Notarized Agents: Receiver-Attested Confidential Receipts for AI Agent Actions

Researchers propose Sello, a cryptographic protocol that addresses a critical vulnerability in AI agent observability by having external services sign tamper-evident receipts of agent actions rather than agents logging their own activity. The system uses receiver-side signing, encryption, and public transparency logs to create an independent audit trail that prevents compromised agents from falsifying records.

The fundamental problem Sello addresses is a structural trust asymmetry in current AI systems: agents self-report their activities, creating an obvious attack surface where malicious or buggy agents can fabricate, omit, or alter activity logs with impunity. This becomes increasingly critical as AI agents gain autonomy over financial transactions, data access, and other high-stakes operations. The proposed solution inverts this model by placing trust in service providers rather than agent operators, who sign cryptographic receipts of observed interactions and publish them to immutable transparency logs.

This work builds on established cryptographic practices—Merkle trees, public-key encryption, and witness networks—but applies them specifically to the emerging AI agent ecosystem. The protocol combines four key components: receiver-side signing (services sign what they observed), HPKE encryption to owner keys, publication to cosigned Merkle logs, and token-based discovery mechanisms. These elements work together to create verifiable audit trails without requiring trust in either the agent or its operator.

For the broader AI-crypto ecosystem, this research highlights growing recognition that autonomous agents require new accountability mechanisms. As AI agents interact with blockchain systems, financial protocols, and sensitive services, the inability to audit their actions becomes a systemic risk. The protocol addresses use cases from AI-driven trading bots to autonomous contract management, where verifiable action logs prevent operator misconduct and enable regulatory compliance.

The authors acknowledge practical limitations including suppression attacks (malicious services refusing to sign), collusion between services, and the adoption-incentive problem where early adopters bear costs without network effects. Future work likely involves standardization across service providers and integration with emerging agent frameworks.

• →Current AI agents create self-signed activity logs, allowing compromised agents to fabricate or hide their actions with no independent detection mechanism.
• →Sello protocol delegates signing authority to service providers rather than agents, creating tamper-evident receipts published to public transparency logs.
• →The system uses receiver-side cryptographic signing combined with encrypted audit trails to prevent both agent tampering and operator collusion.
• →Protocol addresses critical infrastructure gaps as AI agents gain autonomy over financial and sensitive operations in blockchain and traditional systems.
• →Implementation faces practical challenges including service collusion risks, suppression attacks, and the need for cross-provider adoption incentives.