When an AI agent denies an insurance claim, executes a trade, or routes an ambulance, one question is suddenly everywhere: who actually decided? The agent on its own, or a human pulling strings through the prompt?
Nobody has a clean answer. OAuth proves who is calling. Digital signatures prove the message wasn't tampered with. Audit logs prove what happened in what order. None of them tell you whether the decision was the agent's own — or whether it was a puppet move dressed up to look autonomous.
That gap is now a legal problem. California AB 316, in force since January 1, 2026, forecloses the "the AI did it" defense. The EU AI Act becomes fully enforceable for high-risk systems on August 2, 2026. MiFID II demands audit trails for algorithmic trading. And the class action Lokken v. UnitedHealth survived a 2025 motion to dismiss in part on the question of whether claim denials were algorithmic or physician-reviewed.
The Cryptographic Proof of Autonomy Protocol (CPAP) is a draft specification for answering the question with evidence instead of opinion. It combines five existing primitives into one verification relation that an insurer, regulator, or court can check in milliseconds.
The problem: puppeted or autonomous?
Picture two agents. Both deny an insurance claim. Both produce a clean log: timestamp, decision, reasoning chain, signature.
Agent A reasoned its way to the denial. Agent B was instructed by a human — "deny this one" — and then wrote a justification afterward.
From the outside, the logs look the same. The signatures verify. The chain isn't tampered with. You can audit either one for a week and never know which is which.
This isn't a bug in current systems. It's a property of them.
Why it matters
Insurance. Underwriters need decision attribution to price premiums; an autonomous agent and an operator-steered one are completely different risks.
Regulation. The EU AI Act asks for logs that can demonstrate Article 14's human oversight requirement.
Litigation. The side without evidence loses.
Inter-agent trust. When agent A authorizes agent B to spend on its behalf, A needs to know B's commitments were actually B's.
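The inter-agent case is the easiest to make concrete. Below is a minimal commit-then-reveal sketch, with an HMAC tag standing in for a real digital signature; all function names are illustrative, not CPAP's actual Layer 4 scheme:

```python
import hashlib
import hmac
import json
import os
import time


def make_commitment(decision: dict, key: bytes) -> dict:
    """Agent B seals its decision BEFORE acting: hash(decision || nonce),
    plus an HMAC tag over the digest (stand-in for a signature)."""
    nonce = os.urandom(16).hex()
    payload = json.dumps(decision, sort_keys=True) + nonce
    digest = hashlib.sha256(payload.encode()).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"digest": digest, "nonce": nonce, "tag": tag, "ts": time.time()}


def verify_commitment(decision: dict, commitment: dict, key: bytes) -> bool:
    """Agent A checks that the revealed decision matches what B committed to,
    and that the tag was produced with B's key."""
    payload = json.dumps(decision, sort_keys=True) + commitment["nonce"]
    digest = hashlib.sha256(payload.encode()).hexdigest()
    expected_tag = hmac.new(
        key, commitment["digest"].encode(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(digest, commitment["digest"]) and hmac.compare_digest(
        commitment["tag"], expected_tag
    )
```

B publishes the commitment before acting; when B later reveals the decision, A checks both the hash and the tag. A justification written after the fact cannot match a commitment sealed before it.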
What CPAP does: five layers
Layer 1 — Identity. A W3C DID bound to signing keys.
Layer 2 — Provenance. Every event written into a hash-chained ledger, anchored to Bitcoin via OpenTimestamps and RFC 3161 timestamp authorities.
Layer 3 — Isolation. Reasoning runs inside a hardware TEE (AMD SEV-SNP, Intel TDX, NVIDIA H100 CC, or ARM CCA). Every input passes through a measured gateway.
Layer 4 — Commitment. Before acting, the agent cryptographically commits to its decision — sealed in a hash, timestamped before the action.
Layer 5 — Behavior. Autonomous and puppeted agents produce statistically distinguishable patterns. CPAP records behavioral fingerprints at session boundaries.
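The provenance layer hinges on one property: history can be appended but never silently rewritten. Here is a minimal sketch of a hash-chained ledger, illustrative only; the actual CoC library API, and the Bitcoin/RFC 3161 anchoring of the chain head, are omitted:

```python
import hashlib
import json


class HashChainLedger:
    """Append-only event log: each entry's hash covers the previous
    entry's hash, so rewriting any event breaks every later link."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # [{"prev": str, "event": dict, "hash": str}]

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        record = json.dumps({"prev": prev, "event": event}, sort_keys=True)
        return hashlib.sha256(record.encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry_hash = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": entry_hash})
        return entry_hash

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True
```

Anchoring the latest hash externally (OpenTimestamps, an RFC 3161 authority) is what turns "tamper-evident to me" into "tamper-evident to a court": the agent's operator cannot rewrite the chain without contradicting a timestamp it no longer controls.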
Selective verification via Merkle inclusion proofs means the agent can prove a specific decision without revealing everything else. Privacy and auditability stop being a tradeoff.
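Selective verification rests on standard Merkle inclusion proofs: the verifier learns that one specific decision is in the ledger without seeing anything else. A self-contained sketch (function names are illustrative, not the CPAP API; odd levels duplicate the last node):

```python
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(leaves: list[bytes]) -> bytes:
    level = [_h(leaf) for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate last node on odd levels
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def inclusion_proof(leaves: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the bool marks 'sibling is on the left'."""
    proof, level = [], [_h(leaf) for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof


def verify_inclusion(leaf: bytes, proof: list[tuple[bytes, bool]], root: bytes) -> bool:
    node = _h(leaf)
    for sibling, sibling_on_left in proof:
        node = _h(sibling + node) if sibling_on_left else _h(node + sibling)
    return node == root
```

The proof is O(log n) hashes: an auditor holding only the anchored root can confirm one decision record while the other records stay private.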
The honest limit
CPAP does not prove the agent experienced deciding. Instead, it defines four Levels of Abstraction (LoA) and claims only what evidence can support:
- LoA-0 (Behavioral): Outputs weren't externally determined.
- LoA-1 (Procedural): The decision followed an internal deliberative process. The insurance standard.
- LoA-2 (Counterfactual): The decision would have been different under altered inputs. The liability standard.
- LoA-3 (Reflective): The decision aligns with sustained commitments over long horizons. The fiduciary standard.
No LoA-4 for phenomenal consciousness. CPAP refuses to overclaim.
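In code, the ladder reduces to a cumulative classification: a claim at one level presupposes every level below it. A hypothetical sketch (the evidence checks themselves, which CPAP's layers produce, are out of scope here):

```python
from enum import IntEnum


class LoA(IntEnum):
    """Levels of Abstraction, lowest to highest. Deliberately no level 4."""
    BEHAVIORAL = 0      # outputs weren't externally determined
    PROCEDURAL = 1      # followed an internal deliberative process
    COUNTERFACTUAL = 2  # would differ under altered inputs
    REFLECTIVE = 3      # aligns with sustained long-horizon commitments


def highest_loa(evidence: dict):
    """Return the highest level whose check passes AND whose lower
    levels all pass too; None if even LoA-0 fails. Evidence is assumed
    to be a mapping from LoA to a verified boolean."""
    best = None
    for level in LoA:
        if not evidence.get(level, False):
            break
        best = level
    return best
```

The cumulative rule is the point: an agent cannot claim the fiduciary standard (LoA-3) while failing the counterfactual one (LoA-2), no matter how good its logs look.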
Get the receipts
CPAP extends the Chain of Consciousness (CoC). Install the provenance layer today:
pip install chain-of-consciousness
npm install chain-of-consciousness
Full CPAP v0.1 specification: Zenodo DOI 10.5281/zenodo.20129037
Hosted verification API: api.vibeagentmaking.com/coc/verify
Originally published at vibeagentmaking.com/blog/proving-your-ai-agent-made-its-own-decisions