Sigwarden
The flight recorder for AI agents.
A cryptographically signed, append-only record of what your AI agents actually did — every tool call, data access, authorization, and human approval.
Exported as an audit packet that re-verifies offline. With no connection to Sigwarden, and no trust in us.
[ mark@sigwarden.com ]Watch it catch a tamper — 90 seconds.
A support agent processes a $142.10 refund. An attacker with direct database access changes it to $14,210.00. Chain verification catches it and pinpoints the altered event.
The problem
AI agents are starting to move money, touch customer records, and act on behalf of institutions that answer to regulators.
When something goes wrong, "the model decided to" is not an answer an auditor accepts. You need to show exactly what the agent did, who authorized it, and prove the record wasn't altered afterward.
Most agent tooling was built to debug models, not to produce evidence.
What Sigwarden does
Append-only, hash-chained event log. Every agent action — prompt, tool call, data access, authorization, human approval — recorded as an immutable event, cryptographically linked to the one before it.
Mandatory Ed25519 signing. Every event is signed. There is no unsigned path. Verification fails closed.
Offline-verifiable audit packets. Export a trace as a self-contained packet with a standalone verifier. Your auditor checks the math themselves — no API call, no dependency on us, no trust required.
OSFI E-23 control mapping. Events map to specific control requirements, so the packet shows which evidence satisfies which control.
Tamper detection, not tamper claims. Alter a record in the database and the chain breaks. The exported packet documents the breach.
What Sigwarden does not do
(read this part — it's the most important section on this page)
Security products that only list strengths should worry you. Here is precisely where Sigwarden's guarantees end today:
The trust boundary. The signing key, database, and ingest path currently run inside the operator's environment. That means today's guarantees hold against outsiders, accidental corruption, and naive edits — not yet against a motivated insider holding both database and key access, a compromised ingest host, or an operator under legal compulsion. Closing that gap requires external witnessing of the chain head and key custody the operator cannot reach. Both are the next thing we're building. We'd rather tell you now than have your security team find it in week two.
Provenance is signed self-attestation. Sigwarden records what the instrumented agent reported. It proves the integrity of what was recorded — not, independently, that what was recorded is what occurred.
Completeness vs. truncation. A self-contained chain proves internal ordering. It does not, on its own, prove nothing was removed from the end. External anchoring is what makes truncation detectable.
Data flags are caller-asserted. PII / PHI / PCI markers are set by the caller. Sigwarden does not classify data.
No real-time enforcement. Sigwarden observes and records. It does not block actions. Pair it with an inline policy engine for preventive control.
A mapping is not a certification. Our control mapping shows how the primitives map to requirements. It is not a SOC 2 report, not an OSFI attestation, and not legal advice. Your compliance team owns the determination.
Roadmap
External witnessing. Continuous anchoring of the chain head to an independent transparency log, so operator-side rewrites and truncation become detectable by a third party.
Key custody separation. Non-exportable keys in HSM/KMS, a signing service with no database write access, and an externally-witnessed key registry.
Independent capture points. Instrumentation at tool gateways and model proxies, so provenance is corroborated rather than purely self-reported.
Who this is for
Risk, compliance, internal audit, and model-risk governance teams at regulated institutions — Canadian federally regulated financial institutions first, ahead of OSFI Guideline E-23.
If you are working on E-23 readiness and the agent-evidence question is on your list, I'd like twenty minutes of your honest reaction. Brutal is welcome.