A Log Is Not Evidence
The Comets had logs. What the investigators needed was a flight recorder — a record of the system, not records about it. Your agents are in exactly the same position, and the recorder has to already be on.

In January 1954, a de Havilland Comet climbed out of Rome, reached altitude, and disintegrated over the Mediterranean, killing everyone aboard. The Comet was not just any airplane. It was the world's first commercial jetliner, the pride of British engineering, the future made metal, and it had just torn itself apart in a clear sky for no reason anyone could see. The fleet was grounded, inspected, cleared, and returned to service. Sixteen days after it flew again, a second Comet climbed out of Rome and did exactly the same thing.

Now imagine being the investigator. You have two of the most advanced machines ever built, both destroyed, both with no survivors, and the wreckage of both sitting at the bottom of the sea. You have, in fact, a great deal of data. Maintenance logs, fuel records, radio transcripts, radar tracks, the whole paper trail of two flights. What you do not have is the one thing you need: the flights themselves. What actually happened in the cabin and the airframe in the seconds before the metal failed. The logs could tell you everything about the airplanes except the only thing that mattered, which was how they died.
A young Australian scientist named David Warren had, a few years earlier, proposed a solution so obvious in hindsight that its rejection is almost funny. Put a device on the aircraft that continuously records what is happening, as it happens, so that when the worst occurs, the machine itself can testify. Pilots' unions hated it. One publication of the era sneered that no plane would take off in Australia "with Big Brother listening." Warren persisted, the authorities eventually saw the point, and within a decade the flight recorder was mandatory across much of the world. We build them so tough and paint them so bright that the name for the essential record of any system, anywhere, is now borrowed from that little box: the black box.

Here is the detail everyone forgets, and it is the whole reason I am telling you about a 1954 plane crash. The Comets already had logs. Extensive ones. The investigators drowned in records about the flights and could not reconstruct the flights themselves. Warren's insight was not "you should record data," because they already recorded plenty. His insight was subtler and far more important: there is a fundamental difference between records about a system and a record of it, and the second kind cannot be reconstructed after the fact, because the information it captures exists only in the moment of the event and is gone the instant the event ends.
There is a line I have never been able to shake, the kind of thing a wisecracking animated sidekick tosses off in a kids' movie: so much sight, so little vision. That is a log file, in six words. A log sees everything. It understands nothing.
The A$440,000 document with nobody behind it
Fast-forward to October 2025, Canberra. Deloitte Australia delivers a report to the Department of Employment and Workplace Relations, a A$440,000 engagement reviewing, with an irony you could not make up, an automated penalty system that had been wrongly dunning welfare recipients. A researcher at the University of Sydney named Chris Rudge starts reading it carefully, the way academics read things, and begins checking the citations. Several of the academic references do not exist. A quote attributed to a Federal Court judgment appears in no Federal Court judgment. The revised version of the report, issued after the errors surfaced, quietly discloses something the original had not mentioned: parts of it had been produced with a generative AI model. Deloitte refunded the final installment.
The easy reading of this story is "AI hallucinated, firm embarrassed, lesson about checking your bots." The accurate reading is worse, and more useful. A Big Four consulting firm does not actually sell analysis. Anyone can produce analysis. What Deloitte sells, what commands the A$440,000, is vouched-for analysis. The signature at the bottom is the product. It says: a serious firm with a reputation to protect has stood behind these words. And what failed in Canberra was not the model. Models fabricate; that is a known and permanent material property, like steel fatiguing under repeated stress. What failed was that no human owner stood in the gap between the model's output and the firm's name on the cover. The vouching step, the single thing the entire fee was paying for, had been silently delegated to the very thing that needed vouching for.
Now run the tape forward to the review that inevitably follows an incident like this. An auditor or an investigator asks the obvious questions. Which specific sections did the model produce? Who reviewed each one before it shipped? What sources did the model actually consult when it generated that fabricated citation? On whose authority did AI-generated text flow into a signed government deliverable? And here is the thing, the thing this whole essay is built around: no log answers a single one of those questions. The logs, if they exist, say a user authenticated to an AI service and some tokens were consumed at some timestamps. So much sight. No vision.
