Whenever an AI agent does something that matters, Provedit checks the call against your policy, blocks or pauses what is not allowed, and signs the rest into a tamper-evident, quantum-resistant chain. One identity model, one evidence trail, every agent vendor.
Not a log you have to trust. A record anyone can verify.
Cursor, Claude Code, Copilot agent mode, OpenAI Assistants, LangChain workers, your own MCP services. They open files, run shells, call tools, change data, and deploy to production, using credentials originally issued to a human developer or a service account. So the trail points at whoever owned the token, not the agent that actually used it.
Every vendor logs its own slice. None of them follow the action into another vendor's pipeline. None of them bind the policy decision or the human approval to the action it authorised. The result is a pile of partial logs nobody can stitch back together when an auditor, a regulator, or an incident lands on your desk.
So the three questions that matter most when something goes wrong are the three you cannot answer:
Provedit answers those three, and five more like them, on every action your agents take. Same eight answers, every time.
Every action that lands in Provedit shows up with the same eight questions already answered, each with a status badge and the evidence behind it. Whoever owns the review (a platform engineer, an IT generalist, an AppSec lead, or a SOC analyst) stops writing queries and starts reading verdicts.
Every action is tied to a specific agent, the person it was acting for, and the session it ran in.
Your policy ran first and the answer (allow, ask a human, or block) is locked into the record.
You see what was read or changed and how much, without us copying the data itself.
A dozen plain-English action types, like "read file", "run shell", "fetch URL", "edit code", instead of raw API calls.
If approval was needed, the approver, the time, and their signature are attached to that exact action.
We track each agent's usual patterns (rate, hours, action types, destinations) and flag anything out of profile.
We watch for secrets, customer data, and traffic to places you have not approved.
Records are chained and signed so nothing can be edited or removed without it being obvious.
Same eight answers, every action. Here is how the platform produces them.
A peek at the operator view. Identity-first, policy-aware, signed end to end. Everything below is mock data, animated for effect.
One schema feeds one recorder, which writes to one verifiable ledger. Three steps for every action.
Signed events arrive from the Provedit MCP proxy in front of your agent's tools, or from the Provedit SDK wrapped around your service's tool dispatcher. Both speak the same schema, so adding a new agent vendor is a config change, not a rewrite.
The recorder classifies the action, evaluates policy (allow, deny, or require approval), scores it against the agent's normal behaviour, hash-chains the entry, persists it, and returns the outcome, all in one atomic step.
Periodic Merkle anchors and signed roots turn the chain into evidence. Auditors and incident responders can verify, weeks or years later, that nothing was edited after the fact.
You don't open Provedit on a stream of raw events. You open it on the agent: its sessions, its normal behaviour, the sensitive things it has touched recently, the approvals waiting on it. The page reads like a profile, not a query result, so a platform engineer or IT generalist can answer "what did this agent do, and was it allowed" without learning a query language.
A normal log says "X happened". Provedit says "X happened, this rule evaluated it, this person approved it, and the approval is cryptographically bound to that exact action." That binding is what survives an audit, a lawsuit, or a regulator.
Each agent platform will keep improving its own logs inside its own walls. Provedit sits one layer above them all. Anything that speaks MCP (Cursor, Claude Code, Copilot agent mode, OpenAI Assistants with MCP, self-hosted MCP servers) goes through the proxy. Anything that doesn't (your own services, CI jobs, internal agents) wraps the SDK around its tool dispatcher. One timeline, one identity model, one chain of evidence, regardless of which vendor produced the action.
That ledger does not try to govern every token an agent emits. It focuses on the actions where being wrong actually costs you.
A policy is an ordered list of rules: tool pattern in, decision out. First match wins. It can be three lines or three hundred, whatever the system needs. Below is a sample CRM agent policy.
crm.issue_refund) →
require approval
Provedit is not just for coding agents. Any place an AI agent makes a decision, calls a tool, or talks to a customer can be put on the same chain. Your policy picks one of three outcomes per tool, and the chain remembers all of them.
The support agent issues a refund. Your policy routes that tool to require approval, so every refund waits for a manager signature. Refund, agent, and approver land on one signed entry.
A shell.exec whose args contain the literal string rm -rf, DROP TABLE, or terraform destroy never runs. Your policy denies the call outright, and the blocked attempt is signed onto the chain so it is just as visible as a successful one.
The support agent calls customer.lookup hundreds of times a day. Your policy allows it without friction, but every lookup is signed onto the chain with the agent and the user behind it. When someone asks "who pulled this customer's file last Tuesday", you have an answer.
Same shape every time. Your policy decides, per tool, whether the call is allowed, sent for approval, or denied, and the outcome gets signed onto the chain. Works the same whether the agent goes through the MCP proxy, the SDK, or one of your own MCP servers.
Not every team using AI, and not on day one. Provedit is built first for teams that have agents calling tools their business actually depends on, whether that is a coding agent in the IDE, a support assistant on the website, or a workflow service running headless in the background:
Inside those teams: platform engineering, AI platform, or AppSec as the champion; CISO, head of engineering, or GRC as the sponsor; whoever triages incidents and approves changes as the day-to-day operator. If that sounds like you, sign up free below, or read the honest answers below first.
Each vendor is improving observability inside its own surface, and that work is welcome. None of them is incentivised, or positioned, to be the neutral system of record across every other vendor's agents. Provedit is the layer above them all: one identity model, one policy engine, one tamper-evident chain that spans Cursor, Claude Code, Copilot, OpenAI Assistants, LangChain, self-hosted MCP tools, and CI agents, and that survives outside any single vendor's retention window.
A SIEM stores events. Provedit treats the agent as a long-lived identity, evaluates policy in line, cryptographically binds human approvals to the actions they authorise, and produces a tamper-evident chain that an auditor can verify on their own. Your SIEM is a downstream consumer of that chain, not the source of truth for it.
Both, at the same gate. Whether the call comes through the MCP proxy, the SDK, or one of your own MCP servers, the gateway is the synchronous enforcement point: it checks policy, blocks the call or holds it for approval where the policy says so, then signs the action and the decision into the chain in one atomic step. That co-location is what makes the evidence credible. It was the actual control point, not a side-channel log that could have been bypassed. You can roll out enforcement per tool (observe-only, require approval, or deny), so you decide where the friction lives.
Not an AI governance dashboard for the model layer. Not a generic LLM trace viewer for debugging prompts and tokens. Not an NHI lifecycle or secret-rotation tool: we model each agent as an identity for the purpose of attributing and signing its actions, but we do not vault its credentials or rotate keys on its behalf. Not a SIEM, though we feed one. Not an inline prompt-injection filter: we intercept the agent's tool calls, not its prompt or token stream. Provedit is the signed, cross-vendor evidence chain for the privileged actions agents actually take. If your problem is model risk scoring, prompt debugging, credential vaulting, log aggregation, or input filtering, a different category of tool will fit better.
Article 12 (record-keeping, in force 2 August 2026), Article 14 (human oversight), and Article 19 (log retention) require traceability, oversight, and evidence outcomes. They do not mandate a specific control. Provedit is one defensible implementation path for those outcomes, alongside ISO/IEC 42001, NIST AI RMF, and the GenAI profile.
No. The footprint is the MCP proxy in front of your agent's tools, or the SDK wrapped around your service's tool dispatcher. Nothing is installed on developer machines and nothing runs on production hosts.
Three steps to your first signed action:
Free for up to 5 agents per tenant. No card, no time limit.
Need something bigger, on-prem, or a hands-on pilot? Email hello@provedit.ai.