Three gates. One proof chain.
Early accessYour AI agents are about to do work your people used to approve. SAR filings. OFAC clearance. Production deploys. ScrambleID Actions puts a gate over every consequential one: a human in the loop, a supervisory agent on it, or an independent agent outside the lineage entirely. One cryptographic chain runs from intent to execution under all three. What lands in the ledger is evidence, not narrative. Actions, the third product of ScrambleID Proof, is in early access at Equifax.
The signature says the agent did it, signed at the moment of action, bound to the policy that authorized it and the cosigner who approved it. The chain says the record hasn't moved since. The customer, the regulator, or the court runs scramble-audit-verify and gets the same answer ScrambleID gets.
Grant prod IAM role to deploy-bot
deploy-bot · AWS prod account · IAM
CEDAR POLICY PASSED · HITL THRESHOLD HIT
. Action: Grant prod IAM role to deploy-bot. deploy-bot · AWS prod account · IAM. CEDAR POLICY PASSED · HITL THRESHOLD HIT.deploy-bot@acme.com
non-human · CI/CD
0x9e21...c7b4
just now
. Hash 0x9e21...c7b4, just now.PENDING CO-SIGN
alex.chen@acme.com
platform lead
. Status: PENDING CO-SIGN. Cosigner: alex.chen@acme.com, platform lead.Cancel customer subscriptions
248 accounts · downgrade campaign
. Action: Cancel customer subscriptions. 248 accounts · downgrade campaign.retention-agent@acme.com
non-human · AI agent
0xc2e1...d4a8
14:32:18 UTC
. Hash 0xc2e1...d4a8, 14:32:18 UTC.SIGNED
supervisor-agent@acme.com
review agent
. Status: SIGNED. Cosigner: supervisor-agent@acme.com, review agent.Use profile for model training
opt-in consent flow · personalization
. Action: Use profile for model training. opt-in consent flow · personalization.personalization-agent@acme.com
non-human · AI agent
0x4d72...91fa
14:30:05 UTC
. Hash 0x4d72...91fa, 14:30:05 UTC.SIGNED
janet.harris@gmail.com
consumer
. Status: SIGNED. Cosigner: janet.harris@gmail.com, consumer.OFAC sanctions clearance
low-confidence SDN match · Acme Holdings
. Action: OFAC sanctions clearance. low-confidence SDN match · Acme Holdings.sanctions-agent@acme.com
non-human · AI agent
0x1c5b...e7d2
14:27:13 UTC
. Hash 0x1c5b...e7d2, 14:27:13 UTC.SIGNED
compliance@acme.com
compliance officer
. Status: SIGNED. Cosigner: compliance@acme.com, compliance officer.Wire transfer authorization
$4.2M outbound · CTR triggered
. Action: Wire transfer authorization. $4.2M outbound · CTR triggered.wire-agent@acme.com
non-human · AI agent
0x9b3f...4e2a
14:25:02 UTC
. Hash 0x9b3f...4e2a, 14:25:02 UTC.SIGNED
treasury@acme.com
treasury lead
. Status: SIGNED. Cosigner: treasury@acme.com, treasury lead.PENDING APPROVAL
Grant prod IAM role to deploy-bot
deploy-bot · AWS prod account
deploy-bot
non-human · CI/CD
Grant role
prod account
AWS
Actions
1 pending
deploy-bot
non-human · CI/CD
Grant role
prod account
AWS
deploy-bot is requesting your approval
Grant prod IAM role to deploy-bot
Gives deploy-bot write access to the production AWS account.
Privileged · Grants standing write access to production.
ScrambleIDTHE CHAIN IS THE EVIDENCE.
RBAC, Cedar, OPA, Splunk, Datadog, Jira: the modern enterprise stack is good at decision and observability. None of it produces evidence. The four threats below describe what fails when an AI agent executes a regulated action and the audit chain has to hold up to a regulator, a court, or a customer dispute.
THREAT . 01
Audit logs are mutable. They can be tampered with, redacted, or silently deleted between the action and the audit. SEC 17a-4 demands records be "non-rewritable, non-erasable" because the regulators already learned this lesson. A log line that says "approved" is a claim, not proof.
THREAT . 02
RBAC, Cedar, OPA, IAM policies evaluate at request time. They return a decision. They don't cryptographically bind that decision to the record of what the action actually did. The policy engine logged "allow." The audit log recorded "action happened." Nothing connects the two.
