| Internet-Draft | Agent Cross-Domain Audit | March 2026 |
| Nennemann | Expires 7 September 2026 | [Page] |
This document defines standardized formats and protocols for maintaining audit trails when autonomous agents operate across multiple administrative domains and organizations with divergent regulatory requirements. It additionally specifies mechanisms for tracking, recording, and settling agent resource consumption across domain boundaries.¶
The cross-domain audit trail format extends the Execution Audit Token (EAT) defined in [I-D.nennemann-exec-audit] with regulatory profile metadata, audit trail stitching identifiers, and selective disclosure controls. The resource accounting framework introduces metering points, consumption records, and a settlement protocol for multi-domain agent deployments.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Autonomous agent workflows increasingly span multiple administrative domains, each subject to distinct regulatory regimes. An agent operating in the European Union must satisfy GDPR data protection requirements; the same workflow may cross into a US domain governed by HIPAA for healthcare data or SOX for financial reporting. Each domain maintains its own audit infrastructure, retention policies, and disclosure obligations.¶
This document addresses two gaps identified in [I-D.nennemann-agent-gap-analysis]:¶
No standardized mechanism exists for maintaining coherent audit trails when agent workflows cross organizational boundaries with different regulatory requirements. Existing audit systems are domain-local and cannot correlate execution records across trust boundaries without leaking regulated information.¶
Agent workflows consume computational resources -- CPU cycles, network bandwidth, storage, API calls, and large language model token usage -- across multiple domains. No standard format exists for metering these resources, attributing consumption to specific agents or tasks, and settling costs across organizational boundaries.¶
This document builds on the Execution Audit Token (EAT) format defined in [I-D.nennemann-exec-audit] and the Execution Context Token (ECT) defined in [I-D.nennemann-wimse-ect]. It extends both with cross-domain audit claims and resource accounting fields while preserving backward compatibility.¶
This document defines:¶
Cross-domain audit record format extending EAT (Section 3.1)¶
Regulatory profile mapping for GDPR, SOX, and HIPAA (Section 3.3)¶
Audit trail stitching protocol for cross-domain correlation (Section 3.4)¶
Selective disclosure mechanisms for privacy-preserving audit (Section 3.5)¶
Resource metering model and consumption record format (Section 4.1)¶
Billing integration and settlement protocol (Section 4.3)¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The following terms are used in this document:¶
An administrative boundary within which a single set of audit policies, retention requirements, and regulatory obligations apply uniformly.¶
The point at which an agent workflow transitions from one audit domain to another, triggering boundary crossing records and potential selective disclosure.¶
A machine-readable identifier specifying the regulatory framework (e.g., GDPR, SOX, HIPAA) governing audit records within an audit domain.¶
A single entry in the cross-domain audit trail, extending the EAT format with domain-specific metadata and cross-reference identifiers.¶
The process of correlating audit records across domain boundaries to reconstruct end-to-end workflow execution history without requiring full data disclosure.¶
A mechanism allowing an audit record holder to reveal only specific claims to a verifier while proving the integrity of the complete record.¶
A component that measures agent resource consumption at defined metering points within the execution pipeline.¶
A signed attestation of resource usage by an agent or task, including resource type, quantity, and attribution metadata.¶
The process of reconciling consumption records across domain boundaries and resolving financial obligations between organizations.¶
Cross-domain audit trails follow a federated architecture where each domain maintains sovereign control over its audit records while enabling end-to-end trail reconstruction through cryptographic stitching.¶
+------------------+ +------------------+ +------------------+
| Domain A | | Domain B | | Domain C |
| (GDPR) | | (SOX) | | (HIPAA) |
| | | | | |
| +------+ +----+ | | +------+ +----+ | | +------+ +----+ |
| |Agent | |Audit| | | |Agent | |Audit| | | |Agent | |Audit| |
| | A1 |->| Log| | | | B1 |->| Log| | | | C1 |->| Log| |
| +------+ +--+-+ | | +------+ +--+-+ | | +------+ +--+-+ |
| | | | | | | | |
| +---------+ | | | +---------+ | | | +---------+ | |
| |Reg. | | | | |Reg. | | | | |Reg. | | |
| |Profile | | | | |Profile | | | | |Profile | | |
| +---------+ | | | +---------+ | | | +---------+ | |
+--------------+----+ +--------------+----+ +--------------+----+
| | |
v v v
+-----+-------------------------+-------------------------+----+
| Cross-Domain Audit Stitching Layer |
| |
| Boundary Crossing Records + Correlation Identifiers |
+--------------------------------------------------------------+
Each domain operates independently with its own audit log and regulatory profile. The stitching layer connects audit records across boundaries using cryptographic cross-references without requiring domains to share raw audit data.¶
The cross-domain audit record extends the EAT payload defined in [I-D.nennemann-exec-audit] with additional claims for domain identification, regulatory context, and cross-referencing.¶
The base audit record is a JSON object carried as the payload of a JWS [RFC7515] with the following claims:¶
{
"iss": "https://domain-a.example.com/audit",
"sub": "agent:a1:task:12345",
