Announcing AAM.
Agent Audit and Management — the externally-anchored, content-addressed, post-quantum-ready audit-permanence layer above any agent control plane. AAM does not authorize, authenticate, or execute. It produces the tamper-evident long-tail record of what AI agents actually did, in a form independently verifiable years later by an external party that does not need to trust the operator, the platform vendor, or Bonis Systems.
Bonis Systems names and ships AAM as a strategic category.
- AAM = Agent Audit and Management. The externally-anchored evidence layer above any agent control plane.
- Live in production. Knox primitive, twelve public agents, a canonical event taxonomy with 144 event types, post-quantum signatures across six NIST parameter sets, public verify endpoint, hourly Merkle aggregation, OpenTimestamps Bitcoin anchor.
- Composes above any control plane. Knox runs above any agent control plane or hosted runtime, MCP, A2A, IETF ANS, AITH (arXiv:2604.07695), and any open-source orchestration framework.
- Vendor-neutral by construction. Records are content-addressed. Naming public products describes the operational landscape; it does not imply that any vendor is a partner, customer, prospect, or operational counterparty of Bonis Systems.
- Defensive only. Bonis never accesses third-party agent surfaces. Operators instrument their own emit path. Lawful authority decides what to do with the resulting evidence.
The control-plane category is forming this quarter.
Major platforms are reaching General Availability on agent control planes, hosted runtimes, and adjacent governance products on overlapping timelines this quarter.
Each of those products solves a distinct problem at a distinct layer of the agent stack — authorization, identity, execution, real-time observability, internal audit. None of them is the externally-anchored evidence layer. The layer that survives an acquisition, an outage, a key compromise, an internal-rewrite incident, or a years-later forensic inquiry has to be structurally separate from every system it audits.
Naming AAM as a category now gives technical buyers, regulators, acquirers, and platform vendors themselves a vocabulary for that layer. The vocabulary is unclaimed in current public agent-governance terminology. The primitive is shipped. This announcement documents both.
AAM is downstream of Safety, Alignment, and Observability.
Confusing AAM with adjacent categories is the most common error when reasoning about agent governance. AAM does not replace any of these layers; it composes alongside all of them and produces a different artifact.
AI Safety
Should an agent do a thing?
Pre-deployment behavioral research. AAM does not contribute to this layer; AAM observes the post-deployment outcome.
AI Alignment
Does the agent's objective match the operator's intent?
Training-time and deployment-time policy. AAM observes whether the deployed agent's actions are consistent with the policy claims years later.
AI Observability
What is the agent doing right now?
Real-time telemetry inside the operator's stack. AAM operates at the post-deployment evidence layer; the records survive after the observability stack rotates.
Agent Control Plane
What is the agent permitted to attempt?
Authorization, tool allow-lists, data scopes. AAM composes above any control plane and records what the agent actually did regardless of what was permitted.
Agent Identity
Who is the agent, cryptographically?
Agent identifiers, signing keys, name resolution. AAM embeds whichever identity scheme the operator runs in the chain-of-command stamp on each event.
Agent Runtime
How does the agent's call actually run?
Hosted execution, orchestration. AAM is runtime-neutral and operates above any runtime — hosted or in-house, public or sovereign.
Live in production. Verifiable from the public chain.
AAM is not a forward-looking roadmap announcement. It is a naming announcement for a category Bonis Systems is already shipping. The links below resolve to public surfaces.
Knox primitive
Content-addressed commitment, hash chain, hourly Merkle aggregation, OpenTimestamps Bitcoin anchor. The audit-permanence primitive under every AAM event.
Twelve public agents
Document, registry, counter-party, pledge, monitoring, custody, collusion, surveillance, supply-chain, applicant compliance, counter-party dossier, cryptographic signature/KEM primitive. Each agent's bureau, charter, and event taxonomy is published on the page.
Canonical event taxonomy
144 canonical Knox event types covering agent lifecycle, agent memory, agent transactions, agent authority, federal-compliance reporting, automotive-AI driving decisions, MCP audit, payment-gateway runtime fingerprinting, BSR site-operations receipts, and spatial-evidence anchors.
Layer-4 post-quantum signatures
ML-DSA-44 / 65 / 87 (NIST FIPS 204) and SLH-DSA-128s / 192s / 256s (NIST FIPS 205) shipped on terravault-00360-gkv on 2026-04-24. ML-DSA-87 is the same primitive specified in the AITH academic protocol (arXiv:2604.07695, Tamarin-verified).
Public verify endpoint
Any party with the anchor identifier or canonical commitment hash verifies the chain link, the hourly Merkle aggregation, and the Bitcoin block embedding the Merkle root. No Bonis cooperation required.
Control-plane integration brief
Worked example of the AAM seam above a publicly announced agent control plane. Categorical coverage for hosted-runtime providers and agent-governance products follows the same shape.
Vertical theaters where AAM is shipping right now.
AAM is horizontal — every industry adopting AI agents needs an externally-anchored evidence layer for those agents. The lanes below are the worked-example theaters under which Bonis is shipping concrete event-type taxonomies and positioning pages.
MCP audit
Tool-call records under the Model Context Protocol — agent_mcp_tool_call, agent_mcp_tool_response, agent_mcp_resource_fetch, agent_mcp_prompt_invocation, agent_mcp_server_attestation, agent_mcp_policy_change.
Agent transactions
Bilateral commitments under any agent commerce protocol — agent_transaction_offer, agent_transaction_acceptance, agent_transaction_settlement, agent_transaction_dispute, agent_transaction_reversal, agent_transaction_policy_change.
Agent memory
Agent memory mutations — agent_memory_write, agent_memory_read, agent_memory_edit, agent_memory_redact, agent_memory_export, agent_memory_policy_change.
Automotive AI
Driver-vs-AI evidence layer — agent_driving_handover, agent_driving_intervention, agent_driving_perception, agent_driving_decision, agent_driving_policy_change, agent_driving_attestation.
Payments runtime
Per-execution gateway runtime fingerprinting — gateway_code_fingerprint, gateway_input_commitment, gateway_output_commitment, gateway_agent_attestation, gateway_side_effect_record.
Cannabis vertical
Federal-face positioning for the cannabis MSO / regulator / court audience. State-license-registry adapter scope, federal-rescheduling-aware framing.
Federal procurement
GSAR 552.239-7001 Basic Safeguarding of AI Systems → Knox primitive mapping. Federal-compliance reporting event types — data_deletion_certified, security_incident_reported, gov_data_access, material_change_notice.
Control-plane compatibility
Architecture page describing the four-layer agent stack and the operational seam where AAM composes above any control plane, identity layer, or runtime.
The seven-tweet version.
For social-platform syndication. Each card is one post, in order. No links inside the thread — the canonical link is this page.
Bonis Systems is naming AAM today — Agent Audit and Management. The externally-anchored, content-addressed, post-quantum-ready audit-permanence layer above any agent control plane. Live in production. Verifiable from the public chain.
AAM does not authorize. It does not authenticate. It does not execute. It produces the tamper-evident long-tail record of what an AI agent actually did, in a form a third party can verify years later without trusting the operator, the platform vendor, or Bonis Systems.
The agent control-plane category is reaching General Availability this quarter. Major platforms are shipping authorization, identity, runtime, and internal-audit layers on overlapping timelines. None of those is the externally-anchored evidence layer. AAM is.
AAM is downstream of AI Safety, AI Alignment, and AI Observability. Safety and Alignment ask whether an agent should do a thing. Observability asks what it is doing now. AAM records what it already did — for the inspector, the regulator, the court, the acquirer, the next investigator.
Knox is the AAM primitive. Bitcoin-anchored via OpenTimestamps. 144 canonical event types covering agent lifecycle, MCP audit, agent transactions, agent memory, agent authority, automotive-AI driving decisions, payments runtime fingerprinting, and spatial evidence.
Layer-4 post-quantum signatures shipped 2026-04-24. ML-DSA-44 / 65 / 87 and SLH-DSA-128s / 192s / 256s — six NIST FIPS 204/205 parameter sets, live. ML-DSA-87 is the same primitive specified in the AITH academic protocol (arXiv:2604.07695, Tamarin-verified).
Vendor-neutral by construction. Records are content-addressed. Bonis never accesses third-party agent surfaces — Defensive-Only doctrine. Operators instrument their own emit path. Lawful authority decides what to do with the evidence. Read the announcement on bonissystems.com/aam/announcement.
Common questions, answered.
What is AAM?
AAM stands for Agent Audit and Management. It is the post-deployment evidence layer for AI agent actions — content-addressed, hash-chained, hourly-Merkle-aggregated, Bitcoin-anchored, and post-quantum-signature-ready. AAM does not authorize what agents may attempt (that is the control plane's job), does not authenticate who agents are (that is the identity layer's job), and does not execute agent calls (that is the runtime's job). AAM produces the tamper-evident long-tail record of what the agent actually did, in a form independently verifiable years later by an external party that does not need to trust the operator, the platform vendor, or Bonis Systems.
Why announce AAM as a category now?
The agent control-plane category is forming in public this quarter — major platforms are reaching General Availability on agent control planes, hosted runtimes, and adjacent governance products on overlapping timelines. Each of those layers solves a distinct problem (authorization, identity, execution, real-time observability). None of them is the externally-anchored evidence layer. Naming AAM as a category now gives technical buyers, regulators, and acquirers a vocabulary for the layer that is structurally separate from the systems being audited.
How is AAM different from AI Safety, AI Alignment, or AI Observability?
AI Safety and AI Alignment address whether an agent should do a thing — pre-deployment policy and behavioral research. AI Observability addresses what an agent is doing right now — real-time telemetry inside the operator's stack. AAM is downstream of all three: it addresses what an agent already did, in a form that survives the stack and remains verifiable independently of the operator and the platform vendor years after the action. AAM composes alongside Safety, Alignment, and Observability — not in competition with any of them.
How is AAM different from internal audit logs?
Every control plane, runtime, and operator can — and does — write its own audit log. Each of those logs is useful inside the organization that runs it, and each is, by construction, mutable by that organization. The questions that arrive after an incident, after an acquisition, after a contract dispute, after a regulator opens a file, are not questions the original operator's audit log can credibly answer alone. AAM is the externally-anchored, content-addressed chain that an outside party can verify without subpoenaing the operator. That property — independence from the system being audited — is what makes the record useful to a third party.
What does Bonis ship under AAM today?
Knox, the AAM primitive, is live in production. Twelve public agents wrap Knox for specific verification surfaces (document, registry, counter-party, pledge, monitoring, custody, collusion, surveillance, supply-chain, applicant compliance, counter-party dossier, cryptographic signature/KEM primitive). The canonical Knox event taxonomy in src/lib/knox-anchor.ts covers agent lifecycle, agent memory, agent transactions, agent authority, federal-compliance reporting, automotive-AI driving decisions, MCP audit, payment-gateway runtime fingerprinting, BSR site-operations receipts, and spatial-evidence anchors. Layer-4 post-quantum signatures (ML-DSA-44/65/87, SLH-DSA-128s/192s/256s) shipped on 2026-04-24. The verify endpoint and public anchor endpoint are operational at terravaulthq.com.
Who is AAM for?
Three buyer profiles. (1) Operators deploying AI agents in regulated commerce who need an evidence layer their auditors, regulators, and counter-parties can trust independently of the platform vendor. (2) Federal agencies, civil litigators, insurance carriers, and acquirers who consume third-party agent-action records and want a verification path that does not require cooperation from the operator. (3) Platform vendors building agent control planes who want a vendor-neutral audit-permanence layer their customers can compose above without the vendor itself becoming the audit anchor. AAM is structurally downstream of all three; the buyer is whichever party needs the externally-verifiable record, not the party producing it.
Does AAM require Bitcoin specifically?
Knox anchors via OpenTimestamps to the Bitcoin chain because Bitcoin is the longest-running, most independently-replicated public chain. The anchor primitive is conceptually chain-agnostic — what matters is that the chain is public, durable, and not under the control of the system being audited. Operators who require multi-chain anchoring can opt into the multi-chain routing surface; the canonical reference anchor remains Bitcoin via OpenTimestamps because that is the chain with the longest verification track record and the broadest external verification tooling.
Is AAM a competitor to major agent control planes, hosted runtimes, or governance products?
No. AAM is structurally above any of those. A control plane authorizes; AAM records. A hosted runtime executes; AAM records. A governance product produces internal audit and undo capabilities; AAM produces the externally-anchored chain those products cannot produce themselves without becoming an external party. The relationship is composition, not competition. Operators do not have to choose between an audit-permanence layer and a control plane.
How does an external party verify a Knox-anchored AAM record?
By calling the public Knox verify endpoint with the anchor identifier or canonical commitment hash, or by reconstructing the verification independently from the Bitcoin chain via OpenTimestamps. The verification proves the commitment existed at the recorded time. It does not require the operator, the platform vendor, or Bonis Systems to be online or cooperative. This is the property that makes AAM records useful to a third party years after the action.
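The chain-link and Merkle-aggregation checks described above can be modelled in a few lines. This is an added illustration, not Bonis Systems or Knox code: the canonical JSON encoding, SHA-256, the all-zero first link, the leaf/node prefixes and the event fields are assumptions, and only the event type names come from this page.

```python
import hashlib
import json

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def commitment(event: dict) -> bytes:
    """Content address: SHA-256 over a canonical (sorted-key, compact) JSON form."""
    return h(json.dumps(event, sort_keys=True, separators=(",", ":")).encode())

def chain_links(events):
    """link_i = H(link_{i-1} || commitment_i); the first link chains from 32 zero bytes."""
    prev, links = bytes(32), []
    for event in events:
        prev = h(prev + commitment(event))
        links.append(prev)
    return links

def merkle_root_and_proof(leaves, index):
    """Root over one period's links, plus the audit path for leaves[index]."""
    level = [h(b"\x00" + leaf) for leaf in leaves]    # domain-separate leaves
    proof = []
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        nxt = [h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])                      # odd node is promoted unchanged
        level, index = nxt, index // 2
    return level[0], proof

def verify_inclusion(leaf, proof, root):
    """The outside party's check: needs only the leaf, the path and the anchored root."""
    node = h(b"\x00" + leaf)
    for sibling, sibling_is_left in proof:
        node = h(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return node == root

# Constructed sample events; the type names are from the page, the fields are invented.
EVENTS = [
    {"type": "agent_mcp_tool_call", "agent": "agent-a", "seq": 1, "tool": "search"},
    {"type": "agent_mcp_tool_response", "agent": "agent-a", "seq": 2, "status": "ok"},
    {"type": "agent_memory_write", "agent": "agent-a", "seq": 3, "key": "notes"},
    {"type": "agent_transaction_offer", "agent": "agent-b", "seq": 4, "amount": 125},
    {"type": "agent_memory_redact", "agent": "agent-a", "seq": 5, "key": "notes"},
]

def check_record(events, index, proof, anchored_root):
    """Recompute the chain link for events[index] and test it against the anchored root."""
    return verify_inclusion(chain_links(events)[index], proof, anchored_root)
```

Because each link folds in every earlier commitment, editing any earlier event makes `check_record` fail for every later one against the original root. Anchoring that root to Bitcoin through OpenTimestamps is not modelled here.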
Is AAM defensive or offensive infrastructure?
Defensive only. Bonis Systems does not access any third-party control plane, runtime, or operator surface. Operators who want a Knox-anchored record instrument their own emit path. Bonis provides the audit primitive; lawful authority — courts, regulators, platform owners — decides what to do with the resulting evidence. The Defensive-Only doctrine is binding across every Knox surface and every public AAM page.
References here describe the operational landscape, not relationships.
References to MCP, A2A, IETF ANS, and AITH on this page describe public agent-stack protocols in which AAM operates. Operators evaluating AAM should consult each standard’s own published specification for authoritative definitions.
USPTO provisional applications, inventor of record Jonis Aaron Fields: 64/038,359 (Knox · 2026-04-13), 64/012,440 (TerraVault · 2026-03-21), 64/036,498 (TrustAI · 2026-04-11), 64/002,221 (HealthAgent · 2026-03-11), 64/013,240 (DealMatcher · 2026-03-22). Provisionals are priority-date footnotes; the operating moat is shipping code, public anchors, and open-standard alignment. Bonis Systems LLC · UEI R2BPJDC5CBA3 · CAGE 1TSP2.