DAV: DEOS Agent Verification
Verifiable execution for autonomous AI agents
Version 1.0, January 2026
Summary
AI agents now make decisions in healthcare, finance, and other regulated settings where "the agent said so" is not an acceptable explanation. DAV is a runtime that captures every operation an agent performs at the OS level, into a tamper-evident execution trace that anyone can replay and verify. The agent cannot bypass the capture because it happens below the application layer. The trace is deterministic, so replay is exact, not approximate.
DAV is the answer to one specific question: prove the agent did what you say it did, in a way that does not require the auditor to trust the operator.
1. The accountability gap
1.1 What AI agents do now
An AI agent receives a goal or task, makes decisions independently, takes actions through API calls and tool use, and operates with minimal human oversight. By 2027, projections put agents in about 30% of customer service interactions, 20% of financial transactions, and 15% of healthcare administrative tasks. Billions of dollars in autonomous operations.
1.2 What you cannot ask today
When an AI agent makes a decision, the answers to these questions are all "trust us":
- What data did the agent see?
- What logic did it follow?
- Did it follow safety protocols?
- Why did it make that decision?
- Can we prove it was not tampered with?
That is fine for low-stakes use. It is not fine for medical decisions, financial transactions, legal determinations, safety-critical operations, or anything regulated.
1.3 The logging problem
The usual response is "we have logs." Logs do not solve this problem. Application-controlled logging can omit inconvenient events, can be edited after the fact, has no proof of completeness, cannot be independently verified, and the developer decides the granularity. Logs are claims, not proof.
1.4 Regulatory pressure
| Regulation | Requirement | Effective |
|---|---|---|
| EU AI Act | Explainability for high-risk AI | 2025 |
| FDA AI/ML Guidelines | Audit trails for medical AI | 2024 |
| SEC AI Disclosure | Transparency in AI-driven trading | 2025 |
| State Medical Board Rules | Accountability for AI prescribing | 2026 |
Enterprises need verifiable AI execution. The driver is legal compliance, not competitive positioning.
2. What DAV does
2.1 OS-level capture
DAV is a runtime where AI agents execute with operating-system-level capture of every operation.
+--------------------------------------------------------+
| DAV Runtime |
| |
| +--------------------------------------------------+ |
| | AI Agent (Python, etc.) | |
| | | |
| | decision = model.predict(data) | |
| | result = tool.execute(action) | |
| | response = api.call(request) | |
| +--------------------------------------------------+ |
| | |
| v |
| +--------------------------------------------------+ |
| | DEOS Capture Layer | |
| | | |
| | Every syscall logged: | |
| | - File reads and writes | |
| | - Network requests | |
| | - Memory operations | |
| | - Time and random access | |
| | | |
| | Agent CANNOT bypass this layer | |
| +--------------------------------------------------+ |
| | |
| v |
| Execution Hash: 0x8f3a2b... |
| Replay: Deterministic verification |
+--------------------------------------------------------+
2.2 What you get
| Property | Description |
|---|---|
| OS-level capture | Logging happens below the application. The agent cannot skip or rewrite it. |
| Tamper evidence | Events form a hash chain. Any modification breaks the chain. |
| Deterministic replay | Same inputs produce the same outputs, verifiable by anyone. |
| Complete coverage | Every syscall, every operation, nothing omitted. |
| Independent verification | Third parties can verify without trusting the operator. |
2.3 What DAV proves
| Claim | DAV proof |
|---|---|
| Agent checked patient allergies | Replay shows allergy database query at event #47 |
| Agent followed risk parameters | Replay shows parameter check at event #12 |
| Agent called the correct API | Replay shows exact request and response |
| Agent decision was based on data X | Replay shows data access before decision |
| Logs were not tampered with | Hash chain plus deterministic replay |
2.4 What DAV does not prove
| Limitation | Reason |
|---|---|
| What happened inside an external LLM (GPT-4, Claude) | External black box |
| That the external LLM was the model claimed | API does not prove model identity |
| Model weights were not modified | If the model runs externally |
DAV proves agent logic, not external model internals. For full model verification the model has to run inside DAV, which is feasible for smaller models. For external models, DAV proves what was sent and what came back, which covers most of the audit surface anyway.
