Can I prove what the agent did?
The clearinghouse is becoming the buying question — and it's already shipping. But for a brand, “prove what the agent did” doesn't stay one question. It fractures into four, and the control plane answers none of them.
Jamin Ball made the cleanest version of an argument I’ve been circling for months. In the SaaS era, the durable moat was the system of record: own the data, own the workflows that touch it, and switching costs do the rest. In the agent era, he argues, the prize is the clearinghouse — the seat that decides which agent is cleared to act, on what data, with what limits, and keeps the receipt. The lock-in moves from your data to your permissions. We are, in his phrase, leaving the source-of-truth era and entering the source-of-permission one.
He’s right. And you can watch it ship. Microsoft spent Build 2026 turning that thesis into product. Agent 365, generally available since May, is explicitly a control plane for context, identity, permissions, memory, runtime, and audit trails across any agent framework. Alongside it, Microsoft open-sourced the Agent Control Specification, which gives any agent runtime a deterministic allow-or-deny decision at five checkpoints: the input, the model call, the state, the tool execution, and the output. That is the clearinghouse, in code. KPMG just rolled Agent 365 out to more than 276,000 people across 138 countries. The race Ball describes isn’t a forecast. It’s a procurement cycle that has already started.
So here is the question every enterprise is learning to ask: can I prove what the agent did?
For a brand, that question doesn’t stay whole. It fractures. A CIO asking “prove what the agent did” wants an audit log, and the control plane gives them one. A CMO, a brand owner, an agency holding company asking the same words wants something the audit log structurally cannot give them. They want to know whether the thing the agent made is theirs. Whether it sounds like them. Whether it’s safe to put in front of the world. And whether a human actually stood behind it. None of those are permission questions.
What the clearinghouse clears
Which agent acted, on what data, within which limits — logged, timestamped, replayable. Every checkpoint green, every action accounted for. A governance problem with a clean, deterministic shape.
What it has no opinion on
Whether the output is yours, sounds like you, is safe and lawful to publish, and whether a human genuinely stood behind it. The clearinghouse clears the action. It has no view on the work.
This is the distinction I keep coming back to, and the one I made in A Safe Agent Isn’t a Trusted One: clearance is not trust. An agent can be perfectly governed — every checkpoint green, every action logged, fully compliant — and still produce something you would never publish. Safety is a property of the system. Trust is a property of the output, and of the person willing to put their name on it. The control plane earns you the first. The second sits on top of the governance layer, not inside it. It’s the layer I call AUX.
Three eras, three moats
Source of truth, source of permission — and the layer above both.
Ball’s framing has a natural third floor, and it’s the one he stops just short of naming. Stack the eras and the gap is obvious: each era’s moat sits on top of the last one’s, and for a brand the top floor is the only one that decides whether the work ships under their name.
the unbuilt floor
Source of trust
Is the work ours, on-brand, safe and lawful to publish — and did a person genuinely stand behind it? The experience & authorship layer. This is AUX.
shipping now
Source of permission
Which agent is cleared to act, on what data, with what limits — and the receipt. The clearinghouse / control plane: Agent 365, the Agent Control Specification.
the won war
Source of truth
Own the data and the workflows that touch it; switching costs do the rest. The system of record.
↑ each moat sits on top of the one below — and for a brand, the top floor is the one almost nobody is building
The fracture
Four questions a permission log was never built to answer.
Here is what the fracture actually looks like in practice. The clearinghouse answers the first question — did the agent have permission? — and answers it well. Each of these four is what the brand owner means instead, and on every one of them the control plane is structurally silent.
Can I prove who authored this?
Provenance certifies a file’s history, not its truth. Authorship is the gap between “it came from us” and “we own this” — and it’s designed, not signed.
Is it on-brand?
Brand is a judgment living in a thousand small decisions across 71 touchpoints. A deterministic allow/deny can’t reach any of them.
Is it brand-safe?
Exposure scales with autonomy — and from August 2026, disclosure of AI-generated content is law, not preference.
Did a human sign off?
A rubber-stamp on unread output is automation bias with a paper trail. Genuine oversight has to be designed into the moment of approval.
Can I prove who authored this?
Provenance is the closest the market has come to answering this, and it’s further along than most people realise. C2PA — Content Credentials, backed by Adobe, Microsoft, the BBC, OpenAI, Google, and, tellingly, Publicis Groupe — attaches a cryptographically signed record to a file: who made it, when, what tools were involved, whether AI was in the loop, and every meaningful edit since. It has been described as a nutrition label for media. Note who is already at that table. The holding companies aren’t watching this one from the sidelines.
But provenance has a ceiling, and it is the same ceiling clearance has. C2PA certifies a file’s history, not its truth. A credential proves a claim was made, not that the claim reflects reality. It can tell you a file passed through a given pipeline. It cannot tell you the work is good, or right, or yours in any sense beyond the metadata.
Which is why authorship, for a brand, is bigger than a manifest. It is the gap between the file says it came from us and we actually own this. The Authorship Layer I’ve been building rests on behavioural science rather than cryptography — the IKEA Effect, Self-Determination Theory, the human need for genuine agency over the work. You can prove provenance. You have to design authorship: the felt sense that a person made a decision here, not merely waved an output through. The first is a signature. The second is the reason anyone should trust the signature.
