/ Discovery Field Notes

The reality of running autonomous agents in production.

Verbatim quotes, incident details, and structural problems compiled from CISO reviews, Head of AI security reports, and compliance audits. Autonomous, non-deterministic agents break traditional syslog and APM aggregates.

/ 22 records matching filter/ 100% Cryptographic Ledger Required
MUTABILITY EXPLOIT/ database tampering

A database admin compromised by phishing altered the audit logs in postgres to hide unauthorized agent actions. Because the logs were mutable, we couldn't prove the breach sequence to the regulator.

Technical Impact

Standard databases are mutable by design. If a root database admin or compromised agent can delete or back-date its own execution history, your compliance audit trails are legally useless.

Director of Security, Regulated Asset Management
MUTABILITY EXPLOIT/ rogue mutations

If your agent has write access to the database containing its own audit logs, it will eventually hallucinate a query that wipes or modifies its history. We learned this the hard way.

Technical Impact

Allowing an autonomous agent to execute dynamic SQL against its own log repository creates a fatal loop. Audit stores must be cryptographically immutable and append-only.

Head of Infrastructure, Enterprise Service Desk
PROMPT INJECTION/ state manipulation

An indirect injection via a customer profile description instructed our support agent to execute refunds. Because the agent operated inside our private subnet, our network firewalls had no idea it was a malicious command.

Technical Impact

WAFs and network firewalls look for traditional payloads, not semantic instructions. When an LLM translates an injected system command into a valid internal API request, traditional boundaries fail.

Chief Information Security Officer, FinTech Gateway
PROMPT INJECTION/ system prompt override

A user injected a prompt via an uploaded resume. The resume parser agent bypassed its instructions and dumped the system prompt, containing private API keys, to the chat. It was logged as a successful 200 OK.

Technical Impact

Unstructured document parsing is the primary vector for indirect prompt injection. Without real-time verification of execution integrity, data leakage goes unnoticed under standard HTTP telemetry.

Staff Security Engineer, HRTech Unicorn
EU AI ACT COMPLIANCE/ un-auditable LLMs

We operate high-risk AI models under the new EU AI Act. Article 12 requires logging of all outputs. If our logs aren't cryptographically verifiable and timestamped by a third-party ledger, we face fines of up to 7% of global turnover.

Technical Impact

Regulatory frameworks require deterministic proof of what an agent did. Simply storing logs in Elasticsearch or Datadog doesn't satisfy compliance, as there is no proof of integrity.

VP of Regulatory Compliance, InsurTech Global
EU AI ACT COMPLIANCE/ traceability failure

A regulator asked us for the exact prompt, temperature, system instructions, and response chain that led to an agent rejecting a loan application. We had the response in Datadog, but we couldn't prove the prompt hadn't been modified in transit.

Technical Impact

To defend automated decisions, you must link user input, prompt templates, system config, and model outputs into a single tamper-evident hash chain.

General Counsel, Digital Lending Platform
ATTRIBUTION CHAOS/ multi-agent blaming

Our orchestration pipeline has 5 agents. Agent A called B, B called C, and C executed a bad API payload. A blamed B, B blamed C's context, and C claimed A's original parameters were corrupted. Without cryptographic receipts, debugging was impossible.

Technical Impact

As agent graphs grow in depth, tracing origin intent becomes a distributed tracing challenge. You need cryptographic signatures at each handoff to establish a reliable chain of custody.

VP Engineering, DevTools SaaS
ATTRIBUTION CHAOS/ signature gap

We had a customer claim an agent acted without their consent. But we couldn't prove that the trigger came from the user's browser session or our agent's autonomous planning. We need signature chains at every step.

Technical Impact

Proving user-initiated intent vs. agent hallucination requires binding the initial client authentication signature to downstream autonomous steps.

Lead Architect, AI Sales Platform
AUDITABILITY GAP/ useless telemetry

OpenTelemetry is for performance, not accountability. When a customer disputes a transaction executed by an AI agent, a trace in Jaeger or Honeycomb isn't a legally defensible proof of intent.

Technical Impact

Jaeger traces show latency and call ordering, but they lack cryptographic seals, signatures, or permanent write protection. Telemetry is easily wiped or spoofed.

CTO, Digital Wealth Platform
AUDITABILITY GAP/ datadog limitations

We dump LLM spans to Datadog. But Datadog has a 30-day retention policy. When an auditor asks for evidence of an agent decision made 6 months ago, we're left empty-handed.

Technical Impact

Compliance audits frequently require multi-year retention of system decision logs. Standard observability tools charge prohibitively for long-term hot storage.

Head of AI Observability, Neobank
ROGUE EXECUTION/ destructive actions

The dev agent hallucinated a branch name, generated a script, and pushed code to our main branch. The CI/CD pipeline built it because the agent had github commit access. The commit was signed by a general service account. We didn't know who or what initiated it.

