Key insight

A chain of custody is an unbroken, tamper-evident record of who handled something and what they did — one missing link makes the whole record questionable, even if nothing actually went wrong. AI agents make this both more important (they act fast and consequentially) and harder (shared identities and unlogged actions leave gaps exactly where you need proof).

When police collect an item of evidence, every single person who touches it afterward signs for it, notes the date and time, and records what they did with it. That signed, unbroken record is a chain of custody, and its entire purpose is to let someone later prove that the item shown today is genuinely the same item collected at the start, unchanged along the way. This article builds that idea up and applies it to digital things, including the actions of AI agents.

1 · Where the idea comes from: physical evidence

The power of a chain of custody is subtle: it does not prevent tampering directly. What it does is make tampering provable or disprovable. If every hand that touched an item is recorded, then either the record is complete and the item is trustworthy, or there is a gap, and everyone knows exactly where trust breaks down. A single missing signature is enough for a court to doubt the whole thing — not because anything necessarily went wrong, but because nobody can prove nothing did.

2 · The two properties that make it trustworthy

An unbroken chain of custody with each handler signed, compared to one with a missing link On top, four green boxes each labelled with a handler and a signature connect in an unbroken chain marked trustworthy. Below, the same chain has one link greyed out and marked unsigned, and the whole chain is marked questionable, illustrating that one missing link undermines the entire record. Collectedsigned Analystsigned Storagesigned Courtsigned unbroken → trustworthy Collectedsigned ?unsigned Storagesigned Courtsigned one gap → the whole chain is questionable
Figure 1. The value is not in preventing tampering directly — it is in making any gap in the record impossible to hide.

3 · Chain of custody for digital things

Computer systems borrow this exact idea for digital artifacts. A piece of software before it ships, a sensitive document, a financial or legal record — each benefits from a complete history of who created it, who changed it, and who approved it, recorded in a tamper-evident way. In software specifically, this shows up as signed commits, signed build artifacts, and approval records, so that the code that reaches a customer can be traced, link by link, back to a specific author and a specific review, with any later tampering detectable.

4 · A worked example: one file, five hands

A sensitive report is created by an analyst, reviewed by a manager, edited by a compliance officer, exported by an automated system, and finally sent to an outside partner. With a chain of custody, each of those five steps is recorded and attributed: who did it, when, and what changed. If the partner later claims the figures were altered, the record settles it immediately — every change is attributed and tamper-evident, so either the alteration is right there in the record, or it demonstrably never happened. Without such a record, the same dispute becomes an unwinnable argument, because nobody can prove which of the five hands, if any, changed anything.

5 · Why AI agents make attribution harder

An AI agent, software that decides on its own which tools to call and which actions to take, can take many consequential actions very quickly. When something goes wrong, the first question is always the same: which agent, running which task, took which action? An unbroken custody record is the only fast answer. The trouble is that two common shortcuts destroy attribution exactly where you need it most: running many unrelated agents under one shared identity, so the log cannot tell them apart, and letting an agent act without recording what it did and why. Both leave a gap in the chain precisely at the moment of the consequential action, so you are left unable to prove what happened even when nothing was hidden on purpose.

An attributed agent action with a complete record compared to a shared-identity action with a broken chain On the left, a green agent box with a distinct identity connects to a signed, timestamped record. On the right, three agents share one identity connecting to a record marked which one? illustrating that a shared identity breaks attribution. Agent Aown identity Signed recordwho, when, what 3 agents,one identity which one?
Figure 2. A shared identity is a broken link before anything even goes wrong — it removes the “who” from every record it touches.

6 · Building a chain of custody on purpose

7 · A simple test you can run this week

Try this before an incident forces the question

1. Pick one important artifact, or one AI agent action, that matters to you.
2. Try to reconstruct, from records alone, exactly who created or triggered it, when, and what changed.
3. Note the first point where the trail goes cold or the “who” becomes ambiguous.
4. That point is your broken link — close it before you need it in a dispute.

8 · Glossary — every short-form term, spelled out

Chain of custody
An unbroken, tamper-evident record of everyone who handled something and exactly what they did to it.
Attribution
Tying every recorded action to a specific, identified person or system, never an anonymous change.
Tamper-evidence
Keeping a record so that a later secret change would leave visible traces, rather than being undetectable.
Artifact
A specific thing being tracked — a file, a piece of software, a record, or the output of an action.
AI agent
Software that decides, on its own, which tools to call and which actions to take in order to complete a task.
Key takeaways

A chain of custody is an unbroken, tamper-evident record of who handled something and what they did.
Its power is making tampering provable or disprovable — one missing link makes the whole record questionable.
Two properties make it trustworthy: attribution and tamper-evidence.
AI agents make it harder: shared identities and unlogged actions break the chain exactly where you need proof.

References

  1. NIST Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response — chain of custody, National Institute of Standards and Technology. csrc.nist.gov
  2. This guide’s Release Engineering field guide — signed commits, signed artifacts, and the chain of custody for shipping software.