Your Agent Can't Be Audited, and That's About to Be a Problem
Your Agent Can't Be Audited, and That's About to Be a Problem
by Steve Harmon
Every serious conversation about deploying AI agents ends at the same wall. Not capability. Not cost. The wall is a question someone in the room eventually asks:
"When it acts, and it's wrong, how will we know why?"
For almost every agent in production today, the honest answer is: we won't. We'll have logs. We'll have the prompt. We'll have a trace of tool calls. What we won't have is the decision itself, the thing that connects what the agent observed to what it did, in a form anyone can examine after the fact.
Retrieval answers the wrong question
The last three years of AI infrastructure solved the question of what is true. Retrieval, grounding, citations. An agent can now tell you where a fact came from. Useful, but not the same problem. Acting agents face a different question:
Was this worth acting on, and how would we know if it wasn't?
A citation tells you the fact was real. It tells you nothing about whether acting on it was justified, what the agent believed the fact implied, or what future evidence would have proven the call wrong. An agent can be perfectly grounded and completely unaccountable.
When an agent recommends or takes an action, three questions need answers after the fact:
What did it act on?
Why did it judge that worth acting on?
What would have made that judgment wrong?
An agent that can't answer these can't be audited. It can't be trusted in a decision path. And it can't be insured, which is the part that bites first. Insurers, compliance teams, and procurement departments don't price capability. They price accountability. As agents move from demos into workflows that touch money, customers, and legal exposure, "we have the logs" stops clearing the bar. Everyone building agent products is going to discover this at contract time.
The minimum accountable record
The fix is not a better model. It's a structural requirement on output. For every action an agent recommends or takes, it should emit a record with four components:
signal what changed, with sources and a timestamp
judgment why it matters, with a confidence and a reference to the signal
action what should happen, with a reference to the judgment
falsifier what would make this wrong, as a concrete, checkable condition
The references form a chain. The judgment points at the signal it rests on. The action points at the judgment it discharges. That chain is what makes an action traceable to the change that prompted it. Not reconstructed from logs afterward. Stated by the agent at decision time.
The falsifier is the piece almost nothing emits today, and it matters most. An agent that states in advance what would reverse its own call has done something no confidence score does: it has made itself checkable. Not "was the output plausible" but "did the stated condition trigger." Correctness stops being an impression and becomes a measurement you can run.
Conformance, not certification theater
I'm publishing this as an open standard. FJP-CONF is a conformance suite for what the spec calls Judgment-Grounded Records. Four cumulative levels:
L0 Structural. The agent externalizes its decision at all: a well-formed record, all four components.
L1 Grounded. The signal is attributable and the reference chain resolves. The action traces to a source.
L2 Falsifiable. The falsifier is concrete and checkable, not a vacuous catch-all. The agent has said in advance what would prove it wrong.
L3 Accountable. Records are retained. Given a record ID, the agent returns the original record and re-evaluates whether its falsifier has since triggered. A past action can be audited against what actually happened.
Two design choices matter here.
Method is out of scope, on purpose. The suite tests observable output, not internal process. Any model, any pipeline, any heuristic. Two agents may reach opposite conclusions and both conform. Conformance asserts that a decision is accountable, not that it's correct. Correctness gets measured over time, by whether falsifiers trigger. This is also what keeps the standard vendor-neutral: nobody has to adopt anyone's architecture to adopt the record.
Claims are reproducible. "Conforms to FJP-CONF v0.1, Level 2" is a sentence anyone can verify by running the public suite against your agent's output. The gate is not a vendor's word or a paid certification. It's a runnable check. Stdlib-only Python, no dependencies, Apache 2.0.
Why now
Agent frameworks are converging on how agents act: tool use, planning, orchestration. Nothing has converged on how agents account for acting. Every team invents its own decision logging. So every audit is bespoke, every post-mortem is archaeology, and no two agents' decisions are comparable.
We've been here before. Interoperability problems of this shape get solved the same way every time: a minimal shared record, a public...