In short
If you build software with AI agents, those agents take actions on your behalf: they call APIs, run code, fetch documents, hand work off to other agents. Today, when something goes wrong or an auditor asks what happened, you look at logs. The problem is that logs are just text someone wrote down. A bug, a misconfigured service, or a malicious actor could record one thing while doing another, and you would have no way to tell.
Dapr is an open-source runtime that sits underneath your services and handles plumbing like state management, service-to-service calls, and workflow orchestration. The new 1.18 release adds cryptographic signatures to that plumbing. Every step a workflow takes gets signed by whichever component executed it, and each signature is chained to the previous step, similar to how a blockchain links blocks. If anyone modifies the history later, the chain breaks and you can detect it.
Why it matters: regulators in the EU and the US are starting to require tamper-evident records of how automated systems made decisions. More practically, if you let an agent move money or write to a production database, you want mathematical evidence of what it did, not a log file someone could edit.
The catch: this proves the orchestrator's view of events. It does not prove what happened inside the language model itself. That is a harder, still-open problem.
Diagrid Inc. shipped Dapr 1.18 today, adding what it calls verifiable execution: a set of primitives that produce cryptographic evidence of how an agent or workflow ran, who held custody of intermediate state, and whether the recorded history was tampered with after the fact. The release is built on new capabilities in the open-source runtime: Workflow History Signing, which signs execution records so they become tamper-evident and independently verifiable, backed by application identities tied to the open SPIFFE standard; and Workflow History Propagation, which lets execution lineage travel across workflow, service, and application boundaries.
For ML practitioners running agentic systems in production, this closes a gap that observability tools have not addressed. With agents now invoking tools that move money, write to production databases, or trigger physical processes, the audit surface is wider than the average LLMOps stack was designed for.
The concrete change for teams building on Dapr is that workflow steps emit signed records keyed to the identity of the executing component. Replays and post-incident reviews can verify the chain end-to-end without trusting the application layer that produced it. Diagrid is leaning on Dapr's existing identity model (SPIFFE-based workload identity) to anchor signatures, which means the verification layer builds on the Dapr workflow engine Diagrid already maintains.
Second-order implications are worth thinking through. First, regulated industries that have been hesitant to put agents on critical paths get a defensible audit story. Second, this raises the floor for what enterprise buyers will demand from agent frameworks. Expect procurement checklists to start asking. Third, the existence of signed workflow histories opens the door to cross-organization agent workflows where multiple parties need to verify each other's execution without sharing raw logs. That is the prerequisite for any serious multi-tenant agent marketplace.
Caveats: signed logs prove what a component reported, not what it actually computed inside an opaque model call. Verifying that the LLM produced a given output for given inputs still requires either deterministic decoding plus reproducible serving, or trusted execution environments. Diagrid is solving the orchestration-layer integrity problem, which is the tractable half. The model-layer attestation problem remains open, and teams that conflate the two will overstate their guarantees in audit conversations.
Worth evaluating if you are running Dapr, planning a migration to it, or building anything where an auditor will eventually ask "how do you know that's what happened?"
Source: siliconangle_ai