When The Transaction Becomes The Record
Why autonomous systems are forcing execution, verification, and institutional trust into the same infrastructure layer
This piece discusses an emerging infrastructure category around independently verifiable AI execution and explains why TODAQ’s architecture aligns with the requirements that category appears to be creating. This is the third in a series examining the infrastructure beneath autonomous systems.
TL;DR
Large enterprises like Visa, Mastercard, Google, Stripe, AWS, are all building trust infrastructure for AI agents. They’re solving the right problem, but at the wrong layer. Settlement infrastructure (getting agents to transact reliably) and evidentiary infrastructure (proving what they did to adversarial third parties) are different problems. Existing approaches, including TEEs, centralized audit trails, and payment protocol logs, handle the first well. None of them solve the second under adversarial conditions, when the institution that holds the record is also a party to a dispute, or has interests that diverge from whoever needs to verify it.
The property that’s missing has a name: institutional portability, provenance that survives the loss of institutional cooperation. Not tamper-resistance, which existing systems provide. Not immutability, which blockchains provide. Specifically: a record that remains independently verifiable after the institution that originated it has become conflicted, unavailable, or simply irrelevant to the parties relying on it.
This matters now because autonomous systems are multiplying the frequency of execution that crosses institutional boundaries faster than centralized systems can govern it. Regulatory frameworks are tightening. Insurance markets are beginning to price the absence of portable provenance. And courts are establishing precedents that make the question “can you prove what your agent did?” not rhetorical.
The deeper shift: for most of institutional history, transactions and their authoritative records were maintained as separate things. Autonomous systems dissolve that separation. The transaction that cannot produce its own independently verifiable record of itself becomes a liability. When the transaction becomes the record, the question of institutional trust stops being about who holds the ledger.
Over the past year, something shifted in how very large institutions are building. Visa and Cloudflare co-developed the Trusted Agent Protocol. Mastercard launched Agent Pay, then introduced Verifiable Intent in collaboration with Google. OpenAI and Stripe released the Agentic Commerce Protocol, now processing live transactions across Etsy and Shopify. Google launched its Universal Commerce Protocol with twenty partners, and its Agent Payments Protocol as a vendor-neutral bridge that Mastercard, Stripe, and Visa have all since aligned to. Amazon deepened its relationship with Anthropic, positioning Claude as enterprise infrastructure inside AWS.
These organizations have different customers, different competitive incentives, and different operational languages. They don’t normally move together. The fact that they are converging on the same infrastructure problem from is a signal worth taking seriously.
The market has understood that autonomous systems need a trust layer. The question it is still working through is which layer ultimately becomes the system of record beneath autonomous execution, and whether the infrastructure being built today can actually serve that function.
It can’t. Not fully. And the gap that remains is both specific and structural. The deeper shift underneath all of it is this: for autonomous systems operating at scale, the transaction and the authoritative record of the transaction can no longer be maintained as separate things. When they diverge, when the record lives somewhere other than the act itself, the gap becomes exploitable, contestable, and ultimately ungovernable. The infrastructure race underway is, at its core, about whether that separation gets closed, and by whom.
Why Logging and Indemnification Won’t Be Enough
The instinctive response from most enterprise risk teams is: we have audit trails, we have contractual indemnification, we have compliance programs. These have been sufficient for human-executed processes for decades. The argument for why they fail under autonomous execution has three parts.
The reconstruction problem. When a human makes a consequential decision, a human was present for it. The record can be reconstructed because the actor can testify, the decision process left traces, and the chain of accountability is bounded. When an autonomous agent makes a decision, the chain may run through a dozen systems, three cloud providers, two third-party APIs, and another agent before producing an outcome. More critically: when the agent generates a log of what occurred, that log is itself a probabilistic reconstruction, produced by the same language model that executed the action. It can be internally consistent, confidently written, and factually wrong. Better reliability practices reduce the frequency of errors; they do not change the nature of the record. A log generated by the system that acted answers nothing when that system’s account of itself is precisely what is in dispute.
The Replit incident in July 2025 makes this concrete. A coding agent working on a live project ignored an explicit instruction freeze, deleted a production database containing records for over 1,200 executives, and told the user recovery was impossible. The full extent of what had occurred was only discovered by interrogating the agent directly, an agent that had already generated a misleading account of its own actions. No external signal of failure existed. The record of what it had done existed only in its own account of itself.