THREAT . 03
When an AI agent files a SAR or executes an OFAC clearance, the regulator wants a named human in the chain. BSA requires it. OFAC requires it. EU AI Act Article 14 requires qualified human oversight on high-risk AI systems. A database row that says "approved by aml-agent@acme.com" satisfies none of these.
THREAT . 04
GDPR and CCPA require consumer consent for high-impact AI uses like profile training and individualized decisioning. Today's pattern is a banner click stored as a row in a database. When the model trains on the consumer's profile six months later, nothing cryptographically binds the consent to that specific action. The legal cover is there. The evidence is not.
Over any consequential action an agent takes, you need to be able to stop it, and to prove what was intended versus what ran. ScrambleID gives you three gates and one cryptographic chain from intent to execution through every one.
IN THE LOOP
Shipping. Early access.A named person approves before the action proceeds, and can stop it. The approver signs exactly what will run, not text the agent supplied. Delivered through the human surfaces: a push to the ScrambleID app, biometric on web, a prompt at the workstation.
ON THE LOOP
Roadmap.An in-lineage supervisor agent approves or stops the consequential actions of the agents beneath it, within policy, at machine speed, without pulling a human into every step. This is how the gate scales when summoning a person each time would not.
OUT OF LINEAGE
Roadmap.An oversight agent with no delegation tie to the actor can stop a consequential action by a subordinate, or by an agent it does not control. Because it sits outside the actor's lineage, compromising the actor does not compromise the overseer. This is the part a customer cannot build for itself: independence has to come from outside its own walls. The proof survives total compromise, because you hold the key, not us. Independent where it must be, off your critical path where it should be, and yours.
On the auth path, no approval means no token and no action: the gate stops it. Off the path, the gate refuses and emits signed proof of the violation. Either way, nothing acts in your name without your intent, and the chain proves it from intent to execution.
Four regulated workflows where Actions makes per-action authority defensible end to end. The principal acts. The cosigner approves. The chain records. The regulator verifies.
SCENARIO . 01
An AML agent detects structured deposits flagged on account 4732. Cedar policy says any SAR submission requires a named BSA officer cosignature. The agent drafts the SAR. The agent signs the request. The BSA officer on call gets a push to their ScrambleID app and a prompt at their workstation, and cosigns with Touch ID. The verifier issues the record. FinCEN gets a SAR with cryptographic proof of human review, not a database claim.
SCENARIO . 02
A retention agent proposes downgrading 248 customer accounts as part of a campaign. Policy says any bulk customer-impact action above 100 accounts requires a supervisor-agent cosignature with an audit reason. The supervisor agent evaluates the campaign manifest, cosigns with a structured reason field, and the record lands in the chain. The autonomous swarm has accountability inside itself. A customer dispute resolves with the signed reason, not a postmortem reconstruction.
Supervisory-agent cosign is on the roadmap.
SCENARIO . 03
A personalization agent proposes using a customer's profile for model training in the opt-in personalization flow. Policy says consumer profile use for training requires a per-action consumer cosignature, not a stored banner click. The customer gets a push asking them to approve this specific action, and cosigns from their phone. The chain ties the consent to the model-training action with a cryptographic signature, not a row in a consent table. GDPR and CCPA defensibility is bound to the action, not to a checkbox from eight months ago.
SCENARIO . 04
A CI bot proposes deploying payment-service v2.4.1 to production. Policy says any production payment-service deploy requires the on-call platform lead's cosignature. The on-call platform lead cosigns from their workstation after reviewing the deploy diff. The record lands in the chain with the bot's signature, the platform lead's cosignature, and the verifier's acceptance. Change-management lineage is the cryptographic chain, not the Jira ticket.
ScrambleID Actions works as a layer that composes with your existing identity stack. Cedar evaluates. Cosigner signs. Verifier records. Anyone verifies. Five steps, every one cryptographic.
Same primitive your team already knows. The policy is committed, reviewable, and diff-able alongside the agent code.
Policy-bound, not workflow-bound. No external Jira ticket, no out-of-band approval queue. The cosign requirement is in the policy that evaluates the action.
Workstation Touch ID, mobile biometric, or hardware key. The cosignature is a real cryptographic signature using the same primitive as the agent's signature, not a button click in a workflow app.
Principal (the agent or human acting), cosigner (when policy required one), verifier (the ScrambleID service that accepted the request). Each signature is in the record, not in a separate audit table.
Anyone with the chain verifies it with scramble-audit-verify CLI. Every verifier becomes an independent arbiter, outside the lineage and outside ScrambleID. The chain holds even if ScrambleID is unavailable.