What evidence actually is
The word "evidence" has a real definition, and it is worth being precise about it, because the gap between what a log captures and what evidence requires is exactly the gap that every agent deployment I have ever examined is currently standing in without knowing it.
Ask what an auditor, a regulator, or a court will actually demand about an agent's action, strip away the jargon, and it compresses every time to four properties.
First, what happened. The action itself, completely: what was read, what was changed, what moved, and where it went. Not "an export occurred" but the shape of the export.
Second, on whose authority. The chain that connects the action back to a human being or a policy that a human being owns. Not "the agent did it," which is a non-answer, but who stood behind the agent when it did.
Third, under which policy. What rule made this specific action permitted at the specific moment it ran. Not what the policy document says today, months later, but what actually applied then, in that run, at that instant.
Fourth, and this is the one people forget, checkable by someone who distrusts you. A hostile third party, an adversarial auditor, an opposing counsel, must be able to verify the record without taking your word for anything, including your word about the record itself.
Now hold a typical log line up against those four properties. Here is a real-shaped one: 2026-07-02T09:42:07 agent=support-bot-v3 action=export target=slack status=200. What happened? Partially. Something was exported to Slack. What, exactly? Silence. On whose authority? Silence. Under which policy? Silence. Checkable by a hostile party? It is a line in a text file that you control and could have edited, so, no. That log line scores one out of four, and the one it partially gets, "what happened," it gets so incompletely as to be nearly useless in the room where it matters.
| What evidence requires | What the log line answers |
|---|---|
| What happened, completely | Partially — “an export occurred.” The shape of it: silence |
| On whose authority | Silence |
| Under which policy, at that moment | Silence |
| Checkable by someone who distrusts you | No — a text file you control and could have edited |
2026-07-02T09:42:07 agent=support-bot-v3 action=export target=slack status=200, scored against the four properties. One out of four, and the one is generous.
And here is the part that makes this structural rather than fixable-by-adding-fields. The authority and the policy context, properties two and three, live inside the run. While the agent is acting, it reads a record, consults a rule, weighs a decision, and calls a tool, and in that moment the reason the action was permitted genuinely exists, in the live state of the running agent. And then the run ends, and that context evaporates, precisely like Warren's Comet flights. You cannot go back and reconstruct why an action was allowed, because the "why" was never written to any durable place. It happened, briefly, in the space between two tool calls, and then the process exited and took the reason with it. Identity can tell you the agent signed in. The audit log can tell you a record changed. Neither can tell you why it was allowed, because that answer had a lifespan of milliseconds and nobody caught it while it was alive.
This is why "we have logging" is, to me, the least reassuring sentence in all of agent governance. The Comet had logging. The logging attended the funeral, holding a folder full of timestamps, unable to say a word about how anyone died.
The deadline moved. The obligation did not.
Regulation is arriving on this line, which is a decent sign that the line is real and not something a vendor invented to sell you a product. But I want to spend exactly one section on it, because the record is the argument here, not the statute, and because most of what gets written about the EU AI Act's dates is wrong in a direction that flatters the writer.
So, the dates, read correctly. Under the Digital Omnibus agreed in late 2025, the strict obligations for most standalone high-risk systems in Annex III, the categories many agents actually fall into, hiring, credit, biometrics, critical infrastructure, are deferred to December 2027, and for AI embedded in regulated physical products, medical devices, machinery, toys, to August 2028. What actually lands on August 2, 2026 is much narrower: transparency. Users must be told when they are interacting with an AI system, and synthetic content must be disclosed as such. Real obligations, worth doing, and not the record-keeping regime this essay is about.
When the high-risk articles do arrive, the ones worth reading are the unglamorous ones. Article 12 requires automatic recording of events over a high-risk system's lifetime. Articles 9 through 17 collectively demand risk management, technical documentation, human oversight, and record-keeping. Article 26 puts duties on the deployer, the company using the system, not only on the vendor who built it. And get the penalty tier right, because people love to quote the scariest number: breaching the high-risk obligations runs up to 15 million euros or 3 percent of global turnover, while the 35-million-euro, 7-percent figure in the headlines is a different tier, reserved for the outright prohibited practices. Quoting the wrong tier, like quoting the wrong year, is exactly the kind of small imprecision a compliance reader notices and quietly downgrades you for, and I would rather be correct and slightly less dramatic.