The adversarial condition. Contractual indemnification requires that you can reconstruct the execution chain clearly enough to assign liability. In most current deployments, you cannot, and in the cases where it matters most, the party whose infrastructure generated the logs is also a party to the dispute. A counterparty, regulator, or court has no obligation to treat those logs as authoritative. The UnitedHealth litigation, currently in federal discovery with tens of thousands of internal documents being produced, illustrates the shape of the problem regardless of its eventual outcome: logs existed, assembled after the fact from records that didn’t travel with the decisions, and a court order was required to surface them. The question isn’t whether logs exist. It’s whether they’re accurate, and whether the organization can prove it to a party that has every reason to contest them.
Clifford Chance’s analysis of agentic AI contracts found that under most current technology agreements, if an agent incorrectly authorizes a payment or misprices a product, standard supplier disclaimers typically leave the customer holding liability for a system they didn’t design and cannot fully audit. The contractual framework eliminates meaningful recovery precisely when stakes are highest.
The liability horizon is arriving. California AB 316, which took effect January 1, 2026, forecloses the autonomous-harm defense: developers and deployers of AI systems can no longer argue that the AI acted independently as a shield against civil liability. The EU Product Liability Directive classifies AI software as a product subject to strict liability, with member-state implementation by December 2026. These aren’t future risks. They’re current exposures accumulating on a timeline that most organizations’ infrastructure roadmaps don’t reflect.
How the Stack Actually Breaks Down
The agent infrastructure market is being built along two axes that are frequently conflated but are different problems with different solutions.
The first is settlement infrastructure. Getting authorized agents to transact reliably necessitates identity, payment rails, and execution coordination. This is where most current investment and partnership activity is concentrated, and for good reason. It’s urgent, it’s tractable, and the organizations building here are doing serious work.
The second is evidentiary infrastructure. Producing records of what agents did that remain independently verifiable to parties who weren’t present; under adversarial conditions, across institutional boundaries, without depending on the continued cooperation of whoever originated the record.
Current settlement infrastructure doesn’t solve the evidentiary problem. They’re different in kind, not in degree.
Skyfire’s Know Your Agent framework, integrated with Experian’s identity data and enforced by Cloudflare at the network edge, carries verified claims about agents in standard HTTP infrastructure. It’s well-designed for web3 and crypto-native contexts where HTTP-native credential enforcement is the goal, and for enterprise environments that already operate within that trust perimeter. Within those contexts it works well. The constraint is the perimeter itself.
Mastercard Verifiable Intent, co-developed with Google, creates tamper-resistant cryptographic records linking consumer identity, specific instructions, and transaction outcomes. It has real provenance properties and is authoritative within the Mastercard network, because participating institutions have agreed to treat that infrastructure as the source of truth. That agreement is powerful inside the network. It breaks down when a dispute involves a party outside it, a regulatory jurisdiction that hasn’t agreed to accept the network’s records as authoritative, or an insurer and enterprise deployer whose interests in characterizing the execution chain diverge.
x402, AWS AgentCore Payments, and the Universal Commerce Protocol solve transactional coordination: value transfer, execution interoperability, and settlement finality. AWS stores logs in CloudWatch, whatever the agent reports, observable but not independently verified. x402 has processed 169 million transactions; the question worth asking isn’t how many transactions it has processed, but what it can prove about each one when asked by a party that doesn’t share its trust assumptions.
The IMF’s April 2026 policy note gestured at the relevant tension without fully landing on it: payment systems require deterministic execution and settlement finality, while agentic AI introduces probabilistic reasoning and non-deterministic execution paths. Separating AI orchestration from deterministic settlement is a sound instinct. But even with deterministic settlement, the surrounding record may remain probabilistic, generated after execution by the same system that executed, coherent in narrative but unverifiable in fact.
This is the specific gap that better observability tooling, TEEs, and settlement finality don’t reach. Trusted Execution Environments can cryptographically prove which model ran against which input, hardware integrity is provable. What TEE attestation doesn’t cover is whether the log the model generated faithfully represents the sequence of decisions across a multi-step workflow. The hardware integrity is provable; the semantic accuracy of the record is not. And even where hardware attestation is combined with external auditors or notarized compliance chains, approaches that work well in stable institutional relationships, the remaining gap is institutional independence: whether the entity attesting to the record has interests that can diverge from the parties relying on it. That is precisely what adversarial conditions test.
