Network Working Group                                            T. Sato
Internet-Draft                                           MyAuberge K.K.
Intended status: Standards Track                             9 June 2026
Expires: 9 December 2026


       The Governance Audit Record (GAR) for Agentic AI Systems
                         draft-sato-soos-gar-02

Abstract

   This document specifies the Governance Audit Record (GAR), the audit architecture for agentic AI systems.  GAR defines five audit types, the Session Audit Record (SAR), the Audit Alert system, auditor principal categories, and the Audit Package for external regulatory inspection.  GAR provides verifiable evidence that AI agent sessions were governed in accordance with the Intent Declaration Primitive [I-D.sato-soos-idp] and the Human Escalation Mechanism [I-D.sato-soos-hem].  GAR answers the governance question: can any of this be proven to a regulator?

   GAR is a domain-specific application of the SCITT (Supply Chain Integrity, Transparency and Trust) architecture [I-D.ietf-scitt-architecture] extended with causal ordering semantics for agentic governance events.

   GAR defines the Authority Lifecycle Event (ALE) category: a normative set of causally-ordered event types covering the complete agent session revocation and recovery lifecycle, including single-agent revocation, authority suspension, partial state recording, recovery initiation, credential restoration, and multi-agent delegation tree events.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
   This Internet-Draft will expire on 9 December 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

   1.  Introduction
   2.  Conventions and Definitions
   3.  Architecture Overview
   4.  Audit Types
     4.1.  Type 1 -- GEC Self-Audit
     4.2.  Type 2 -- Session-Close Audit
     4.3.  Type 3 -- Event-Triggered Alert
     4.4.  Type 4 -- Scheduled Audit
     4.5.  Type 5 -- On-Demand External Audit
   5.  Auditor Principal Categories
     5.1.  HEM Principal
     5.2.  Audit Principal
     5.3.  Verified External Auditor
     5.4.  GEC Self-Auditor
   6.  Session Audit Record
     6.1.  SAR Generation
     6.2.  SAR Schema
     6.3.  SAR Signing
     6.4.  SAR Retention
   7.  Audit Alert System
     7.1.  Alert Generation
     7.2.  Alert Schema
     7.3.  Normative Trigger List
     7.4.  Alert Delivery
   8.  Event Log Requirements
     8.1.  IDP Audit Events
     8.2.  HEM Audit Events
     8.3.  GAR Audit Events
     8.4.  CAP Audit Events
     8.5.  ALE Audit Events
   9.  Audit Package
     9.1.  Package Composition
     9.2.  Package Schema
     9.3.  Access Control
   10. SCITT Integration
     10.0.  Relationship to SCITT
     10.1.  SAR as SCITT Signed Statement
     10.2.  Audit Package SCRAPI Submission
     10.3.  Conformance Level Requirements
   11. EU AI Act Applicability
     11.1.  Article 12 Mapping
   12. Authority Lifecycle Events
     12.1.  ALE Design Principles
     12.2.  ALE Causal Ordering Model
     12.3.  ALE-001: ALE_SESSION_REVOKED
     12.4.  ALE-002: ALE_AUTHORITY_SUSPENDED
     12.5.  ALE-003: ALE_PARTIAL_STATE_RECORDED
     12.6.  ALE-004: ALE_RECOVERY_INITIATED
     12.7.  ALE-005: ALE_PARTIAL_STATE_DISPOSITION
     12.8.  ALE-006: ALE_CREDENTIAL_RESTORED
     12.9.  ALE-007: ALE_KIA_REATTESTATION_COMPLETED
     12.10. ALE-008: ALE_AUTHORITY_RESTORED
     12.11. ALE-009: ALE_DELEGATION_CHILD_REVOKED
     12.12. ALE-010: ALE_CLUSTER_PARTIAL_REVOCATION
     12.13. ALE-011: ALE_SIBLING_REVOCATION_NOTICE
     12.14. ALE-012: ALE_DELEGATION_TREE_RECOVERY_INITIATED
   13. Security Considerations
   14. IANA Considerations
     14.1.  GAR Audit Alert Triggers Registry
     14.2.  GAR Auditor Principal Types Registry
     14.3.  GAR Authority Lifecycle Event Types Registry
   15. References
     15.1.  Normative References
     15.2.  Informative References
   Appendix C.  Vibe Coding Assets
     C.1.  Protocol Summary
     C.2.  Key Identifiers
     C.3.  Canonical Reference
   Appendix D.  Changes from draft-sato-soos-gar-00
   Author's Address

1.  Introduction

   Agentic AI systems require governance across four questions:

   o  What did the agent intend before acting?  [I-D.sato-soos-idp] -- The Intent Declaration Primitive (IDP) for Agentic AI Systems

   o  Who governed the agent's decisions?  [I-D.sato-soos-hem] -- The Human Escalation Mechanism (HEM) for Agentic AI Systems

   o  Were those decisions within the law?  [I-D.sato-soos-cap] -- The Constitutional AI Protocol (CAP) for Agentic AI Systems

   o  Can any of this be proven to a regulator?  This document -- The Governance Audit Record (GAR) for Agentic AI Systems

   GAR is the evidentiary layer of this protocol family.  IDP, HEM, and CAP generate governance events; GAR specifies how those events are collected, synthesized, signed, and made available for audit.

   If you are building an agentic AI system today, the absence of a standard audit record format means that when something goes wrong, you cannot prove to a regulator, insurer, or audit firm what your agent decided or whether that record was tampered with after the fact.  GAR closes this gap by specifying a non-suppressible, causally-ordered, GEC-signed audit stream that survives adversarial conditions and is anchored to a SCITT transparency log.  Without it, your agent's governance record is a log file -- deletable, editable, and legally worthless.

   SA-13 adds the Authority Lifecycle Event (ALE) category to GAR.
   ALE events record the complete authority lifecycle of an agent session: from initial revocation through partial state recording, human review, recovery initiation, credential restoration, and authority reinstatement.  This lifecycle corresponds to the right half of the revocation-recovery protocol that CAEP's session-revoked signal leaves unspecified.  ALE events are causally ordered via prior_event_id fields and form an independently auditable chain alongside the session's Event Log.  The ALE schemas are defined in Section 12.

   Multi-agent topology events (ALE-009 through ALE-012) extend the single-agent lifecycle to cover delegation tree revocation, cluster achievability collapse, and sibling revocation notification.

   The architectural property GAR enforces is non-suppressibility: the Governing Enforcement Component (GEC) MUST generate audit artifacts automatically, MUST sign them, and MUST NOT allow any agent, application, or principal to suppress, modify, or delete them.  This property -- the GEC cannot suppress bad news from its principals -- is the foundation of accountable AI governance.

   GAR defines five audit types ranging from continuous GEC self-audit (Type 1) to on-demand external regulatory inspection (Type 5).  The Session Audit Record (SAR) is the primary audit artifact: a complete, GEC-signed record of every governance event in a session, generated automatically at session close.

   The SAR is a candidate SCITT Signed Statement [I-D.ietf-scitt-architecture].  Section 10 specifies the SCITT integration: how SARs are submitted to a SCITT transparency log and how Audit Packages are submitted via SCRAPI.  At Level 3 GEC conformance, SCITT submission is REQUIRED.

   This specification is a companion to [I-D.sato-soos-idp], [I-D.sato-soos-hem], [I-D.sato-soos-cap], [I-D.sato-soos-sov], and [I-D.sato-soos-mjwt].  Readers should be familiar with those documents before reading this document.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

   The following terms are defined in this document or inherited from companion specifications:

   Audit Principal:
      A registered principal with read-only access to governance audit artifacts.  Distinct from a HEM Principal.  Receives Audit Alerts and reviews Session Audit Records.

   Governing Enforcement Component (GEC):
      As defined in [I-D.sato-soos-idp]: a runtime component that enforces authorization policy, records agent actions to a tamper-evident Event Log, and mediates agent access to governed objects.  The GEC may be implemented as an application-layer library (Level 1), an isolated process or sidecar (Level 2), or an attested hardware execution environment (Level 3).  See [I-D.sato-soos-idp] Section 9 for conformance level definitions.

   GEC-signed:
      A record signed by the Governing Enforcement Component using the signing key appropriate to its conformance level.  The JSON field name kernel_signature is preserved for wire-format compatibility.  The label field within kernel_signature MUST indicate the GEC's conformance level (L1, L2, or L3).

   Governance Audit Record (GAR):
      The audit architecture specified in this document, comprising five audit types, the SAR, the Audit Alert system, and the Audit Package.

   GEC Self-Auditor:
      An architectural property of the GEC, not a human role.  The GEC evaluates its own Event Log after every commitment and generates KERNEL_AUDIT_ANOMALY entries when inconsistencies are detected.

   IDP Commitment Gap:
      A condition detected by the GEC when an agent's actual state transition does not match the agent's declared IDP commitment.  Classified as a critical audit finding.
   IDP Commitment Verification Record:
      A GEC-generated record produced after every governed state transition, recording whether the agent's action matched its IDP commitment.

   Rationale Store:
      A GEC-managed object store, separate from the Event Log, holding Policy Rationale Declaration (PRD) objects and Decision Rationale Records (DRR) indexed by their respective identifiers.

   Session Audit Record (SAR):
      A GEC-generated, GEC-signed summary of all governance events in a session, produced automatically at session close.

   Sovereign Object (SO):
      As defined in [I-D.sato-soos-sov]: a causally ordered, policy-governed, typed, living document that evolves through a predefined finite state space under GEC authority.

   Verified External Auditor:
      A regulator, accounting firm, or other external party granted time-limited, scope-limited read access to GEC audit artifacts by the operator.  Produces an Audit Package.

   Authority Lifecycle Event (ALE):
      A GAR event category introduced in Section 12.  ALE events record the authority status lifecycle of an agent session: revocation, suspension, partial state, recovery, credential restoration, and authority reinstatement.  ALE events are causally ordered via prior_event_id and form a chain independently verifiable from the session's primary Event Log.

   ALE Causal Chain:
      The sequence of ALE events for a given agent_id or session_id, linked via prior_event_id fields into a directed acyclic graph.  The GEC MUST ensure that every ALE entry references a prior_event_id that exists in the ALE store, with the exception of ALE-001 (ALE_SESSION_REVOKED) and ALE-002 (ALE_AUTHORITY_SUSPENDED), which are causal chain roots.

   mandate_hold:
      A normative hold placed on MJWT issuance for an agent during a recovery flow.  Recorded as mandate_hold: true in ALE_RECOVERY_INITIATED (ALE-004).  Any MJWT issuance attempt for an agent with an active mandate_hold MUST be rejected with error code AGENT_IN_RECOVERY.
      Lifted when ALE_AUTHORITY_RESTORED (ALE-008) is committed with mandate_hold_lifted: true.

   SO Cluster:
      A coordination group of Sovereign Object instances whose goals are aggregated under a shared completion rule (QUORUM | ALL_COMPLETE | FIRST_COMPLETE | ANY).  The GEC tracks cluster achievability and records ALE_CLUSTER_PARTIAL_REVOCATION (ALE-010) when any member is revoked.

3.  Architecture Overview

   The GAR architecture comprises five audit types operating at different timescales and with different principals:

   +----------------------------------------------------------+
   |          GOVERNING ENFORCEMENT COMPONENT (GEC)           |
   |                                                          |
   |  [IDP Events]  [HEM Events]  [CAP Events]  [GAR Events]  |
   |       |             |             |             |        |
   |       v             v             v             v        |
   |       +--------------------------------+                 |
   |       |           EVENT LOG            |                 |
   |       |    append-only, GEC-signed     |                 |
   |       +--------------------------------+                 |
   |                      |                                   |
   |         +------------+------------+                      |
   |         |                         |                      |
   |         v                         v                      |
   |  [Type 1: Self-Audit]   [Type 2: SAR at close]           |
   |     continuous             session summary               |
   |         |                         |                      |
   |         v                         v                      |
   |  GEC_AUDIT_ANOMALY         SAR (GEC-signed)              |
   |         |                         |                      |
   +---------|-------------------------|----------------------+
             v                         v
   [Type 3: Audit Alerts]    [Type 4: Scheduled Audit]
    to Audit Principals       cross-session patterns
                                       |
                                       v
                          [Type 5: Audit Package]  [SCITT Transparency Log]
                          to Verified External     SAR Signed Statements
                          Auditor

   The GEC is the sole source of audit truth.  No agent, application, HEM Principal, or Audit Principal can generate, modify, or suppress GEC audit artifacts.

4.  Audit Types

4.1.  Type 1 -- GEC Self-Audit

   The GEC MUST evaluate its own Event Log after every Event Log commitment.  If the GEC detects an inconsistency -- a state transition without a corresponding IDP submission, a HEM resolution without a recorded trigger, a mandate referenced by an IDP that does not exist in the mandate store -- the GEC MUST generate a KERNEL_AUDIT_ANOMALY Event Log entry.

   KERNEL_AUDIT_ANOMALY entries are immutable once written.  The GEC MUST NOT suppress KERNEL_AUDIT_ANOMALY entries.
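   The three inconsistencies named above, as one self-audit pass over a constructed Event Log.  This is an added example, not code from the draft or a GEC implementation; the STATE_TRANSITION entry type, the anomaly_class strings and the dict layout of entries are assumptions of the example, and the returned anomalies are appended by the caller so the input log is never rewritten.

```python
from __future__ import annotations

import uuid
from datetime import datetime, timezone

# Anomaly classes for the three inconsistencies Section 4.1 names.  The
# draft defines only the entry type KERNEL_AUDIT_ANOMALY; these class
# strings are an assumption of this example.
TRANSITION_WITHOUT_IDP = "STATE_TRANSITION_WITHOUT_IDP"
RESOLUTION_WITHOUT_TRIGGER = "HEM_RESOLUTION_WITHOUT_TRIGGER"
IDP_UNKNOWN_MANDATE = "IDP_REFERENCES_UNKNOWN_MANDATE"


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def _anomaly(session_id: str, anomaly_class: str, offending: dict) -> dict:
    """One KERNEL_AUDIT_ANOMALY entry.  Immutable once written: the GEC
    appends it and exposes no delete or edit path."""
    return {
        "type": "KERNEL_AUDIT_ANOMALY",
        "anomaly_id": str(uuid.uuid4()),  # constructed; a GEC would use UUID v7
        "session_id": session_id,
        "anomaly_class": anomaly_class,
        "offending_entry_id": offending["entry_id"],
        "detected_at": _now(),
    }


def self_audit(event_log: list[dict], mandate_store: set[str]) -> list[dict]:
    """Type 1 self-audit: replay the log after a commitment and return the
    anomaly entries the GEC MUST append.  The input list is not modified."""
    anomalies: list[dict] = []
    seen_idps: set[str] = set()
    triggered_hem: set[str] = set()
    for e in event_log:
        sid = e["session_id"]
        if e["type"] == "IDP_SUBMITTED":
            seen_idps.add(e["idp_id"])
            # a mandate referenced by an IDP must exist in the mandate store
            if e["mandate_id"] not in mandate_store:
                anomalies.append(_anomaly(sid, IDP_UNKNOWN_MANDATE, e))
        elif e["type"] == "STATE_TRANSITION":  # assumed entry type
            # every governed transition needs a preceding IDP submission
            if e.get("idp_id") not in seen_idps:
                anomalies.append(_anomaly(sid, TRANSITION_WITHOUT_IDP, e))
        elif e["type"] == "HEM_TRIGGERED":
            triggered_hem.add(e["hem_id"])
        elif e["type"] == "HEM_DECISION_RECEIVED":
            # a resolution must follow a recorded trigger for the same hem_id
            if e["hem_id"] not in triggered_hem:
                anomalies.append(_anomaly(sid, RESOLUTION_WITHOUT_TRIGGER, e))
    return anomalies


def critical_alert(anomaly: dict, so_id: str, audit_principals: list[str]) -> dict:
    """Type 3 Audit Alert for one anomaly, laid out with the Section 7.2
    fields.  kernel_signature is left to the GEC signing step (not modelled)."""
    return {
        "alert_id": str(uuid.uuid4()),
        "alert_severity": "CRITICAL",
        "alert_trigger": "KERNEL_AUDIT_ANOMALY",
        "session_id": anomaly["session_id"],
        "so_id": so_id,
        "hem_id": None,
        "cap_violation_id": None,
        "detail": f"{anomaly['anomaly_class']} at entry {anomaly['offending_entry_id']}",
        "timestamp": _now(),
        "kernel_signature": None,
        "delivered_to": list(audit_principals),
    }


# Constructed sample log: a clean sequence (e1-e4) followed by three defects.
SAMPLE_LOG = [
    {"entry_id": "e1", "session_id": "s1", "type": "IDP_SUBMITTED",
     "idp_id": "idp-1", "mandate_id": "m-1"},
    {"entry_id": "e2", "session_id": "s1", "type": "STATE_TRANSITION",
     "idp_id": "idp-1", "from_state": "DRAFT", "to_state": "REVIEW"},
    {"entry_id": "e3", "session_id": "s1", "type": "HEM_TRIGGERED", "hem_id": "h-1"},
    {"entry_id": "e4", "session_id": "s1", "type": "HEM_DECISION_RECEIVED", "hem_id": "h-1"},
    {"entry_id": "e5", "session_id": "s1", "type": "STATE_TRANSITION",
     "idp_id": None, "from_state": "REVIEW", "to_state": "FINAL"},      # no IDP
    {"entry_id": "e6", "session_id": "s1", "type": "HEM_DECISION_RECEIVED",
     "hem_id": "h-9"},                                                   # no trigger
    {"entry_id": "e7", "session_id": "s1", "type": "IDP_SUBMITTED",
     "idp_id": "idp-2", "mandate_id": "m-404"},                          # unknown mandate
]
MANDATE_STORE = {"m-1"}

if __name__ == "__main__":
    for a in self_audit(SAMPLE_LOG, MANDATE_STORE):
        alert = critical_alert(a, "so-1", ["audit-principal-1"])
        print(a["anomaly_class"], "->", alert["alert_severity"], alert["alert_trigger"])
```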
   A KERNEL_AUDIT_ANOMALY entry MUST immediately trigger a Type 3 Audit Alert at CRITICAL severity (Section 7.3).

   The GEC MUST also generate an IDP Commitment Verification Record after every governed state transition (Section 8.1).  An IDP_COMMITMENT_GAP result MUST be treated as a critical audit finding equivalent to KERNEL_AUDIT_ANOMALY for alert severity purposes.

4.2.  Type 2 -- Session-Close Audit

   The GEC MUST generate a Session Audit Record (SAR) automatically at the close of every governed session.  SAR generation is not requestable by any external party -- it fires unconditionally on session close.  The SAR specification is in Section 6.

4.3.  Type 3 -- Event-Triggered Alert

   The GEC MUST generate an Audit Alert when a normative trigger condition is detected.  Audit Alerts are delivered to all registered Audit Principals for the governed session.  The normative trigger list is in Section 7.3.

4.4.  Type 4 -- Scheduled Audit

   Audit Principals MAY initiate cross-session pattern audits covering a specified time range or SO Type population.  The GEC MUST expose a GEC Query Interface for this purpose [I-D.sato-soos-idp].  Type 4 audits produce cross-session pattern reports and MUST be recorded as SCHEDULED_AUDIT_INITIATED and SCHEDULED_AUDIT_COMPLETED Event Log entries.

   The GEC SHOULD initiate a Type 4 audit automatically when a PRD review_date is exceeded, covering all sessions governed by the overdue policy.

4.5.  Type 5 -- On-Demand External Audit

   Operators MAY grant Verified External Auditors time-limited, scope-limited read access to GEC audit artifacts.  Access grants MUST be recorded as EXTERNAL_AUDIT_ACCESS_GRANTED Event Log entries.  Access revocation MUST be recorded as EXTERNAL_AUDIT_ACCESS_REVOKED.

   Audit Packages produced by Verified External Auditors are specified in Section 9.  At Level 3 conformance, Audit Packages SHOULD be submitted to a SCITT transparency log via SCRAPI (Section 10.2).

5.  Auditor Principal Categories

   GAR defines four distinct auditor categories.
   These are not interchangeable.

5.1.  HEM Principal

   A HEM Principal is registered in a designation chain and resolves HEM escalations.  A HEM Principal is NOT an auditor.  HEM Principals do not receive Audit Alerts and do not have access to the Rationale Store or Event Log beyond what is included in the HEM Escalation Request.

5.2.  Audit Principal

   An Audit Principal is a registered principal with principal_type: AUDIT.  Audit Principals receive Audit Alerts, review Session Audit Records, and may initiate Type 4 scheduled audits.

   An Audit Principal MUST NOT appear in a HEM designation chain.  The GEC MUST reject SO Type configurations that place an Audit Principal in a designation chain.

   Audit Principals have read-only access to:

   o  The Event Log (via GEC Query Interface [I-D.sato-soos-idp])

   o  The Rationale Store

   o  Session Audit Records

   o  IDP Commitment Verification Records

   Audit Principals MUST NOT be able to modify any GEC artifact.

5.3.  Verified External Auditor

   A Verified External Auditor is a regulator, accounting firm, or other external party granted temporary read access by the operator.  Access is time-limited and scope-limited.  The operator declares the access scope (session range, SO Type filter, time window) and expiry at grant time.

   A Verified External Auditor produces an Audit Package (Section 9) covering the declared scope.  The Audit Package is GEC-signed as of the production timestamp.

5.4.  GEC Self-Auditor

   The GEC Self-Auditor is an architectural property, not a human role.  It refers to the Type 1 continuous self-audit function executed by the GEC after every Event Log commitment.  It cannot be disabled, configured, or bypassed.

6.  Session Audit Record

6.1.  SAR Generation

   The GEC MUST generate a SAR automatically at the close of every governed session regardless of close reason (normal completion, TERMINATE decision, mandate expiry, session timeout, or error).  SAR generation MUST be atomic with session close.
   The GEC MUST NOT return a session close confirmation to any external party before the SAR is committed to the audit store.

   The GEC MUST sign every SAR using Ed25519 with the GEC's signing key.  The signing key MUST be consistent with the GEC's conformance level: at Level 1, an application-managed key; at Level 2, a key held by the isolated GEC process; at Level 3, a key bound to a RATS-attested execution environment [I-D.sato-soos-idp] Section 9.  The GEC signing key is published via the operator's JWKS endpoint.

6.2.  SAR Schema

   A SAR MUST contain the following fields.  All fields are REQUIRED unless stated otherwise.

   sar_id:
      GEC-generated UUID v7 [RFC9562].  Unique identifier for this SAR.

   session_id:
      The session identifier.  Links the SAR to all Event Log entries for this session.

   so_id:
      The Sovereign Object instance identifier [I-D.sato-soos-sov] Section 4.2.1.  Links the SAR to the specific SO Instance governed during this session.

   mandate_id:
      The governing mandate identifier.  The jti claim of the Mandate JWT [I-D.sato-soos-mjwt] in force at session open.

   mission_ref:
      The MissionDeclaration reference.  Null if no mission was declared for this session.

   open_timestamp:
      ISO 8601 UTC timestamp of session open.

   close_timestamp:
      ISO 8601 UTC timestamp of session close.

   close_reason:
      Controlled vocabulary.  One of: NORMAL_COMPLETION | TERMINATE_DECISION | MANDATE_EXPIRY | SESSION_TIMEOUT | ERROR | CAP_SUSPENSION.

   causal_parent_id:
      The sar_id of the Session Audit Record that causally preceded this record in the governance event chain.  OPTIONAL.  Present when this SAR records a session that was directly triggered by the outcome of governance evaluation in a prior session (for example: a HEM escalation in session A resolved with APPROVE_WITH_CONSTRAINTS, causing session B to open under the conditional constraints).  NULL for the first session in a causal chain.  This field is the primary mechanism by which GAR extends SCITT's append-only model with directed causal graph semantics.
   session_sequence_number:
      A monotonically increasing integer assigned by the GEC at session open, scoped to the GEC instance.  The GEC MUST increment this counter for every governed session and MUST NOT reuse values.  Together with sar_id and causal_parent_id, this field supports causal chain reconstruction across sessions.  Verifiers SHOULD check for gaps in session_sequence_number sequences as an indicator of suppressed sessions.

   governance_decision:
      The terminal governance disposition for the session.  Controlled vocabulary: ALLOW | DENY | ESCALATE | SUSPEND.  Populated from the terminal Event Log entry for the session:

      ALLOW:     session completed with all governed actions authorized.
      DENY:      session terminated by GEC DENY or CAP refusal.
      ESCALATE:  session closed while a HEM escalation was unresolved.
      SUSPEND:   session suspended by CAP_SUSPENSION.

   idp_submissions:
      Array of IDP summary records.  Each entry contains:

      idp_id:         IDP identifier.
      goal_summary:   Human-readable goal description.
      cedar_outcome:  PERMIT | DENY | HEM_ROUTED.
      hem_triggered:  Boolean.
      hem_decision:   Decision type if HEM was triggered, null otherwise.

   hem_events:
      Array of HEM event summary records.  Each entry contains:

      hem_id:                    HEM event identifier.
      trigger_class:             One of the ten defined trigger classes (Classes 1-10) per [I-D.sato-soos-hem] Section 5.
      trigger_source:            AGENT_DETECTED | TRAVELER_REQUEST | SYSTEM_EVENT.
      policy_rationale_id:       PRD identifier, null if absent.
      decision_type:             Final decision type.
      decision_rationale_class:  DRR rationale class, null if absent.
      resolution_time_seconds:   Integer.  Wall time from trigger to resolution.

   state_transitions:
      Array of state transition records.  Each entry contains:

      from_state:  Prior Sovereign Object state.
      to_state:    Resulting Sovereign Object state.
      action:      Cedar action string.
      timestamp:   ISO 8601 UTC.

   cap_violations:
      Array of CAP violation records.  Each entry contains:

      violation_id:  CAP Violation Record identifier.
      tier:          0 | 1 | 2.
      prohibition_id:  Prohibition identifier.
      action:          Action attempted.
      outcome:         REFUSED | SESSION_SUSPENDED | HEM_FIRED.

   ale_events:
      Array of ALE event summary records for this session.  OPTIONAL; present only when one or more ALE events were recorded.  Each entry contains:

      ale_event_id:    ALE event UUID v7.
      ale_event_type:  ALE event type string (e.g., ALE_SESSION_REVOKED).
      occurred_at:     ISO 8601 UTC timestamp.
      recovery_ref:    Recovery flow UUID v7 if part of a recovery flow; null otherwise.
      summary:         Human-readable one-line description.

      Full ALE event schemas are in the ALE store (Section 12).  The SAR ale_events array carries summary data only.

   audit_summary:
      Summary counts block.  Contains:

      total_transitions:          Integer.
      hem_events_count:           Integer.
      terminate_count:            Integer.
      auto_approve_count:         Integer.
      policy_rationale_gaps:      Integer.  HEM events with no PRD.
      decision_rationale_gaps:    Integer.  HEM events where DRR was required but absent.
      cap_violation_count:        Integer.
      jurisdictional_conflicts:   Integer.
      ale_events_count:           Integer.  ALE events in this session.
      transparency_refs_missing:  Integer.  DENY/ESCALATE/SUSPEND entries without record_id.  Non-zero is a conformance finding per [I-D.sato-soos-cap] Section 12a.6.

   kernel_signature:
      Ed25519 signature over the canonical serialization of all SAR fields except kernel_signature itself.  The label field within this signature MUST indicate the GEC's conformance level (L1, L2, or L3).  The field name kernel_signature is preserved for wire-format compatibility.

   The idp_submissions, hem_events, state_transitions, and cap_violations arrays carry reference fields and key summary data only.  Full detail for each record is available in the Event Log and Rationale Store.  The SAR is a governance summary and index, not a duplicate of the Event Log.

6.3.  SAR Signing

   The GEC MUST sign the SAR using Ed25519 prior to committing it to the audit store.
   The canonical serialization for signing is the JSON serialization of all fields except kernel_signature, with keys in lexicographic order and no whitespace.

   Audit Principals and Verified External Auditors MUST verify the kernel_signature before relying on SAR content.

6.4.  SAR Retention

   Operators SHOULD retain Session Audit Records for a minimum of 12 months from session close_timestamp.  Operators subject to EU AI Act Article 12 obligations MUST retain SARs for the period required by applicable law.  The GEC SHOULD warn Audit Principals when a SAR approaches its configured retention expiry.

   At Level 3 conformance, SARs MUST additionally be submitted to a SCITT transparency log per Section 10.  SCITT submission provides independent tamper-evidence that complements the GEC's internal non-suppressibility guarantee.

7.  Audit Alert System

7.1.  Alert Generation

   The GEC MUST generate an Audit Alert when any normative trigger condition listed in Section 7.3 is detected.  Alert generation is synchronous with the triggering event -- the GEC MUST generate the alert before returning any response to the triggering agent or principal.

7.2.  Alert Schema

   An Audit Alert MUST contain the following fields:

   alert_id:
      GEC-generated UUID v7.

   alert_severity:
      CRITICAL | HIGH | MEDIUM | LOW.

   alert_trigger:
      Identifier of the normative trigger condition.  See Section 7.3.

   session_id:
      The session in which the trigger occurred.

   so_id:
      The Sovereign Object instance identifier for the session in which the trigger occurred [I-D.sato-soos-sov].

   hem_id:
      The HEM event identifier, if the trigger is HEM-related.  Null otherwise.

   cap_violation_id:
      The CAP Violation Record identifier, if the trigger is CAP-related.  Null otherwise.

   detail:
      Human-readable description of the trigger condition.  REQUIRED.

   timestamp:
      ISO 8601 UTC timestamp of alert generation.

   kernel_signature:
      Ed25519 signature over canonical serialization of all fields except kernel_signature.
   delivered_to:
      Array of Audit Principal identifiers to whom the alert was delivered.

7.3.  Normative Trigger List

   The following trigger conditions MUST generate an Audit Alert.  Trigger identifiers are registered in the GAR Audit Alert Triggers registry (Section 14.1).

   +-----------------------------------------+-----------+
   | Trigger                                 | Severity  |
   +-----------------------------------------+-----------+
   | KERNEL_AUDIT_ANOMALY                    | CRITICAL  |
   | IDP_COMMITMENT_GAP                      | CRITICAL  |
   | CAP_TRANSPARENCY_VIOLATION              | CRITICAL  |
   | TERMINATE_DECISION                      | HIGH      |
   | AUTO_APPROVE_DISPOSITION                | HIGH      |
   | HEM_CHAIN_EXHAUSTED                     | HIGH      |
   | MISSION_REVOKE_CASCADE                  | HIGH      |
   | MANDATE_NARROWING_VIOLATION             | HIGH      |
   | HEM_TERMINATE_RATIONALE_REQUIRED        | MEDIUM    |
   | THREE_OR_MORE_HEM_EVENTS_IN_SESSION     | MEDIUM    |
   | PRD_REVIEW_DATE_EXCEEDED                | MEDIUM    |
   | POLICY_RATIONALE_GAPS_IN_SAR            | LOW       |
   +-----------------------------------------+-----------+

                 Table 1: Normative Audit Alert Triggers

   MANDATE_NARROWING_VIOLATION is added in this revision.  It is triggered when the GEC detects that a presented Child Mandate violates the Narrowing Property as defined in [I-D.sato-soos-mjwt] Section 5.  This is a HIGH severity finding because it indicates an attempted authorization escalation.

7.4.  Alert Delivery

   Audit Alerts MUST be delivered to all registered Audit Principals for the governed session.  Delivery MUST be recorded as an AUDIT_ALERT_FIRED Event Log entry, followed by AUDIT_ALERT_DELIVERED on successful delivery.

   Implementations SHOULD use the Shared Signals Framework (SSF) [RFC9672] for cross-system Audit Alert delivery.

   Audit Principals SHOULD acknowledge Audit Alerts.  Acknowledgement MUST be recorded as AUDIT_ALERT_ACKNOWLEDGED.

8.  Event Log Requirements

   The Event Log is the append-only, GEC-maintained record of all governance events in a session.  This section specifies the GAR-specific Event Log entries that MUST be supported.

8.1.  IDP Audit Events

   IDP_SUBMITTED:
      Recorded when an IDP is submitted to the GEC.
      Entry type specified in [I-D.sato-soos-idp].

   IDP_COMMITMENT_VERIFIED:
      Recorded after every governed state transition.  The GEC MUST generate an IDP Commitment Verification Record and commit this event.  Fields: idp_id, state_transition_id, verified_at, match_result (MATCHED | IDP_COMMITMENT_GAP), kernel_signature.

   IDP_COMMITMENT_GAP:
      Recorded when match_result is IDP_COMMITMENT_GAP.  This is a critical audit finding.  The GEC MUST immediately: (a) generate a CRITICAL Audit Alert (alert_trigger: IDP_COMMITMENT_GAP), and (b) fire HEM_AGENT_ESCALATED (Class 2) for the active session.  The GEC MUST NOT allow a session to continue after an IDP_COMMITMENT_GAP without HEM resolution.

8.2.  HEM Audit Events

   The following HEM Event Log entries gain new fields under GAR:

   HEM_TRIGGERED:
      Existing entry type.  GAR adds: policy_rationale_id (REQUIRED, null if PRD absent -- absence recorded in audit_summary.policy_rationale_gaps).

   HEM_DECISION_RECEIVED:
      Existing entry type.  GAR adds: decision_rationale_class (REQUIRED when DRR is mandatory for the decision type; OPTIONAL otherwise).

   The following HEM Event Log entries are recorded in the GAR Event Log.  Their normative semantics are defined in [I-D.sato-soos-hem]; the fields listed here are the GAR-required fields for audit purposes.

   HEM_DECISION_NOT_PERMITTED_FOR_TRIGGER_CLASS:
      Recorded when a human principal submits a decision type that is not valid for the active trigger class (e.g., APPROVE on a Class 6 trigger).  Fields: hem_id, trigger_class, submitted_decision_type, rejection_code (HEM_DECISION_INVALID), timestamp.

   HEM_TERMINATE_RATIONALE_REQUIRED:
      Recorded when a TERMINATE decision is rejected because no DRR with safety_basis was provided.  Fields: hem_id, principal_id, rejection_code (HEM_DRR_REQUIRED), timestamp.  MUST trigger a MEDIUM Audit Alert (alert_trigger: HEM_TERMINATE_RATIONALE_REQUIRED).
   HEM_HUMAN_DECISION_CONSTITUTIONAL_VIOLATION:
      Recorded when a human principal's HEM decision is refused by the CAP Constitutional Evaluation Engine because it would authorize a Tier 0 or Tier 1 prohibited action.  Fields: hem_id, principal_id, decision_type, violation_tier (0|1), prohibition_id, timestamp.  MUST trigger a CRITICAL Audit Alert.

   HEM_CHAIN_CONSTITUTIONAL_EXHAUSTED:
      Recorded when the full HEM designation chain has been exhausted because every submitted decision was refused by the CAP CEE.  Equivalent to HEM_CHAIN_EXHAUSTED but with constitutional refusal as the exhaustion cause.  Fields: hem_id, refusal_count, final_prohibition_id, timestamp.  MUST trigger a CRITICAL Audit Alert.  KERNEL_AUDIT_ANOMALY

   HEM_LAYER_DISCREPANCY:
      Recorded when SOOS-HEM fires and the triggering IDP reasoning_basis contains no uncertainty signal.  Governance review event only; does not create a separate HEM lifecycle.  Fields per [I-D.sato-soos-hem] Section 6.5: hem_id, trigger_class, idp_id, idp_reasoning_mode, idp_confidence_level, idp_hem_urgency, discrepancy_note, timestamp.

8.3.  GAR Audit Events

   The following Event Log entry types are introduced by this document:

   SAR_GENERATED:
      Recorded when a SAR is committed to the audit store.  Fields: sar_id, session_id, so_id, close_reason, causal_parent_id (null if no causal predecessor), session_sequence_number, governance_decision, kernel_signature.

   SAR_SCITT_SUBMITTED:
      Recorded when a SAR is submitted to a SCITT transparency log.  Fields: sar_id, scitt_entry_id, transparency_log_uri, submitted_at, kernel_signature.  See Section 10.1.

   PTD_QUERIED:
      Recorded when the PTD query interface is accessed.  Fields: requester_id (if authenticated), timestamp, ptd_version, cedar_policy_hash.  Per [I-D.sato-soos-cap] Section 12a.4.
   Note on DENY/ESCALATE/SUSPEND entries (SA-10): Every Event Log entry with governance_decision DENY, ESCALATE, or SUSPEND MUST carry a record_id field referencing the CAP-RRS Regulation Record ([I-D.sato-soos-cap-rrs]) that caused the decision, or a policy_reference fallback when no record_id exists (e.g., Tier 3 policies).  This requirement is upgraded from SHOULD to MUST.  A non-zero transparency_refs_missing count in the SAR audit_summary is a Type 1 self-audit finding.  See also [I-D.sato-soos-cap] Section 12a.6 (CAP_TRANSPARENCY_VIOLATION).

   AUDIT_ALERT_FIRED:
      Recorded when an Audit Alert is generated.  Fields: alert_id, alert_trigger, alert_severity, session_id, so_id.

   AUDIT_ALERT_DELIVERED:
      Recorded when an Audit Alert is successfully delivered to an Audit Principal.  Fields: alert_id, principal_id, delivered_at.

   AUDIT_ALERT_ACKNOWLEDGED:
      Recorded when an Audit Principal acknowledges an Audit Alert.  Fields: alert_id, principal_id, acknowledged_at.

   SCHEDULED_AUDIT_INITIATED:
      Recorded when a Type 4 scheduled audit begins.  Fields: audit_id, initiated_by, scope_description, initiated_at.

   SCHEDULED_AUDIT_COMPLETED:
      Recorded when a Type 4 scheduled audit completes.  Fields: audit_id, completed_at, findings_count.

   EXTERNAL_AUDIT_ACCESS_GRANTED:
      Recorded when a Verified External Auditor is granted access.  Fields: auditor_id, granted_by, scope, expiry, granted_at.

   AUDIT_PACKAGE_PRODUCED:
      Recorded when a Verified External Auditor produces an Audit Package.  Fields: package_id, auditor_id, scope, produced_at, package_hash.

   EXTERNAL_AUDIT_ACCESS_REVOKED:
      Recorded when Verified External Auditor access expires or is revoked.  Fields: auditor_id, revoked_at, revocation_reason.

   PRD_REVIEW_DATE_EXCEEDED:
      Recorded by the GEC's continuous self-audit when a PRD review_date is exceeded.  Fields: prd_id, policy_id, review_date, detected_at.  This entry MUST trigger a MEDIUM Audit Alert (alert_trigger: PRD_REVIEW_DATE_EXCEEDED).

8.4.  CAP Audit Events

   The following CAP Event Log entries are specified in [I-D.sato-soos-cap] and recorded in the GAR Event Log:

   CAP_VIOLATION_DETECTED:
      AI-initiated action refused by the Constitutional Evaluation Engine.  Fields: violation_id, tier, prohibition_id, action, outcome, timestamp, kernel_signature.

   CAP_HUMAN_VIOLATION_DETECTED:
      Human principal decision refused by the Constitutional Evaluation Engine.  Fields: violation_id, tier, prohibition_id, decision, outcome, timestamp, kernel_signature.

   CAP_TIER1_CONFLICT_DETECTED:
      Jurisdictional conflict detected at Tier 1.  Fields: conflict_id, conflicting_jurisdictions, resolution_method, hem_id, timestamp.

   APPROVE_WITH_LEGAL_BASIS_RECORDED:
      Principal submitted APPROVE_WITH_LEGAL_BASIS decision.  Fields: hem_id, principal_id, legal_basis (authority_type, authority_ref, jurisdiction, expiry, document_hash), timestamp.

   SESSION_CAP_SUSPENDED:
      Session suspended due to CAP violation.  Fields: session_id, violation_id, suspended_at.

8.5.  ALE Audit Events

   The following Event Log entry types are introduced by this document for Authority Lifecycle Events.  ALE entries are recorded in the ALE store, which is a separate, append-only store within the GEC audit infrastructure, distinct from the primary Event Log.  ALE entries are linked to the primary Event Log via prior_event_id references.  Full ALE event schemas are specified in Section 12.

   The following three ALE event types are specified in this subsection because they arise from resource governance events (SA-15a, DR-DATA-ARCH-01) rather than the revocation-recovery lifecycle:

   ALE_CLUSTER_BUDGET_TRANSFER (ALE-018):
      Recorded when a BUDGET_TRANSFER Cedar action is executed, moving unexpended resource budget from one SO Cluster member to another.
Fields: event_id, prior_event_id, occurred_at, cluster_id, source_agent_id, source_session_id, destination_agent_id, destination_session_id, transferred_resource_type (TIME | COMPUTE | MEMORY | API_CALLS | CUSTOM), transferred_amount, remaining_cluster_budget, transfer_authority (GEC_INITIATED | OPERATOR_CONFIGURED), gec_signature. The GEC MUST record ALE_CLUSTER_BUDGET_TRANSFER before completing the BUDGET_TRANSFER Cedar action. ALE_CLUSTER_BLOCK_START (ALE-019): Recorded when a SO Cluster enters CLUSTER_BLOCKED state. A cluster enters CLUSTER_BLOCKED when its coordinator SO is under HEM escalation or CAP suspension and new member sessions cannot be authorized until the block is resolved. Fields: event_id, prior_event_id, occurred_at, cluster_id, orchestrator_session_id, block_reason (HEM_ESCALATION_PENDING | CAP_SUSPENSION | OPERATOR_HOLD), block_ref (hem_id or cap_violation_id), affected_member_count, estimated_resolution_time (ISO 8601, OPTIONAL), gec_signature. The GEC MUST deliver a CLUSTER_STATUS_CHANGE Context Package trigger to all active cluster members when this entry is committed, with cluster_achievability: DEGRADED. ALE_CLUSTER_BLOCK_END (ALE-020): Recorded when a SO Cluster exits CLUSTER_BLOCKED state. Fields: event_id, prior_event_id (MUST reference ALE-019 for this cluster), occurred_at, cluster_id, orchestrator_session_id, resolution_type (HEM_RESOLVED | CAP_CLEARED | OPERATOR_RELEASED), resolution_ref, block_duration_seconds, gec_signature. The GEC MUST deliver a CLUSTER_STATUS_CHANGE Context Package trigger to all blocked member sessions when this entry is committed. 9. Audit Package 9.1. Package Composition An Audit Package is produced by a Verified External Auditor and covers a declared scope (session range, SO Type filter, or time window). 
The Audit Package is a GEC-signed compilation of: o All SARs within scope o All Event Log entries within scope o All PRD records from the Rationale Store for policies governing sessions within scope o All DRR records from the Rationale Store for decisions within scope o All Audit Alert records within scope o All CAP Violation Records within scope 9.2. Package Schema An Audit Package MUST contain the following fields: package_id: GEC-generated UUID v7. auditor_id: Verified External Auditor identifier. scope: Declaration of what the package covers. Fields: session_range, so_type_filter (optional), time_window. sar_records: Array of all SARs within scope. event_log_records: Array of all Event Log entries within scope. prd_records: Array of all PRD objects from the Rationale Store for policies governing sessions within scope. drr_records: Array of all DRR objects from the Rationale Store for decisions within scope. audit_alert_records: Array of all Audit Alert records within scope. cap_violation_records: Array of all CAP Violation Records within scope. chain_of_custody: Block containing: package_hash: SHA-256 hash of all package content fields. kernel_signature: Ed25519 signature over package_hash. produced_by: Verified External Auditor identifier. produced_at: ISO 8601 UTC timestamp. 9.3. Access Control The GEC MUST verify that the requesting party holds a valid, unexpired Verified External Auditor access grant before producing an Audit Package. The access grant MUST be scoped to include the requested sessions. Audit Package production MUST be recorded as AUDIT_PACKAGE_PRODUCED in the Event Log. 10. SCITT Integration 10.0. Relationship to SCITT GAR is a domain-specific application of the SCITT architecture [I-D.ietf-scitt-architecture]. It inherits SCITT's core properties: append-only transparency log, Signed Statements produced by an identified Issuer, and receipt-based inclusion proofs for Relying Parties. These properties are not modified by this specification. 
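The Audit Package chain of custody of Section 9.2 and the access check of Section 9.3, shown end to end as an added example in Go. This is my code, not the draft's and not any SOOS implementation's. It assumes that a grant's scope is represented as a list of session ids, that the JSON emitted by encoding/json (struct fields in declaration order, map keys sorted) is the canonical serialization that package_hash covers, and that a throwaway Ed25519 key generated at run time stands in for the GEC's signing key; every identifier and record value is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"slices"
	"time"
)

// AccessGrant mirrors EXTERNAL_AUDIT_ACCESS_GRANTED (Section 8.3); a session-id
// list as the scope representation is this example's assumption.
type AccessGrant struct {
	AuditorID string
	Scope     []string
	Expiry    time.Time
}

// PackageContent holds the Section 9.2 content fields covered by package_hash.
type PackageContent struct {
	PackageID           string            `json:"package_id"`
	AuditorID           string            `json:"auditor_id"`
	Scope               map[string]any    `json:"scope"`
	SARRecords          []json.RawMessage `json:"sar_records"`
	EventLogRecords     []json.RawMessage `json:"event_log_records"`
	PRDRecords          []json.RawMessage `json:"prd_records"`
	DRRRecords          []json.RawMessage `json:"drr_records"`
	AuditAlertRecords   []json.RawMessage `json:"audit_alert_records"`
	CAPViolationRecords []json.RawMessage `json:"cap_violation_records"`
}

// ChainOfCustody is the Section 9.2 chain_of_custody block.
type ChainOfCustody struct {
	PackageHash     string `json:"package_hash"`
	KernelSignature string `json:"kernel_signature"`
	ProducedBy      string `json:"produced_by"`
	ProducedAt      string `json:"produced_at"`
}

var ErrGrantExpired = errors.New("access grant expired")
var ErrOutOfScope = errors.New("requested session outside access grant scope")

// CheckGrant enforces Section 9.3: an unexpired grant that covers every requested session.
func CheckGrant(g AccessGrant, requested []string, now time.Time) error {
	if !now.Before(g.Expiry) {
		return ErrGrantExpired
	}
	for _, s := range requested {
		if !slices.Contains(g.Scope, s) {
			return ErrOutOfScope
		}
	}
	return nil
}

// packageHash is SHA-256 over the JSON form of the content fields; treating that
// JSON as the canonical serialization is this example's choice, not the draft's.
func packageHash(c PackageContent) ([32]byte, error) {
	b, err := json.Marshal(c)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(b), nil
}

// ProduceAuditPackage runs the access check, stamps the auditor into the content
// and returns the GEC-signed chain of custody (Ed25519 over package_hash).
func ProduceAuditPackage(g AccessGrant, requested []string, now time.Time,
	content *PackageContent, gecKey ed25519.PrivateKey) (ChainOfCustody, error) {
	if err := CheckGrant(g, requested, now); err != nil {
		return ChainOfCustody{}, err
	}
	content.AuditorID = g.AuditorID
	h, err := packageHash(*content)
	if err != nil {
		return ChainOfCustody{}, err
	}
	return ChainOfCustody{
		PackageHash:     hex.EncodeToString(h[:]),
		KernelSignature: hex.EncodeToString(ed25519.Sign(gecKey, h[:])),
		ProducedBy:      g.AuditorID,
		ProducedAt:      now.UTC().Format(time.RFC3339),
	}, nil
}

// VerifyAuditPackage is the regulator-side check: recompute package_hash from the
// content fields and verify kernel_signature against the GEC public key.
func VerifyAuditPackage(content PackageContent, coc ChainOfCustody, gecPub ed25519.PublicKey) bool {
	h, err := packageHash(content)
	if err != nil || hex.EncodeToString(h[:]) != coc.PackageHash {
		return false
	}
	sig, err := hex.DecodeString(coc.KernelSignature)
	return err == nil && ed25519.Verify(gecPub, h[:], sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway demo key, not a GEC key
	grant := AccessGrant{"auditor-constructed", []string{"sess-1", "sess-2"}, time.Now().Add(time.Hour)}
	content := PackageContent{PackageID: "pkg-constructed-0001", Scope: map[string]any{"session_range": []string{"sess-1"}}}
	coc, err := ProduceAuditPackage(grant, []string{"sess-1"}, time.Now(), &content, priv)
	println("produced:", err == nil, "verified:", VerifyAuditPackage(content, coc, pub))
}
```

The access check runs before anything is hashed or signed, so a request outside the grant never yields a signed artifact, and the verifier recomputes the hash from the content rather than trusting the package_hash field, which is what makes any later edit to the record arrays detectable.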
GAR extends SCITT in one specific dimension: the causal ordering of governance events.

SCITT is artifact-centric. A SCITT Signed Statement asserts a claim about an artifact at a point in time. The append-only log preserves the history of statements about artifacts, but the statements themselves are not causally related to one another in the SCITT data model.

GAR is event-centric. A GAR entry (specifically, a Session Audit Record) records a governance decision -- ALLOW, DENY, ESCALATE, or SUSPEND -- about an agent action. The causal relationship between GAR entries is normatively significant: action B was caused by the outcome of governance evaluation of action A. A DENY in session A may directly cause a HEM escalation that opens session B. A conditional ALLOW in session A may impose constraints carried forward into session B's mandate. This causal structure has no equivalent in the base SCITT data model.

To carry this structure, GAR declares the following extensions to the SCITT Signed Statement payload:

causal_parent_id: The sar_id of the causally preceding SAR. NULL for the root of a causal chain.

session_sequence_number: Monotonically increasing per GEC instance. Gap detection enables suppression auditing.

governance_decision: Terminal disposition (ALLOW | DENY | ESCALATE | SUSPEND) for the session.

These three fields constitute the GAR SCITT causal ordering extension. All other SCITT properties are inherited without modification. A GAR-compliant SCITT transparency log SHOULD index SAR Signed Statements by causal_parent_id to support causal chain traversal queries.

10.1.  SAR as SCITT Signed Statement

The Session Audit Record (SAR) is a SCITT Signed Statement as defined in [I-D.ietf-scitt-architecture].
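The causal ordering extension of Section 10.0 from the verifier's side, as an added example in Go: the gap detection that session_sequence_number enables, the backward walk over causal_parent_id, and the forward index a transparency log SHOULD keep. This is my code, not the draft's; the SARStatement type is an assumed shape for the payload fields, and all sar ids, GEC instance ids and sequence numbers are constructed.

```go
package main

import "fmt"

// SARStatement is the part of a SAR SCITT Signed Statement payload that carries
// the Section 10.0 causal ordering extension. The Go type is assumed for this
// example; the draft names the fields but defines no wire type.
type SARStatement struct {
	SARID                 string
	GECInstanceID         string
	SessionSequenceNumber uint64
	CausalParentID        string // "" stands for NULL: the root of a causal chain
	GovernanceDecision    string // ALLOW | DENY | ESCALATE | SUSPEND
}

// SequenceGaps returns, per GEC instance, every session_sequence_number missing
// between the lowest and highest number observed. A gap is a SAR that never
// reached the log: a suppressed or lost session.
func SequenceGaps(stmts []SARStatement) map[string][]uint64 {
	seen := map[string]map[uint64]bool{}
	for _, s := range stmts {
		if seen[s.GECInstanceID] == nil {
			seen[s.GECInstanceID] = map[uint64]bool{}
		}
		seen[s.GECInstanceID][s.SessionSequenceNumber] = true
	}
	gaps := map[string][]uint64{}
	for gec, nums := range seen {
		lo, hi := ^uint64(0), uint64(0)
		for n := range nums {
			if n < lo {
				lo = n
			}
			if n > hi {
				hi = n
			}
		}
		for n := lo; n < hi; n++ { // hi itself was seen, so it needs no check
			if !nums[n] {
				gaps[gec] = append(gaps[gec], n)
			}
		}
	}
	return gaps
}

// CausalChain follows causal_parent_id from sarID back to the chain root and
// returns the sar_ids root-first. A parent that is referenced but absent from
// the log is an error (a suppressed SAR), as is a cycle.
func CausalChain(stmts []SARStatement, sarID string) ([]string, error) {
	byID := make(map[string]SARStatement, len(stmts))
	for _, s := range stmts {
		byID[s.SARID] = s
	}
	var chain []string
	visited := map[string]bool{}
	for id := sarID; id != ""; {
		s, ok := byID[id]
		if !ok {
			return nil, fmt.Errorf("causal_parent_id %q references a SAR that is not in the log", id)
		}
		if visited[id] {
			return nil, fmt.Errorf("causal cycle at %q", id)
		}
		visited[id] = true
		chain = append([]string{id}, chain...) // prepend so the root ends up first
		id = s.CausalParentID
	}
	return chain, nil
}

// ChildrenIndex builds the index a GAR-compliant transparency log SHOULD keep:
// causal_parent_id -> child sar_ids, so a chain can also be walked forward.
func ChildrenIndex(stmts []SARStatement) map[string][]string {
	idx := map[string][]string{}
	for _, s := range stmts {
		if s.CausalParentID != "" {
			idx[s.CausalParentID] = append(idx[s.CausalParentID], s.SARID)
		}
	}
	return idx
}

// SampleStatements is constructed data, not real SARs.
func SampleStatements() []SARStatement {
	return []SARStatement{
		{"sar-A", "gec-1", 1, "", "ALLOW"},
		{"sar-B", "gec-1", 2, "sar-A", "DENY"},
		{"sar-C", "gec-1", 3, "sar-B", "ESCALATE"},
		{"sar-E", "gec-1", 5, "sar-C", "ALLOW"},      // sequence 4 never appeared
		{"sar-D", "gec-2", 1, "sar-missing", "ALLOW"}, // dangling parent
	}
}

func main() {
	stmts := SampleStatements()
	chain, err := CausalChain(stmts, "sar-C")
	fmt.Println("gaps:", SequenceGaps(stmts), "chain:", chain, err)
	_, err = CausalChain(stmts, "sar-D")
	fmt.Println("dangling parent:", err)
}
```

A verifier that sees only the statements in a transparency log has two independent signals of suppression here: a missing sequence number (a SAR that was never published) and a causal_parent_id that points at nothing (a SAR that was published but whose predecessor was not). Both are reported as findings rather than silently skipped.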
The SAR carries all properties required of a SCITT Signed Statement: it is produced by an identified Issuer (the GEC), signed with a key bound to that Issuer's attested execution environment, and carries a payload that a Relying Party can evaluate against a known governance policy.

This specification constitutes GAR's formal declaration as a SCITT application profile. Implementations that submit SARs to a SCITT transparency log MUST conform to both this specification and [I-D.ietf-scitt-architecture].

The SAR SCITT Signed Statement payload is the canonical JSON serialization of the SAR as defined in Section 6.2. The COSE [RFC9052] protected header MUST include:

o alg: EdDSA (Ed25519)
o kid: Key identifier of the GEC's signing key
o content_type: application/soos.gar.sar+json
o issuer: GEC identifier
o causal_parent_id: The sar_id of the causally preceding SAR, or absent if this SAR is the root of a causal chain. This field in the COSE protected header allows SCITT transparency log operators to index causal relationships without parsing the SAR payload.

Upon successful SCITT submission, the GEC MUST record a SAR_SCITT_SUBMITTED Event Log entry (Section 8.3) containing the SCITT transparency log entry identifier and the transparency log URI.

10.2.  Audit Package SCRAPI Submission

The Audit Package (Section 9) maps directly onto the SCRAPI POST /entries endpoint [I-D.ietf-scitt-architecture]. A Verified External Auditor MAY submit an Audit Package to a SCITT transparency log via SCRAPI. Once registered, the append-only guarantee of the SCITT transparency log ensures that the Audit Package cannot be altered or removed, regardless of any later action by the operator or the GEC. The SCRAPI submission provides the external tamper-evidence property that complements GAR's internal non-suppressibility guarantee.

SCRAPI Audit Package submission MUST be recorded as AUDIT_PACKAGE_PRODUCED in the Event Log with a scitt_entry_id field if submission is performed.

10.3.  Conformance Level Requirements

SCITT submission requirements vary by GEC conformance level, as defined in [I-D.sato-soos-idp] Section 9:

Level 1 (Application Profile): SCITT SAR submission is RECOMMENDED. Non-suppressibility is probabilistic; SCITT submission is the primary compensating control. Operators SHOULD configure automatic SAR submission to a SCITT transparency log.

Level 2 (Isolated Profile): SCITT SAR submission is RECOMMENDED. The isolated GEC process provides architectural non-suppressibility; SCITT provides independent external evidence.

Level 3 (Kernel Profile): SCITT SAR submission is REQUIRED. Every SAR MUST be submitted to a SCITT transparency log before the GEC returns a session close confirmation. The SAR_SCITT_SUBMITTED Event Log entry MUST precede or be atomic with SAR_GENERATED.

11.  EU AI Act Applicability

11.1.  Article 12 Mapping

EU AI Act Article 12 requires high-risk AI systems to automatically generate logs enabling post-market monitoring and audit. The following table maps Article 12 provisions to GAR mechanisms. This mapping is normative: the Event Log fields and SAR structure specified in this document satisfy Article 12(3) traceability requirements for deployments governed by [I-D.sato-soos-hem]. Operators may reference this section directly in conformance documentation.

+------------------------------+--------------------------------+------+
| Article 12 Provision         | GAR Mechanism                  | Sec. |
+------------------------------+--------------------------------+------+
| 12(1) Automatic logging      | Event Log: append-only,        | 8    |
| capability                   | GEC-generated, cannot be       |      |
|                              | suppressed                     |      |
+------------------------------+--------------------------------+------+
| 12(2) Logging period         | SAR close_timestamp + operator | 6.4  |
| commensurate with purpose    | retention configuration;       |      |
|                              | SHOULD minimum 12 months       |      |
+------------------------------+--------------------------------+------+
| 12(3) Traceability of AI     | hem_id chain across Event Log  | 8    |
| system operation             | entries -- full causal history |      |
|                              | reconstructible from any event |      |
+------------------------------+--------------------------------+------+
| 12(3) Human oversight audit  | principal_type + principal_id  | 8.2  |
| record                       | + decision_type + DRR on every |      |
|                              | HEM_DECISION_RECEIVED entry    |      |
+------------------------------+--------------------------------+------+
| 12(3) Policy audit record    | PRD + prd_id on every          | 8.2  |
|                              | HEM_TRIGGERED entry            |      |
+------------------------------+--------------------------------+------+

Table 2: EU AI Act Article 12 Mapping

12.  Authority Lifecycle Events

12.1.  ALE Design Principles

The Authority Lifecycle Event (ALE) category records the complete authority status lifecycle of an agent session. Four design principles govern the ALE system:

Non-suppressibility: Every authority state transition MUST produce a signed ALE entry. No agent, application, or operator can suppress ALE generation. The GEC's non-suppressibility guarantee (Section 4) applies to ALE entries with the same force as to SARs and Event Log entries.

Causal completeness: The ALE causal chain for any session MUST be reconstructible from the ALE store alone. Every ALE entry except chain roots (ALE-001 and ALE-002) MUST carry a prior_event_id that references an existing ALE entry for the same agent or session.

External signing for R-3 events: ALE entries arising from R-3 (Attestation Integrity Failure) revocations MUST be signed by an external KIA Verification Service, not the GEC instance under attestation. A compromised kernel cannot self-attest its own recovery. See ALE-007 (Section 12.9).

Recovery gate enforcement: ALE_RECOVERY_INITIATED (ALE-004) carries mandate_hold: true. The GEC MUST reject any MJWT issuance for an agent with an active mandate_hold. Only ALE_AUTHORITY_RESTORED (ALE-008) with mandate_hold_lifted: true opens the re-authorization gate.

12.2.  ALE Causal Ordering Model

ALE events form a directed causal chain within a recovery flow. The normative single-agent chain is:

ALE-001 (SESSION_REVOKED)
  -> ALE-003 (PARTIAL_STATE_RECORDED) [if PARTIAL or UNKNOWN]
  -> ALE-004 (RECOVERY_INITIATED)
  -> ALE-005 (PARTIAL_STATE_DISPOSITION) [if PARTIAL states exist]
  -> ALE-006 (CREDENTIAL_RESTORED) or ALE-007 (KIA_REATTESTATION)
  -> ALE-008 (AUTHORITY_RESTORED)

Account-level suspension uses ALE-002 as chain root instead of ALE-001. Multi-agent events (ALE-009 through ALE-012) are causally linked to the single-agent chain of the triggering revocation event via prior_event_id.

Each ALE entry MUST carry prior_event_id referencing the immediately preceding event in its causal chain. Gap detection: a verifier SHOULD flag any ALE chain where prior_event_id references a missing entry, as this indicates a suppressed or lost event.

ALE event identifiers ALE-013 through ALE-017 are reserved for future use. They are not defined in this document. Implementations MUST NOT assign semantics to these identifiers without a standards-track document updating this specification.

12.3.  ALE-001: ALE_SESSION_REVOKED

Fires: when any revocation trigger causes AEP_SESSION_CLOSED with closure_reason MANDATE_REVOKED. This is the causal chain root for single-session revocations. Trigger classes R-1 through R-6 are defined in [I-D.sato-soos-mad] Section 3.6.4.

Fields: event_type ("ALE_SESSION_REVOKED"), event_id (UUID v7), prior_event_id (causal link to last AEP event; REQUIRED), occurred_at, session_id, agent_id, mandate_jwt_id, so_id, revocation_class (R-1|R-2|R-3|R-4|R-5|R-6), revocation_reason, revocation_source (CAEP_SIGNAL|OPERATOR|CAP_VIOLATION|PT_THRESHOLD|KIA_ATTESTATION|CASCADE), trigger_event_ref, completion_state (CLEAN|PARTIAL|UNKNOWN), natural_breakpoint_reached (boolean), irreversible_actions_taken (boolean), rollback_available (boolean), so_state_at_revocation, iterations_completed, cascade_depth, gec_signature.

When completion_state is PARTIAL or UNKNOWN, the GEC MUST immediately commit ALE_PARTIAL_STATE_RECORDED (ALE-003).

12.4.  ALE-002: ALE_AUTHORITY_SUSPENDED

Fires: when all sessions for an agent are suspended at account or operator level. Equivalent to RISC account-disabled. Causal chain root for account-level suspension flows.

Fields: event_type ("ALE_AUTHORITY_SUSPENDED"), event_id, prior_event_id, occurred_at, agent_id, suspension_reason (CREDENTIAL_COMPROMISE|OPERATOR_HOLD|REGULATORY_HOLD|KIA_ATTESTATION_FAILURE|PT_SYSTEMIC_FAILURE), suspension_source (RISC_SIGNAL|OPERATOR|REGULATORY_AUTHORITY), trigger_event_ref, affected_session_ids[], affected_so_ids[], recovery_permitted (boolean), operator_authority_ref (REQUIRED when source is OPERATOR), gec_signature.

12.5.  ALE-003: ALE_PARTIAL_STATE_RECORDED

Fires: when completion_state in ALE-001 is PARTIAL or UNKNOWN. The GEC MUST commit this entry before session close is confirmed.

Fields: event_type ("ALE_PARTIAL_STATE_RECORDED"), event_id, prior_event_id (MUST reference ALE_SESSION_REVOKED; REQUIRED), occurred_at, session_id, so_id, so_state_at_suspension, last_committed_action, last_committed_event_id, uncommitted_idp_ref, irreversible_actions[] ({action, event_id, occurred_at}), rollback_path[] ({action, from_state, to_state}), hem_escalation_id (UUID v7; REQUIRED), disposition_required_by (ISO 8601), gec_signature.

The GEC MUST fire HEM_TRIGGERED immediately after committing this entry, using hem_escalation_id as the HEM event identifier, with trigger_class: 3.

12.6.  ALE-004: ALE_RECOVERY_INITIATED

Fires: when an operator or human principal initiates a recovery flow. Establishes the mandate_hold gate.

Fields: event_type ("ALE_RECOVERY_INITIATED"), event_id, prior_event_id (MUST reference ALE-001 or ALE-002; REQUIRED), occurred_at, agent_id, recovery_ref (UUID v7; recovery flow ID), initiated_by (OPERATOR|HUMAN_PRINCIPAL|REGULATORY_AUTHORITY), initiator_ref, revocation_ref, recovery_type (CREDENTIAL_ROTATION|KIA_REATTESTATION|PT_REHABILITATION|OPERATOR_REINSTATEMENT|REGULATORY_CLEARANCE), estimated_completion (OPTIONAL), mandate_hold (boolean; MUST be true), gec_signature.

mandate_hold: true is normatively required. Any MJWT issuance attempt for this agent_id while mandate_hold is active MUST be rejected with error code AGENT_IN_RECOVERY.

12.7.  ALE-005: ALE_PARTIAL_STATE_DISPOSITION

Fires: when a human principal decides the fate of a PARTIAL SO state.

Fields: event_type ("ALE_PARTIAL_STATE_DISPOSITION"), event_id, prior_event_id (MUST reference ALE_PARTIAL_STATE_RECORDED; REQUIRED), occurred_at, recovery_ref, session_id, so_id, disposition (ROLLBACK|COMPLETE|ABANDON|DEFER), decided_by, principal_signature (REQUIRED), disposition_rationale (REQUIRED), rollback_target_state (REQUIRED when disposition is ROLLBACK), completion_agent_id (REQUIRED when disposition is COMPLETE), completion_mandate_ref (REQUIRED when disposition is COMPLETE), abandon_compensation[] ({action, rationale}), defer_deadline (ISO 8601; REQUIRED when disposition is DEFER), gec_signature.

ALE_AUTHORITY_RESTORED (ALE-008) MUST NOT be committed while any PARTIAL state for this agent has disposition DEFER or is unresolved.

12.8.  ALE-006: ALE_CREDENTIAL_RESTORED

Fires: when a compromised or expired credential has been rotated.

Fields: event_type ("ALE_CREDENTIAL_RESTORED"), event_id, prior_event_id (links to ALE_RECOVERY_INITIATED), occurred_at, recovery_ref, agent_id, credential_type (MJWT|KIA_ATTESTATION|WIMSE_SVID|ALL), new_credential_ref, old_credential_ref, rotation_method (KEY_ROTATION|REATTESTATION|REISSUANCE), pt_score_at_restoration (float 0.0-1.0), gec_signature.

12.9.  ALE-007: ALE_KIA_REATTESTATION_COMPLETED

Fires: for R-3 revocations only. CRITICAL: This entry MUST be signed by an external KIA Verification Service, NOT the GEC being re-attested. The field name kia_verifier_signature replaces gec_signature.

Fields: event_type ("ALE_KIA_REATTESTATION_COMPLETED"), event_id, prior_event_id (links to ALE_RECOVERY_INITIATED), occurred_at, recovery_ref, gec_instance_id, prior_attestation_id, new_attestation_id, new_cedar_policy_hash, new_kernel_version, attestation_gap_duration (integer; seconds), sessions_during_gap[] (session_ids during gap), kia_verifier_signature (Ed25519; REQUIRED), kia_verifier_id.

Sessions in sessions_during_gap MUST be flagged in GAR with an ATTESTATION_GAP_WARNING note. Their StateTransitionEvents are not automatically invalidated (INV-17 horizontal non-contamination applies), but the gap period MUST be disclosed in any Audit Package for these sessions.

12.10.  ALE-008: ALE_AUTHORITY_RESTORED

Fires: when all recovery conditions are met. This is the normative endpoint of the recovery lifecycle and the gate that lifts mandate_hold.

Fields: event_type ("ALE_AUTHORITY_RESTORED"), event_id, prior_event_id (MUST reference ALE-006 or ALE-007; REQUIRED), occurred_at, recovery_ref, agent_id, restored_by (OPERATOR|REGULATORY_AUTHORITY), restoration_scope (FULL|CONSTRAINED), constraints[] (Cedar fragments; REQUIRED when CONSTRAINED), prior_revocation_ref, partial_state_disposition_ref (REQUIRED if any PARTIAL states existed), pt_score_at_restoration (float; REQUIRED), mandate_hold_lifted (boolean; MUST be true), new_mandate_jwt_id (OPTIONAL), gec_signature.
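The single-agent chain rules of Sections 12.1 to 12.10, enforced at commit time by an ALE store, as an added example in Go. This is my code, not the draft's and not any SOOS implementation's. It applies the per-event prior_event_id rules of Sections 12.5 to 12.10 (so ALE-004 cites ALE-001 or ALE-002 and ALE-005 cites ALE-003, as those sections require), refuses ALE-008 while a PARTIAL state is unresolved or deferred, and implements the mandate_hold gate with the AGENT_IN_RECOVERY error code. The Go type, the agent_id tag on every event, and all event ids are assumptions or constructed values; signatures are omitted.

```go
package main

import (
	"errors"
	"fmt"
)

// ALEEvent is the subset of an ALE entry this checker needs. Field names follow
// Section 12; the Go type, and tagging every event with the agent_id it concerns,
// are this example's assumptions (the draft keys some events by session_id).
type ALEEvent struct {
	EventType         string
	EventID           string
	PriorEventID      string // for chain roots this points into the primary Event Log
	AgentID           string
	Disposition       string // ALE-005: ROLLBACK | COMPLETE | ABANDON | DEFER
	MandateHold       bool   // ALE-004: MUST be true
	MandateHoldLifted bool   // ALE-008: MUST be true
}

// allowedPrior encodes the prior_event_id rules of Sections 12.5 to 12.10: the
// event types each type may cite as its causal predecessor. ALE-001 and ALE-002
// are chain roots whose prior lies outside the ALE store, so they are absent here.
var allowedPrior = map[string]map[string]bool{
	"ALE_PARTIAL_STATE_RECORDED":      {"ALE_SESSION_REVOKED": true},
	"ALE_RECOVERY_INITIATED":          {"ALE_SESSION_REVOKED": true, "ALE_AUTHORITY_SUSPENDED": true},
	"ALE_PARTIAL_STATE_DISPOSITION":   {"ALE_PARTIAL_STATE_RECORDED": true},
	"ALE_CREDENTIAL_RESTORED":         {"ALE_RECOVERY_INITIATED": true},
	"ALE_KIA_REATTESTATION_COMPLETED": {"ALE_RECOVERY_INITIATED": true},
	"ALE_AUTHORITY_RESTORED":          {"ALE_CREDENTIAL_RESTORED": true, "ALE_KIA_REATTESTATION_COMPLETED": true},
}

var ErrAgentInRecovery = errors.New("AGENT_IN_RECOVERY") // Section 12.6 error code

// ALEStore is an in-memory stand-in for the append-only ALE store plus the
// per-agent state the GEC needs to enforce the recovery gate.
type ALEStore struct {
	events      map[string]ALEEvent        // committed entries by event_id
	mandateHold map[string]bool            // agent_id -> hold active
	openPartial map[string]map[string]bool // agent_id -> ALE-003 ids without a resolving ALE-005
}

func NewALEStore() *ALEStore {
	return &ALEStore{map[string]ALEEvent{}, map[string]bool{}, map[string]map[string]bool{}}
}

// Commit validates an entry against the chain and gate rules, then records it.
// Rejected entries are never stored, so a replay of the store sees a clean chain.
func (s *ALEStore) Commit(e ALEEvent) error {
	if _, dup := s.events[e.EventID]; dup {
		return fmt.Errorf("%s: duplicate event_id %s", e.EventType, e.EventID)
	}
	if e.EventType != "ALE_SESSION_REVOKED" && e.EventType != "ALE_AUTHORITY_SUSPENDED" {
		prior, ok := s.events[e.PriorEventID]
		if !ok { // Section 12.2 gap detection: a dangling prior_event_id means a suppressed or lost event
			return fmt.Errorf("%s: prior_event_id %q not in ALE store", e.EventType, e.PriorEventID)
		}
		// unknown, reserved or multi-agent types have no allowed set and are rejected here
		if prior.AgentID != e.AgentID || !allowedPrior[e.EventType][prior.EventType] {
			return fmt.Errorf("%s: prior_event_id may not reference %s (allowed: %v)", e.EventType, prior.EventType, allowedPrior[e.EventType])
		}
	}
	switch e.EventType {
	case "ALE_RECOVERY_INITIATED":
		if !e.MandateHold {
			return errors.New("ALE_RECOVERY_INITIATED: mandate_hold MUST be true")
		}
		s.mandateHold[e.AgentID] = true
	case "ALE_PARTIAL_STATE_RECORDED":
		if s.openPartial[e.AgentID] == nil {
			s.openPartial[e.AgentID] = map[string]bool{}
		}
		s.openPartial[e.AgentID][e.EventID] = true
	case "ALE_PARTIAL_STATE_DISPOSITION":
		if e.Disposition != "DEFER" { // DEFER leaves the state unresolved
			delete(s.openPartial[e.AgentID], e.PriorEventID)
		}
	case "ALE_AUTHORITY_RESTORED":
		if len(s.openPartial[e.AgentID]) > 0 {
			return errors.New("ALE_AUTHORITY_RESTORED: a PARTIAL state is unresolved or deferred")
		}
		if !e.MandateHoldLifted {
			return errors.New("ALE_AUTHORITY_RESTORED: mandate_hold_lifted MUST be true")
		}
		delete(s.mandateHold, e.AgentID) // the only place the re-authorization gate opens
	}
	s.events[e.EventID] = e
	return nil
}

// IssueMJWT is the gate of Sections 12.1 and 12.6: no new mandate while a hold is active.
func (s *ALEStore) IssueMJWT(agentID string) error {
	if s.mandateHold[agentID] {
		return ErrAgentInRecovery
	}
	return nil
}

func main() {
	s := NewALEStore()
	err := s.Commit(ALEEvent{EventType: "ALE_SESSION_REVOKED", EventID: "e1", PriorEventID: "aep-constructed", AgentID: "agent-A"})
	fmt.Println("root committed:", err == nil, "MJWT issuable before recovery starts:", s.IssueMJWT("agent-A") == nil)
}
```

Because the hold is set only by a committed ALE-004 and cleared only by a committed ALE-008, an attempt to skip ALE-006/ALE-007 or to restore authority over a deferred PARTIAL state fails at commit and leaves the gate closed; a verifier replaying the store therefore never has to reason about entries that were refused.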
pt_score_at_restoration below the operator-configured re-authorization threshold requires restoration_scope: CONSTRAINED. 12.11. ALE-009: ALE_DELEGATION_CHILD_REVOKED Fires: on the parent agent's GEC session when a child mandate is revoked. The GEC MUST deliver a DELEGATION_EVENT Context Package trigger to the parent session at next SENSE. Fields: event_type ("ALE_DELEGATION_CHILD_REVOKED"), event_id, prior_event_id (causal link to last event in parent session; REQUIRED), occurred_at, parent_session_id, parent_mandate_jwt_id, revoked_child_mandate_id, revoked_agent_id, revoked_so_id, revocation_class (R-1 through R-6), child_completion_state (CLEAN|PARTIAL|UNKNOWN), delegation_depth, cascade_depth_remaining, cluster_id (null if not in cluster), parent_goal_impact (BLOCKING|NON_BLOCKING|UNKNOWN), gec_signature. When parent_goal_impact is BLOCKING, the DELEGATION_EVENT Context Package trigger MUST carry goal_impact: BLOCKING, and the parent agent MUST NOT submit the next ACT without re-delegating or escalating to HEM. 12.12. ALE-010: ALE_CLUSTER_PARTIAL_REVOCATION Fires: on the SO Cluster coordination record when any cluster member is revoked. Fields: event_type ("ALE_CLUSTER_PARTIAL_REVOCATION"), event_id, prior_event_id (causal link to ALE_SESSION_REVOKED of revoked member; REQUIRED), occurred_at, cluster_id, orchestrator_session_id, revoked_member_agent_id, revoked_member_so_id, revoked_completion_state, members_still_active[], members_completed[], members_revoked[], aggregation_rule (QUORUM|ALL_COMPLETE|FIRST_COMPLETE|ANY), cluster_achievability (ACHIEVABLE|DEGRADED|UNACHIEVABLE), recommended_disposition (CONTINUE|HALT_REMAINING|REASSIGN_REVOKED), gec_signature. When cluster_achievability is UNACHIEVABLE: recommended_disposition MUST be HALT_REMAINING; the GEC MUST commit ALE-009 to the Orchestrator session with parent_goal_impact: BLOCKING; the GEC SHOULD halt remaining active cluster members. 12.13. 
ALE-011: ALE_SIBLING_REVOCATION_NOTICE Fires: on any agent session sharing a SO instance with a revoked peer. Receipt does NOT invalidate the notified agent's work. INV-4 horizontal non-contamination [I-D.sato-soos-mad] means sibling revocation does not cascade horizontally. Fields: event_type ("ALE_SIBLING_REVOCATION_NOTICE"), event_id, prior_event_id (causal link to last event in notified session; REQUIRED), occurred_at, notified_session_id, notified_agent_id, shared_so_id, revoked_agent_id, revoked_session_id, revoked_mandate_jwt_id, revocation_class, last_revoked_event_id, peer_relationship (SIBLING|COUSIN|UNRELATED_SAME_SO), contamination_assessment (CLEAN_SEPARATION|INTERLEAVED|UNKNOWN), gec_signature. 12.14. ALE-012: ALE_DELEGATION_TREE_RECOVERY_INITIATED Fires: on the root orchestrator session when recovery begins for any revoked descendant. Fields: event_type ("ALE_DELEGATION_TREE_RECOVERY_INITIATED"), event_id, prior_event_id (causal link to ALE_DELEGATION_CHILD_REVOKED; REQUIRED), occurred_at, root_mandate_jwt_id, orchestrator_session_id, recovery_ref (UUID v7; tree-level recovery flow ID), revoked_subtree_root, revoked_agents[] ({agent_id, mandate_jwt_id, completion_state, so_id}), still_active_agents[] ({agent_id, mandate_jwt_id, so_id}), partial_so_ids[], tree_recovery_strategy (REDELEGATION| PARTIAL_COMPLETION|FULL_ABORT|HUMAN_DECISION), mandate_hold_scope (SUBTREE_ONLY|FULL_TREE), gec_signature. mandate_hold_scope: FULL_TREE means the root orchestrator session also receives MANDATE_REVOCATION trigger at next SENSE. 13. Security Considerations The GAR audit architecture relies on the following security properties: GEC signing key integrity: All SAR, Audit Alert, IDP Commitment Verification Record, and Audit Package chain-of-custody signatures depend on the integrity of the GEC's Ed25519 signing key. At Level 3, the key MUST be bound to a RATS-attested execution environment. 
At Level 2, the key MUST be held in the isolated GEC process, inaccessible to agent code. At Level 1, key protection is application-managed; HSM controls are RECOMMENDED. Key compromise MUST be treated as a critical security incident requiring immediate rotation and re- signing of all affected audit artifacts. Event Log append-only property: The Event Log MUST be implemented as an append-only data structure. No API MUST allow deletion or modification of existing entries. Audit Principals and Verified External Auditors MUST have read-only access. Non-suppressibility: The GEC MUST NOT expose any interface that allows an agent, application, HEM Principal, or Audit Principal to suppress SAR generation, Audit Alert firing, or IDP Commitment Verification. Implementations MUST be reviewed for any code path that could conditionally skip these operations. Audit Principal separation: Audit Principals MUST be registered separately from HEM Principals. The same party SHOULD NOT hold both roles for the same SO Type. Separation prevents a principal from suppressing audit findings about their own HEM decisions. Verified External Auditor access: GEC interfaces for Verified External Auditor access MUST enforce scope limitations at the query layer. Access grants MUST expire automatically. The GEC MUST reject queries outside the declared scope. PRD review_date enforcement: Operators MUST ensure that PRD review_date values reflect genuine governance review cycles. Stale PRDs with extended review_dates undermine the living governance record property that PRD is designed to provide. SCITT submission integrity: At Level 3, SAR submission to a SCITT transparency log is REQUIRED. Implementations MUST verify that the SCITT transparency log returns a valid receipt before recording SAR_SCITT_SUBMITTED. A failed SCITT submission at Level 3 MUST be treated as a critical audit finding and MUST trigger a CRITICAL Audit Alert. 
Personal data in ALE event records: ALE event records may contain personal data as defined in Regulation (EU) 2016/679 (GDPR) Article 4(1). In particular: agent_id and Party Registry identifiers may be directly or indirectly linked to natural persons; revocation_reason and disposition_rationale fields MUST NOT contain personal data beyond what is necessary for the governance record purpose; session_id and mandate_jwt_id values may constitute pseudonymous identifiers under GDPR Article 4(5). Operators MUST assess ALE retention periods against applicable data protection law. Operators subject to GDPR SHOULD consider whether ALE records containing identifiers linked to natural persons are subject to the Article 17 right to erasure, and MUST ensure that erasure obligations can be satisfied without compromising the integrity of the audit causal chain -- for example, by pseudonymizing personal identifiers in archived ALE records while preserving causal ordering fields. Session revocation and re-authorization: For session revocation trigger taxonomy and continuation mandate authority, see [I-D.sato-soos-mad] Sections 3.6.4 and 3.6.6. 14. IANA Considerations 14.1. GAR Audit Alert Triggers Registry This document establishes the "Governance Audit Record Audit Alert Triggers" registry. Registration procedure: Specification Required. Initial values: +------------------------------------------+-----------+-----------+ | Trigger Identifier | Severity | Reference | +------------------------------------------+-----------+-----------+ | KERNEL_AUDIT_ANOMALY | CRITICAL | Sec. 7.3 | | IDP_COMMITMENT_GAP | CRITICAL | Sec. 7.3 | | CAP_TRANSPARENCY_VIOLATION | CRITICAL | Sec. 8.3 | | TERMINATE_DECISION | HIGH | Sec. 7.3 | | AUTO_APPROVE_DISPOSITION | HIGH | Sec. 7.3 | | HEM_CHAIN_EXHAUSTED | HIGH | Sec. 7.3 | | MISSION_REVOKE_CASCADE | HIGH | Sec. 7.3 | | MANDATE_NARROWING_VIOLATION | HIGH | Sec. 7.3 | | HEM_TERMINATE_RATIONALE_REQUIRED | MEDIUM | Sec. 
7.3  |
   | THREE_OR_MORE_HEM_EVENTS_IN_SESSION      | MEDIUM    | Sec. 7.3  |
   | PRD_REVIEW_DATE_EXCEEDED                 | MEDIUM    | Sec. 7.3  |
   | POLICY_RATIONALE_GAPS_IN_SAR             | LOW       | Sec. 7.3  |
   +------------------------------------------+-----------+-----------+

         Table 3: Initial GAR Audit Alert Triggers Registry Values

14.2.  GAR Auditor Principal Types Registry

   This document establishes the "Governance Audit Record Auditor
   Principal Types" registry.  Registration procedure: Standards Action.

   Initial values:

   +---------------------------+---------------------------------------+
   | Type                      | Description                           |
   +---------------------------+---------------------------------------+
   | HEM_PRINCIPAL             | Resolves HEM escalations.             |
   |                           | NOT an auditor.                       |
   +---------------------------+---------------------------------------+
   | AUDIT_PRINCIPAL           | Receives Audit Alerts, reviews SARs,  |
   |                           | initiates Type 4 scheduled audits.    |
   |                           | Read-only GEC access.                 |
   +---------------------------+---------------------------------------+
   | VERIFIED_EXTERNAL_AUDITOR | Regulator or accounting firm.         |
   |                           | Time-limited, scope-limited GEC       |
   |                           | access.  Produces Audit Packages.     |
   +---------------------------+---------------------------------------+
   | GEC_SELF_AUDITOR          | Architectural property of the GEC.    |
   |                           | Not a human role.                     |
   +---------------------------+---------------------------------------+

        Table 4: Initial GAR Auditor Principal Types Registry Values

14.3.  GAR Authority Lifecycle Event Types Registry

   This document establishes the "Governance Audit Record Authority
   Lifecycle Event Types" registry.  Registration procedure:
   Specification Required.

   Initial values:

   +-------------------------------------+-------+-------------------+
   | Event Type                          | Class | Reference         |
   +-------------------------------------+-------+-------------------+
   | ALE_SESSION_REVOKED                 | SA    | Sec. 12.3         |
   | ALE_AUTHORITY_SUSPENDED             | SA    | Sec. 12.4         |
   | ALE_PARTIAL_STATE_RECORDED          | SA    | Sec. 12.5         |
   | ALE_RECOVERY_INITIATED              | SA    | Sec. 12.6         |
   | ALE_PARTIAL_STATE_DISPOSITION       | SA    | Sec. 12.7         |
   | ALE_CREDENTIAL_RESTORED             | SA    | Sec. 12.8         |
   | ALE_KIA_REATTESTATION_COMPLETED     | SA    | Sec. 12.9         |
   | ALE_AUTHORITY_RESTORED              | SA    | Sec. 12.10        |
   | ALE_DELEGATION_CHILD_REVOKED        | MA    | Sec. 12.11        |
   | ALE_CLUSTER_PARTIAL_REVOCATION      | MA    | Sec. 12.12        |
   | ALE_SIBLING_REVOCATION_NOTICE       | MA    | Sec. 12.13        |
   | ALE_DELEGATION_TREE_RECOVERY_INIT.  | MA    | Sec. 12.14        |
   | ALE_CLUSTER_BUDGET_TRANSFER         | RG    | Sec. 8.5          |
   | ALE_CLUSTER_BLOCK_START             | RG    | Sec. 8.5          |
   | ALE_CLUSTER_BLOCK_END               | RG    | Sec. 8.5          |
   +-------------------------------------+-------+-------------------+

   Class values: SA = Single-Agent lifecycle event.  MA = Multi-Agent
   topology event.  RG = Resource Governance event (SA-15a,
   DR-DATA-ARCH-01).

    Table 5: Initial GAR Authority Lifecycle Event Types Registry Values

15.  References

15.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, May 2017.

   [RFC9672]  Backman, A., Scurtescu, M., Zundel, B., Hunt, P., and M.
              Jones, "Shared Signals: A Secure Webhooks Framework",
              RFC 9672, November 2024.

   [RFC8936]  Backman, A., Ed., Jones, M., Ed., Scurtescu, M., Ansari,
              M., and A. Nadalin, "Poll-Based Security Event Token (SET)
              Delivery Using HTTP", RFC 8936, November 2020.

   [RFC9052]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Structures and Process", STD 96, RFC 9052, August 2022.

   [RFC9562]  Davis, K., Peabody, B., and P. Leach, "Universally Unique
              IDentifiers (UUIDs)", RFC 9562, May 2024.

   [I-D.sato-soos-idp]
              Sato, T., "The Intent Declaration Primitive (IDP) for
              Agentic AI Systems", draft-sato-soos-idp-04, June 2026.

   [I-D.sato-soos-hem]
              Sato, T., "The Human Escalation Mechanism (HEM) for
              Agentic AI Systems", draft-sato-soos-hem-04, June 2026.

   [I-D.sato-soos-cap]
              Sato, T., "Constitutional AI Protocol (CAP) for Agentic AI
              Systems", draft-sato-soos-cap-03, June 2026.

   [I-D.sato-soos-sov]
              Sato, T., "The Sovereign Object (SOV) for Agentic AI
              Systems", draft-sato-soos-sov-01, June 2026.

   [I-D.sato-soos-mjwt]
              Sato, T., "The Mandate JWT (MJWT) for Agentic AI Systems",
              draft-sato-soos-mjwt-01, June 2026.

   [I-D.sato-soos-mad]
              Sato, T., "Multi-Agent Delegation (MAD) for Agentic AI
              Systems", draft-sato-soos-mad-02, June 2026.

   [I-D.sato-soos-kia]
              Sato, T., "Kernel Identity Attestation (KIA) for Agentic
              AI Systems", draft-sato-soos-kia-02, June 2026.

   [I-D.sato-soos-cap-rrs]
              Sato, T., "Constitutional AI Protocol -- Regulation Record
              Specification (CAP-RRS)", draft-sato-soos-cap-rrs-01,
              June 2026.

   [I-D.ietf-scitt-architecture]
              Birkholz, H., et al., "An Architecture for Trustworthy and
              Transparent Digital Supply Chains",
              draft-ietf-scitt-architecture-22, work in progress.

   [SCITT-SCRAPI]
              Birkholz, H., et al., "SCITT Reference API",
              draft-ietf-scitt-scrapi, work in progress.

15.2.  Informative References

   [EU-AI-ACT]
              European Parliament and Council, "Regulation (EU)
              2024/1689 of 13 June 2024 laying down harmonised rules on
              artificial intelligence (Artificial Intelligence Act)",
              OJ L, 2024/1689, 12 July 2024.

   [GDPR]     European Parliament and Council, "Regulation (EU) 2016/679
              of 27 April 2016 on the protection of natural persons with
              regard to the processing of personal data and on the free
              movement of such data (General Data Protection
              Regulation)", OJ L 119, 4 May 2016.

Appendix D.  Changes from draft-sato-soos-gar-00

   o  Throughout: "governing kernel" and "kernel" renamed to "Governing
      Enforcement Component (GEC)" and "GEC".  The JSON field name
      kernel_signature is preserved across all artifact types for
      wire-format compatibility with -00 implementations.  The label
      field within kernel_signature MUST indicate the GEC conformance
      level (L1, L2, or L3) per [I-D.sato-soos-idp], Section 9.

   o  Section 1: SCITT integration paragraph added.  References to
      [I-D.sato-soos-sov] and [I-D.sato-soos-mjwt] added.

   o  Section 2: GEC definition added.  GEC-signed definition added.
      Sovereign Object definition added.

   o  Section 3: Architecture diagram updated to reflect the GEC rename.
   o  Section 5.4: "Kernel Self-Auditor" renamed to "GEC Self-Auditor".

   o  Section 6.2: so_id field added to the SAR schema.  mandate_id
      field clarified to reference the [I-D.sato-soos-mjwt] jti claim.

   o  Section 6.1: GEC signing key reference updated for the
      conformance level model.

   o  Section 10: SCITT Integration added (new section).  Specifies the
      SAR as a SCITT Signed Statement, SCRAPI Audit Package submission,
      and per-conformance-level requirements.

   o  Section 11 (was 10): EU AI Act section renumbered.

   o  Section 12 (was 14a): Authority Lifecycle Events promoted to a
      sequential section number.  Security and IANA sections renumbered
      accordingly (Security: 13, IANA: 14, References: 15).

   o  Section 15 (was 13): References updated.  IDP updated to -04.  HEM
      updated to -04.  CAP promoted from informative to normative.
      SOV-01, MJWT-01, and the SCITT architecture draft added.
      SCITT-SCRAPI moved to normative references.

Appendix C.  Vibe Coding Assets

   This appendix provides structured machine-readable references to
   support AI-assisted implementation of GAR.  Informative.

C.1.  Protocol Summary

   Protocol:    Governance Audit Record (GAR)
   Version:     draft-sato-soos-gar-02
   Family:      SOOS protocol suite
   Role:        Audit architecture -- non-suppressible, causally-ordered,
                SCITT-anchored governance record
   New in -02:  SCITT profile declaration (SA-02); ALE event category
                (SA-13, now Section 12); record_id MUST on DENY/
                ESCALATE/SUSPEND (SA-10); HEM_LAYER_DISCREPANCY in
                Section 8.2 (cross-reference: HEM Section 6.5)

C.2.  Key Identifiers

   SAR fields (new in -02): causal_parent_id, session_sequence_number,
   governance_decision (ALLOW|DENY|ESCALATE|SUSPEND), ale_events[]

   ALE event chain (single agent):
   ALE-001 -> ALE-003 -> ALE-004 -> ALE-005 -> ALE-006/007 -> ALE-008

   Multi-agent ALE: ALE-009, ALE-010, ALE-011, ALE-012

   Resource governance ALE: ALE-018, ALE-019, ALE-020

   New alert trigger: CAP_TRANSPARENCY_VIOLATION (CRITICAL)

C.3.  Canonical Reference

   Specification:   https://soosproject.ai/drafts/gar
   Datatracker:     https://datatracker.ietf.org/doc/draft-sato-soos-gar/
   Stack overview:  https://soosproject.ai/stack

Author's Address

   Tom Sato
   MyAuberge K.K.
   Chino, Nagano
   Japan

   Email: tomsato@myauberge.jp
   URI:   https://soosproject.ai/
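The SAR field set and the single-agent ALE causal chain summarised in Appendix C.2, together with the record_id rule (SA-10) and the kernel_signature label rule from Appendix D, can be turned into a concrete acceptance check that an Audit Principal could run over SARs before trusting them. The Python below is an added worked example, not code from this draft or from the SOOS project. It assumes the SAR is a JSON object; that each entry of ale_events[] carries ale_id, event_type, event_id and causal_parent_id (the per-event field names are not fixed by the text reproduced here); it pairs ALE-001 through ALE-008 with the Table 5 event types by their Section 12 titles; it reads "ALE-006/007" as the two events occurring in either order, each at most once, before ALE-008; and the sample SAR is constructed for the illustration.

```python
import copy

GOVERNANCE_DECISIONS = {"ALLOW", "DENY", "ESCALATE", "SUSPEND"}
RECORD_ID_REQUIRED = {"DENY", "ESCALATE", "SUSPEND"}  # record_id MUST (SA-10)
CONFORMANCE_LABELS = {"L1", "L2", "L3"}               # kernel_signature.label

# ALE-00x identifiers paired with their Table 5 event types (Section 12 titles).
ALE_TYPES = {
    "ALE-001": "ALE_SESSION_REVOKED",
    "ALE-003": "ALE_PARTIAL_STATE_RECORDED",
    "ALE-004": "ALE_RECOVERY_INITIATED",
    "ALE-005": "ALE_PARTIAL_STATE_DISPOSITION",
    "ALE-006": "ALE_CREDENTIAL_RESTORED",
    "ALE-007": "ALE_KIA_REATTESTATION_COMPLETED",
    "ALE-008": "ALE_AUTHORITY_RESTORED",
}

# Permitted successors in the single-agent chain
# ALE-001 -> ALE-003 -> ALE-004 -> ALE-005 -> ALE-006/007 -> ALE-008.
# Assumption: "ALE-006/007" = both may occur, either order, each at most once.
NEXT_ALE = {
    "ALE-001": {"ALE-003"}, "ALE-003": {"ALE-004"}, "ALE-004": {"ALE-005"},
    "ALE-005": {"ALE-006", "ALE-007"},
    "ALE-006": {"ALE-007", "ALE-008"},
    "ALE-007": {"ALE-006", "ALE-008"},
    "ALE-008": set(),
}

def check_ale_chain(events):
    """Violations of the single-agent causal chain in ale_events[].

    Assumed per-event fields: ale_id, event_type, event_id, causal_parent_id.
    Each event after the first must name its predecessor as causal parent;
    the first event's parent lies outside the chain and is not checked.
    """
    problems, seen, prev = [], set(), None
    for i, ev in enumerate(events):
        ale = ev.get("ale_id")
        if ale not in ALE_TYPES:
            problems.append(f"ale_events[{i}]: {ale!r} is not a single-agent ALE")
            break
        if ev.get("event_type") != ALE_TYPES[ale]:
            problems.append(f"ale_events[{i}]: {ale} must be {ALE_TYPES[ale]}")
        if ale in seen:
            problems.append(f"ale_events[{i}]: {ale} recorded twice")
        seen.add(ale)
        if prev is None and ale != "ALE-001":
            problems.append("ale_events[0]: chain must open with ALE-001")
        elif prev is not None:
            if ale not in NEXT_ALE[prev["ale_id"]]:
                problems.append(f"ale_events[{i}]: {ale} may not follow {prev['ale_id']}")
            if ev.get("causal_parent_id") != prev.get("event_id"):
                problems.append(f"ale_events[{i}]: causal_parent_id does not "
                                f"reference ale_events[{i - 1}]")
        prev = ev
    return problems

def chain_complete(events):
    """True once the chain has been closed by ALE-008 (authority restored)."""
    return bool(events) and events[-1].get("ale_id") == "ALE-008"

def validate_sar(sar):
    """Return the list of violations for one SAR object; [] means it passes."""
    problems = []
    decision = sar.get("governance_decision")
    if decision not in GOVERNANCE_DECISIONS:
        problems.append(f"governance_decision {decision!r} is not a defined value")
    if decision in RECORD_ID_REQUIRED and not sar.get("record_id"):
        problems.append(f"record_id is required when governance_decision is {decision}")
    seq = sar.get("session_sequence_number")
    if isinstance(seq, bool) or not isinstance(seq, int) or seq < 0:
        problems.append("session_sequence_number must be a non-negative integer")
    label = (sar.get("kernel_signature") or {}).get("label")
    if label not in CONFORMANCE_LABELS:
        problems.append(f"kernel_signature.label {label!r} is not L1, L2 or L3")
    problems.extend(check_ale_chain(sar.get("ale_events", [])))
    return problems

def _ale(n, ale_id, parent):
    return {"event_id": f"ev-{n}", "ale_id": ale_id,
            "event_type": ALE_TYPES[ale_id], "causal_parent_id": parent}

# Constructed sample SAR (not from the draft): a suspended session whose
# authority was fully recovered; the signature value is a placeholder.
SAMPLE_SAR = {
    "so_id": "so-7f3a", "mandate_id": "mjwt-jti-0c1d",
    "causal_parent_id": "sar-0041", "session_sequence_number": 42,
    "governance_decision": "SUSPEND", "record_id": "rec-0042",
    "kernel_signature": {"label": "L2", "alg": "ES256", "sig": "<omitted>"},
    "ale_events": [
        _ale(1, "ALE-001", "hem-esc-17"), _ale(2, "ALE-003", "ev-1"),
        _ale(3, "ALE-004", "ev-2"), _ale(4, "ALE-005", "ev-3"),
        _ale(5, "ALE-007", "ev-4"), _ale(6, "ALE-006", "ev-5"),
        _ale(7, "ALE-008", "ev-6"),
    ],
}

def broken_sar():
    """Sample with record_id removed and ALE-003/ALE-004 swapped in place."""
    sar = copy.deepcopy(SAMPLE_SAR)
    del sar["record_id"]
    ev = sar["ale_events"]
    ev[1], ev[2] = ev[2], ev[1]  # order violated; parent links now stale
    return sar
```

chain_complete is kept apart from validate_sar on purpose: a SAR generated at session close may legitimately carry an open chain (revoked, not yet recovered), and whether that is acceptable is a policy question the summary above does not settle. These are structural checks only; in a deployment the kernel_signature would be verified as a COSE signature per [RFC9052] before any of them is relied on, since an attacker who can forge the signature can also forge a well-ordered chain.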