"iat": 1700000000,
"jti": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
"eat_ref": "urn:uuid:a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"aud_domain": "domain-a.example.com",
"reg_profile": "gdpr-v1",
"xref": {
"prev_domain": "domain-b.example.com",
"prev_jti": "urn:uuid:12345678-abcd-ef01-2345-678901234567",
"boundary_id": "urn:uuid:bnd-98765432-dcba-10fe-5432-109876543210"
},
"task_desc": "Process customer data enrichment",
"inputs_hash": "sha256:abc123...",
"outputs_hash": "sha256:def456...",
"assurance_level": "L2"
}
¶
The claims are defined as follows:¶
REQUIRED. A reference to the corresponding Execution Audit Token for this task, enabling correlation between the audit record and the execution context.¶
REQUIRED. The fully qualified domain name of the audit domain that produced this record.¶
REQUIRED. The regulatory profile identifier governing this audit record. See Section 3.3.¶
OPTIONAL. Cross-reference object for audit trail stitching. Present when this record follows a domain boundary crossing. See Section 3.4.¶
Each regulatory profile MAY define additional required claims. Domain-specific extensions are carried in a "domain_ext" object:¶
{
"domain_ext": {
"gdpr": {
"data_subject_category": "customer",
"processing_purpose": "enrichment",
"legal_basis": "legitimate_interest",
"retention_days": 730,
"dpo_contact": "dpo@domain-a.example.com"
}
}
}
¶
Cross-reference identifiers enable trail stitching without requiring access to the full audit records of other domains:¶
A globally unique identifier assigned at the domain boundary crossing point. Both the outgoing record in the source domain and the incoming record in the destination domain carry the same boundary_id.¶
The JTI of the last audit record in the preceding domain. This enables sequential chain verification.¶
The audit domain identifier of the preceding domain.¶
A regulatory profile is identified by a string of the form "{framework}-v{version}". This document defines the following initial profiles:¶
| Profile ID | Framework | Required Claims | Retention |
|---|---|---|---|
| gdpr-v1 | EU GDPR | data_subject_category, processing_purpose, legal_basis, retention_days | Per purpose |
| sox-v1 | US SOX | control_objective, control_id, evidence_class, attestor | 7 years |
| hipaa-v1 | US HIPAA | phi_category, access_purpose, minimum_necessary, covered_entity | 6 years |
Each profile maps to a set of required and optional claims in the "domain_ext" object. An audit record MUST include all required claims for its declared regulatory profile. A verifier MUST reject records missing required claims.¶
REQUIRED claims: data_subject_category, processing_purpose, legal_basis, retention_days. OPTIONAL claims: dpo_contact, cross_border_transfer, data_categories, recipients.¶
REQUIRED claims: control_objective, control_id, evidence_class, attestor. OPTIONAL claims: deficiency_flag, management_response, test_procedure.¶
REQUIRED claims: phi_category, access_purpose, minimum_necessary, covered_entity. OPTIONAL claims: business_associate, disclosure_authorization, breach_risk_assessment.¶
Regulatory metadata is carried as claims in the EAT payload under the "reg_meta" key:¶
{
"reg_meta": {
"profile": "gdpr-v1",
"jurisdiction": "EU",
"supervisory_authority": "de-bfdi",
"cross_border": true,
"adequacy_decision": "eu-us-dpf",
"retention_expiry": 1763078400
}
}
¶
When a workflow crosses a domain boundary, the following protocol ensures audit trail continuity:¶
The source domain creates a boundary crossing record containing the last audit record's JTI and a newly generated boundary_id.¶
The source domain signs the boundary crossing record and transmits it to the destination domain along with the agent handoff.¶
The destination domain creates its first audit record with an xref object referencing the boundary_id and the source domain's last JTI.¶
Both domains independently log the boundary crossing record in their respective audit ledgers.¶
A boundary crossing record is a JWS-signed JSON object:¶
{
"type": "boundary_crossing",
"boundary_id": "urn:uuid:bnd-98765432-dcba-10fe-5432-109876543210",
"source_domain": "domain-a.example.com",
"dest_domain": "domain-b.example.com",
"source_last_jti": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
"crossing_time": 1700000100,
"workflow_id": "urn:uuid:wf-11111111-2222-3333-4444-555555555555",
"source_reg_profile": "gdpr-v1",
"dest_reg_profile": "sox-v1",
"disclosed_claims": ["task_desc", "inputs_hash", "outputs_hash"],
"redacted_claims": ["data_subject_category", "processing_purpose"]
}
¶
The "disclosed_claims" and "redacted_claims" arrays enumerate which claims from the source domain's audit record are visible to the destination domain and which are withheld for privacy.¶
An auditor with access to multiple domains can reconstruct the full workflow trail by following the chain of boundary_id references. When an auditor lacks access to a particular domain, the trail contains a gap that can be verified structurally (the boundary crossing records on either side reference the same boundary_id) without revealing the content of the missing domain's records.¶
This allows privacy-preserving end-to-end audit where each domain proves its segment of the trail without exposing regulated data to unauthorized parties.¶
Cross-domain audit records MAY use Selective Disclosure JWT (SD-JWT) [SD-JWT] mechanisms to enable fine-grained claim disclosure. When an audit record is issued, the issuer creates an SD-JWT where each claim can be independently disclosed or withheld.¶
An SD-JWT audit record replaces direct claims with hashed disclosures:¶
{
"iss": "https://domain-a.example.com/audit",
"aud_domain": "domain-a.example.com",
"reg_profile": "gdpr-v1",
"_sd": [
"WyJ...base64url-encoded disclosure hash..."
