Agentic Witnessing: Pragmatic and Scalable TEE-Enabled Privacy-Preserving Auditing
Antony Rowstron

TL;DR
This paper introduces Agentic Witnessing, a TEE-enabled framework that allows privacy-preserving, qualitative verification of proprietary data through limited binary queries and cryptographic transcripts, enhancing auditing capabilities.
Contribution
It presents a novel architecture combining LLM-based auditors within TEEs to enable dynamic, privacy-preserving verification of unstructured data properties.
Findings
Automated artifact evaluation for 21 papers using the framework.
Verified five high-level properties of codebases without exposing raw data.
Demonstrated effective privacy-preserving oversight in qualitative verification.
Abstract
Auditing the semantic properties of proprietary data creates a fundamental tension: verification requires transparent access, while proprietary rights demand confidentiality. While Zero-Knowledge Proofs (ZKPs) ensure privacy, they are typically limited to precise algebraic constraints and are ill-suited for verifying qualitative, unstructured properties, such as the logic within a codebase. We propose Agentic Witnessing, a framework that moves verification from attested execution to attested reasoning. The system is composed of three agents: a Verifier (who wants to check properties of a dataset), a Prover (who owns the dataset) and an Auditor (that inspects the dataset). The Verifier is allowed to ask a limited number of simple binary true/false questions to the Auditor. By isolating an LLM-based Auditor within a Trusted Execution Environment (TEE), the system enables the…