3. Architecture
3.1 Components
+----------------------------------------------------------+
| Customer Infrastructure |
| +----------------------------------------------------+ |
| | DAV Container or VM | |
| | +----------------------------------------------+ | |
| | | Application Layer | | |
| | | - Python runtime | | |
| | | - Agent framework (LangChain, etc.) | | |
| | | - Customer agent code | | |
| | +----------------------------------------------+ | |
| | +----------------------------------------------+ | |
| | | DEOS Kernel | | |
| | | - Syscall interception | | |
| | | - Event logging | | |
| | | - Determinism enforcement | | |
| | | - Hash chain generation | | |
| | +----------------------------------------------+ | |
| +----------------------------------------------------+ |
| | |
| v |
| +----------------------------------------------------+ |
| | Proof Storage | |
| | - Execution traces | |
| | - Hash chain | |
| | - Replay artifacts | |
| +----------------------------------------------------+ |
+----------------------------------------------------------+
3.2 Execution flow
Step 1: Agent initialization
----------------------------
Customer deploys agent to DAV container
DAV initializes execution context
Execution ID assigned: exec_8f3a2b...
Step 2: Agent execution
-----------------------
Agent runs normally (Python, LangChain, etc.)
Every operation captured at OS level:
Event 0: [SYSCALL] read("/data/patient.json") -> 2,847 bytes
Event 1: [SYSCALL] connect("api.openai.com:443")
Event 2: [NETWORK] send(POST /v1/chat/completions, 1,203 bytes)
Event 3: [NETWORK] recv(response, 892 bytes)
Event 4: [SYSCALL] read("/data/drug_interactions.db")
Event 5: [DECISION] prescription_result = "approve"
Event 6: [SYSCALL] write("/output/decision.json")
Step 3: Hash chain generation
-----------------------------
hash_0 = hash(event_0)
hash_1 = hash(hash_0 + event_1)
hash_2 = hash(hash_1 + event_2)
...
execution_hash = hash_N
Step 4: Proof generation
------------------------
{
"execution_id": "exec_8f3a2b",
"execution_hash": "0x8f3a2b7c...",
"event_count": 247,
"timestamp": "2026-01-15T10:30:00Z",
"agent": "prescription-agent-v2",
"result": { ... }
}
Step 5: Verification (on demand)
--------------------------------
Any party can:
1. Obtain execution trace
2. Replay in DAV verifier
3. Compare execution_hash
4. If match, execution verified
3.3 Event types captured
| Category | Events |
|---|---|
| File I/O | open, read, write, close, stat |
| Network | connect, send, recv, DNS lookup |
| Process | fork, exec, exit, signals |
| Memory | mmap, brk, allocation |
| Time | clock_gettime, gettimeofday |
| Random | getrandom, /dev/urandom |
| IPC | pipes, shared memory, sockets |
3.4 How determinism is enforced
| Source of nondeterminism | DAV approach |
|---|---|
| Timestamps | Captured and replayed from log |
| Random numbers | Captured and replayed from log |
| Thread scheduling | Deterministic scheduler |
| Network timing | Responses captured and replayed |
| External API responses | Captured and replayed |
3.5 Language support
Phase 1 (launch): Python via embedded interpreter, Rust native, WASM (any language compiled to WASM).
Phase 2: Node.js, Go, Java via GraalVM.
Framework compatibility: LangChain, LlamaIndex, AutoGPT, CrewAI, and custom frameworks. The OS-level capture means framework choice does not affect verifiability.
4. Trust model
4.1 What is in and out of the trust boundary
DAV verifies the agent's logic, decision paths, data accesses, API calls made, tool usage, and safety checks executed. DAV does not verify external LLM internals (what happens inside GPT-4, model weights, training data).
4.2 Why partial verification is still useful
Most agent liability comes from agent logic, not from model internals. Did the agent check allergies? Did it apply the business rules? Did it escalate high-risk cases? Did it use the correct data? DAV proves all of these. The model itself is the small remainder.
