·4 min read

Execution Isn't Authorization

You can have perfect call logs, and still have no idea why your agent did what it did.

#product#audit-ledger#engineering
Jeevsidak Singh
Founder, Ledgix · Apr 20, 2026 · 4 min read

title: "Execution Isn't Authorization" description: "You can have perfect call logs, and still have no idea why your agent did what it did." date: "2026-04-20" author: "Jeevsidak" tags: ["product", "audit-ledger", "engineering"]

Your agent, the one with access to your support inbox, just sent an email at 2 am to a customer you parted ways with six months ago. The email was polite, coherent, and referenced a real ticket number. It even signed off with your support lead's name.

You pull the logs. The API call is there, authenticated with no errors. The OAuth token was valid, and the email was well-formed. By every observable metric, the agent did its job.

But you have no idea why that email was ever sent. Was it in response to some user instruction? Was it a hallucinated sub-goal from some reasoning chain? Was it a prompt injection buried in an inbound ticket it processed overnight?

Your logs, even good ones, can't ever answer this question. They capture everything that happened, yet have nothing to say about whether a human ever authorized this action or the intent behind it.

That email is already in someone's inbox. You can't unsend it. And telling the customer, "our agent did it, and we're not sure why," isn't really a good look.

The standard toolkit is tolerable for deterministic software, but when it comes to agents, it tends to break down.

What an Audit Ledger Actually Captures

The core idea is to commit a causal record at the moment of each tool call, not just the call itself, but a cryptographic link to the user's intent and the policy version that authorized it.

The entry looks something like this:

{
  "entry_id": "01HYB7K3M4FXQZ9V2N6PTJD8RC",
  "timestamp": "2026-04-18T02:13:44Z",
  "action": "email.send",
  "actor": "agent:support-v3",
  "intent_ref": "sha256:a3f9c2...e841",
  "policy_ref": "sha256:c71bd0...3f09",
  "outcome": "approved",
  "proof": "<merkle-inclusion-proof>"
}

The field that matters most here is 'intent_ref': a hash of the specific user turn that initiated this task. Not the entire session, just the message/policy that triggered this chain. 'policy_ref' captures the policy version in effect at the time of the call, and 'proof' makes the entry tamper-evident via a Merkle inclusion proof. Both are there, so you can answer, "Was this approved under the rules that existed at the time?"

One tradeoff to be honest about: a hash gives you verifiability, not reconstructability. The ledger proves that a specific user authorized this action. You can directly and easily verify this claim if you hold the original referenced text; the ledger doesn't store it. For teams with e-discovery or legal hold requirements, you keep the plaintext in a separate, access-controlled vault and link it on demand. The ledger holds the commitment; you hold the key.

How intent drift gets caught

The ledger records what happened. The mechanism that prevents bad things from happening is a policy judge that runs at the moment of every tool call, not at the moment of user consent.

OAuth is evaluated once, when the user connects an integration. The scope approved is correct at that moment, but by the time the agent calls 'email.send' at 2 am, OAuth can only tell you the app has send access. It can't tell you whether the user's current intent includes sending that specific email to that specific recipient.

A policy judge can. It checks the pending action against constraints like "only send to email addresses referenced explicitly in the initiating user message" or "block any outbound email to a contact marked as churned". If the agent's reasoning has drifted, the call fails before it hits the wire.

Critically, the ledger records rejections too. A pattern of blocked send attempts, especially ones not tied to any user-visible action, is often the first signal that something has gone wrong upstream. In the 2 am scenario, a ledger full of rejections is almost as useful as one full of approvals: the policy was working, the agent attempted out-of-mandate actions, and here is exactly when it started.

2 am With Ledgix

Let's go back to the same 2 am scenario we talked about in the beginning, but now you have Ledgix integrated.

This time, when the agent attempts email.send to a contact marked as churned, the policy judge blocks it before it hits the wire. The ledger records a rejection, timestamped, linked to the reasoning chain it produced, and tied to the policy version that caught it.

You wake up to a flag, not a crisis. You can see exactly when the agent started attempting these actions, where it can be traced back to, and whether the policy held throughout. Nothing left your system that a human didn't sanction.

That's the difference between a log that tells you what happened and a ledger that tells you whether it should have.

Go Deeper

The Ledgix docs cover the wire format, SDK integration, and policy language. If you're evaluating fit, start there; you'll know within 20 minutes.

If you'd rather see it run on your own traffic first, book a demo.

— Jeevsidak