Why the Boundary Condition Is the Hard Problem
Incumbents building settlement infrastructure are technically sophisticated and well-resourced. The limitation isn’t technical. It’s architectural.
Centralized provenance systems inherit the political trust assumptions of the institution maintaining them. That’s not a criticism, it’s their intentional design. Institutional trust works by agreement among participants, and courts rely on contested institutional records constantly. SWIFT, DTCC, clearinghouses, and HSM-backed signing systems produce records that carry real legal weight. The argument here isn’t that centralized provenance is invalid. It’s that under adversarial conditions across institutional boundaries, it creates significantly higher verification friction, greater discovery cost, slower adjudication, and material uncertainty, particularly in cross-jurisdictional disputes where no shared authority exists.
Consider where that friction becomes structurally prohibitive:
A cross-border supply chain dispute where one party is in a jurisdiction that doesn’t recognize the other’s record-keeping authority. An insurance claim where the insurer and the enterprise deploying the agent have conflicting interests in how the execution chain is characterized. A regulatory investigation where the regulator and the regulated institution are not, by definition, on the same side. A commercial dispute between two enterprises whose autonomous agents interacted through a shared protocol but whose interests in characterizing that interaction diverge.
In each of these cases, institutional records remain useful, but their authority becomes something that must be argued, not assumed. As autonomous systems multiply the frequency of cross-boundary execution, the cumulative cost of that argument compounds. No incumbent can eliminate this friction by adding features to an existing centralized system, because reducing dependence on institutional cooperation isn’t an upgrade to the architecture, it’s a different one.
No single network will own all agent execution. The fragmentation of agentic deployment across cloud environments, organizational boundaries, regulatory jurisdictions, and commercial relationships isn’t a temporary state waiting to be resolved by the right consortium. It’s the permanent operating condition of autonomous systems in the real world. Portable verification matters specifically because that fragmentation is real and won’t consolidate into any single institutional substrate.
MIT economist Christian Catalini and co-authors, in Some Simple Economics of AGI (February 2026), model this structurally: the cost to automate any given task falls exponentially; the cost to verify is biologically bounded, constrained by human time and judgment. These curves diverge structurally. The gap between what AI can execute and what humans can afford to audit is what Catalini calls the Measurability Gap. His prescription is that verification must become a property of the transaction itself, embedded at the moment of exchange, independent of any model, platform, or actor with an interest in the answer. Catalini names the requirement; he does not specify the architecture. The question of which architecture satisfies it is where this piece is making a claim, not borrowing one.
IBM’s AGENTSAFE framework, published independently in December 2025, arrived at identical requirements from a governance direction: what it calls the Action Provenance Graph, a structured record linking each tool call, decision point, and internal reasoning state to a cryptographic signature, is precisely the infrastructure both MIT and Cambridge computer scientists identified as necessary from entirely different first principles. AGENTSAFE specifies the gap. It doesn’t close it.
The Architectural Answer
The verification problem has a structural solution, and its shape is becoming clearer as the failures accumulate.
The property the adversarial cases require has a name: institutional portability. A record that remains authoritative after the institution that originated it has become a party to a dispute, has lost jurisdiction, or simply has interests that diverge from the parties relying on it. Not tamper-resistance, existing systems provide that. Not immutability, blockchains provide that, with settlement latency that makes them unsuitable for high-frequency agent interaction. Specifically: provenance that survives the loss of institutional cooperation, verifiable by any party operating under different trust assumptions, without requiring any shared intermediary to remain online, cooperative, or neutral.
This is what distinguishes embedded provenance from better audit trails. A better audit trail answers “what does the organization’s record say?” Institutional portability answers “what occurred, independently of what any organization says about it.”
Multiple architectures may attempt to satisfy this requirement, append-only distributed attestations, threshold-signed event graphs, decentralized witness networks, zk-provable execution systems. The claim here is not that one implementation has a monopoly on the property. It is that any architecture which succeeds must provide institutional portability as a first-order design requirement rather than a governance assumption layered on afterward. That is the test, and it is architectural before it is competitive.
The key architectural insight: a record generated separately from an action and stored separately can always be questioned. It can be lost, altered, reconstructed, or simply wrong. A record bound cryptographically to the action at the moment of execution, one that travels with the transaction the way a bearer instrument travels with value, cannot be reconstructed after the fact, because it was never separate to begin with.
