Decision Trace™

A log records an event.
A Decision Trace records a judgment.

The policy evaluated. The identity asserted. The authority delegated. The inputs scanned. The result — generated inline, deterministically, by a control plane the agent cannot reach.

01 — ANATOMY

Inside a signed record.

VERIFIED · sha256:0a91e2b4…7c
DENY
SUBJECT
agenteng-doc-generator@v3.2 identitydid:behavry:agent:7af2… delegated_byuser:rachel.k (read-only) actionfilesystem.write target/etc/payment-config.yaml riskCRITICAL · destructive · prod
EVALUATION
policydeny_write_prod_fs evaluatorbehavry.opa.v1 inputshashed (sha256) resultDENY reasonauthority ⊄ action.required
ATTESTATION
signerbehavry.control-plane.us-east-1 signed_at2026-05-06T14:22:17Z parentsha256:8b14… (depth: 3) chainverified
02 — WHY IT HOLDS UP

Four properties a log can't claim.

01

Independent

Signed by the control plane, not the agent.

02

Deterministic

Same inputs, same decision, every time.

03

Hash-chained

Linked to causal parents. Tamper-evident.

04

Inline-only

Out-of-band tools cannot generate it.

03 — RESOLUTIONS

Every decision resolves three ways.

Allow, Deny, Intercept — each structurally distinct, each recorded as evidence. Enforcement is earned over time; the record is produced from day one.

ALLOW
Permit and proceed.

Admissible under current policy. A Decision Trace is recorded as evidence.

DENY
Block before execution.

The request never reaches the target. The agent receives a structured refusal it can reason about.

INTERCEPT
Pause for human authority.

Held for delegated authority the agent does not hold. An approver decides.

THE DOCTRINE

“The entity that acts cannot attest to its own behavior.”

Agents cannot credibly attest to themselves. Neither can their vendors, nor the SIEM. Only an inline, structurally-independent record is admissible — and Behavry produces it.

See a Decision Trace from your own traffic.

We'll reconstruct a real cross-platform sequence and hand you the signed record.

Talk to Us →