A category, and a layer

Agent Audit and Management.

Every industry adopting AI agents will need a cryptographic record of what those agents actually did — admissible after the fact, verifiable without trusting the vendor. Bonis Systems operates a vendor-neutral audit-permanence layer that sits above any control plane, any agent runtime, and any orchestration framework.

Vendor-neutral · Above any control plane · Bitcoin-anchored · FRE 902(13)/(14) architectural fit · Post-quantum (ML-DSA-87) · Defensive only

Disambiguation

AAM is not safety, not alignment, not observability, not MLOps.

Each of these disciplines answers a different question. AAM answers the one that arrives last and stays the longest: what did the agent actually do, and is the record still verifiable years from now.

AI Safety asks: What is the agent permitted to attempt?
AAM produces: A tamper-evident record of what it actually did, attempted or otherwise.

AI Alignment asks: What does the agent choose to do, and is that aligned with intent?
AAM produces: An after-the-fact record that survives the agent, the operator, and the vendor.

AI Observability asks: What is the agent doing right now, in real time?
AAM produces: A long-tail evidentiary record — admissible to a court a decade later.

MLOps / AgentOps asks: How is the agent built, deployed, and monitored?
AAM produces: A record of what the deployed agent committed to, which a third party can verify.

AAM is downstream of safety and alignment, adjacent to observability, and orthogonal to MLOps. A mature stack will run all of them. They do not replace each other.


AAM lanes

One primitive, many operational seams.

The same Knox audit-permanence layer treats different classes of agent action as discrete event taxonomies. Each lane below maps the primitive onto a specific operational seam — with its own anchors, its own FAQ, and its own worked examples.

Lane · Architecture map

Three-Layer Agent Architecture

Three layers, three customer types, one cryptographic spine. Layer 1 (AAM, audit-permanence) + Layer 2 (AI Production Discipline) + Layer 3 (Continuity & Adversarial Resilience). The map of where Bonis Systems operates across the agent stack.

Lane · Layer 2

AI Production Discipline

Pre-deploy methodology that catches the defect before it ships — so the audit layer never has to memorialize a fault. Six primitives: Truth Protocol three-source, multi-pass measurement, Stop-and-Save Rule, Coachbuilt floor, Stealth Posture, Evidence Ledger.

Lane · Layer 3

Continuity & Adversarial Resilience

What survives when the world breaks. Evidence generator (Knox Edge Anchor) and identity generator (HSM/TPM-bound PQC) preserve the chain when the network drops, infrastructure fails, or an adversary takes a swing. Anchor primitives and PQC stack shipped; Edge Anchor and HSM binding in active scope.

Lane

Agent Memory

Every memory write, read, edit, redaction, export, and policy change becomes a Bitcoin-anchored, court-admissible event. Vendor-neutral, above any memory store.

Lane

Agent Transactions

Every offer, acceptance, settlement, dispute, and reversal becomes a tamper-evident commitment record. Vendor-neutral, above any marketplace or payment rail.

Lane · Compatibility

Control-Plane Compatibility

A control plane authorizes what agents may attempt. AAM records what they actually did. Knox composes above any control plane — Microsoft Agent 365, Rubrik Agent Govern, AWS Bedrock, Vertex AI, in-house — without coupling.

Lane · Compatibility

Model Context Protocol

An open spec for tool calls, met by an open chain for the record. Tool calls, resource fetches, and prompt invocations through any MCP server become tamper-evident anchors — without modifying the server itself.

Lane · Live

Knox Anchor MCP Server

The audit-permanence layer, exposed as typed MCP tools any compatible agent runtime can call. Streamable HTTP transport. Seven tools. Stateless. The MCP envelope over the live Knox primitive — no second chain, no second key system.

Lane · Federal

GSAR 552.239-7001

A public mapping of GSA's draft AI safeguarding clause to Knox primitives — American AI eligibility, 72-hour CISA reporting, eyes-off data handling, traceability, 90-day artifact preservation. Architecture, not advocacy.

Lane · Theater

Automotive AI Agent Audit

Every vehicle shipping AI driving assistance logs telemetry internally; the manufacturer owns the only copy. Driver-vs-AI blame is structurally unresolvable when the entity whose AI may have caused the crash is the sole custodian of evidence. Vendor-neutral, Bitcoin-anchored, court-admissible architecture.

Lane · Theater

Payments AI Agent Audit

Every transaction passing through a payment gateway flows through code the merchant cannot independently verify at the moment of execution. PCI-DSS audits configuration, not per-transaction code-and-data integrity. Vendor-neutral cryptographic audit-permanence above any payment gateway.

Lane · Reference

Knox Event Taxonomy

Public reference for the 98 canonical Knox event types — the audit-permanence schema under every AAM record. Sourced from src/lib/knox-anchor.ts, mirrored at /bonis/agent-feed.json, and reproducible by an outside party without contacting Bonis Systems.

Lane · Standards

AITH Protocol Alignment

AITH (AI Trust Handshake, arXiv:2604.07695) is a published post-quantum continuous delegation protocol — how an agent is granted, bounded, and revoked. Knox is the cryptographic audit-permanence layer that records what the bounded agent then did. Same primitives — ML-DSA-87 (NIST FIPS 204) and SHA-256 — complementary layers, formally verified on both sides.


The category

Every industry × every agent × every action.

Healthcare, financial services, government, energy, legal, commerce — agents are entering every operational seam. Each agent action is a state change with consequences: a transaction initiated, a record updated, a contract executed, a document generated, a refund issued, a privilege asserted. None of those actions is self-authenticating by default.

AAM is the post-deployment evidence layer that closes the gap. It is downstream of AI safety (which constrains what agents are permitted to attempt) and AI alignment (which shapes what agents choose to do), and adjacent to AI observability (which describes what agents are doing right now). AAM is the long-tail record: what did the agent do, when, with what inputs, against what policy, and is the record still verifiable in ten years.

The same answer must hold whether the question arrives from an internal auditor, a regulator, a court, an insurance carrier, a counter-party, or a future operator who has never met the people who deployed the agent.


The architecture

One primitive, several layers, zero proprietary lock-in.

Bonis built AAM the way NVIDIA built guardrails for open-source AI: as the trust layer above a heterogeneous ecosystem, not as a competing control surface. The primitives below are the already-shipping mechanics of the layer.


Vendor neutrality

Above any control plane.

A control plane authorizes what an agent may attempt. An identity provider authenticates who an agent is. A runtime executes the agent. A framework orchestrates the agent's calls. Each is a layer that may be vendor-specific.

AAM, as Bonis runs it, sits above all of those — receiving structured action records from any of them, hashing them client-side or server-side, and anchoring them to a public chain. The audit layer is independent of who authorized the action and who executed it. That independence is the property that makes the record useful to a regulator, a court, or a counter-party.

Concretely: a Bonis anchor for an agent action originating inside Vendor A's control plane is verifiable using the same Bitcoin tooling as an anchor for an agent action originating inside Vendor B's. The customer never has to choose between the audit layer and the control plane they prefer.


Standards alignment

Open specs, public chain.

Post-quantum cryptography

NIST FIPS 204 (ML-DSA / Dilithium) and FIPS 205 (SLH-DSA / SPHINCS+) shipped on Knox Agent #11 Layer 4. ML-DSA-87 is the highest-strength parameter set and is the same primitive cited in academic agent-trust specifications.

@noble/post-quantum · 6 parameter sets · live

Public-chain anchoring

OpenTimestamps protocol over Bitcoin. The proof is portable — any third party with an OpenTimestamps client and a Bitcoin full node can verify any Bonis anchor without Bonis being in the loop.

opentimestamps.org · Bitcoin · independent

Federal Rules of Evidence

Anchors and the affidavits derived from them are architected to meet the self-authentication requirements of FRE 902(13) and 902(14). Admissibility in any given matter is determined by the presiding court.

FRE 902(13) · 902(14) · architectural fit

Formal methods

The anchor pipeline has a TLA+ specification of its hash-link, sequence-monotonicity, and Merkle-root invariants. The spec is public, the source is public, the verifier is public.

TLA+ · /bonis/spec · public source
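
The three invariants named above (hash link, sequence monotonicity, Merkle root) can be checked by a small verifier over hashed action records of the kind described under "Vendor neutrality". This is an added JavaScript example, not Bonis or Knox code: the record fields, the sample action names and the Merkle construction are assumptions, and the anchored root stands in for a value committed to a public chain.

```javascript
// Added illustration: record fields and the Merkle construction are assumptions
// for this sketch, not the Knox schema or the published TLA+ spec.
const { createHash } = require("node:crypto");

const sha256 = (s) => createHash("sha256").update(s).digest("hex");
const GENESIS = "0".repeat(64);

// A record hash commits to the sequence number, previous hash and payload.
const recordHash = (seq, prev, action) => sha256(JSON.stringify([seq, prev, action]));

// Append one agent action, linking it to the current tail of the log.
function append(log, action) {
  const prev = log.length ? log[log.length - 1].hash : GENESIS;
  const seq = log.length;
  log.push({ seq, prev, action, hash: recordHash(seq, prev, action) });
  return log;
}

// Merkle root over record hashes; an unpaired node is promoted unchanged.
function merkleRoot(hashes) {
  let level = hashes.length ? hashes.slice() : [GENESIS];
  while (level.length > 1) {
    const next = [];
    for (let i = 0; i < level.length; i += 2) {
      next.push(i + 1 < level.length ? sha256("node:" + level[i] + level[i + 1]) : level[i]);
    }
    level = next;
  }
  return level[0];
}

// Check hash link, sequence monotonicity and Merkle root against an anchored root.
function verify(log, anchoredRoot) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const r = log[i];
    if (r.seq !== i) return `sequence gap at index ${i}`;
    if (r.prev !== prev) return `broken hash link at seq ${i}`;
    if (r.hash !== recordHash(r.seq, r.prev, r.action)) return `record ${i} altered`;
    prev = r.hash;
  }
  return merkleRoot(log.map((r) => r.hash)) === anchoredRoot ? "ok" : "merkle root mismatch";
}

// Constructed sample actions (not real Knox event types).
const SAMPLE = ["memory.write", "tool.call", "refund.issue"];
const buildSample = () => SAMPLE.reduce((log, a) => append(log, a), []);
```

A chain rewritten from scratch keeps its links and sequence numbers consistent, so only the comparison with the root anchored earlier exposes it.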

Defensive-only doctrine

Evidence layer, not enforcement.

Bonis Systems operates as the evidence layer beneath law enforcement, regulators, and courts — never as a substitute for them. The doctrine is binding across every Knox agent and every external action.

Permitted

  • Defensive perimeter measures (rate limits, blocklists, abuse detection on Bonis-owned surfaces).
  • Evidence-layer escalation to platform owners.
  • Reporting to federal law enforcement, regulators, and courts.
  • Public disclosure of architectural facts already on-chain.

Prohibited absolutely

  • Hacking, denial of service, compromise, or sabotage of any external system.
  • Active counter-attack, even against provably adversarial agents.
  • Pretextual access, identity spoofing, or unauthorized scraping.
  • Any action a court would not bless if read out loud at trial.


USPTO provisional applications, inventor of record Jonis Aaron Fields: 64/038,359 (Knox · 2026-04-13), 64/012,440 (TerraVault · 2026-03-21), 64/036,498 (TrustAI · 2026-04-11), 64/002,221 (HealthAgent · 2026-03-11), 64/013,240 (DealMatcher · 2026-03-22). Provisionals are priority-date footnotes; the operating moat is shipping code, public anchors, and open-standard alignment. Bonis Systems LLC · UEI R2BPJDC5CBA3 · CAGE 1TSP2.