AERF (Authenticated Evidence Receipt Format) landed on Hacker News Monday as a public review draft targeting one of the thorniest unsolved problems in AI agent deployment: provable audit trails. The specification defines an open wire format for cryptographic receipts that record exactly what an AI agent did, which policy authorized it, when it happened, and the full evidence payload, all wrapped in an Ed25519 signature over canonical JSON.
What Makes This Different
Unlike traditional logging systems that rely on trusted infrastructure to maintain integrity, AERF receipts are self-contained audit artifacts. The spec's authors describe it as "to agentic AI evidence what cosign is to container images and slsa-verifier is to build provenance": a small, boring, auditable file format paired with a verifier you can actually read. The reference Go verifier weighs in at roughly 200 lines using only the standard library. No external dependencies means no supply chain attack surface for the verification side.
Compliance Framework Mapping
The spec explicitly maps to eight governance frameworks: AIUC-1 (the primary target), HIPAA, SOC 2, ISO/IEC 42001, EU AI Act, NIST AI RMF, SR 11-7, and SOX 404. Rather than promising a full compliance solution, the authors are upfront about gaps: AERF handles the evidence and logging layer only. The documentation lives in docs/COMPLIANCE.md as a navigation hub with per-framework mapping pages that spell out exactly which controls AERF touches and where it stops short.
Reference Implementation Status
The reference producer is agentmint-python, installable via pip install agentmint. However, the draft notes a divergence from two locked spec decisions (genesis sentinel C-6 and chain hash input C-7) in the v0.1.x library; fixes are tracked in GitHub issue #2 for the next draft release. The current example receipt is intentionally a single genesis receipt to sidestep that gap. Test vectors, Python/TypeScript verifiers, CI workflows, pre-built binaries, and an AERF-AUTHZ authorization profile are all explicitly deferred to future drafts.
Key Technical Constraints
The spec is honest about what v0.1.0-draft.1 does not include: no hash-chain enforcement in the Go verifier (only signature verification ships), no RFC 3161 timestamp authority checks, and no normative compliance directory; governance and contributing documents are still missing entirely. The wire format itself may change before stable v0.1.0, though locked decisions C-1 through C-20 are binding regardless.
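To make concrete what "a self-contained receipt verified with only the standard library" means (the point of the What Makes This Different section) and what the missing hash-chain enforcement would add on top of signature checking, here is an added Go example. It is not AERF's reference verifier and not code from the spec's authors: the Receipt field names, the genesis sentinel value, the use of SHA-256 over the canonical body as the chain link, and the key-sorted encoding/json output standing in for the spec's canonical JSON are all assumptions made for illustration, since the article gives none of those details.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Receipt is a hypothetical receipt shape for this illustration only; the real
// AERF field names are not given in the article.
type Receipt struct {
	ID       string          `json:"id"`
	Prev     string          `json:"prev"`   // hex SHA-256 of the previous canonical body, or the genesis sentinel
	Action   string          `json:"action"` // what the agent did
	Policy   string          `json:"policy"` // which policy authorized it
	Time     string          `json:"time"`   // when it happened
	Evidence json.RawMessage `json:"evidence"`
	Sig      string          `json:"sig,omitempty"` // base64 Ed25519 signature over canonicalBody
}

// GenesisSentinel is an assumed placeholder for the first receipt's prev field.
var GenesisSentinel = strings.Repeat("0", 64)

// canonicalBody serializes the receipt minus its signature with sorted keys and no
// whitespace. Round-tripping through a map makes encoding/json sort every object's
// keys; this approximates a canonical form but is not a full JCS implementation.
func canonicalBody(r Receipt) ([]byte, error) {
	r.Sig = ""
	raw, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	var m map[string]interface{}
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	delete(m, "sig")
	return json.Marshal(m)
}

// receiptHash is the assumed chain link: SHA-256 over the canonical body, hex encoded.
func receiptHash(r Receipt) (string, error) {
	body, err := canonicalBody(r)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:]), nil
}

// Sign fills in r.Sig with the producer's private key.
func Sign(priv ed25519.PrivateKey, r Receipt) (Receipt, error) {
	body, err := canonicalBody(r)
	if err != nil {
		return r, err
	}
	r.Sig = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body))
	return r, nil
}

// VerifySignature is the stand-alone check: only the public key and the file are needed.
func VerifySignature(pub ed25519.PublicKey, r Receipt) error {
	sig, err := base64.StdEncoding.DecodeString(r.Sig)
	if err != nil {
		return fmt.Errorf("receipt %s: bad signature encoding: %w", r.ID, err)
	}
	body, err := canonicalBody(r)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, body, sig) {
		return fmt.Errorf("receipt %s: signature does not verify", r.ID)
	}
	return nil
}

// VerifyChain adds what the draft Go verifier does not yet do: every signature must
// verify AND each prev must equal the hash of its predecessor, starting at genesis.
func VerifyChain(pub ed25519.PublicKey, chain []Receipt) error {
	expectPrev := GenesisSentinel
	for i, r := range chain {
		if err := VerifySignature(pub, r); err != nil {
			return err
		}
		if r.Prev != expectPrev {
			return fmt.Errorf("receipt %d (%s): prev %q != expected %q", i, r.ID, r.Prev, expectPrev)
		}
		h, err := receiptHash(r)
		if err != nil {
			return err
		}
		expectPrev = h
	}
	return nil
}

// BuildChain produces n signed, linked receipts with constructed sample evidence.
func BuildChain(priv ed25519.PrivateKey, n int) ([]Receipt, error) {
	chain := make([]Receipt, 0, n)
	prev := GenesisSentinel
	for i := 0; i < n; i++ {
		r := Receipt{ID: fmt.Sprintf("r%d", i), Prev: prev, Action: "read_record",
			Policy: "policy-v1", Time: fmt.Sprintf("2024-01-01T00:00:%02dZ", i),
			Evidence: json.RawMessage(fmt.Sprintf(`{"record":%d,"zeta":1,"alpha":2}`, i))}
		signed, err := Sign(priv, r)
		if err != nil {
			return nil, err
		}
		chain = append(chain, signed)
		if prev, err = receiptHash(signed); err != nil {
			return nil, err
		}
	}
	return chain, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	chain, _ := BuildChain(priv, 3)
	fmt.Println("intact chain:", VerifyChain(pub, chain))
	chain[1].Evidence = json.RawMessage(`{"record":99}`) // tamper with one payload
	fmt.Println("tampered chain:", VerifyChain(pub, chain))
}
```

The design choice worth noticing is that the signature covers the canonical body rather than the bytes as stored, so a verifier that re-serializes the file deterministically gets the same result regardless of whitespace or key order; and that the signature alone cannot catch a deleted receipt in the middle of a sequence, which is exactly the gap the chain check closes.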
Key Takeaways
- Ed25519-signed JSON receipts provide tamper-evidence without requiring AERF infrastructure to verify them
- Single-file Go verifier (~200 lines) uses only the standard library for maximum auditability
- Maps to HIPAA, SOC 2, EU AI Act, NIST AI RMF, and six other frameworks at the evidence layer only
- Public review draft status means production adoption should wait for v0.1.0 stable
The Bottom Line
This is the right idea at the right time: as AI agents start touching sensitive workflows in healthcare, finance, and insurance, having cryptographic receipts that any auditor can verify without installing proprietary software isn't a nice-to-have, it's foundational infrastructure. The spec still has rough edges and the producer library needs alignment work before v0.1.0 stable, but the architecture choices are sound. If you're building anything with agentic AI in regulated domains, this is worth watching closely.