Is it on-brand?
A cleared agent will happily produce something perfectly permitted and completely off-brand. Brand is not a permission. It is a judgment — tone, restraint, the things you would never say, the joke that lands for someone else and is radioactive for you. The clearinghouse holds no view on any of it, because brand does not live in the policy engine. It lives in a thousand small decisions sitting nowhere a deterministic allow/deny can reach.
And the surface area is the real problem. When I mapped where agents actually touch a brand, I counted 71 distinct touchpoints across six surfaces — and brand expresses itself, or fails to, at every single one. A governed agent that goes subtly off-brand at sixty of those touchpoints is a compliance success and a brand failure at the same time. Someone has to govern the consistency, not just the permission. That work is design — the discipline of agent-first design — and it is nowhere in the control plane.
Is it brand-safe?
People collapse this into “on-brand,” and the two are not the same. On-brand is does it sound like us. Brand-safe is will it stand us next to something that burns us — the adjacency, the context, the claim we can’t substantiate, the disclosure we forgot to make. And the exposure scales with autonomy: the more you let an agent do unsupervised, the more disciplined the control around it has to be. That principle isn’t mine; it’s the one every governance team is relearning right now — capability and control move together. It’s exactly why the action heat ladder I built scores agent actions across five consequence dimensions instead of treating them as a flat list. A drafted caption and an autonomously published post are not the same risk, even when they come from the same agent.
The EU AI Act’s Article 50 transparency obligations — enforceable from 2 August 2026 — require AI-generated content to be marked and disclosed as artificially generated. Marketing copy and AI-generated text published to inform the public are squarely in scope. Disclosure is no longer a brand preference; for a large share of agentic output it’s a compliance requirement with a deadline. The EU’s machine-readable marking direction and C2PA’s provenance work are converging on the same plumbing — so a brand-safe agent is now also a lawfully disclosed one, and the clearinghouse will not make that call for you.
Did a human sign off?
The clearinghouse loves this question, because a sign-off is auditable: a name, a timestamp, a green check. But Article 14 of the EU AI Act — human oversight for high-risk systems — is unusually precise about what oversight actually means. A person has to be able to understand the system, monitor it, intervene, and halt it. And the regulation names the failure mode out loud: automation bias, the tendency to over-rely on a machine’s output simply because a machine produced it.
That is the trap, and it is behavioural before it is regulatory. A human clicking “approve” on output they didn’t read, or didn’t understand, is not oversight. It is automation bias with a paper trail — arguably worse than no sign-off at all, because now there is a signature attesting to a decision nobody really made. And the law has already noticed the difference. Under Article 50, AI-generated public-interest text must be disclosed as AI-generated unless it has undergone genuine human editorial review and editorial responsibility. Read that carefully: a real sign-off literally changes your legal disclosure posture, and a rubber-stamp does not qualify.
So real sign-off requires that the moment of approval be designed — so the human in the loop can see what changed, understand why, and actually own the call. That is Self-Determination Theory again: competence and autonomy, not a checkbox. The clearinghouse can record that a human signed off. Whether that sign-off meant anything is an AUX problem.
The layer one step short of permission
The clearinghouse is a floor, not a finish line.
Put the four together and the pattern is hard to miss. Can I prove what the agent did is a permission question, and the clearinghouse answers it well. Is this ours, does it sound like us, is it safe and lawful to publish, did a person genuinely stand behind it — those are trust questions, and the clearinghouse answers none of them. They live one layer up. Ball’s vocabulary almost reaches it: source of truth, then source of permission. The layer he stops just short of is the source of trust — the experience and authorship layer that turns a cleared agent into one whose work you’ll actually ship under your own name. It’s the same gap the AGT / AUX two-layer stack formalises: governance underneath, trust on top.
I am not arguing against the clearinghouse. Buy it. Microsoft — or whoever wins the seat — will sell you a very good one, and you will need it. But a control plane clears the agent to act. It does not make the work yours, keep it on-brand, keep it safe, or make a human’s approval mean something. That is the layer a brand has to own on purpose, and it is the one almost nobody is building yet. Ball gives founders eighteen months before there’s no room left to be undecided. I’d give brands less. The control plane is being poured right now, in this buying cycle.
“The agent was cleared to do it” is about to become a very thin defence.
The brands that win the agent era won’t be the ones who waited for governance to arrive. They’ll be the ones who decided early how they answer four questions a permission log was never going to answer for them — authorship, brand, safety, and genuine human ownership.
Because in eighteen months, “the agent was cleared to do it” is a very thin defence for work that was off-brand, unsafe, unauthored, and approved by a human who never really looked.
Permission is the floor. Trust is the layer you have to build.
Buying the control plane is the easy half. The source of trust is the work.
auxfirst designs the layer that sits on top of your governance stack — authorship, brand consistency, brand-safety, and sign-off that actually means something. If your agents are cleared to act but you can’t yet prove the work is yours, that gap has a name now.
Start a conversation →