Key insight
A chain of custody is an unbroken, tamper-evident record of who handled something and what they did — one missing link makes the whole record questionable, even if nothing actually went wrong. AI agents make this both more important (they act fast and consequentially) and harder (shared identities and unlogged actions leave gaps exactly where you need proof).
When police collect an item of evidence, every single person who touches it afterward signs for it, notes the date and time, and records what they did with it. That signed, unbroken record is a chain of custody, and its entire purpose is to let someone later prove that the item shown today is genuinely the same item collected at the start, unchanged along the way. This article builds that idea up and applies it to digital things, including the actions of AI agents.
1 · Where the idea comes from: physical evidence
The power of a chain of custody is subtle: it does not prevent tampering directly. What it does is make tampering provable or disprovable. If every hand that touched an item is recorded, then either the record is complete and the item is trustworthy, or there is a gap, and everyone knows exactly where trust breaks down. A single missing signature is enough for a court to doubt the whole thing — not because anything necessarily went wrong, but because nobody can prove nothing did.
2 · The two properties that make it trustworthy
- Attribution. Every action in the record is tied to a specific, identified person or system, never an anonymous “someone changed this.” If you cannot say who did a thing, that link is effectively broken.
- Tamper-evidence. The record is kept in a way where a later secret change would leave visible traces, so nobody can quietly rewrite history after the fact without it showing.
3 · Chain of custody for digital things
Computer systems borrow this exact idea for digital artifacts. A piece of software before it ships, a sensitive document, a financial or legal record — each benefits from a complete history of who created it, who changed it, and who approved it, recorded in a tamper-evident way. In software specifically, this shows up as signed commits, signed build artifacts, and approval records, so that the code that reaches a customer can be traced, link by link, back to a specific author and a specific review, with any later tampering detectable.
4 · A worked example: one file, five hands
A sensitive report is created by an analyst, reviewed by a manager, edited by a compliance officer, exported by an automated system, and finally sent to an outside partner. With a chain of custody, each of those five steps is recorded and attributed: who did it, when, and what changed. If the partner later claims the figures were altered, the record settles it immediately — every change is attributed and tamper-evident, so either the alteration is right there in the record, or it demonstrably never happened. Without such a record, the same dispute becomes an unwinnable argument, because nobody can prove which of the five hands, if any, changed anything.
5 · Why AI agents make attribution harder
An AI agent, software that decides on its own which tools to call and which actions to take, can take many consequential actions very quickly. When something goes wrong, the first question is always the same: which agent, running which task, took which action? An unbroken custody record is the only fast answer. The trouble is that two common shortcuts destroy attribution exactly where you need it most: running many unrelated agents under one shared identity, so the log cannot tell them apart, and letting an agent act without recording what it did and why. Both leave a gap in the chain precisely at the moment of the consequential action, so you are left unable to prove what happened even when nothing was hidden on purpose.
6 · Building a chain of custody on purpose
- Give every actor a distinct identity. People and agents alike; a shared identity is a broken link by design.
- Record every consequential action. Who, when, what, and ideally why — at the moment it happens, not reconstructed later.
- Make the record tamper-evident. Use signing or append-only logs so a later secret change would show.
- Test the chain before you need it. An untested custody record is often discovered to have gaps only during the incident that needed it.
7 · A simple test you can run this week
1. Pick one important artifact, or one AI agent action, that matters to you.
2. Try to reconstruct, from records alone, exactly who created or triggered it, when, and what changed.
3. Note the first point where the trail goes cold or the “who” becomes ambiguous.
4. That point is your broken link — close it before you need it in a dispute.
8 · Glossary — every short-form term, spelled out
- Chain of custody
- An unbroken, tamper-evident record of everyone who handled something and exactly what they did to it.
- Attribution
- Tying every recorded action to a specific, identified person or system, never an anonymous change.
- Tamper-evidence
- Keeping a record so that a later secret change would leave visible traces, rather than being undetectable.
- Artifact
- A specific thing being tracked — a file, a piece of software, a record, or the output of an action.
- AI agent
- Software that decides, on its own, which tools to call and which actions to take in order to complete a task.
A chain of custody is an unbroken, tamper-evident record of who handled something and what they did.
Its power is making tampering provable or disprovable — one missing link makes the whole record questionable.
Two properties make it trustworthy: attribution and tamper-evidence.
AI agents make it harder: shared identities and unlogged actions break the chain exactly where you need proof.
References
- NIST Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response — chain of custody, National Institute of Standards and Technology. csrc.nist.gov
- This guide’s Release Engineering field guide — signed commits, signed artifacts, and the chain of custody for shipping software.