2)(a) Identifying         | Audit Alerts (Table 1);        | 7, 8 |
| situations that may present  | KERNEL_AUDIT_ANOMALY and       |      |
| a risk                       | IDP_COMMITMENT_GAP entries;    |      |
|                              | CAP violation entries          |      |
+------------------------------+--------------------------------+------+
| 12(2)(b) Facilitating        | Type 4 scheduled audits and    | 4.4, |
| post-market monitoring       | Type 5 Audit Packages          | 9    |
| (Art. 72)                    |                                |      |
+------------------------------+--------------------------------+------+
| 12(2)(c) Monitoring of       | principal_type + principal_id  | 8.2  |
| operation by the deployer    | + decision_type + DRR on every |      |
| (Art. 26(5)); human          | HEM_DECISION_RECEIVED entry    |      |
| oversight record             |                                |      |
+------------------------------+--------------------------------+------+
| Policy audit record          | PRD + policy_rationale_id on   | 8.2  |
| (supports 12(2)              | every HEM_TRIGGERED entry      |      |
| traceability)                |                                |      |
+------------------------------+--------------------------------+------+
| Art. 19(1), 26(6) Retention  | SAR close_timestamp + operator | 6.4  |
| of logs: at least six months | retention configuration;       |      |
| unless otherwise required    | SHOULD minimum 12 months       |      |
| by law                       |                                |      |
+------------------------------+--------------------------------+------+
Table 2: EU AI Act Article 12 Mapping
11. Security Considerations
The GAR audit architecture relies on the following security
properties:
Kernel signing key integrity:
All SAR, Audit Alert, IDP Commitment Verification Record, and
Audit Package chain-of-custody signatures depend on the integrity
of the kernel's Ed25519 signing key. Operators MUST protect the
kernel signing key using hardware security module (HSM) controls
or equivalent. Key compromise MUST be treated as a critical
security incident requiring immediate rotation and re-signing of
all affected audit artifacts. Re-signing restores verifiability
only for artifacts whose content can be established independently
of the compromised key, for example from a hash-chained Event Log
or from periodic digests anchored outside the kernel; without such
an anchor, artifacts signed between compromise and detection cannot
be told apart from forgeries. Because the same key also signs
Mandate JWTs and HEM Escalation Requests (Section 6.1), the signed
serialization of each artifact type needs to be distinguishable,
so that a signature over one artifact cannot be presented as a
signature over another.
Event Log append-only property:
The Event Log MUST be implemented as an append-only data structure.
The kernel MUST NOT expose any API that deletes or modifies an
existing entry. Audit Principals and Verified External Auditors
MUST have read-only access. Append-only storage by itself does not
let an auditor detect truncation or reordering after the fact;
hash-chaining each entry to its predecessor and recording the chain
head in a kernel-signed artifact such as the SAR makes completeness
verifiable from any SAR or Audit Package.
Non-suppressibility:
The kernel MUST NOT expose any interface that allows an agent,
application, HEM Principal, or Audit Principal to suppress SAR
generation, Audit Alert firing, or IDP Commitment Verification.
Implementations MUST be reviewed for any code path that could
conditionally skip these operations.
Audit Principal separation:
Audit Principals MUST be registered separately from HEM
Principals. The same party SHOULD NOT hold both roles for
the same SO Type. Separation prevents a principal from
suppressing audit findings about their own HEM decisions.
Verified External Auditor access:
Kernel interfaces for Verified External Auditor access MUST
enforce scope limitations at the query layer. Access grants
MUST expire automatically. The kernel MUST reject queries
outside the declared scope.
PRD review_date enforcement:
Operators MUST ensure that PRD review_date values reflect
genuine governance review cycles. Stale PRDs with extended
review_dates undermine the living governance record property
that PRD is designed to provide.
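A hash-chained Event Log, as an added Python example (not the draft's code) of how the append-only property above becomes something an auditor can verify rather than trust. The seq, prev_hash and entry_hash fields are assumptions; the draft requires append-only storage but does not specify chaining. Hashing uses SHA-256 over the Section 6.3 canonical serialization:

```python
"""Hash-chained Event Log so that truncation, reordering and in-place edits
are detectable (Section 11, 'Event Log append-only property'). Added
example; the draft requires append-only storage but does not specify
chaining, so seq, prev_hash and entry_hash are assumed fields. Hashing is
SHA-256 over the Section 6.3 canonical serialization.
"""
import hashlib
import json

GENESIS = "0" * 64


def _entry_hash(e) -> str:
    body = {k: v for k, v in e.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True,
                                     separators=(",", ":")).encode()).hexdigest()


def append(log: list, entry: dict) -> dict:
    """The only way an entry gets in: it commits to its predecessor's hash."""
    e = dict(entry, seq=len(log), prev_hash=log[-1]["entry_hash"] if log else GENESIS)
    e["entry_hash"] = _entry_hash(e)
    log.append(e)
    return e


def verify_chain(log: list, expected_head: str = None):
    """Returns (ok, reason). expected_head is the chain head the auditor
    obtained independently (for instance carried in a signed SAR or an
    externally anchored digest); without it, dropping entries from the
    tail is undetectable."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e.get("seq") != i:
            return False, f"seq mismatch at position {i}"
        if e.get("prev_hash") != prev:
            return False, f"chain break at seq {i}"
        if _entry_hash(e) != e.get("entry_hash"):
            return False, f"entry {i} modified after commit"
        prev = e["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: log truncated or replaced"
    return True, "ok"


def demo_log() -> list:
    """Constructed four-entry session log (deterministic: no ids or times)."""
    log = []
    for entry in [
        {"event_type": "IDP_SUBMITTED", "idp_id": "idp-1"},
        {"event_type": "STATE_TRANSITION", "idp_id": "idp-1", "to_state": "BOOKED"},
        {"event_type": "HEM_TRIGGERED", "hem_id": "hem-1"},
        {"event_type": "HEM_DECISION_RECEIVED", "hem_id": "hem-1", "decision_type": "APPROVE"},
    ]:
        append(log, entry)
    return log


def tamper_cases() -> dict:
    """Each manipulation an append-only API would forbid, and the verdict."""
    head = demo_log()[-1]["entry_hash"]
    edited = demo_log()
    edited[3]["decision_type"] = "TERMINATE"          # in-place edit
    deleted = demo_log()
    del deleted[2]                                     # HEM_TRIGGERED removed
    truncated = demo_log()[:3]                         # tail dropped
    reordered = demo_log()
    reordered[1], reordered[2] = reordered[2], reordered[1]
    return {
        "intact": verify_chain(demo_log(), head)[0],
        "edited": verify_chain(edited, head)[0],
        "deleted": verify_chain(deleted, head)[0],
        "truncated_no_anchor": verify_chain(truncated)[0],   # passes: nothing to compare
        "truncated_with_anchor": verify_chain(truncated, head)[0],
        "reordered": verify_chain(reordered, head)[0],
    }
```

Without an independently obtained chain head, dropping entries from the tail is undetectable, which is why tamper_cases() reports truncation as passing when no anchor is supplied and failing when one is; every other manipulation breaks either a seq, a prev_hash link or an entry hash and is caught without an anchor.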
12. IANA Considerations
12.1. GAR Audit Alert Triggers Registry
This document establishes the "Governance Audit Record Audit Alert
Triggers" registry. The registry is maintained at:
https://www.iana.org/assignments/gar-audit-alert-triggers
Registration procedure: Specification Required.
Initial values:
+------------------------------------------+-----------+-----------+
| Trigger Identifier                       | Severity  | Reference |
+------------------------------------------+-----------+-----------+
| KERNEL_AUDIT_ANOMALY                     | CRITICAL  | Sec. 7.3  |
| IDP_COMMITMENT_GAP                       | CRITICAL  | Sec. 7.3  |
| TERMINATE_DECISION                       | HIGH      | Sec. 7.3  |
| AUTO_APPROVE_DISPOSITION                 | HIGH      | Sec. 7.3  |
| HEM_CHAIN_EXHAUSTED                      | HIGH      | Sec. 7.3  |
| MISSION_REVOKE_CASCADE                   | HIGH      | Sec. 7.3  |
| HEM_TERMINATE_RATIONALE_REQUIRED         | MEDIUM    | Sec. 7.3  |
| THREE_OR_MORE_HEM_EVENTS_IN_SESSION      | MEDIUM    | Sec. 7.3  |
| PRD_REVIEW_DATE_EXCEEDED                 | MEDIUM    | Sec. 7.3  |
| POLICY_RATIONALE_GAPS_IN_SAR             | LOW       | Sec. 7.3  |
+------------------------------------------+-----------+-----------+
Table 3: Initial GAR Audit Alert Triggers Registry Values
12.2. GAR Auditor Principal Types Registry
This document establishes the "Governance Audit Record Auditor
Principal Types" registry. The registry is maintained at:
https://www.iana.org/assignments/gar-auditor-principal-types
Registration procedure: Standards Action.
Initial values:
+---------------------------+---------------------------------------+
| Type                      | Description                           |
+---------------------------+---------------------------------------+
| HEM_PRINCIPAL             | Resolves HEM escalations.             |
|                           | NOT an auditor.                       |
+---------------------------+---------------------------------------+
| AUDIT_PRINCIPAL           | Receives Audit Alerts, reviews SARs,  |
|                           | initiates Type 4 scheduled audits.    |
|                           | Read-only kernel access.              |
+---------------------------+---------------------------------------+
| VERIFIED_EXTERNAL_AUDITOR | Regulator or accounting firm.         |
|                           | Time-limited, scope-limited kernel    |
|                           | access. Produces Audit Packages.      |
+---------------------------+---------------------------------------+
| KERNEL_SELF_AUDITOR       | Architectural property of the kernel. |
|                           | Not a human role.                     |
+---------------------------+---------------------------------------+
Table 4: Initial GAR Auditor Principal Types Registry Values
13. References
13.1. Normative References
[I-D.sato-soos-hem]
Sato, T., "The Human Escalation Mechanism (HEM) for
Agentic AI Systems", Work in Progress, Internet-Draft,
draft-sato-soos-hem-00, May 2026.
[I-D.sato-soos-idp]
Sato, T., "The Intent Declaration Primitive (IDP) for
Agentic AI Systems", Work in Progress, Internet-Draft,
draft-sato-soos-idp-00, May 2026.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in
RFC 2119 Key Words", BCP 14, RFC 8174,
DOI 10.17487/RFC8174, May 2017.
[RFC8936] Hunt, P., Ed., Brock, M., Backman, A., and M. Jones,
"Poll-Based Security Event Token (SET) Delivery Using
HTTP", RFC 8936, DOI 10.17487/RFC8936, November 2020.
13.2. Informative References
[I-D.sato-soos-cap]
Sato, T., "The Constitutional AI Protocol (CAP) for
Agentic AI Systems", Work in Progress, Internet-Draft,
draft-sato-soos-cap-00, May 2026.
(forthcoming)
[EU-AI-ACT]
European Parliament and Council, "Regulation (EU)
2024/1689 laying down harmonised rules on artificial
intelligence", OJ L 2024/1689, July 2024.
Author's Address
Tom Sato
MyAuberge K.K.
Chino, Nagano
Japan
Email: tomsato@myauberge.jp
URI: https://activitytravel.pro/