Agent governance is having its moment, and rightly so. Policy engines, zero-trust identity, execution sandboxing, the OWASP Agentic Top 10, toolkits like Microsoft's Agent Governance Toolkit — they intercept an agent's action and decide, before it runs, whether to allow it, deny it, or escalate for approval. A denied action becomes structurally impossible, not merely unlikely. That is real, and you should want it.

But prevention has a blind spot, and it's the one that shows up in the room with a regulator, a customer, or opposing counsel.

Prevention is one job. Proof is another.

Governance answers a question asked in the moment: should this action be allowed? Afterwards — an incident, an audit, a dispute — the question flips entirely: what did we actually do, and can you prove it? A system built to gate actions going in has nothing to say about proving, months later, what came out.

A governance tool's records are its own.

The good ones do keep an audit trail — which policy was active, what the agent requested, whether it was allowed or denied. Useful. But those records live inside the governance system, attested (if at all) with its own keys, in its own ecosystem. To check them, a verifier has to trust that system.

And a signature only proves who held a key. It does not prove, to an outsider who trusts no one, what happened and when — that the record is the original, unaltered, and not back-dated. That is a different guarantee, and prevention layers don't provide it.

Governance is the lock on the door. A verifiable record is the receipt you can hand a court. They are not the same product, and you need both.

Proof is an orthogonal layer.

A Verifiable Decision Record doesn't decide whether to allow an action. It does the other half: it turns the action that did happen into a portable, canonical record with a cryptographic receipt anyone can recompute, and an anchor anyone can check against public infrastructure. No trust in the producer, in the governance vendor, or in us. Only the digest is ever published — the decision payload never leaves your environment.
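The recompute-and-compare step described above, as an added illustration that is not the VDR format or its reference implementation: a constructed decision payload is canonicalized and digested, only the digest is published, and a verifier holding the payload recomputes it without any key or trust in the producer. The anchoring of that digest to public infrastructure is assumed to have already happened and is stood in for here by the published digest string.

```python
import hashlib
import hmac
import json

# Constructed sample payload (hypothetical fields; not the open format's schema).
DECISION = {
    "agent": "billing-agent-07",
    "action": "issue_refund",
    "amount": "149.00",
    "currency": "EUR",
    "governance_verdict": "allow",
    "timestamp": "2025-03-04T10:15:30Z",
}


def canonicalize(record: dict) -> bytes:
    """Deterministic serialisation: sorted keys, no whitespace, UTF-8.
    Any party serialising the same payload obtains the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def receipt_digest(record: dict) -> str:
    """The only value the producer publishes: SHA-256 over the canonical
    bytes. It reveals nothing about the payload itself."""
    return hashlib.sha256(canonicalize(record)).hexdigest()


def verify(record: dict, published_digest: str) -> bool:
    """Verifier side: recompute from the payload it was handed and compare
    with the digest that was anchored. No key and no trust in the producer
    are needed for this step; the anchor (assumed) supplies the time binding."""
    return hmac.compare_digest(receipt_digest(record), published_digest)


if __name__ == "__main__":
    anchored = receipt_digest(DECISION)          # producer publishes this only
    assert verify(DECISION, anchored)            # original payload still matches
    # A back-dated copy, or any other edit, no longer matches the anchored digest.
    backdated = dict(DECISION, timestamp="2025-03-01T10:15:30Z")
    assert not verify(backdated, anchored)
    # Field order in the source does not matter; canonicalisation absorbs it.
    reordered = dict(reversed(list(DECISION.items())))
    assert verify(reordered, anchored)
```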

You need both — and they compose.

Keep your guardrails; they stop the bad call. Emit a verifiable record for the decisions that carry consequences; it settles the dispute that happens anyway. Because the format is an open standard, a governance layer could emit VDRs directly — prevention and proof in one pipeline, neither asking anyone to take a vendor's word.

It's open, with a reference implementation you can use today. Wrap your client, capture a record, verify one yourself. If your governance stack can stop an action but couldn't prove, later, what it let through, that's the half this fills.