For settings where model internals matter (regulated medical AI, for example), the model has to run inside DAV. For settings where the question is "did the agent do its job correctly," DAV is sufficient.
4.3 Verification levels
| Level | What is verified | Trust required |
|---|---|---|
| Execution hash | Execution happened, hash matches | Trust DAV operator |
| Third-party replay | Independent party replays, confirms hash | Trust verifier |
| Self-verification | You replay yourself | Trust only DEOS code |
4.4 Dispute resolution example
Dispute: "Agent did not check drug interactions"
Resolution:
1. Plaintiff requests execution trace
2. Defendant provides trace and hash
3. Independent verifier replays
4. Verifier reports: "Event #47: query to drug_interactions.db"
5. Dispute resolved with cryptographic proof
5. Integration patterns
5.1 Full agent in DAV
Maximum verification. The whole agent runs inside the container. All logic, all tools, all API calls captured. Best for compliance-critical use cases.
5.2 Decision-point wrapper
Existing infrastructure remains. Only the critical decision runs in DAV. The web app calls into a DAV container at the point that matters, gets back a result plus proof, and continues normally. Best when full migration is too disruptive.
5.3 Verification sidecar
Existing agent runs unchanged. A sidecar mirrors events into a separate hash chain and provides verification. Best for legacy systems where touching the main code path is risky.
5.4 Integration
Before:
def prescribe(patient_data):
agent = MedicalAgent()
recommendation = agent.analyze(patient_data)
return recommendation
After:
from dav import verified
@verified
def prescribe(patient_data):
agent = MedicalAgent()
recommendation = agent.analyze(patient_data)
return recommendation
# Returns: (recommendation, execution_proof)
One decorator. The agent code does not change. The wrapper returns the same value plus a verifiable proof of how it was produced.
6. Use cases
The pattern is the same in every case: the agent runs in DAV, every operation is captured, the output is a result plus a replay-verifiable execution proof. Three representative examples.
6.1 Healthcare: AI-assisted prescribing
An agent recommends medications based on patient data. If something goes wrong, the question is whether the agent checked allergies, current medications, drug interactions, and dosage rules. DAV's trace answers each question by name. The replay shows the database queries, the safety checks, the LLM calls, and the rule applications. Malpractice defense becomes a mechanical check.
6.2 Finance: algorithmic trading agent
A trading agent executes orders based on client parameters. If a client disputes a trade, the question is whether the agent followed the risk parameters and constraints the client agreed to. DAV's trace shows the parameter loads, the market data fetches, the strategy model run, the position checks, and the execution call. Arbitration becomes a hash comparison.
6.3 Insurance: claims processing
An agent evaluates claims, applies policy terms, and produces decisions. If a claimant appeals or sues, the question is whether the evaluation was fair and the policy was applied correctly. DAV's trace shows the policy lookup, the document analysis, the rule application, and the decision derivation. Regulatory complaints become resolvable in minutes.
Other domains follow the same shape: legal contract review, customer service, autonomous booking, anywhere an agent makes a decision a third party may later need to question.
