The bar is moving from "was it protected" to "can you prove what happened in it."
In early June, two documents landed within five days of each other that, read together, tell you where the bar for a defensible system is moving. The first is OMB Memorandum M-26-14, the federal government's new logging mandate. It replaces M-21-31, the rule written in the wake of the 2020 SolarWinds compromise, and changes the posture from "retain everything uniformly" to a risk-based one: classify assets by criticality, log accordingly, keep what you would actually need to reconstruct an incident. It names two jobs. Continuous event monitoring, so you can see activity as it happens. And threat hunting, investigation, response, and forensics, so you can answer, after the fact, what actually occurred.
The second is a Microsoft Security engineering post, "Reconstructing AI activity in investigations." Its opening line is the part worth sitting with: the signals an AI system produces "are observable. Without structure, they do not form a coherent account of what occurred." The piece lays out a method for answering a question most security teams cannot answer today: when an AI system took an action, who initiated it, when, against which resources, and was it allowed to. For agents specifically, it adds three things you have to be able to say: which agents are deployed, how they are configured, and what data they are authorized to touch.
One memo is about federal logging. One is about AI forensics. They are the same memo. The standard for "a system you can defend" is shifting from "it was protected" to "you can prove what happened in it," and the arrival of software that acts on its own makes that shift sharper, not softer.
Audit logs are not new. What is new is a non-human actor taking consequential actions inside your environment, on its own initiative, at machine speed.
When a person changes an IAM policy, there is a chain you can follow: a login, a session, a ticket, a human you can ask. When an agent changes an IAM policy, the chain only exists if the agent was built to leave one. The default is silence. The action happens, the state changes, and unless the system was designed to witness itself, the only record is the downstream effect, which is exactly the "observable but incoherent" gap Microsoft names.
This is the part teams underestimate. You can bolt monitoring onto a human workflow after the fact, because humans are slow and leave fingerprints. You cannot bolt it onto an agent after the fact, because by the time you are reconstructing, the agent has already done the thing, and if it did not record its own reasoning and its own action at the moment it acted, that information is gone. The forensic account has to be a design property of the agent, not a logging layer downstream of it.
The two memos, taken together, describe a posture in three parts. This is how we build agents that take real actions, and it is the bar we think any production agent should clear.
Every action the agent takes gets written down by the agent, as it takes it: what it did, to what, and the evidence it acted on. Not a log scraped from the cloud provider afterward, which tells you the state changed but not why the agent believed it should. A witnessed record is the agent's own account, captured at the moment of action, which is the only point where the reasoning still exists.
A record that says "the agent tightened this policy" is weak. A record that says "the agent tightened this policy because these three principals had unused admin grants, here are the API calls that prove it" is something you can stand behind in an investigation or an audit. Grounding is what turns a log line into evidence. It is also what keeps the agent honest in the first place: an action that cannot cite its basis is an action that should not happen.
The record has to live where the customer controls it, not in a vendor's account the customer cannot subpoena or retain on its own schedule. M-26-14's whole premise is that the organization owns its forensic posture. An agent whose audit trail is locked inside a SaaS vendor's tenant fails that premise on day one. The agent should run in the customer's environment and write its witnessed record to logs the customer owns.
When software starts taking actions on its own, the question that defines a defensible system stops being "was it protected" and becomes "can you prove what it did," and that account has to be designed into the agent, grounded in evidence, and owned by you.
If you are deploying agents that touch real infrastructure and the question "could we reconstruct what this thing did" does not have a clean answer, that is the conversation to have. We do not need a spec. We need to know what your agents are allowed to do, where they run, and what you would have to produce if an auditor or an incident asked you to account for an automated action. We will tell you on the call whether your current posture holds up and what we would change if it were ours.
We do not take every engagement, and we will tell you whether we are the right partner.