Technical Impact

Giving write access to LLMs without signing individual agent actions makes it impossible to trace automated pipeline pollution back to the root prompt.

Director of Platform Engineering, Cloud Infrastructure SaaS
ROGUE EXECUTION/ looping APIs

An email agent got stuck in a recursive loop and sent 45,000 automated emails to a single customer, costing us thousands in API fees. The logs were just a massive wall of JSON; we had no way to auto-verify the chain height.

Technical Impact

Autonomous agent execution requires circuit breakers based on audit trail verification. Fact0 provides real-time verification to detect infinite state loops instantly.

Engineering Manager, Customer Engagement Platform
MUTABILITY EXPLOIT/ root admin access

A disgruntled developer with root access to our AWS account modified the audit log table to frame a colleague. Because the audit records weren't hash-linked, there was no way to detect the back-dated insertions.

Technical Impact

To build a legally compliant system, even your own administrators must be incapable of modifying past logs without breaking a cryptographically sealed chain.

Chief Security Officer, Defense Tech Vendor
PROMPT INJECTION/ data exfiltration

An attacker used prompt injection to force the research agent to query internal confluence docs, pack the results into a base64 string, and send it as a webhook payload to a public server. To our firewalls, it looked like a normal outbound API call.

Technical Impact

Agents require strict validation of outbound telemetry and system actions. Fact0 signs outbound outbox events to ensure they match signed intent profiles.

Head of Product Security, Biotech Research Suite
EU AI ACT COMPLIANCE/ verifiability standard

SOC2 Type II requires audit log integrity. Traditional syslog or database tables can be modified. We spent 3 weeks explaining our database write-permissions to auditors when we should have just handed them a cryptographic proof.

Technical Impact

Cryptographic ledgers turn compliance audits from qualitative reviews (interviews and IAM policies) to mathematical checks (proving hashes match block headers).

VP of Compliance & Security, Cyber Security Startup
ATTRIBUTION CHAOS/ un-signed parameters

Our router agent altered the price parameter of an order by 10% during planning. The payment gateway accepted it because the payload came from our server. We couldn't verify if the router did it autonomously or if it was modified in transit by a middleman.

Technical Impact

Every mutation along a multi-step agent flow must carry a signature block matching the exact context and tool execution schema.

Principal Engineer, E-Commerce Platform
AUDITABILITY GAP/ missing context

We have telemetry for the final LLM call, but we lost the intermediate state. The auditor asked: 'Why did the agent decide to search that database in the first place?' We had no record of the agent's thought process, only the SQL query.

Technical Impact

Debugging non-deterministic systems requires capturing the internal scratchpad and execution steps, not just the inputs and outputs.

Lead Compliance Auditor, Healthcare AI
ROGUE EXECUTION/ accidental deletions

Our agent had access to a slack webhook. A prompt injection made it send malicious download links to 3,000 public users. Standard slack logs showed the message source, but not the prompt execution chain that triggered it.

Technical Impact

Action execution without signed origin tracking makes triage and containment of prompt injection attacks incredibly slow.

Security Director, Slack App Publisher
MUTABILITY EXPLOIT/ ledger mutation

We had a customer claim they didn't order a server upgrade. They said we tampered with the logs to cover ourselves. Without an independent public/private key-pair signing every ledger event, it was their word against our database backups.

Technical Impact

Cryptographic receipts enable mathematical proof of non-repudiation. Neither the customer nor the vendor can modify the log retroactively.

Head of Infrastructure, Cloud Provider
PROMPT INJECTION/ jailbreak propagation

A customer jailbroke our booking agent to book a room for $0. The agent then updated the reservation system. The booking system accepted it because the API call came from a trusted server. The downstream system had no concept of 'untrusted origin'.

Technical Impact

Autonomous agent requests carry the highest system privilege. If the origin query is tainted, the downstream mutation is invalid, but legacy backends cannot differentiate.

Lead Architect, Hospitality Platform
EU AI ACT COMPLIANCE/ data provenance

Under the upcoming regulation, we need to prove that the training data and inference logs haven't been tampered with. Standard storage layers don't provide this out of the box.

Technical Impact

The EU AI Act classifies regulated domains (hiring, finance, health) under high-risk tiers, forcing systems to log with provable, tamper-evident chains.

Compliance Director, Autonomous Vehicle Platform
AUDITABILITY GAP/ legal defense

In a medical liability suit, the plaintiff claimed the diagnostic agent gave wrong advice. We had the advice, but we couldn't prove the user had altered the inputs to trick the model. We needed a cryptographically signed receipt of the exact inputs signed by the user's session.

Technical Impact

Without binding client session credentials to the agent prompt chain, you cannot establish user non-repudiation for safety overrides.

Chief Medical Officer & VP Engineering, HealthTech Inc

Stop logging. Start proving.

Fact0 builds a cryptographically signed, immutable, append-only ledger for all agent inputs, prompts, templates, and actions. Protect your systems against liability and leaks today.