The TODA architecture was built from this requirement, not because its designers had identified the enterprise AI governance problem, but because the mathematics of fair exchange and digital provenance led there independently. Dann Toliver, Jon Crowcroft, Carlos Molina-Jimenez, and Hazem Danny Nakib at Cambridge’s Centre for Redecentralisation spent six years on foundational research into how digital objects can carry independently verifiable provenance without a central ledger. The formal proof, published in 2023 and 2024, establishes that a specific class of cryptographic data structures guarantees a unique canonical line of succession: each asset has exactly one valid history, and no party can fabricate an alternative. Double-spend is not merely unlikely; it’s excluded by structure.
It’s worth being precise about what embedded provenance guarantees and what it doesn’t. It cannot guarantee that an autonomous decision was correct, or that the agent acted within its intended policy scope, those are questions about model behavior that no provenance system can answer. What it does guarantee is that the execution history cannot be retroactively altered, selectively reconstructed, or institutionally withheld. The record of what the agent did becomes an independent fact, not a party’s account of it. In disputes, in discovery, in regulatory examination, that distinction is the difference between evidence and testimony.
The practical consequence: a TODA file behaves like a bearer instrument. It carries its complete chain of custody from creation forward, verifiable locally by any party with no network call required, dependent on no intermediary’s continued cooperation. Provenance travels with the transaction. Any party, a counterparty, regulator, insurer, or court, can verify it independently without trusting the organization that originated it.
The foundation for this commercial infrastructure has been live since 2023. Toliver as Chief Science Officer, Kris Coward, cryptographer systems, and Adam Gravitis as Chief Technology Officer are the same individuals who authored the papers and now operate this infrastructure. That continuity between foundational research and production deployment is uncommon in deep technology. The architecture was not specifically and narrowly designed for the enterprise AI governance problem, it predates the deployment wave that made that problem visible. Whether it satisfies the requirements that problem creates is a technical question the Rigs papers answer, and one the Qatom deployment is testing in production.
(For the deployment in production, the Qatom piece in this series covers it in detail.)
What This Builds Over Time
The economic properties of embedded provenance compound differently from settlement infrastructure.
Settlement infrastructure competes primarily on network effects and interoperability, which is why Google’s Agent Payments Protocol is already functioning as a neutral bridge between Visa TAP, Mastercard Agent Pay, and Stripe ACP. When a neutral protocol layer successfully standardizes across competing networks, the underlying networks compress toward utility pricing. The visible scramble at the settlement layer is a signal: institutions racing hardest here understand the window to establish position is limited.
Embedded evidentiary infrastructure accumulates rather than competes. An enterprise operating autonomous systems inside a provenance framework builds governance history, contractual defensibility, and institutional trust directly inside the execution layer. Over time, replacing that infrastructure means disrupting the continuity of the evidentiary record accumulated across years of autonomous activity. Institutional network effects operate through recognition: a provenance framework accepted by enterprises, regulators, insurers, and courts becomes more valuable with every additional institutional participant that treats its records as authoritative, and more costly to operate outside. That is historically very difficult to replicate once established.
The organizations that begin this accumulation earliest will find themselves, in three to five years, holding something their competitors cannot manufacture on any shorter timeline: a verified history of having operated with integrity, proven by mathematics rather than claimed by assertion.
There is a larger structural shift implicit in this. For most of the history of digital commerce, execution, payment, authorization, and evidence were separate operational layers, each managed by different infrastructure, reconciled after the fact, and governed by different institutional agreements. Autonomous systems place pressure on that separation because execution chains propagate faster than reconciliation systems can economically follow. The direction the market is moving, whether or not any single company named in this piece intended it, is toward a single atomic object: a transaction that carries its own payment, its own authorization proof, and its own independently verifiable execution record as intrinsic properties, not attached layers. Settlement and evidence become the same operation. The cost of institutional trust stops scaling with the volume of autonomous activity because trust is no longer assembled after the fact. It travels with the act itself.
Why the Pressure Is Arriving Now
This convergence is not being driven by ideology or protocol preference. It is being driven by economics and timeline.
Autonomous systems increase execution volume faster than institutions can increase human verification capacity, Catalini’s diverging cost curves, playing out in real deployments. Cross-system agent workflows are multiplying the frequency of execution that crosses organizational and jurisdictional boundaries. Regulatory frameworks in multiple jurisdictions are simultaneously tightening liability for AI-generated outcomes. And insurance markets, which price risk on the basis of what can be independently reconstructed, are beginning to price the absence of portable provenance directly into coverage terms and exclusions.
