Replay-first execution runtime for AI agents

Prove your AI's fix
actually works.

Capture every agent decision, replay the exact failure, and prove your fix resolves it — with evidence a regulator or court will trust.

agent.py
from notary import instrument

@instrument(secret_key=NOTARY_KEY)
def run_agent(application):
    # your existing agent — unchanged
    return agent.decide(application)

Five lines. Every run is recorded as a sealed, replayable commit.

Logs tell you what happened. They can't prove it.

When an AI agent makes a decision that harms someone, a regulator, auditor, or opposing counsel will eventually ask you to prove four things. Your logs answer none of them.

Prove the cause — not a coincidence.

A log shows an error next to a model call. It can't show your agent's logic caused the outcome rather than a flaky network call or stale data. Notary re-runs the exact decision and shows it recur.

Prove the fix — not the intention.

Shipping a patch shows you tried; it doesn't show it works. Notary runs your fix against the exact conditions that failed and proves the outcome changes — against the real API, not a mock.

Prove integrity — without asking for trust.

A log file can be edited. Every Notary decision is cryptographically sealed the moment it happens and verifiable by anyone with a public key — no trust required.

Prove it years later — after everything changed.

Audits arrive long after the incident, when the engineer has left and the model is deprecated. Observability keeps hours; defensibility needs years. Notary evidence is self-contained and reproducible.

These are four different problems. A tool built to monitor production solves none of them — monitoring asks "what's happening now," defensibility asks "prove what happened then, to someone who doesn't trust you."

Others can show what an agent decided. Only Notary proves the fix resolves it — replaying from a sealed recording, and validating against the live API when the fix changes external behavior. Proof of remediation, not just proof of record.

$5M–$500M potential fines
8–12 weeks typical investigation
EU AI Act · NIST · SEC · OCC

Git for AI agent execution.

1
Capture → commit
Every prompt, tool call, and decision recorded as a node in a sealed execution graph.
2
Replay → checkout
Deterministically re-run the exact incident from a sealed recording of its responses — in milliseconds, reproducible for years.
3
Branch → experiment
Fork the run and try a fix without touching the original.
4
Diff → compare
See exactly where and how the fixed run diverges.
5
Verify → certify
Prove the fix resolves the incident and issue a signed certificate.

Tamper-evident capture

HMAC-SHA256 + Merkle chain. Alter one byte and the proof breaks.

sha256(node) = HMAC(prev_hash, data)

Sealed, portable replay

Replay runs against a cryptographically sealed recording of the incident's real responses — deterministic, millisecond-fast, and reproducible years later even if a provider changes or retires its test mode.

replay(cassette) → identical output

Live validation when it matters

When a fix changes which external calls fire, Notary escalates to a real provider sandbox where available — so a fix is proven against live conditions, not just a recording.

fix changes calls → escalate to sandbox

Proof of Mitigation

A cryptographically signed certificate (ECDSA/RSA) regulators and courts verify independently.

verify(cert, pubkey) → true

A lending denial, proven in days — not months.

A lending agent denies a qualified applicant: credit score 650, threshold 700. The compliance team imports the run into Notary. Notary replays the recorded credit-check response from the sealed cassette — score 650, reproduced exactly, with no dependency on any live system. A developer branches an experiment lowering the threshold to 620. Because the fix changes only internal logic and issues no new external call, the same sealed responses drive the re-run: the agent now approves. Notary issues a signed Proof of Mitigation certificate — root cause, fix, test method, verified outcome.

1
Import run
Sealed execution graph loaded
2
Replay
Score 650 reproduced
3
Branch
Threshold 700 → 620
4
Diff
Deny → Approve
5
Certify
Signed certificate issued
Proof of Mitigation Certificate
Notary Run #a3f7b2c1 · Issued 2026-07-12
Root causeCredit threshold (700) exceeded applicant score (650)
Original runDENY · score=650, threshold=700
Fix appliedThreshold lowered from 700 to 620
Replay resultAPPROVE · score=650, threshold=620
Test methodDeterministic replay against sealed response cassette
Verified outcomeFix resolves incident · mutation test passed
Signature algoECDSA P-256
Signature: 3045022100a7b3c1d4e5f6789012345abcdef01234567890abcdef1234567890abcdef1234

Who It's For

Debug production AI in minutes.

For Developers

  • Open-source SDK
  • ~5 lines to instrument
  • Works offline
  • Deterministic replay of the real incident
  • Verify a fix before you ship

Regulatory defense, ready before the audit.

For Compliance & Legal — CISO · Compliance Officer · General Counsel

  • Cut investigation from 8 weeks to 2
  • Signed, court-admissible evidence
  • Immutable chain of custody
  • Push straight into your GRC system

Evidence you don't have to take on faith.

Bring your own key

Seal runs with your own key; Notary never has to hold it.

Publicly verifiable signatures

Certificates signed with asymmetric keys — verify with a public key, no secret required.

Immutable audit trail

Append-only, write-once evidence log. Nothing can be silently altered.

GRC-native

Evidence flows into ServiceNow, OneTrust, and AuditBoard, mapped to the right controls.

Reproducible for years

Evidence is a sealed, self-contained recording — replayable long after the incident, even if the underlying provider systems have changed or disappeared.

Built for the frameworks that matter.

EU AI Act (Article 10)NIST AI RMFSEC AI DisclosureOCC Model Risk

Pricing

FreeProfessionalRecommendedEnterprise
PriceFree foreverContact usCustom
ForDevelopers & small teamsCompliance + legal teamsLarge orgs, critical infra
SDK: capture + HMAC sealing + local verify
Framework supportRaw / basicAll frameworksAll + custom
Deterministic replayLimited (free quota)UnlimitedUnlimited
Sealed cassette replay
Live sandbox validation (escalation)Select providers (expanding)+ custom providers
Branching & experiments1 branch / incidentUnlimitedUnlimited
Mutation testingManualAutomatedAutomated
Proof of Mitigation certificates
Certificate signatureECDSAECDSA + RSACustom
Compliance reportsAll frameworksCustom
GRC connectionsIncludedUnlimited + custom
Audit logging / RBAC
SSO
SLANone99.5%99.9%
SupportCommunityPriorityDedicated
Data retention30 days1 yearCustom
Install the SDKContact usTalk to sales

Usage limits and pricing shown are indicative and subject to change.

The questions regulators ask

So you test against recordings, not the real system?

We replay from a cryptographically sealed recording of the real responses, replayed deterministically. When your fix changes which calls fire, we escalate to a real provider sandbox where one is available. The evidence is signed either way.

Why not always use live APIs?

Because provider test environments change or disappear. A sealed recording from 2026 is still replayable in 2031. We optimize for evidence that survives the audit timeline.

Send us a message

We will get back to you at the email you provide.