],
"_sd_alg": "sha-256"
}
¶
Individual claims are disclosed by providing the corresponding disclosure values alongside the SD-JWT.¶
Each audit domain declares a visibility policy specifying which claims are:¶
Public: Disclosed to all domains in the workflow trail.¶
Boundary: Disclosed only to the immediate upstream and downstream domains.¶
Private: Never disclosed outside the originating domain.¶
The visibility policy is declared in the regulatory profile and enforced at each domain boundary crossing.¶
When an audit record crosses a domain boundary, the following rules apply:¶
Claims classified as "private" MUST be redacted using SD-JWT disclosures. The destination domain receives proof that the claims exist but cannot read their values.¶
Claims classified as "boundary" MUST be disclosed to the immediate destination domain but redacted for subsequent domains in the chain.¶
Claims classified as "public" MUST be disclosed to all domains.¶
The minimum set of public claims required for trail stitching is: jti, boundary_id, aud_domain, and crossing_time.¶
This document defines the following resource types for agent metering:¶
| Resource Type | Unit | Description |
|---|---|---|
| compute | cpu-ms | CPU time in milliseconds |
| memory | byte-s | Memory usage in byte-seconds |
| network_egress | bytes | Outbound network transfer |
| network_ingress | bytes | Inbound network transfer |
| storage | byte-s | Persistent storage in byte-seconds |
| api_calls | count | External API invocations |
| llm_tokens | count | Large language model tokens consumed |
| gpu_compute | gpu-ms | GPU time in milliseconds |
Resource meters are placed at defined points in the agent execution pipeline:¶
Task Ingress: Resources consumed receiving and parsing task inputs.¶
Execution: Resources consumed during task execution proper.¶
Tool Invocation: Resources consumed by each tool call within a task.¶
Task Egress: Resources consumed producing and transmitting task outputs.¶
Audit Overhead: Resources consumed generating and transmitting audit records themselves.¶
Each metering point produces a meter reading that is included in the task's consumption record.¶
A meter reading is a JSON object:¶
{
"meter_point": "execution",
"resource_type": "llm_tokens",
"quantity": 4096,
"unit": "count",
"start_time": 1700000000,
"end_time": 1700000005,
"confidence": "measured"
}
¶
The "confidence" field indicates whether the reading is "measured" (exact instrumentation), "estimated" (statistical sampling), or "allocated" (apportioned from a shared pool).¶
Resource consumption is recorded as claims in the EAT payload under the "resource" key:¶
{
"resource": {
"agent_id": "spiffe://domain-a.example.com/agent/a1",
"task_id": "urn:uuid:a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"domain": "domain-a.example.com",
"period": {
"start": 1700000000,
"end": 1700000010
},
"meters": [
{
"meter_point": "execution",
"resource_type": "compute",
"quantity": 2500,
"unit": "cpu-ms",
"confidence": "measured"
},
{
"meter_point": "execution",
"resource_type": "llm_tokens",
"quantity": 4096,
"unit": "count",
"confidence": "measured"
},
{
"meter_point": "tool_invocation",
"resource_type": "api_calls",
"quantity": 3,
"unit": "count",
"confidence": "measured"
}
]
}
}
¶
When a workflow DAG spans multiple tasks, consumption records can be aggregated to produce a workflow-level resource summary. The aggregation MUST:¶
In shared infrastructure deployments, resource meters MUST provide tenant isolation guarantees:¶
Settlement between domains follows a three-phase protocol:¶
Each domain produces a signed usage report summarizing consumption records for a billing period. The report is signed using the domain's audit signing key.¶
Participating domains exchange usage reports and verify that boundary crossing records match. Discrepancies are flagged for manual review.¶
Reconciled usage is converted to monetary amounts using pre-agreed rate cards. Settlement records are logged in each domain's audit ledger.¶
A usage report is a JWS-signed JSON object:¶
{
"type": "usage_report",
"reporter_domain": "domain-a.example.com",
"billing_period": {
"start": 1700000000,
"end": 1702592000
},
"counterparty_domain": "domain-b.example.com",
"summary": [
{
"resource_type": "compute",
"total_quantity": 15000000,
"unit": "cpu-ms",
"task_count": 1250
},
{
"resource_type": "llm_tokens",
"total_quantity": 5242880,
