Announcing AAM.
Agent Audit and Management — the externally-anchored, content-addressed, post-quantum-ready audit-permanence layer above any agent control plane. AAM does not authorize, authenticate, or execute. It produces the tamper-evident long-tail record of what AI agents actually did, in a form independently verifiable years later by an external party that does not need to trust the operator, the platform vendor, or Bonis Systems.
Bonis Systems names and ships AAM as a strategic category.
- AAM = Agent Audit and Management. The externally-anchored evidence layer above any agent control plane.
- Live in production. Knox primitive, eleven public agents, a canonical event taxonomy with ninety event types, post-quantum signatures across six NIST parameter sets, public verify endpoint, hourly Merkle aggregation, OpenTimestamps Bitcoin anchor.
- Composes above any control plane. Knox runs above Microsoft Agent 365 (publicly announced GA 2026-05-01), AWS Bedrock agent runtime, Google Vertex AI agent runtime, Rubrik Agent Govern, MCP, A2A, IETF ANS, AITH (arXiv:2604.07695), and any open-source orchestration framework.
- Vendor-neutral by construction. Records are content-addressed. Naming public products describes the operational landscape; it does not imply that any vendor is a partner, customer, prospect, or operational counterparty of Bonis Systems.
- Defensive only. Bonis never accesses third-party agent surfaces. Operators instrument their own emit path. Lawful authority decides what to do with the resulting evidence.
The control-plane category is forming this quarter.
Major platforms are reaching General Availability on agent control planes, hosted runtimes, and adjacent governance products on overlapping timelines. Microsoft has publicly announced GA of Agent 365 for 2026-05-01 with a Tech Community AMA on 2026-05-12. Adjacent products from other major platforms are landing in the same quarter.
Each of those products solves a distinct problem at a distinct layer of the agent stack — authorization, identity, execution, real-time observability, internal audit. None of them is the externally-anchored evidence layer. The layer that survives an acquisition, an outage, a key compromise, an internal-rewrite incident, or a years-later forensic inquiry has to be structurally separate from every system it audits.
Naming AAM as a category now gives technical buyers, regulators, acquirers, and platform vendors themselves a vocabulary for that layer. The vocabulary is unclaimed across the named-competitor landscape Bonis Systems surveyed via a cross-LLM intel sweep in late April 2026. The primitive is shipped. This announcement documents both.
AAM is downstream of Safety, Alignment, and Observability.
Confusing AAM with adjacent categories is the most common error when reasoning about agent governance. AAM does not replace any of these layers; it composes alongside all of them and produces a different artifact.
AI Safety
Should an agent do a thing?
Pre-deployment behavioral research. AAM does not contribute to this layer; AAM observes the post-deployment outcome.
AI Alignment
Does the agent's objective match the operator's intent?
Training-time and deployment-time policy. AAM observes whether the deployed agent's actions are consistent with the policy claims years later.
AI Observability
What is the agent doing right now?
Real-time telemetry inside the operator's stack. AAM operates at the post-deployment evidence layer; the records survive after the observability stack rotates.
Agent Control Plane
What is the agent permitted to attempt?
Authorization, tool allow-lists, data scopes. AAM composes above any control plane and records what the agent actually did regardless of what was permitted.
Agent Identity
Who is the agent, cryptographically?
Agent identifiers, signing keys, name resolution. AAM embeds whichever identity scheme the operator runs in the chain-of-command stamp on each event.
Agent Runtime
How does the agent's call actually run?
Hosted execution, orchestration. AAM is runtime-neutral and operates above any runtime — hosted or in-house, public or sovereign.
Live in production. Verifiable from the public chain.
AAM is not a forward-looking roadmap announcement. It is a naming announcement for a category Bonis Systems is already shipping. The links below resolve to public surfaces.
Knox primitive
Content-addressed commitment, hash chain, hourly Merkle aggregation, OpenTimestamps Bitcoin anchor. The audit-permanence primitive under every AAM event.
Eleven public agents
Document, registry, counter-party, pledge, monitoring, custody, collusion, surveillance, supply-chain, applicant compliance, counter-party dossier. Each agent's bureau, charter, and event taxonomy is published on the page.
Canonical event taxonomy
Ninety canonical Knox event types covering agent lifecycle, agent memory, agent transactions, agent authority, federal-compliance reporting, automotive-AI driving decisions, MCP audit, payment-gateway runtime fingerprinting, BSR site-operations receipts, and spatial-evidence anchors.
Layer-4 post-quantum signatures
ML-DSA-44 / 65 / 87 (NIST FIPS 204) and SLH-DSA-128s / 192s / 256s (NIST FIPS 205) shipped on terravault-00360-gkv on 2026-04-24. ML-DSA-87 is the same primitive specified in the AITH academic protocol (arXiv:2604.07695, Tamarin-verified).
Public verify endpoint
Any party with the anchor identifier or canonical commitment hash verifies the chain link, the hourly Merkle aggregation, and the Bitcoin block embedding the Merkle root. No Bonis cooperation required.
Microsoft Agent 365 integration brief
Worked example of the AAM seam above one publicly announced control plane. Sibling briefs for AWS Bedrock, Google Vertex AI, and Rubrik Agent Govern follow the same shape.
Vertical theaters where AAM is shipping right now.
AAM is horizontal — every industry adopting AI agents needs an externally-anchored evidence layer for those agents. The lanes below are the worked-example theaters under which Bonis is shipping concrete event-type taxonomies and positioning pages.
MCP audit
Tool-call records under the Model Context Protocol — agent_mcp_tool_call, agent_mcp_tool_response, agent_mcp_resource_fetch, agent_mcp_prompt_invocation, agent_mcp_server_attestation, agent_mcp_policy_change.
Agent transactions
Bilateral commitments under any agent commerce protocol — agent_transaction_offer, agent_transaction_acceptance, agent_transaction_settlement, agent_transaction_dispute, agent_transaction_reversal, agent_transaction_policy_change.
Agent memory
Agent memory mutations — agent_memory_write, agent_memory_read, agent_memory_edit, agent_memory_redact, agent_memory_export, agent_memory_policy_change.
Automotive AI
Driver-vs-AI evidence layer — agent_driving_handover, agent_driving_intervention, agent_driving_perception, agent_driving_decision, agent_driving_policy_change, agent_driving_attestation.
Payments runtime
Per-execution gateway runtime fingerprinting — gateway_code_fingerprint, gateway_input_commitment, gateway_output_commitment, gateway_agent_attestation, gateway_side_effect_record.
Cannabis vertical
Federal-face positioning for the cannabis MSO / regulator / court audience. State-license adapters, Metrc / BioTrack integration scope, federal-rescheduling-aware framing.
Federal procurement
GSAR 552.239-7001 Basic Safeguarding of AI Systems → Knox primitive mapping. Federal-compliance reporting event types — data_deletion_certified, security_incident_reported, gov_data_access, material_change_notice.
Control-plane compatibility
Architecture page describing the four-layer agent stack and the operational seam where AAM composes above any control plane, identity layer, or runtime.
The seven-tweet version.
For social-platform syndication. Each card is one post, in order. No links inside the thread — the canonical link is this page.
Bonis Systems is naming AAM today — Agent Audit and Management. The externally-anchored, content-addressed, post-quantum-ready audit-permanence layer above any agent control plane. Live in production. Verifiable from the public chain.
AAM does not authorize. It does not authenticate. It does not execute. It produces the tamper-evident long-tail record of what an AI agent actually did, in a form a third party can verify years later without trusting the operator, the platform vendor, or Bonis Systems.
The agent control-plane category is reaching General Availability this quarter. Major platforms are shipping authorization, identity, runtime, and internal-audit layers on overlapping timelines. None of those is the externally-anchored evidence layer. AAM is.
AAM is downstream of AI Safety, AI Alignment, and AI Observability. Safety and Alignment ask whether an agent should do a thing. Observability asks what it is doing now. AAM records what it already did — for the inspector, the regulator, the court, the acquirer, the next investigator.
Knox is the AAM primitive. Bitcoin-anchored via OpenTimestamps. Ninety canonical event types covering agent lifecycle, MCP audit, agent transactions, agent memory, agent authority, automotive-AI driving decisions, payments runtime fingerprinting, and spatial evidence.
Layer-4 post-quantum signatures shipped 2026-04-24. ML-DSA-44 / 65 / 87 and SLH-DSA-128s / 192s / 256s — six NIST FIPS 204/205 parameter sets, live. ML-DSA-87 is the same primitive specified in the AITH academic protocol (arXiv:2604.07695, Tamarin-verified).
Vendor-neutral by construction. Records are content-addressed. Bonis never accesses third-party agent surfaces — Defensive-Only doctrine. Operators instrument their own emit path. Lawful authority decides what to do with the evidence. Read the announcement on bonissystems.com/aam/announcement.
Common questions, answered.
What is AAM?
AAM stands for Agent Audit and Management. It is the post-deployment evidence layer for AI agent actions — content-addressed, hash-chained, hourly-Merkle-aggregated, Bitcoin-anchored, and post-quantum-signature-ready. AAM does not authorize what agents may attempt (that is the control plane's job), does not authenticate who agents are (that is the identity layer's job), and does not execute agent calls (that is the runtime's job). AAM produces the tamper-evident long-tail record of what the agent actually did, in a form independently verifiable years later by an external party that does not need to trust the operator, the platform vendor, or Bonis Systems.
Why announce AAM as a category now?
The agent control-plane category is forming in public this quarter — Microsoft has publicly announced General Availability of Agent 365 for 2026-05-01 with a Tech Community AMA on 2026-05-12, and adjacent agent-governance and hosted-runtime products from other major platforms are reaching GA on similar timelines. Each of those layers solves a distinct problem (authorization, identity, execution, real-time observability). None of them is the externally-anchored evidence layer. Naming AAM as a category now gives technical buyers, regulators, and acquirers a vocabulary for the layer that is structurally separate from the systems being audited.
How is AAM different from AI Safety, AI Alignment, or AI Observability?
AI Safety and AI Alignment address whether an agent should do a thing — pre-deployment policy and behavioral research. AI Observability addresses what an agent is doing right now — real-time telemetry inside the operator's stack. AAM is downstream of all three: it addresses what an agent already did, in a form that survives the stack and remains verifiable independently of the operator and the platform vendor years after the action. AAM composes alongside Safety, Alignment, and Observability — not in competition with any of them.
How is AAM different from internal audit logs?
Every control plane, runtime, and operator can — and does — write its own audit log. Each of those logs is useful inside the organization that runs it, and each is, by construction, mutable by that organization. The questions that arrive after an incident, after an acquisition, after a contract dispute, after a regulator opens a file, are not questions the original operator's audit log can credibly answer alone. AAM is the externally-anchored, content-addressed chain that an outside party can verify without subpoenaing the operator. That property — independence from the system being audited — is what makes the record useful to a third party.
What does Bonis ship under AAM today?
Knox, the AAM primitive, is live in production. Eleven public agents wrap Knox for specific verification surfaces (document, registry, counter-party, pledge, monitoring, custody, collusion, surveillance, supply-chain, applicant compliance, dossier). The canonical Knox event taxonomy in src/lib/knox-anchor.ts covers agent lifecycle, agent memory, agent transactions, agent authority, federal-compliance reporting, automotive-AI driving decisions, MCP audit, payment-gateway runtime fingerprinting, BSR site-operations receipts, and spatial-evidence anchors. Layer-4 post-quantum signatures (ML-DSA-44/65/87, SLH-DSA-128s/192s/256s) shipped on 2026-04-24 (terravault-00360-gkv). The verify endpoint and public anchor endpoint are operational at terravaulthq.com.
Who is AAM for?
Three buyer profiles. (1) Operators deploying AI agents in regulated commerce who need an evidence layer their auditors, regulators, and counter-parties can trust independently of the platform vendor. (2) Federal agencies, civil litigators, insurance carriers, and acquirers who consume third-party agent-action records and want a verification path that does not require cooperation from the operator. (3) Platform vendors building agent control planes who want a vendor-neutral audit-permanence layer their customers can compose above without the vendor itself becoming the audit anchor. AAM is structurally downstream of all three; the buyer is whichever party needs the externally-verifiable record, not the party producing it.
Does AAM require Bitcoin specifically?
Knox anchors via OpenTimestamps to the Bitcoin chain because Bitcoin is the longest-running, most independently-replicated public chain. The anchor primitive is conceptually chain-agnostic — what matters is that the chain is public, durable, and not under the control of the system being audited. Operators who require multi-chain anchoring can opt into the multi-chain routing surface; the canonical reference anchor remains Bitcoin via OpenTimestamps because that is the chain with the longest verification track record and the broadest external verification tooling.
Is AAM a competitor to Microsoft Agent 365, AWS Bedrock, Google Vertex, or Rubrik Agent Govern?
No. AAM is structurally above any of those. A control plane authorizes; AAM records. A hosted runtime executes; AAM records. A governance product produces internal audit and undo capabilities; AAM produces the externally-anchored chain those products cannot produce themselves without becoming an external party. The relationship is composition, not competition. Operators do not have to choose between an audit-permanence layer and a control plane.
How does an external party verify a Knox-anchored AAM record?
By calling the public Knox verify endpoint with the anchor identifier or canonical commitment hash, or by reconstructing the verification independently from the Bitcoin chain via OpenTimestamps. The verification proves the commitment existed at the recorded time. It does not require the operator, the platform vendor, or Bonis Systems to be online or cooperative. This is the property that makes AAM records useful to a third party years after the action.
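The independent check described above (commitment, chain link, hourly Merkle root) can be sketched as follows; this is an added example, not Bonis Systems code or the Knox wire format. SHA-256, sorted-key JSON canonicalization, the 0x00/0x01 leaf and node prefixes, the odd-node duplication rule, the all-zero genesis link and the event fields other than the type name are assumptions, and the anchored root is treated as a value already confirmed against Bitcoin through OpenTimestamps.

```python
import hashlib
import json
GENESIS = b"\x00" * 32  # assumed starting value for the hash chain
# Constructed sample events; only the event type name comes from the page.
EVENTS = [{"type": "agent_mcp_tool_call", "seq": i, "tool": "search"} for i in range(5)]

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def commitment(event: dict) -> bytes:
    # Content address: hash of a canonical form (assumed: sorted-key compact JSON).
    return h(json.dumps(event, sort_keys=True, separators=(",", ":")).encode())

def chain_link(prev_link: bytes, commit: bytes) -> bytes:
    return h(prev_link, commit)  # binds the event to everything recorded before it

def build_levels(links):
    # Leaf/node prefixes (0x00/0x01) stop an inner node being passed off as a leaf.
    level = [h(b"\x00", link) for link in links]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]  # assumed rule: duplicate last node when odd
        level = [h(b"\x01", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))  # (hash, sibling_is_left)
        index //= 2
    return proof

def verify_record(event, prev_link, proof, anchored_root) -> bool:
    # Recompute commitment -> chain link -> Merkle path; trust nothing but the root.
    node = h(b"\x00", chain_link(prev_link, commitment(event)))
    for sibling, sibling_is_left in proof:
        node = h(b"\x01", sibling, node) if sibling_is_left else h(b"\x01", node, sibling)
    return node == anchored_root

def build_hour(events):
    links = []
    for event in events:
        links.append(chain_link(links[-1] if links else GENESIS, commitment(event)))
    return links, build_levels(links)
```

A verifier holding only the event, the previous link, the sibling hashes and the anchored root can run `verify_record` offline; any edit to the event or to its position in the chain changes the recomputed root.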
Is AAM defensive or offensive infrastructure?
Defensive only. Bonis Systems does not access any third-party control plane, runtime, or operator surface. Operators who want a Knox-anchored record instrument their own emit path. Bonis provides the audit primitive; lawful authority — courts, regulators, platform owners — decides what to do with the resulting evidence. The Defensive-Only doctrine is binding across every Knox surface and every public AAM page.
References here describe the operational landscape, not relationships.
Naming Microsoft Agent 365, AWS Bedrock, Google Vertex AI, Rubrik Agent Govern, MCP, A2A, IETF ANS, and AITH on this page describes the publicly-announced agent stack in which AAM operates. It does not imply that any vendor named here is a partner, customer, prospect, or operational counterparty of Bonis Systems. Operators evaluating AAM should consult each vendor’s own published product documentation for authoritative product definitions, license terms, and roadmap.
USPTO provisional applications, inventor of record Jonis Aaron Fields: 64/038,359 (Knox · 2026-04-13), 64/012,440 (TerraVault · 2026-03-21), 64/036,498 (TrustAI · 2026-04-11), 64/002,221 (HealthAgent · 2026-03-11), 64/013,240 (DealMatcher · 2026-03-22). Provisionals are priority-date footnotes; the operating moat is shipping code, public anchors, and open-standard alignment. Bonis Systems LLC · UEI R2BPJDC5CBA3 · CAGE 1TSP2.