EVIDENCE TRAIL
Separation of actor and recorder
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The title "separation of actor and recorder" is Helmwart's normalised label for the classical separation-of-duties principle applied to AI agent audit logging. The closest upstream precedent is NIST SP 800-53 AC-5, which names "security personnel who administer access control functions do not also administer audit functions" as the canonical formulation. No upstream source uses the phrase "actor/recorder split" verbatim.
Last cross-checked against upstream sources: · 7 sources
References
Each entry shows what the source supports and what it does not prove.
OWASP Agentic AI — Threats & Mitigations v1.1
§T8 Repudiation & Untraceability — Threat table mitigation summary
"Implement comprehensive logging, cryptographic verification, enriched metadata, and real-time monitoring to ensure accountability and traceability. Require AI-generated logs to be cryptographically signed and immutable for regulatory compliance."
Supports: Directly names T8 Repudiation & Untraceability as the threat this control addresses. The immutability and cryptographic signing requirements are the storage-layer properties that actor/recorder separation enforces at the identity level.
Does not prove: Does not name actor/recorder separation explicitly or require that the logging identity be distinct from the acting identity. The mitigation is stated as a property of the log, not as a structural constraint on who may write it.
OWASP Agentic AI — Threats & Mitigations v1.1
§Playbook 1: Preventing AI Agent Reasoning Manipulation — Step 3: Strengthen AI Decision Traceability & Logging (Detective)
"Enforce cryptographic logging and immutable audit trails to prevent log tampering."
Supports: Playbook 1 explicitly covers T8 Repudiation & Untraceability. Immutable audit trails are the storage guarantee that actor/recorder separation is designed to protect — without identity separation the immutability claim is undermined if the actor can reach the log.
Does not prove: Playbook 1 does not require the recorder to be a distinct principal from the actor. The control is stated as a log-property requirement, not an identity-separation requirement.
NIST SP 800-53 Rev 5 — Security and Privacy Controls
AC-5 SEPARATION OF DUTIES — Control discussion
"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles … ensuring that security personnel who administer access control functions do not also administer audit functions."
Supports: Canonical definition of the separation-of-duties principle this control inherits. The specific sentence "security personnel who administer access control functions do not also administer audit functions" directly maps to the actor/recorder constraint: the agent performing actions (access control role) must not also administer its own audit log (audit function).
Does not prove: Applies to human personnel and organisational roles, not to software agent identities or AI workloads. Does not name agentic AI, LLMs, or automated agents. Helmwart extends this principle to agent identities.
NIST SP 800-53 Rev 5 — Security and Privacy Controls
AU-9 PROTECTION OF AUDIT INFORMATION — Control text and AU-9(4) enhancement discussion
"Protect audit information and audit logging tools from unauthorized access, modification, and deletion … Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges."
Supports: AU-9(4) states the exact structural risk this control fixes: if an audited principal also holds audit-write access, it can corrupt its own record. Restricting audit-write to a separate role (the recorder identity) is the direct implementation of AU-9(4). Also supports the WORM/separate-storage layers: AU-9(1) requires hardware write-once media; AU-9(2) requires a repository on a physically different system than the one being audited.
Does not prove: Controls are written for human users and system accounts, not for AI agent workload identities. The AU-9(2) separate-system requirement is not specific to the actor/recorder pattern — it covers any audit-log separation. Does not address autonomous or AI agent scenarios.
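The AC-5 and AU-9(4) constraint discussed above can be checked mechanically against an identity's granted permissions. The following is an added example, not Helmwart's code or any upstream source's: the permission strings (audit:append, tool:invoke and so on), the Identity type and the sample identities are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical permission vocabulary for this example; it is not taken from
# any real IAM system. Map your platform's actions onto these three groups.
AUDIT_APPEND = "audit:append"
AUDIT_MUTATING = frozenset({"audit:modify", "audit:delete", "audit:admin"})
AUDIT_WRITE = AUDIT_MUTATING | {AUDIT_APPEND}


@dataclass(frozen=True)
class Identity:
    name: str
    permissions: frozenset


def check_separation(actor: Identity, recorder: Identity) -> list:
    """Return findings where the actor/recorder split is not enforced."""
    findings = []
    if actor.name == recorder.name:
        findings.append("actor and recorder are the same principal")
    # AU-9(4): the audited principal must hold no audit-write privilege.
    held = sorted(actor.permissions & AUDIT_WRITE)
    if held:
        findings.append(f"actor '{actor.name}' can write its own audit trail: {held}")
    # The recorder may append but must not rewrite or delete existing records.
    mutating = sorted(recorder.permissions & AUDIT_MUTATING)
    if mutating:
        findings.append(f"recorder '{recorder.name}' is not append-only: {mutating}")
    if AUDIT_APPEND not in recorder.permissions:
        findings.append(f"recorder '{recorder.name}' cannot append audit records")
    # AC-5: the recorder must not also hold acting (non-audit) permissions.
    acting = sorted(p for p in recorder.permissions if not p.startswith("audit:"))
    if acting:
        findings.append(f"recorder '{recorder.name}' also holds acting permissions: {acting}")
    return findings


# Constructed sample identities: a weak grant set beside a separated one.
WEAK_ACTOR = Identity("agent-7", frozenset(
    {"tool:invoke", "data:read", "audit:append", "audit:delete"}))
WEAK_RECORDER = Identity("agent-7-logger", frozenset(
    {"audit:append", "audit:modify", "tool:invoke"}))
SEPARATED_ACTOR = Identity("agent-7", frozenset({"tool:invoke", "data:read"}))
SEPARATED_RECORDER = Identity("audit-recorder", frozenset({"audit:append"}))

if __name__ == "__main__":
    for finding in check_separation(WEAK_ACTOR, WEAK_RECORDER):
        print("FINDING:", finding)
    print("separated pair findings:", check_separation(SEPARATED_ACTOR, SEPARATED_RECORDER))
```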
NIST AI 600-1 — Generative AI Profile
MEASURE 2.8 — Risks associated with transparency and accountability, Action MS-2.8-003
"Use digital content transparency solutions to enable the documentation of each instance where content is generated, modified, or shared to provide a tamper-proof history of the content, promote transparency, and enable traceability."
Supports: Names tamper-proof provenance documentation as the transparency and accountability mechanism. The "each instance where content is generated, modified, or shared" scope maps to action-level audit capture, which is what the recorder identity must produce. Supports the tamper-proof storage layer of this control.
Does not prove: Frames the requirement around content provenance for GAI outputs, not around agent action audit trails or identity separation. Does not require the recorder to be a distinct identity from the generator. The action is about documentation practice, not about structural separation of principals.
OWASP Top 10 for Agentic Applications 2026
§ASI03 Identity and Privilege Abuse — Prevention and Mitigation Guidelines, items 2 and 6
"Isolate Agent Identities and Contexts: Run per-session sandboxes with separated permissions and memory, wiping state between tasks … Evaluate Agentic Identity Management Platforms. Major platforms integrate agents into their identity and access management systems, treating them as managed non-human identities with scoped credentials, audit trails, and lifecycle controls."
Supports: Establishes per-agent identity as the required architectural primitive. Scoped credentials and audit trails per agent identity are the prerequisite for actor/recorder separation: you cannot enforce different write permissions for actor and recorder unless each is a distinct, managed identity. Mitigation 6 names CloudTrail/audit trails explicitly in the context of agent identity management.
Does not prove: The isolation guidance targets privilege escalation (ASI03), not audit integrity (T8). Does not require the recorder to be a separate identity from the actor — the mitigations concern preventing privilege abuse, not ensuring audit immutability from the actor's perspective.
MITRE ATLAS AML.M0024 — AI Telemetry Logging
AML.M0024 AI Telemetry Logging — full mitigation description
"Implement logging of inputs and outputs of deployed AI models. When deploying AI agents, implement logging of the intermediate steps of agentic actions and decisions, data access and tool use, installation commands, and identity of the agent. Monitoring logs can help to detect security threats and mitigate impacts. Additionally, having logging enabled can discourage adversaries who want to remain undetected from utilizing AI resources."
Supports: Establishes the scope of what the recorder identity must capture: intermediate agentic steps, data access, tool use, installation commands, and agent identity. The explicit inclusion of "identity of the agent" confirms that the recorder must bind each logged entry to the acting agent's identity — the key semantic of this control. The discouragement of undetected adversary use maps to the repudiation threat T8.
Does not prove: Does not require a separate recorder identity with distinct permissions — it describes what to log, not the principal that performs the logging. AML.M0024 does not reference AU-9 separation, WORM storage, or append-only access constraints. The full techniques list (AML.T0024 exfiltration variants, AML.T0040, AML.T0047, AML.T0051) focuses on data theft detection, not repudiation or log tampering.