AAS-1 defines an evidentiary record format and a set of standard assertions that allow an independent reviewer — human or agent — to form assurance opinions about the activity of autonomous AI agents.
The AAS-1 Audit Manual provides the engagement procedures practitioners follow when applying the standard — from pre-engagement scoping through to issuing the Class D Determination.
AAS-1 is an open standard for producing audit-grade evidence about agent activity. It defines a record format, five record classes, and twelve standard assertions that allow auditors to evaluate agent actions against the same rigor applied to human-controlled processes.
The standard addresses what we call the Unauditable Agent Problem: autonomous agents are now executing transactions, making decisions and producing outputs at scale, yet the records they leave behind are platform-specific, unstructured and not designed for assurance. AAS-1 defines a portable evidentiary format, anchored to AIS-1 identities, that any auditor can evaluate.
At its core AAS-1 is a relationship between two parties — the agent emits a Class A record per action; the auditor emits a Class D opinion in response. Class B and Class C aggregate Class A for sampling; Class E wraps the engagement. The diagram shows the actor-output pair at the heart of the standard.
The AAS-1 Audit Manual has been prepared to assist practitioners in applying the standard — see the Audit Manual section below for details.
A complete audit trail typically comprises many Class A records, organised by Class B or Class C aggregations, evaluated against a Class E engagement, and concluded with Class D determinations. Each class shares the core identity, evidence and signature primitives.
A single agent action with evidence. The atomic unit. Captures actor, principal, action type, hashed inputs and outputs, tools, model and signature.
Issuer: agent / operator
Aggregation of Class A records over a defined period. Carries a Merkle root over the canonicalised members and the standard identity and signature primitives.
Issuer: operator
A single entry within a continuously attested stream. Bound to a separate stream-anchor record. Designed for high-frequency or always-on agents.
Issuer: operator · v0.2
An auditor's finding, opinion or exception over a set of subject records. Records per-assertion results and an overall finding type.
Issuer: auditor
Audit engagement metadata: scope, period, applicable framework, materiality threshold, the agent population in scope and engagement letter hash.
Issuer: auditor
AAS-1 records support seven assertions adapted from established audit frameworks (ISA 315/330, AICPA AU-C, ISAE 3000), plus five assertions specific to autonomous agents. An auditor — human or agent — evaluates every assertion in a single pass before issuing a Class D determination.
```javascript
// Auditor verification flow — evaluating an AAS-1 Class A record
const record = await aas1.fetch(eventId);
const identity = await ais1.resolve(record.agentRef);
const findings = await auditor.evaluate(record, {
  identity,
  assertions: AAS1.ALL_ASSERTIONS,
  policies: record.policyRefs
});

// Returns per-assertion findings:
//   existence        'satisfied' | 'modified' | 'exception'
//   completeness     ...
//   accuracy         ...
//   identity         ... (AIS-1 binding)
//   provenance       ... (model, tools, prompt context)
//   reproducibility  ...

if (findings.allSatisfied) {
  await auditor.issueClassD({ finding: 'unmodified', ... });
} else {
  await auditor.issueClassD({ finding: 'modified', exceptions: ... });
}
```
The Audit Manual is the operational companion to the specification. Where the spec defines what AAS-1 records are, the manual sets out how an auditor receives them, evaluates them, and issues an opinion. It is the practitioner's playbook for conducting an AAS-1 Class D Determination.
A specification on its own would leave every auditor inventing their own procedures from the spec text. The manual closes that gap. It walks through pre-engagement scoping, receiving and validating the record population, the per-record verification flow, detailed procedures for each of the twelve assertions, sampling methodology for large populations, and the form of the Class D Determination itself. A worked example over the PayAgent USDC transfer shows the procedures applied end-to-end.
This makes AAS-1 immediately deployable rather than aspirational. An auditor can pick up the manual, follow the procedures, and conduct an engagement without further interpretation. The first AAS-1 engagement — over PayAgent's Q2 2026 records — is being conducted to this manual; subsequent engagements use it as the standard reference.
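The receipt checks the manual prescribes for a record population (walking the prevHash chain, recomputing the Merkle root, reconciling the count) look like this in code. This is an added example, not code from the AAS-1 specification or manual: the hash function, canonical form, Merkle construction and the count, merkleRoot and amount fields are assumptions, and the sample records are constructed.

```javascript
// Added example. ASSUMPTIONS (not taken from the AAS-1 spec): SHA-256,
// sorted-key JSON as the canonical form, prevHash = hash of the previous
// canonical record, Merkle tree duplicating the last node on odd levels.
const { createHash } = require('node:crypto');
const sha256 = (s) => createHash('sha256').update(s).digest('hex');
// Recursively sort object keys so hashing does not depend on key order.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

function merkleRoot(leaves) {
  let level = leaves.length ? leaves : [sha256('')];
  while (level.length > 1) {
    const next = [];
    for (let i = 0; i < level.length; i += 2)
      next.push(sha256(level[i] + (level[i + 1] ?? level[i])));
    level = next;
  }
  return level[0];
}

// Returns the list of exceptions; an empty list means the batch is intact.
function verifyBatch(batch, records) {
  const exceptions = [];
  if (records.length !== batch.count) exceptions.push('count-mismatch');
  const leaves = records.map((r) => sha256(canonical(r)));
  records.forEach((r, i) => {
    const expected = i === 0 ? null : leaves[i - 1];
    if (r.prevHash !== expected) exceptions.push(`chain-break@${r.eventId}`);
  });
  if (merkleRoot(leaves) !== batch.merkleRoot) exceptions.push('merkle-root-mismatch');
  return exceptions;
}

// Constructed sample: three chained records plus the operator's batch summary.
function buildSample() {
  const records = [];
  ['10.00', '25.50', '7.25'].forEach((amount, i) => {
    const prevHash = i === 0 ? null : sha256(canonical(records[i - 1]));
    records.push({ eventId: `evt-${i + 1}`, agentRef: 'agent:example', amount, prevHash });
  });
  const leaves = records.map((r) => sha256(canonical(r)));
  return { records, batch: { count: records.length, merkleRoot: merkleRoot(leaves) } };
}
```

Editing a record after the fact surfaces as a chain break at the following record as well as a root mismatch, which tells the auditor where in the population to start looking.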
Define the Class E engagement: scope, period, applicable framework, materiality threshold, agent population. The on-record equivalent of an engagement letter, signed by both parties.
Class E setup
Receive the records (pull from registry, batch push, or continuous stream). Walk the prevHash chain, recompute Merkle roots, reconcile counts against external statements.
Receipt + verify
Per-record technical checks: resolve the AIS-1 identity, validate the signature, verify the independent timestamp, recompute hashes against source data where accessible.
4 phases
Detailed auditor procedures for each of the seven classical and five agent-specific assertions. Definitions, fields supporting evaluation, step-by-step procedures, common exceptions.
12 procedures
Sampling methodology for batch and continuous populations. Findings catalogue mapping common issues to finding types. Issuing the Class D — fields, signature, publication.
Class D output
Full evaluation walkthrough on the PayAgent USDC transfer. Class D determination template, engagement letter template, working-paper checklist for the auditor.
PayAgent + forms
Specification, audit manual, JSON Schema for Class A and worked PayAgent example published under CC0. Open for public comment until 31 July 2026.
Class B/D/E schemas finalised. Class C continuous-stream semantics defined. Materiality methodology annex. Mapping table to ISA 315/330. First DABA Class M and SOC 2 profiles drafted.
PayAgent emits Class A records over a 90-day period. An independent reviewer issues a Class D determination. The full evidentiary chain — including the AIS-1 identity binding — is published as a reference engagement.
Submission to IFAC and ISO/IEC JTC 1. Conformance test suite. Reference adapters for major audit-tooling platforms. Integration with continuous-assurance pipelines and agent-commerce settlement (Clavus, x402).
The full technical working paper. Motivation, definitions, the audit record, five record classes, twelve assertions, schema specification, AIS-1 binding, security and regulatory considerations, and worked example.
The engagement guide for auditors conducting a Class D Determination. Pre-engagement scoping, per-record verification flow, procedures for the twelve assertions, sampling, findings catalogue, and the worked PayAgent example.
JSON Schema 2020-12 for Class A records. Required and optional fields, evidence types, signature object, action sub-schema with tools and model.
A worked Class A record: PayAgent executes a stablecoin transfer on behalf of its principal. Includes signature, attestation, hash anchor and log evidence.
The identity layer that AAS-1 binds to. Every AAS-1 record references an AIS-1 identity for the agent and, in Class D, the auditor.
Feedback is invited from auditors, agent developers, blockchain engineers, legal and regulatory professionals, enterprise AI deployers, standards organisations and government bodies. The comment period closes 31 July 2026. A revised v0.2 will incorporate substantive feedback.
Review of the assertion catalogue from practising auditors · feedback on the Class A schema and evidence types · proposed regulatory profile mappings (DABA, SOC 2, ISAE 3402, statutory audit) · input on Class C continuous-streaming semantics · proposals for authorised reference implementations · real-world engagement use cases.