The cryptographic evidence layer for AI
Verdict normalizes every autonomous AI agent action into a single Evidence Event, seals it into a Merkle-rooted record anchored in Sigstore Rekor, and renders that record into whatever the regulator, auditor, or insurance underwriter requires — without rework.
Three boundaries.
Closed by construction.
Every byte that moves through Verdict crosses exactly three boundaries. Each absorbs one source of complexity. Everything between them is deterministic.
Heterogeneous frameworks → one Evidence Event
Verdict ships an MCP proxy, an OpenTelemetry collector, and SDK wrappers for LangGraph, CrewAI, AutoGen, Claude Code, and the OpenAI Agents SDK. Every instrumented agent emits the same canonical event taxonomy regardless of the underlying framework.
Nine canonical event types: stimulus · model_call · tool_call · tool_result · policy_evaluation · human_decision · state_transition · output · terminal
The taxonomy is closed. Frameworks normalize to it or they don't emit sealable evidence. This is what makes downstream cryptographic sealing and insurer schema mapping deterministic.
SHA-256 · RFC 6962 Merkle · Sigstore Rekor · Ed25519 HSM
Each Evidence Event is content-addressed with SHA-256. Events are batched into RFC 6962 Merkle trees (the same construction Certificate Transparency uses to make web PKI auditable). The Merkle root is anchored in Sigstore Rekor, an append-only public transparency log operated by the Linux Foundation.
The anchor is signed with an Ed25519 key bound to a hardware security module on the customer's tenant. The deployer chain links each new root to the prior root via a prior_root reference, so selective omission becomes computationally detectable.
Forgery requires breaking SHA-256, mining a colliding Merkle path, and compromising both Rekor and the deployer's HSM simultaneously. The moment that becomes feasible is the same moment HTTPS stops working.
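The sealing steps described above, as an added example that is not Verdict's own code: RFC 6962 leaf and node hashing over SHA-256, with each root linked to the previous one so that a dropped batch shows up on verification. The record layout, the canonical-JSON encoding and every function name are assumptions (only prior_root and the event type names come from the page); Ed25519 signing and the Rekor anchor are left out.

```python
import hashlib
import json

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(event: dict) -> bytes:
    # RFC 6962 leaf hash: SHA-256(0x00 || leaf). Canonical JSON is an assumption.
    blob = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return sha256(b"\x00" + blob)

def merkle_root(leaves: list) -> bytes:
    # RFC 6962 section 2.1: split at the largest power of two smaller than n.
    n = len(leaves)
    if n == 0:
        return sha256(b"")
    if n == 1:
        return leaves[0]
    k = 1
    while k * 2 < n:
        k *= 2
    # Interior nodes use prefix 0x01, so a leaf can never be replayed as a node.
    return sha256(b"\x01" + merkle_root(leaves[:k]) + merkle_root(leaves[k:]))

def seal_batch(events: list, prior_root):
    # Hypothetical record layout; only the name prior_root comes from the page.
    root = merkle_root([leaf_hash(e) for e in events]).hex()
    return {"root": root, "prior_root": prior_root}

def verify_chain(records: list, batches: list, genesis=None) -> list:
    """Return indices whose recomputed root or prior_root link does not match."""
    bad, expected_prior = [], genesis
    for i, (rec, events) in enumerate(zip(records, batches)):
        recomputed = merkle_root([leaf_hash(e) for e in events]).hex()
        if rec["root"] != recomputed or rec["prior_root"] != expected_prior:
            bad.append(i)
        expected_prior = rec["root"]
    return bad

def build_sample():
    # Constructed events using type names from the page's taxonomy.
    batches = [[{"type": "stimulus"}, {"type": "model_call"}, {"type": "tool_call"}],
               [{"type": "policy_evaluation"}],
               [{"type": "output"}, {"type": "terminal"}]]
    records, prior = [], None
    for events in batches:
        records.append(seal_batch(events, prior))
        prior = records[-1]["root"]
    return batches, records
```

Dropping the newest record leaves the remaining chain internally consistent, which is why the latest root also has to be anchored in a log the deployer cannot rewrite.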
One record. Every audience. Zero rework.
Each SER renders deterministically into the artifacts each downstream audience requires:
- SOC 2 Type II — auditor package with control evidence per CC trust services criteria
- EU AI Act Article 12 — logs of automated decision-making for high-risk AI systems
- HIPAA — BAA-conformant audit log with field-level PHI redaction
- FRE 902(14) — self-authenticating record for U.S. federal court
- Armilla / Testudo / Munich Re aiSure — insurer-specific underwriting and claim-attestation submissions
Renderers are versioned alongside the SER spec. Adding a new audience is a pull request, not a re-architecture.
Six terminal outcomes.
No ambiguous states.
Every agent run terminates in exactly one of six states. The taxonomy is exhaustive and mutually exclusive. The seal engine refuses to seal a record with an ambiguous terminal — this is what makes the Evidentiary Completeness Score computable.
Agent reached its goal and produced an output.
Policy gate blocked. Refusal event sealed with reason.
Routed to a human under SOVREN bubble approval.
Tool error or model error terminated execution.
Wall-clock or budget bound exceeded.
Authorization withdrawn mid-flight.
Two lines of Python.
First SER in Rekor in 60 seconds.
# pip install verdict-sdk
from verdict import seal
with seal(deployer="yourco-inc") as s:
    result = your_agent.run(user_input)
    # every model_call, tool_call, policy_evaluation
    # captured automatically. Sealed at scope exit.
# anchor URL printed to stdout:
# https://search.sigstore.dev/?logIndex=4728298
The 15-slide thesis. Three forces. One window. Right now.
Origin, mission, market, moat, model. The full reasoning.