When the AI was driving, who has the receipt?
Every vehicle that ships with AI driving assistance logs telemetry internally. The manufacturer owns the only copy. Driver-vs-AI blame is structurally unresolvable when the entity whose AI may have caused the crash is also the sole custodian of the evidence.
The party with the most to lose from disclosure owns the only record.
Tesla’s Autopilot and FSD vehicles, Mercedes-Benz Drive Pilot Level 3 vehicles, BMW Personal Pilot, Ford BlueCruise, GM Super Cruise, Toyota Teammate, Honda SENSING Elite, Hyundai-Kia HDA2, and the Waymo robotaxi fleet each operate their own vehicle telemetry pipelines. Each manufacturer decides what gets stored, what retention applies, what gets surfaced to investigators, and what gets disclosed in litigation, NHTSA inquiry, or NTSB review.
When an AI driving assistant is implicated in a crash, the evidence about what the AI actually did exists only inside the manufacturer’s own pipeline. There is no independent third-party copy. The vehicle owner, the driver, the regulator, the insurer, the opposing counsel, and the court all see what the manufacturer chooses to surface. Subpoena fights become the central proceeding rather than the merits of the crash.
AAM closes the gap without coupling to any single vehicle architecture. The audit primitive is content-addressed: the SHA-256 of the driving event, the chain-of-command stamp identifying the agent build and the policy under which it acted, and the sequence link to the previous event in the vehicle’s stream. Knox anchors each, aggregates the hourly Merkle root, and publishes the root to the Bitcoin blockchain. The manufacturer cannot silently rewrite a history that exists outside its own systems.
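A sketch of the commitment structure described above, added here as an illustration and not Bonis or Knox code. The field names, JSON encoding, and Merkle layout (domain-separated SHA-256, odd node promoted) are assumptions, and the OpenTimestamps/Bitcoin publication step is omitted.

```python
import hashlib, json

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def commit(artifact: bytes, stamp: dict, prev: bytes) -> bytes:
    """Event commitment: artifact hash + chain-of-command stamp + previous link."""
    body = {"artifact": h(artifact).hex(), "stamp": stamp, "prev": prev.hex()}
    return h(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def build_chain(events):
    """Commit each event to its predecessor; returns one commitment per event."""
    prev, out = bytes(32), []          # all-zero link marks the start of a stream
    for artifact, stamp in events:
        prev = commit(artifact, stamp, prev)
        out.append(prev)
    return out

def merkle_levels(commitments):
    """Tree levels, leaves first. 0x00/0x01 prefixes separate leaves from nodes."""
    levels = [[h(b"\x00" + c) for c in commitments]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(b"\x01" + cur[i] + cur[i + 1]) if i + 1 < len(cur)
                       else cur[i] for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, idx):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    path = []
    for cur in levels[:-1]:
        sib = idx ^ 1
        if sib < len(cur):             # a promoted odd node has no sibling
            path.append((cur[sib], sib < idx))
        idx //= 2
    return path

def verify(commitment, path, root):
    """Recompute the root from one commitment and its sibling path."""
    node = h(b"\x00" + commitment)
    for sib, sib_is_left in path:
        node = h(b"\x01" + (sib + node if sib_is_left else node + sib))
    return node == root

# Constructed sample stream: (telemetry artifact bytes, chain-of-command stamp).
STAMP = {"build": "agent-build-A", "policy": "policy-1"}   # hypothetical values
EVENTS = [(b"handover driver->ai", STAMP),
          (b"perception obj-17 pedestrian", STAMP),
          (b"decision brake conf=0.93", STAMP)]
CHAIN = build_chain(EVENTS)
LEVELS = merkle_levels(CHAIN)
ROOT = LEVELS[-1][0]                   # the value that would be published
```

Because each commitment includes the previous link, rewriting any earlier event changes every later commitment in the stream, so neither the rewritten record nor its successors verify against the already-published root.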
Every interaction at the agent surface becomes a Knox event.
The vehicle agent surface is small, structured, and content-addressable. Six interaction shapes map to canonical Knox event types — each with a chain-of-command stamp and content-addressed pointers to the underlying telemetry.
Control transfer from driver to AI, or from AI back to driver. Knox commits the SHA-256 of the handover artifact, the timestamp, the agent build identifier, and the policy under which the handover was permitted. The question of who was driving at the moment of any event becomes resolvable from the chain alone.
An AI override of driver input — emergency braking, lane keeping correction, evasive steering — or a driver yank disengaging the AI. Knox commits the artifact and links it to the surrounding handover state, so the request-response binding between driver action and AI response is reconstructible.
An object detected, classified, or tracked by the perception stack. Knox commits the perception identifier, the SHA-256 of the bound classification artifact, and the timestamp at which the detection resolved. Perception drift across builds is observable across time, not assumed.
A steer, brake, or accel command issued by the AI with its bound rationale and confidence. Knox commits the SHA-256 of the decision artifact and links it to the perception events and policy in effect at the moment of action. The audit chain reconstructs not only the command but the agent’s stated reason for it.
An over-the-air firmware or policy update applied to the vehicle at a specific moment. Knox commits the SHA-256 of the policy artifact at the moment of application, so the agent’s permitted behavior at the moment of any prior or subsequent event is recoverable independent of the manufacturer’s later fleet state.
The vehicle agent itself produces an attestation — agent identity, build version, declared sensor surface, declared decision surface. Knox commits the attestation, so the agent’s claimed shape at the moment of operation is recoverable independent of any subsequent firmware change.
The questions are predictable. The records should be too.
Once an AI-implicated incident is being investigated, the same five questions arrive on every case. AAM primitives produce records architected to answer each one without re-trusting the manufacturer, the agent vendor, or the operator.
Who was driving at the moment of impact — driver or AI?
The handover anchor and its sequence link to the previous handover identify the exact party in control at the exact timestamp. The Bitcoin anchor pins the moment in time independent of the manufacturer’s record.
Did the AI override the driver, or did the driver override the AI?
The intervention anchor commits the SHA-256 of the override artifact at the moment it occurred. The direction of override — AI to driver, or driver to AI — is recorded, not reconstructed from manufacturer telemetry after the fact.
What did the perception stack actually see, classified as what, when?
The perception anchor commits the SHA-256 of the bound classification artifact and the moment of detection. A subsequent silent rewrite of perception logs does not propagate to the public chain.
Was the AI operating on the firmware version of record?
The policy-change anchor commits the SHA-256 of the firmware or policy artifact in effect at the moment of every prior driving event. Over-the-air rollouts and silent reversions are observable years after the fact.
Can we reconstruct the full event chain if the manufacturer is gone, hostile, or no longer cooperating?
Every Knox anchor is content-addressed and Bitcoin-anchored. Reconstruction does not require the original manufacturer, the original telemetry pipeline, or the original vendor to remain online or cooperative.
What composing AAM above vehicle telemetry gives you.
Manufacturer-neutral
Any vehicle telemetry pipeline, authored by any manufacturer, can be paired with Knox by instrumenting an emit path on the operator’s side. The vehicle pipeline does not need to know about Knox, consent to Knox, or be modified for Knox.
Independently verifiable
Anchors are published to the Bitcoin blockchain via OpenTimestamps. Verification does not require Bonis, the manufacturer, or any third party to be online, in business, or cooperative. The receipt outlives the fleet.
Court-admissible architecture
Anchors and the affidavits derived from them are architected to meet the self-authentication requirements of FRE 902(13) and 902(14). Admissibility in any given matter remains a determination of the presiding court; the structural requirements are met by construction.
Post-quantum resilient
Driving-class commitments may carry post-quantum signatures via Knox Agent #11 Layer 4 — ML-DSA-44 / 65 / 87 (NIST FIPS 204) and SLH-DSA-128s / 192s / 256s (NIST FIPS 205). The audit chain remains verifiable under threat models that assume future quantum-capable adversaries — relevant for vehicles in service for fifteen to twenty years.
Cross-checkable with manufacturer logs
The manufacturer’s own telemetry continues to operate as designed. The public-chain record provides an independent comparison point. Divergence between the two — silent rewrites, redactions, or omissions — is detectable rather than assumed.
Open-spec aligned
OpenTimestamps is an open protocol. Bitcoin is a public chain. The TLA+ specification of the Knox anchor pipeline is public source. The full audit path lives on open standards, with no proprietary vehicle-specific lock-in.
The pattern is in the public record.
The structural conflict — manufacturer as both AI operator and sole evidence custodian — is documented across multiple high-profile incidents. Each is sourced to public regulator records, court filings, or NTSB investigations. None of the incidents below names a Bonis prospect, partner, or customer; they are cited as public-record proof of the gap that AAM closes.
Uber test vehicle, Tempe AZ
Pedestrian Elaine Herzberg was killed by an Uber self-driving test vehicle. The backup operator was initially charged with negligent homicide; the matter resolved in 2023 with a plea to a reduced charge of endangerment. The AI’s actions were available only through Uber’s own logs. NTSB investigation HWY18MH010 documented the safety-culture and logging environment.
Tesla Autopilot — recurring NHTSA inquiries
The National Highway Traffic Safety Administration has run multiple Defect Petition and Engineering Analysis investigations into Tesla Autopilot and FSD performance. Vehicle data has been manufacturer-controlled throughout each inquiry.
Cruise robotaxi, San Francisco
A Cruise vehicle struck and dragged a pedestrian on October 2, 2023. The California Public Utilities Commission suspended Cruise’s operating permit on October 24, 2023 in part over evidence-handling concerns regarding internal logs. GM dissolved the Cruise robotaxi business in December 2024.
Federal class-action discovery — FSD telemetry
Federal class-action proceedings against Tesla have included extensive discovery disputes specifically over what FSD telemetry was preserved and produced. The disputes are themselves public PACER record across multiple dockets.
Independent logging is becoming required, not optional.
NHTSA Standing General Order 2021-01
Mandates incident reporting for vehicles equipped with ADAS Level 2 and ADS Level 3+ systems. Reporting cadence and content are set by the order; the underlying telemetry that feeds it remains manufacturer-controlled.
SGO 2021-01 · ADAS / ADS reporting · in force
UN ECE R155 / R156
International type-approval regulations for vehicle cybersecurity (R155) and software updates (R156). In force across Europe, Japan, Korea, and adopted by additional jurisdictions. The direction-of-travel is stricter independent verifiability.
UNECE WP.29 · type approval · in force
FMVSS 127 — Automatic Emergency Braking
Federal Motor Vehicle Safety Standard for AEB systems in light vehicles. Compliance verification depends on event-level performance data; vendor-neutral logging serves the standard’s intent.
FMVSS 127 · AEB compliance · published
California DMV autonomous vehicle permits
Permit conditions require disengagement reporting and event preservation. The underlying telemetry remains operator-controlled; the public-chain record supplies the independent verification layer the permit conditions are reaching toward.
CA DMV · autonomous-vehicle permit · in force
One HTTP call per driving event.
The operator does not have to wait for a Knox automotive SDK to ship. The public anchor endpoint is already live, and any vehicle telemetry pipeline that can issue an HTTP POST can pair its driving event surface with Knox today.
Evidence layer, not enforcement.
Bonis does not access vehicles, does not intercept manufacturer telemetry without consent, does not disable, modify, or interfere with vehicle operation in any way, and does not undertake any active disruption of any external system. Knox is invitational: a manufacturer, fleet operator, regulator, vehicle owner, or third-party telemetry provider who wants a tamper-evident record of every driving event instruments their own emit path. Bonis produces the audit primitive; lawful authority — courts, NTSB, NHTSA, state DMVs, state AGs — decides what to do with the resulting evidence.