"unit": "count",
"task_count": 1250
}
],
"detail_hash": "sha256:fedcba987654...",
"rate_card_ref": "urn:uuid:rc-aabbccdd-1122-3344-5566-778899001122"
}
¶
The "detail_hash" is a hash of the full set of per-task consumption records, enabling the counterparty to request and verify individual records during dispute resolution.¶
Domains MAY enforce fair-use policies on agent resource consumption:¶
Rate Limiting: Domains MAY impose per-agent or per-workflow rate limits on resource types. Rate limit policies SHOULD be communicated in the boundary crossing record.¶
Budget Caps: Workflows MAY carry a resource budget in the ECT that specifies maximum consumption per resource type. Agents MUST NOT exceed the declared budget without obtaining a revised ECT.¶
Anomaly Detection: Domains SHOULD monitor consumption patterns and flag anomalous usage (e.g., token consumption 10x above the workflow's declared budget).¶
The cross-domain audit and resource accounting claims defined in this document extend the existing token formats as follows:¶
The ECT payload is extended with a "resource_budget" claim specifying per-resource-type consumption limits for the workflow. The ECT MAY also carry a "reg_profiles" array listing the regulatory profiles that the workflow is expected to traverse.¶
The EAT payload is extended with the "aud_domain", "reg_profile", "reg_meta", "xref", "domain_ext", and "resource" claims defined in this document. These claims are OPTIONAL for single-domain deployments and REQUIRED for cross-domain workflows.¶
Existing ECT and EAT processors that do not recognize the new claims MUST ignore them per standard JWT processing rules [RFC7519]. Cross-domain audit functionality degrades gracefully: single-domain deployments continue to function without modification.¶
Because each domain signs its own audit records independently, a compromised domain can fabricate or alter its segment of the audit trail. Mitigations include:¶
Requiring Level 3 assurance (ledger-anchored EATs) for cross-domain workflows in regulated environments.¶
Cross-domain ledger anchoring as defined in [I-D.nennemann-exec-audit] to detect tampering after the fact.¶
Independent third-party audit of boundary crossing records.¶
A malicious domain could under-report resource consumption to reduce settlement obligations or over-report to inflate charges. Mitigations include:¶
Bilateral verification of boundary crossing records, which constrain the plausible range of resource consumption.¶
Statistical sampling and spot-checking of consumption records against actual infrastructure metrics.¶
Requiring "measured" confidence level for high-value resource types and rejecting "estimated" readings above a threshold.¶
Even with selective disclosure, the structure of the audit trail (timing, frequency, and pattern of boundary crossings) can leak information about the nature of the workflow. Mitigations include:¶
An adversary with access to multiple boundary crossing records could attempt to correlate redacted claims across domains. SD-JWT provides unlinkability guarantees when fresh salts are used for each disclosure. Implementations MUST use cryptographically random salts of at least 128 bits for each SD-JWT disclosure.¶
This document requests registration of the following claims in the JSON Web Token Claims registry established by [RFC7519]:¶
| Claim Name | Description | Reference |
|---|---|---|
| aud_domain | Audit domain identifier | This document |
| reg_profile | Regulatory profile identifier | This document |
| reg_meta | Regulatory metadata object | This document |
| xref | Cross-domain reference object | This document |
| domain_ext | Domain-specific extension claims | This document |
| resource | Resource consumption record | This document |
| resource_budget | Resource budget limits | This document |
This document establishes a new "Agent Audit Regulatory Profiles" registry. The registration policy is Specification Required [RFC8126].¶
Initial registrations:¶
| Profile ID | Framework | Reference |
|---|---|---|
| gdpr-v1 | EU General Data Protection Regulation | This document |
| sox-v1 | US Sarbanes-Oxley Act | This document |
| hipaa-v1 | US Health Insurance Portability and Accountability Act | This document |
The author thanks the participants of the NMOP working group for their feedback on agent management and operational challenges.¶