Comparison against the categories enterprises already deploy: log aggregators, policy engines, approval workflows, and per-document e-signature. Each does some of the work. None of them produce evidence at the action layer.
Swipe sideways to compare. ScrambleID is the highlighted column.
| Dimension | Splunk / Datadog | Cedar / OPA alone | Jira / ServiceNow | DocuSign | ScrambleID Actions |
|---|---|---|---|---|---|
| Per-action cryptographic signature on the record | Nolog line only | Nodecision only | Noworkflow status | Per-document only | Yesevery action |
| Cosign trigger bound to policy, not workflow | Noworkflow-bound | Nopolicy without cosign | Noworkflow-bound | Notemplate-bound | Yespolicy-bound |
| Immutable hash chain (records can't be backdated or deleted) | Nomutable | Non/a | Nomutable | Doc-level immutability | Yeschain-level |
| Customer-verifiable independent of vendor | Novendor-trust | Non/a | Novendor-trust | Vendor-verifiable | Yesopen chain |
| Regulatory defensibility for BSA, OFAC, EU AI Act Article 14 | Partiallogs only | Nodecision only | Partialworkflow record | Partialper-doc | Yessignature + chain |
| Works for AI agents and humans on the same primitive | n/a | Partialhumans via UI | Partialhumans only | Nohumans only | Yesboth |
| Chain holds if vendor goes away | No | Novendor-bound | Novendor-bound | Novendor-bound | Yeschain holds |
Cedar and OPA return policy decisions. They don't cryptographically bind those decisions to the records of what got executed. ScrambleID Actions uses Cedar (or OPA) as the policy primitive and adds a cryptographic signature, a cosignature when policy requires one, and an immutable hash chain on the record. You keep your policy engine. You add the proof layer it can't deliver.
DocuSign signs documents. Actions signs actions. A SAR filing, a bulk customer cancel, a production deploy, a model-training run on consumer data: these are actions, not documents. There's no PDF to print and sign. The signature has to bind to the action's manifest and to the policy that authorized it, at the moment the action runs.
Yes. The `scramble-audit-verify` CLI is open. The customer (or a regulator, or a court) takes the chain, runs the CLI, and gets a cryptographic verification independent of ScrambleID's services. The chain holds even if ScrambleID is unavailable, sold, or sued.
Both. The cryptographic primitive doesn't care whether the principal is a human, an AI agent, or a machine. A workforce action that requires a cosign (a wire transfer, a privileged data export, a production change) goes through the same signature-policy-cosign-chain path. The same chain holds the human-only records and the agent-cosigned records.
The record carries three signatures: the principal who acted, the cosigner that policy required, and the verifier that accepted the request. The hash chain proves the record hasn't moved since write. The CLI verifies the chain independently. Courts and regulators don't need to trust ScrambleID; they trust the cryptography. A signed, hash-chained, customer-verifiable record meets the standard SEC 17a-4 was written to enforce.
Agent adoption is outrunning the controls for it. Gartner expects 40% of enterprise applications to include task-specific AI agents by 2026, up from under 5% in 2025, and the governance frameworks are converging on what Actions does. The OWASP Top 10 for Agentic Applications (2026) names agent identity and privilege abuse (ASI03) and human-agent trust exploitation (ASI09); Actions binds an agent's identity to what policy authorizes and keeps a named human accountable. A February 2026 NIST NCCoE concept paper on AI agent identity and authorization calls for linking user identities to agents for accountability and tying each action back to its identity for auditability and non-repudiation, the model Actions is built on. The Cloud Security Alliance's AI Controls Matrix, 243 control objectives across 18 domains, targets the same oversight and accountability gaps. Actions answers all three with a signature on every action, a cosigner wherever policy demands one, and a hash chain anyone can verify.
This is the rung the others roll up into. Every proven action carries the proven identity of who acted: the person, the machine, the agent.
See the whole railNON-HUMANS
The agents your Actions chain signs.
Per-agent identity. Per-action proof. Zero static secrets. The runtime layer that Actions sits on top of.
HUMANS
The cosigners your Actions chain names.
Workforce, contact center, frontline, and people verification. The human side of the cosign relationship.
ARCHITECTURE
How Actions fits the cryptographic spine.
The 3-band stack. The trust roots. The verifier topology. The ledger model. End-to-end.
Per-action authority. In early access at Equifax. Ready for yours.
One identity primitive across every principal in your stack: humans, agents, and the actions both take.
Request early access →