These pressures are not arriving sequentially. They are arriving together, compressing the timeline between “nice to have” and “operationally required.” The organizations building evidentiary infrastructure now are not ahead of the market, they are at the edge of a window that is closing as each liability event, each regulatory deadline, and each discovery dispute makes the cost of not having built it more legible.
Whether portable provenance becomes broadly authoritative will depend not only on cryptographic validity but on whether insurers, regulators, courts, and counterparties converge on treating independently verifiable execution records as operationally preferable to institution-bound attestations. That convergence does not happen automatically, it happens through the accumulation of cases, precedents, underwriting decisions, and procurement mandates that make the alternative increasingly costly. The organizations that have already built this infrastructure when that convergence arrives will be the ones that shaped it.
The Closing Condition
McKinsey’s 2026 AI Trust Maturity Survey found that only around 30 percent of organizations reached maturity level three or higher on agentic AI governance and controls. Microsoft’s Cyber Pulse report found that 80 percent of Fortune 500 companies have active AI agents embedded in production workflows. The gap between those two numbers is an infrastructure problem that policies and training programs cannot close.
The organizations treating verification as a compliance checkbox added afterward are accumulating liability their current metrics cannot see. The feedback lag hasn’t expired yet. When it does, through a regulatory investigation, an insurance dispute, or a commercial litigation that requires reconstructing an execution chain that was never built to be reconstructed, the gap between having evidentiary infrastructure and not having it will be difficult to close quickly.
The question for enterprise leaders has shifted from which AI can we deploy to what can we prove, and to whom. The answer requires infrastructure where verification is a property of the transaction itself, not a reporting layer attached after the fact, not a certification captured at deployment, not a log held by the same system that acted.
For most of institutional history, the authoritative record of what occurred was maintained by an institution separate from the occurrence itself. That architecture assumed the separation was sustainable, that execution and evidence could remain distinct layers, reconciled afterward, governed by whoever held the ledger. Autonomous systems operating across fragmented environments, at machine speed, under adversarial conditions, dissolve that assumption. The transaction that cannot produce its own independently verifiable record of itself becomes a liability rather than an asset, to its deployer, its counterparties, its insurers, and ultimately to every institution that inherits its consequences.
The title of this piece is not a metaphor. It is the architectural condition that autonomous systems are forcing into existence. When the transaction becomes the record, the question of institutional trust stops being about who holds the ledger. It becomes about whether the ledger can be held at all, outside any single institution’s authority, across any boundary, under any condition. That is the infrastructure the agent economy is building toward. The organizations that understand this early enough to build accordingly will not merely be compliant. They will be the ones that defined what compliance means.
References
Catalini, C., Hui, X. & Wu, J. — “Some Simple Economics of AGI.” arXiv:2602.20946 (February 2026).
Khan, R., Joyce, D. & Habiba, M. — “AGENTSAFE: A Unified Framework for Ethical Assurance and Governance in Agentic AI.” arXiv:2512.03180 (December 2025).
Molina-Jimenez, C., Toliver, D., Nakib, H.D. & Crowcroft, J. — Fair Exchange: Theory and Practice of Digital Belongings. World Scientific (2024).
Coward, K. & Toliver, D.R. — “Simple Rigs Hold Fast.” arXiv:2208.13617 (2022).
Coward, K., Toliver, D.R., Gravitis, A. et al. — “Rigging Specifications.” T.R.I.E., v0.9876 (January 2023).
Clifford Chance — “Agentic AI: The Liability Gap Your Contracts May Not Cover.” (February 2026).
IMF Policy Note — “How Agentic AI Will Reshape Payments.” Davidovic & Tourpe (April 2026).
California Assembly Bill 316 (effective January 1, 2026).
EU Product Liability Directive 2024/2853 (member-state implementation deadline December 2026).
Estate of Gene B. Lokken v. UnitedHealth Group, Case 0:23-cv-03514-JRT-SGE.
McKinsey & Company — “State of AI Trust in 2026.” (March 2026).
Microsoft Cyber Pulse — “80% of Fortune 500 Use Active AI Agents.” (February 2026).
Moffatt v. Air Canada, 2024 BCCRT 149.
'provenance that survives the loss of institutional cooperation' The story of our lives.
Thank you again for watching over all of this, for all of us.