Aegon: Auditable AI Content Access with Ledger-Bound Tokens and Hardware-Attested Mobile Receipts

TL;DR

Aegon introduces a tamper-evident, auditable licensing system for AI content using ledger-bound tokens, hardware attestation, and verifiable transaction records to enhance transparency and compliance.

Contribution

It extends JWT tokens with licensing claims, implements a Merkle tree ledger for auditability, and applies hardware-attested receipts for AI content compliance verification.

Findings

Enables independent verification of content licensing transactions.

Implements hardware-attested compliance receipts for AI agents.

Runs over standard HTTPS, integrating with existing standards.

Abstract

Recent standards such as RSL address AI content policy declaration -- telling AI systems what the licensing terms are. However, no existing system provides audit infrastructure -- tamper-evident licensing transaction records with independently verifiable proofs that those records have not been retroactively modified. We describe Aegon, a protocol that extends standard JWT tokens with content-specific licensing claims and maintains a Certificate Transparency-style Merkle tree over an append-only transaction ledger, enabling third-party auditors to independently verify that specific content licensing transactions were recorded and have not been retroactively modified. Publishers validate tokens at the edge using standard JWKS with no broker dependency in the content delivery path. A signed provenance event log tracks content through AI transformation stages (chunking, embedding, retrieval, citation), bound to ledger entries by transaction ID. We further describe hardware-attested compliance receipts for on-device Android AI agents using StrongBox secure element attestation -- to our knowledge, the first application of hardware-attested compliance receipts to AI content licensing. Existing DRM systems use hardware-backed keys for content decryption but do not produce verifiable compliance receipts for audit trails. We describe a reference architecture and an evaluation methodology for measuring protocol overhead. The protocol runs entirely over standard HTTPS and is designed to complement existing licensing standards rather than replace them.