Replay-first execution runtime for AI agents

Cryptographic proof for
every AI decision.

Capture, replay, and verify your AI agents' production runs — with regulatory-grade evidence that stands up in court.

agent.py
from notary import instrument

@instrument(secret_key=NOTARY_KEY)
def run_agent(application):
    # your existing agent — unchanged
    return agent.decide(application)

Five lines. Every run is recorded as a sealed, replayable commit.

Logs tell you what happened. They can't prove it.

When an AI agent makes a decision that harms someone, a regulator, auditor, or opposing counsel will eventually ask you to prove four things. Your logs answer none of them.

Prove the cause — not a coincidence.

A log shows an error next to a model call. It can't show your agent's logic caused the outcome rather than a flaky network call or stale data. Notary re-runs the exact decision and shows it recur.

Prove the fix — not the intention.

Shipping a patch shows you tried; it doesn't show it works. Notary runs your fix against the exact conditions that failed and proves the outcome changes — against the real API, not a mock.

Prove integrity — without asking for trust.

A log file can be edited. Every Notary decision is cryptographically sealed the moment it happens and verifiable by anyone with a public key — no trust required.

Prove it years later — after everything changed.

Audits arrive long after the incident, when the engineer has left and the model is deprecated. Observability keeps hours; defensibility needs years. Notary evidence is self-contained and reproducible.

These are four different problems. A tool built to monitor production solves none of them — monitoring asks "what's happening now," defensibility asks "prove what happened then, to someone who doesn't trust you."

Others can show what an agent decided. Only Notary re-runs the corrected agent against the real failing conditions and proves the fix resolves it. Proof of remediation, not just proof of record.

$5M–$500M potential fines
8–12 weeks typical investigation
EU AI Act · NIST · SEC · OCC

Git for AI agent execution.

1
Capture → commit
Every prompt, tool call, and decision recorded as a node in a sealed execution graph.
2
Replay → checkout
Deterministically re-run the exact incident against real sandbox APIs.
3
Branch → experiment
Fork the run and try a fix without touching the original.
4
Diff → compare
See exactly where and how the fixed run diverges.
5
Verify → certify
Prove the fix resolves the incident and issue a signed certificate.

Tamper-evident capture

HMAC-SHA256 + Merkle chain. Alter one byte and the proof breaks.

sha256(node) = HMAC(prev_hash, data)

Deterministic replay

Real provider sandboxes (Stripe test mode, GitHub, Salesforce) — not mocks that drift.

replay(run_id) → identical output

Proof of Mitigation

A cryptographically signed certificate (ECDSA/RSA) regulators and courts verify independently.

verify(cert, pubkey) → true

A lending denial, proven in days — not months.

A lending agent denies a qualified applicant: credit score 650, threshold 700. The compliance team imports the run into Notary. Notary provisions a Stripe test environment, restores the applicant data, and replays the credit check — score 650, reproduced exactly. A developer branches an experiment lowering the threshold to 620. Notary re-runs the branch, diffs it against the original: the agent now approves. Notary issues a signed Proof of Mitigation certificate — root cause, fix, test method, verified outcome — ready for the regulator.

1
Import run
Sealed execution graph loaded
2
Replay
Score 650 reproduced
3
Branch
Threshold 700 → 620
4
Diff
Deny → Approve
5
Certify
Signed certificate issued
Proof of Mitigation Certificate
Notary Run #a3f7b2c1 · Issued 2026-07-12
Root causeCredit threshold (700) exceeded applicant score (650)
Original runDENY · score=650, threshold=700
Fix appliedThreshold lowered from 700 to 620
Replay resultAPPROVE · score=650, threshold=620
Test methodDeterministic replay against Stripe test sandbox
Verified outcomeFix resolves incident · mutation test passed
Signature algoECDSA P-256
Signature: 3045022100a7b3c1d4e5f6789012345abcdef01234567890abcdef1234567890abcdef1234

Who It's For

Debug production AI in minutes.

For Developers

  • Open-source SDK
  • ~5 lines to instrument
  • Works offline
  • Deterministic replay of the real incident
  • Verify a fix before you ship

Regulatory defense, ready before the audit.

For Compliance & Legal — CISO · Compliance Officer · General Counsel

  • Cut investigation from 8 weeks to 2
  • Signed, court-admissible evidence
  • Immutable chain of custody
  • Push straight into your GRC system

Evidence you don't have to take on faith.

Bring your own key

Seal runs with your own key; Notary never has to hold it.

Publicly verifiable signatures

Certificates signed with asymmetric keys — verify with a public key, no secret required.

Immutable audit trail

Append-only, write-once evidence log. Nothing can be silently altered.

GRC-native

Evidence flows into ServiceNow, OneTrust, and AuditBoard, mapped to the right controls.

Built for the frameworks that matter.

EU AI Act (Article 10)NIST AI RMFSEC AI DisclosureOCC Model Risk

Pricing

FreeProfessionalRecommendedEnterprise
PriceFree foreverContact usCustom
ForDevelopers & small teamsCompliance + legal teamsLarge orgs, critical infra
SDK: capture + HMAC sealing + local verify
Framework supportRaw / basicAll frameworksAll + custom
Deterministic replayLimited (free quota)UnlimitedUnlimited
Real sandboxesStripe onlyStripe, GitHub, Salesforce+ custom providers
Branching & experiments1 branch / incidentUnlimitedUnlimited
Mutation testingManualAutomatedAutomated
Proof of Mitigation certificates
Certificate signatureECDSAECDSA + RSACustom
Compliance reportsAll frameworksCustom
GRC connectionsIncludedUnlimited + custom
Audit logging / RBAC
SSO
SLANone99.5%99.9%
SupportCommunityPriorityDedicated
Data retention30 days1 yearCustom
Install the SDKContact usTalk to sales

Usage limits and pricing shown are indicative and subject to change.