Here is the only part I actually care about. A deferral to December 2027 changes the deadline. It does not change the obligation, and it certainly does not change the incidents. The four questions in Articles 9 through 17 are the same four properties I listed above, translated into the language of a directive, and they are coming on some date, whatever the final date turns out to be. If your plan is to start recording when Brussels makes you, you are planning to install the flight recorder after the crash. The Comets were not on anyone's compliance calendar either.
The custodian problem
There is one more move in this argument, and it is the one that costs my company something to make, which is exactly why you should trust it more than the parts that flatter us.
Suppose a vendor, any vendor, sells you a beautiful evidence system for your agents. Sealed records, all four properties, cryptographically signed, the works. One question still remains, and it is the question that quietly decides whether the whole thing is worth anything: who holds the record? If the answer is "the same platform that runs your agents," then you have rebuilt the Deloitte problem one layer down, at the infrastructure level. The party whose agents are being held to account is also the custodian of the evidence against them. No serious auditor accepts that arrangement from a human. A contractor does not get to perform their own building inspection and file the only copy of the report. A defendant does not get to keep the exhibits in his own garage and promise he did not touch them.
For an evidence layer to actually be worth the name, it has to be open, portable, and owned by you. Readable without the vendor's permission. Exportable without the vendor's continued existence. And durable across every model and framework you will churn through over the next five years, because you will churn through many, and the record of what your agents did has to outlive all of them and every vendor that touched them. That is the honest structural reason the accountability layer we build is open source, and I want to be plain that it is a structural argument and not a licensing preference or a marketing choice. An accountability system you cannot take with you when you leave is not accountability. It is a subscription to one particular company's version of events, and the day you stop paying, the truth about your own agents goes dark.
The recorder has to already be on
Aviation's black box never prevented a single crash, and that was never the claim anyone made for it. What it did was end the era of unanswerable crashes. Before Warren's box, planes fell out of the sky and sometimes nobody ever learned why, and the same failure was free to happen again. After it, every crash produced an answer, and every answer compelled a fix, and the fixes compounded, decade over decade, into the almost unbelievable safety of modern flight. We board planes casually today, strap in without a thought, precisely because when something goes wrong we find out why, every single time, and the finding forces the change. Accountability did not slow aviation down. Accountability is the reason aviation got to scale into something billions of people trust with their lives without thinking about it.
Your agents will have their Comet moments. Some already have; we spent other essays on them. When yours arrives, the sequence will be depressingly predictable. The incident. The questions from people who are angry and entitled to answers. The meeting where someone says, with total confidence, "let's just pull the logs." And then the long, quiet afternoon when everyone in the room slowly realizes that the logs have so much sight and so little vision, that they can prove an authenticated actor did something at 09:42:07 and can prove absolutely nothing about what it was allowed to do or why.
The only variable you actually control is a decision that has to be made now, in the boring, uneventful months before anything has gone wrong: whether the recorder was on.
David Warren's father was killed in a plane crash in 1934, over the Bass Strait, when the boy was nine. The cause was never determined. There was no recorder. He spent the rest of his life building the machine that answers the question nobody could answer about his own father's death. We are, all of us, luckier than he was, and in a specific way that is worth naming. We get to install the recorder before the crash. We know it is coming. We have been told, repeatedly, by other people's wreckage. The only thing left is to decide whether we listen while it is still cheap to listen.
The Decision Record in Guard0 is our version of Warren's orange box: the run, captured live, because afterward the run is gone. It stays open, portable, and yours, for the reason above, not the reasons a marketing page would give.
References
- David Warren and the invention of the flight recorder
- The de Havilland Comet crashes
- Fortune: Deloitte's AI report refund
- CFO Dive: the Deloitte AI debacle as a corporate finance wake-up call
- EU AI Act implementation timeline
- Gibson Dunn on the Digital Omnibus and postponed high-risk deadlines
- Holland & Knight on the EU AI Act's August 2026 obligations
Get Started
Start free on Cloud
Dashboards, AI triage, compliance tracking. Free for up to 5 projects.
Start free →Accountability at scale
SSO, RBAC, CI/CD gates, self-hosted deployment, SOC2 compliance.