Auditable Agents
Yi Nian, Aojie Yuan, Haiyue Zhang, Jiate Li, Yue Zhao

TL;DR
This paper explores the concept of auditability in LLM agent systems, defining key dimensions and mechanisms to ensure accountability and trustworthy behavior post-deployment.
Contribution
It introduces a formal framework for agent auditability, identifies practical challenges, and proposes an Auditability Card to guide future research and implementation.
Findings
Basic security prerequisites for auditability are often unmet in open-source projects.
Pre-execution mediation with tamper-evident records incurs minimal overhead.
Responsibility-relevant information can be partially recovered even with missing logs.
Abstract
LLM agents call tools, query databases, delegate tasks, and trigger external side effects. Once an agent system can act in the world, the question is no longer only whether harmful actions can be prevented--it is whether those actions remain answerable after deployment. We distinguish accountability (the ability to determine compliance and assign responsibility), auditability (the system property that makes accountability possible), and auditing (the process of reconstructing behavior from trustworthy evidence). Our claim is direct: no agent system can be accountable without auditability. To make this operational, we define five dimensions of agent auditability, i.e., action recoverability, lifecycle coverage, policy checkability, responsibility attribution, and evidence integrity, and identify three mechanism classes (detect, enforce, recover) whose temporal…
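The findings above pair pre-execution mediation with tamper-evident records, and the abstract lists policy checkability and evidence integrity among the auditability dimensions. The following is an added example, not code from the paper: the hash-chain design, the names `AuditLog` and `mediate`, and the sample policy and tools are assumptions made here. It records each allow/deny decision before the tool runs and detects a later edit to a record.

```python
import hashlib, json

GENESIS = "0" * 64  # assumed fixed starting value for the chain

def _digest(prev, body):
    # Canonical JSON so the same record always hashes to the same value.
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + data).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry commits to the hash of the one before it."""
    def __init__(self):
        self.entries = []

    def append(self, body):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "body": body, "hash": _digest(prev, body)})

    def verify(self):
        # Index of the first entry that breaks the chain, or -1 if intact.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != _digest(prev, e["body"]):
                return i
            prev = e["hash"]
        return -1

def mediate(log, policy, principal, tool, args, tools):
    """Write the policy decision BEFORE the tool runs, then the outcome after."""
    allowed = tool in policy.get(principal, set())
    seq = len(log.entries)
    log.append({"phase": "decision", "principal": principal,
                "tool": tool, "args": args, "allowed": allowed})
    if not allowed:
        return None          # denied calls leave evidence but have no side effect
    result = tools[tool](**args)
    log.append({"phase": "result", "ref": seq, "result": result})
    return result

# Constructed sample: one agent, one permitted tool, one tool it may not call.
POLICY = {"agent-1": {"read_file"}}
TOOLS = {"read_file": lambda path: f"contents of {path}",
         "send_email": lambda to: "sent"}

def demo():
    log = AuditLog()
    mediate(log, POLICY, "agent-1", "read_file", {"path": "notes.txt"}, TOOLS)
    mediate(log, POLICY, "agent-1", "send_email", {"to": "x@example.com"}, TOOLS)
    intact = log.verify()
    log.entries[2]["body"]["allowed"] = True   # after-the-fact edit of the denial
    return len(log.entries), intact, log.verify()
```

A chain like this exposes edits and mid-log deletions, but not truncation of the newest entries; that requires keeping the latest hash somewhere the agent runtime cannot write.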
