[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-82943-en":3,"doc-seo-82943-105":29,"detail-sidebar-cat-0-en-105":90},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":4,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},82943,1099514068035,"Ezra","https://ap-avatar.wpscdn.com/davatar_276721f389ce27ea32af1340a28f341c",8,"Research & Report","Proof of Execution: Runtime Verification for Governed AI Agent Actions","Agent systems increasingly perform actions rather than just advise, especially when querying regulated data, using effectful tools, and mutating persistent state. Correctness cannot rely on whether final outputs appear plausible; it must confirm step-by-step authorization, tamper-evident history integrity, and deterministic replay of the execution trajectory. The work formalizes execution as a contract, an Execution Causal Event Stream, and a replay context, then defines PoE validity via well-formedness and validator-checkable invariants. Soundness ties violations to signature forgery, hash collisions, or quantified deployment failures.","arXiv :2607 .05397v1 [ cs .CR] 26 Apr 2026  \nProof of Execution:  \nRuntime Verification for Governed AI Agent Actions  \nJames Rhodes George Kang  \nAlphaBitCore, Inc.  \n{james,[george](george}@alphabitcore.com)[}](george}@alphabitcore.com)[@alphabitcore.com](george}@alphabitcore.com)  \nApril 2026  \nAbstract  \nAgent systems increasingly execute rather than advise. When an AI agent queries regulated data, invokes effectful tools, and mutates persistent state, correctness is no longer captured by whether a terminal output looks plausible. The operative questions are whether each step was authorized under a contract, whether the recorded history is tamper-evident, and whether the trajectory can be reconstructed deterministically. We formalize this as runtime proof of execution. An execution is a triple 􀁸 = (􀁃,􀁔,􀁒): a contract 􀁃, an Execution Causal Event Stream (ECES) 􀁔, and a replay context 􀁒 . A well-formedness predicate and five validator-checkable invariants form the PoE validity predicate  \nPoE(􀁃,􀁔,􀁒) = 1 ⇐⇒ WF (􀁃,􀁔,􀁒) ∧ 􀁉1 ∧ 􀁉2 ∧ 􀁉3 ∧ 􀁉4 ∧ 􀁉5􀁡 .  \nFive semantic guarantees 􀁇 1 ,...,􀁇5 describe what we want of the deployed system: authorization, path compliance, null effect on deny, history integrity, and replayability. We state soundness under explicit assumptions—EUF-CMA signature unforgeability, hash collision resistance, single-logical-Gateway integrity, Recorder integrity, trace completeness, dependency-declaration completeness, and recorder-clock monotonicity—and prove that any probabilistic polynomial-time adversary that produces a PoE-valid execution violating a semantic guarantee yields either a signature forgery, a hash collision, or a quantified deployment-failure event. The Prime Execution Model (PEM) separates planning, enforcement, effect, and recordkeeping into distinct authority planes; a lemma reduces trace completeness to Effector-exclusive credentialing. An Execution Attestation Certificate (EAC) is issued only when PoE = 1 . In a preliminary single-node TypeScript prototype, PoE adds ≈ 2.7 ms on a minimal flow and 4.4% overhead on concurrent batch workloads. A standard eight-event trace compresses to ≈ 1. 1 KB, and injected Gateway-bypass and trace-mutation attacks are rejected by invariant checks in our test set. PoE does not replace consensus, TEEs, or zkVMs; it binds authorization, effect, history, and replay into a single runtime-checkable object so that governed execution becomes attestable under contract.  \nKeywords: runtime verification · causal provenance · tamper-evident logging · deterministic replay · authorization policy · execution attestation · runtime verification for agentic systems.  \n1 Introduction  \nAgent systems increasingly execute rather than advise. An AI agent can compose a plan, call external tools, apply policy filters, and produce persistent effects without a human intermediary at each step. When execution is compliance-sensitive, the binding question is not whether a terminal output looks correct; it is whether each step was authorized, whether the system stayed within enforced policy, whether durable mutations correspond to permitted actions, and whether the trajectory can be reconstructed. These are questions about the execution trajectory, not its terminal artifact.  \nMainstream architectures answer them only partially. APIs and microservices execute without proving authorization bounds. Distributed tracing systems such as OpenTelemetry [OpenTelemetry Authors, 2024] observe execution for debugging, not for authorization or replay. Consensus Castro and Liskov [1999] agreeson state transitions, not on the off-chain trajectories that produced them. TEEs Costan and Devadas [2016] attest to code integrity inside an enclave; an attested enclave can still take an unauthorized sequence of actions. Verifiable computation Gennaro et al. [2010] and zkVMs prove that a specified function was computed correctly but do not bind authorization, enforcement  \npath, durable effect, or replay cont","cbCaifLG7AfKv5JS","https://ap.wps.com/l/cbCaifLG7AfKv5JS","pdf",324951,1,12,"English","en",105,"# Introduction\n## Motivating domain\n## Why LLM planners specifically\n# Proof of Execution (PoE)\n## Execution model and PoE validity predicate\n## Semantic guarantees and soundness\n# Prime Execution Model (PEM)\n## Authority planes and credentialing\n# Execution Attestation Certificate (EAC)\n## Issuance condition\n# Prototype evaluation\n## Performance and security checks","[{\"question\":\"What problem does “Proof of Execution” address for governed AI agents?\",\"answer\":\"It targets correctness for agents that execute regulated actions, where plausibility of terminal outputs is insufficient. PoE ensures each step is authorized, enforces path compliance, protects history integrity, and enables deterministic replay.\"},{\"question\":\"How is an execution represented in the PoE framework?\",\"answer\":\"Execution is formalized as a triple consisting of a contract, an Execution Causal Event Stream (ECES), and a replay context. PoE validity is determined by well-formedness plus five validator-checkable invariants.\"},{\"question\":\"What does the soundness result guarantee?\",\"answer\":\"Under explicit cryptographic and integrity assumptions, any efficient adversary producing a PoE-valid execution that violates a semantic guarantee must cause a signature forgery, a hash collision, or a quantified deployment-failure event.\"}]",1784184204,30,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":85,"head_meta":87,"extra_data":89,"updated_unix":27},"proof-of-execution-runtime-verification-for-governed-ai-agent-actions","",{"@graph":35,"@context":84},[36,53,67],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/proof-of-execution-runtime-verification-for-governed-ai-agent-actions/82943/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":61,"encodingFormat":60,"isAccessibleForFree":62,"interactionStatistic":63},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-16",true,{"@type":64,"interactionType":65,"userInteractionCount":4},"InteractionCounter",{"@type":66},"ViewAction",{"@type":68,"mainEntity":69},"FAQPage",[70,76,80],{"name":71,"@type":72,"acceptedAnswer":73},"What problem does “Proof of Execution” address for governed AI agents?","Question",{"text":74,"@type":75},"It targets correctness for agents that execute regulated actions, where plausibility of terminal outputs is insufficient. PoE ensures each step is authorized, enforces path compliance, protects history integrity, and enables deterministic replay.","Answer",{"name":77,"@type":72,"acceptedAnswer":78},"How is an execution represented in the PoE framework?",{"text":79,"@type":75},"Execution is formalized as a triple consisting of a contract, an Execution Causal Event Stream (ECES), and a replay context. PoE validity is determined by well-formedness plus five validator-checkable invariants.",{"name":81,"@type":72,"acceptedAnswer":82},"What does the soundness result guarantee?",{"text":83,"@type":75},"Under explicit cryptographic and integrity assumptions, any efficient adversary producing a PoE-valid execution that violates a semantic guarantee must cause a signature forgery, a hash collision, or a quantified deployment-failure event.","https://schema.org",{"og:url":51,"og:type":86,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":88,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":91},[92,96,100,104,109,114,119,121,126,129,133],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":93,"show_sort_weight":94,"slug":95},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":97,"show_sort_weight":98,"slug":99},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":101,"show_sort_weight":102,"slug":103},"Exam",70,"exam",{"id":105,"doc_module":4,"doc_module_name":45,"category_name":106,"show_sort_weight":107,"slug":108},5,"Comic",60,"comic",{"id":110,"doc_module":4,"doc_module_name":45,"category_name":111,"show_sort_weight":112,"slug":113},6,"Technology",50,"technology",{"id":115,"doc_module":4,"doc_module_name":45,"category_name":116,"show_sort_weight":117,"slug":118},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":28,"slug":120},"research-report",{"id":122,"doc_module":4,"doc_module_name":45,"category_name":123,"show_sort_weight":124,"slug":125},9,"Religion & Spirituality",20,"religion-spirituality",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":127,"show_sort_weight":124,"slug":128},"World Cup","world-cup",{"id":130,"doc_module":4,"doc_module_name":45,"category_name":131,"show_sort_weight":130,"slug":132},10,"Lifestyle","lifestyle",{"id":134,"doc_module":4,"doc_module_name":45,"category_name":135,"show_sort_weight":105,"slug":136},19,"General","general"]