Governance for AI agents that take real actions

Enforcement and evidence are the same event.

Obsign sits in the path of every action your AI agents take. It decides allow / deny / redact in microseconds — before the action runs — and seals a cryptographically tamper-evident, court-grade record of that decision that an examiner can verify offline. Even your own operator can't rewrite history.

Built for US financial services — agents that move money, trade, and underwrite.

The problem

AI agents now move money. Can you prove what they did?

Agents act autonomously through tool calls — approving, paying, trading. You need two things at the same instant: to stop an out-of-policy action before it executes, and to prove, court-grade, exactly what was decided and why. Today these are separate and breakable — policy gateways write editable logs, and audit trails are mutable by the very operator who runs them. When a regulator asks “prove your agent didn't move that money,” most teams can't.

$390M+ collected by the SEC in a single 2024 sweep of firms that couldn't preserve their records. Recordkeeping failures carry real money.

How it works

One event: enforce, and prove.

At the Model Context Protocol boundary — the emerging standard wiring agents to their tools — every action is decided synchronously and sealed asynchronously, off the hot path.

Synchronous (microseconds, fail-closed): AI agent tools/call → intercept at the MCP boundary → decide in µs (Cedar policy) → ALLOW: tool runs, or DENY: blocked, cited.

One event.

Asynchronous (off the hot path, verify offline): canonical record (inputs hashed) → Merkle tree (hash-chained) → Ed25519 sign (signed checkpoint) → independent witness + trusted timestamp → court-ready bundle (verify with a public key).

Decide in microseconds

In-process, formally-verified policy — allow, deny, or redact — before the action executes. Fail-closed by construction: an error never becomes an allow.

Seal, tamper-evident

Hash-chain + Merkle tree + signed checkpoint + an independent witness. Editing, deleting, reordering, or back-dating any record is detectable — even by the operator.

Verify offline

A self-contained evidence bundle anyone can re-check with only a public key — no trust in Obsign required. Sensitive inputs are hashed, never stored.
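An added example, not Obsign's code, of the hash-chain and Merkle-checkpoint construction described under "Seal, tamper-evident" and the offline check described under "Verify offline". The record fields, the `GENESIS` value and the sample decisions are assumptions; the Ed25519 signature, witness and timestamp over the checkpoint are left out, so `verify` takes the checkpoint as already trusted.

```python
import hashlib
import json

GENESIS = "00" * 32  # assumed start value for the chain

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators give exactly one byte encoding per record.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(decisions: list) -> list:
    """Chain each decision to its predecessor; keep only a hash of the tool input."""
    entries, prev = [], GENESIS
    for seq, (ts, tool, decision, tool_input) in enumerate(decisions):
        entry = {"seq": seq, "ts": ts, "tool": tool, "decision": decision,
                 "input_sha256": h(canonical(tool_input)).hex(), "prev": prev}
        entries.append(entry)
        prev = h(canonical(entry)).hex()
    return entries

def merkle_root(leaves: list) -> str:
    # 0x00 / 0x01 prefixes keep leaf hashes and interior hashes distinct.
    level = [h(b"\x00" + leaf) for leaf in leaves]
    while len(level) > 1:
        paired = [h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        level = paired + ([level[-1]] if len(level) % 2 else [])
    return level[0].hex() if level else h(b"").hex()

def checkpoint(entries: list) -> dict:
    """The value a signer and a witness would sign (signing is out of scope here)."""
    return {"size": len(entries), "root": merkle_root([canonical(e) for e in entries])}

def verify(entries: list, trusted: dict) -> list:
    """Offline check of a bundle against a trusted checkpoint; [] means intact."""
    problems, prev = [], GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            problems.append(f"chain break at position {i}")
        prev = h(canonical(e)).hex()
    if checkpoint(entries) != trusted:
        problems.append("checkpoint mismatch")
    return problems

SAMPLE = [  # constructed decisions: (timestamp, tool, decision, tool input)
    ("2025-01-06T14:00:01Z", "lookup_account", "ALLOW", {"account": "ACME-001"}),
    ("2025-01-06T14:00:02Z", "send_wire", "DENY", {"account": "ACME-001", "amount_usd": 4800000}),
    ("2025-01-06T14:00:03Z", "notify_reviewer", "ALLOW", {"case": "constructed-1"}),
]
```

Back-dating or truncating the newest entry leaves the chain links intact and is caught only by the checkpoint comparison, which is why the checkpoint itself has to be signed and witnessed outside the operator's control.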

Why it matters now

A US regulator already endorsed the exact design — a tamper-evident audit trail.

The SEC's 2022 amendment to Rule 17a-4 explicitly permits a tamper-evident audit trail as an alternative to write-once storage. FINRA's 2026 priorities ask firms to keep audit trails, require human checkpoints before execution, and block out-of-bounds AI actions. Obsign is built to that standard.

SEC Rule 17a-4 — the audit-trail alternative reads almost line-for-line like Obsign's evidence bundle.
FINRA 3110 — supervise, evidence the review in writing, block out-of-bounds actions.
EU AI Act Art. 12 — automatic lifetime logging for high-risk AI; Obsign adds the tamper-evidence it doesn't.
Independent, not self-certified — evidence an operator can't credibly attest about itself.

It's real

A working, tested system — not a slide.

Built test-first against an adversary that continuously tries to forge the seal. The demo blocks a live $4.8M agent wire inline, seals it, and an offline verifier rejects a back-dated copy.

299 automated tests, 0 failing
100% of tamper classes provably caught
~200µs decision p99 (budget 10ms)
LIVE: verified against real MCP servers

Putting agents into money-moving workflows?

If your agents take consequential actions, you'll be asked to prove they stayed in policy. We're working with a small number of design partners. Let's talk.