7. Regulatory alignment
7.1 EU AI Act
| Requirement | DAV solution |
|---|---|
| Transparency | Full execution trace available |
| Explainability | Replay shows decision path |
| Human oversight | Proof of escalation when required |
| Record keeping | Immutable execution logs |
| Risk management | Verifiable safety checks |
7.2 FDA AI/ML Guidelines
| Requirement | DAV solution |
|---|---|
| Audit trails | Complete execution history |
| Validation | Replay-based verification |
| Change control | Version tracking in execution |
| Quality assurance | Deterministic testing |
7.3 SEC
| Requirement | DAV solution |
|---|---|
| Books and records | Execution traces as records |
| Audit trail | Hash-chained event log |
| Supervision | Verifiable compliance checks |
| Best execution | Provable decision process |
7.4 HIPAA
| Requirement | DAV solution |
|---|---|
| Access logging | All data access logged |
| Audit controls | Complete audit trail |
| Integrity | Tamper-evident hash chain |
| Transmission security | Logged network operations |
8. Comparison to alternatives
8.1 DAV vs application logging
| Aspect | Application logging | DAV |
|---|---|---|
| Who controls | Developer | OS (untouchable) |
| Can skip events | Yes | No |
| Tamper-proof | No | Yes (hash chain) |
| Completeness proof | None | Replay verification |
| Independent verification | No | Yes |
8.2 DAV vs observability tools (Datadog, etc.)
| Aspect | Observability | DAV |
|---|---|---|
| Purpose | Monitoring and debugging | Legal verification |
| Tamper evidence | No | Yes |
| Replay capability | No | Yes |
| Regulatory grade | No | Yes |
| Cryptographic proof | No | Yes |
8.3 DAV vs blockchain logging
| Aspect | Blockchain logging | DAV |
|---|---|---|
| What is logged | Hashes or summaries | Full execution |
| Verification | Hash exists | Full replay |
| Cost | Gas fees per log | Fixed per execution |
| Detail level | Low (gas constraints) | Complete |
| Latency | Block time | Immediate |
8.4 Summary
| Solution | Tamper-proof | Complete | Replay | Cost |
|---|---|---|---|---|
| Application logging | No | No | No | Low |
| Observability | No | Partial | No | Medium |
| Blockchain | Yes | No | No | High |
| DAV | Yes | Yes | Yes | Medium |
9. Roadmap
Phase 1: Foundation (Q1 2026)
- Python runtime in DEOS (RustPython integration)
- Basic LangChain compatibility
- Execution trace format specification
- Replay verification tool
- Docker container packaging
Phase 2: Launch (Q2 2026)
- Production-ready container
- SDK for Python developers
- Proof export formats (JSON, PDF reports)
- Integration documentation
- First healthcare pilot customer
Phase 3: Enterprise (Q3 and Q4 2026)
- SOC 2 compliance
- HIPAA-ready deployment option
- On-premise installation support
- Advanced analytics dashboard
- Multi-agent support
Phase 4: Ecosystem (2027)
- Additional language support (Node.js, Go)
- Third-party verifier network
- Industry-specific compliance packages
- API marketplace for verified agents
- Certification program
10. Conclusion
AI agents will make decisions affecting health, wealth, and safety. The current approach of asking auditors to take operator word for what the agent did is not going to survive contact with the regulators who are already writing the rules.
DAV is one specific answer: capture every operation at the OS level, hash-chain the events so tampering is detectable, run the agent under a deterministic kernel so the trace can be replayed exactly. The cost is real (you run on a custom kernel, you pay for the trace storage). The benefit is that the audit trail is mechanical rather than narrative.
For settings where regulators or counterparties may later need to verify what the agent actually did, DAV is the substrate to build on.
Appendix A: Execution trace format
{
"version": "1.0",
"execution_id": "exec_8f3a2b7c",
"timestamp_start": "2026-01-15T10:30:00.000Z",
"timestamp_end": "2026-01-15T10:30:02.847Z",
"agent": {
"name": "prescription-agent",
"version": "2.1.0",
"hash": "0x1a2b3c..."
},
"events": [
{
"seq": 0,
"type": "SYSCALL",
"name": "read",
"args": {"path": "/data/patient.json"},
"result": {"bytes": 2847},
"hash": "0x..."
}
],
"execution_hash": "0x8f3a2b7c...",
"signature": "0x..."
}
Appendix B: Verification API
POST /verify
{
"execution_id": "exec_8f3a2b7c",
"claimed_hash": "0x8f3a2b7c..."
}
Response:
{
"verified": true,
"replayed_hash": "0x8f3a2b7c...",
"event_count": 247,
"verification_time_ms": 1823
}
Appendix C: Glossary
| Term | Definition |
|---|---|
| Execution trace | Complete log of all operations during agent execution |
| Execution hash | Cryptographic hash uniquely identifying an execution |
| Deterministic replay | Re-running execution with guaranteed identical results |
| Hash chain | Linked sequence of hashes providing tamper evidence |
| DAV container | Isolated environment running DEOS for agent execution |
Related papers
- DEOS Determinism Model:
/whitepapers/determinism-model - Verifiable AI Inference on DEOS:
/whitepapers/verifiable-inference - DCO: DEOS Computing Oracle:
/whitepapers/dco