EVIDENCE TRAIL
Output provenance tracking
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The W3C PROV Recommendation provides the authoritative vocabulary; OWASP ASI09 names the control as "Content provenance and policy enforcement" verbatim. One MDX misattribution is flagged: the claim that NIST AI 100-1 MAP-3.1 "names lineage tracking" is incorrect — the relevant provenance passage is in §3.4, not MAP-3.1.
Last cross-checked against upstream sources: · 7 sources
References
Each entry shows what the source supports and what it does not prove.
W3C PROV Overview
Abstract
"Provenance is information about entities, activities, and people involved in producing a piece of data or thing, which can be used to form assessments about its quality, reliability or trustworthiness."
Supports: Authoritative W3C definition of provenance as the mechanism for assessing quality, reliability and trustworthiness of data — the exact rationale for per-claim source tagging in agentic outputs.
Does not prove: Defines a vocabulary for data on the web; does not address LLM outputs, RAG pipelines, or agentic systems specifically.
OWASP Agentic AI — Threats & Mitigations v1.1
§T8 Repudiation & Untraceability — Mitigation (table row)
"Implement comprehensive logging, cryptographic verification, enriched metadata, and real-time monitoring to ensure accountability and traceability. Require AI-generated logs to be cryptographically signed and immutable for regulatory compliance."
Supports: Names "enriched metadata" and cryptographically signed logs as the two technical mechanisms for defeating T8 Repudiation — the same combination this control operationalises as provenance tagging plus tamper-evident audit records.
Does not prove: Does not specify per-claim source attribution within a response; framing is at the log level (whole-agent accountability) rather than the claim level (per-sentence citation).
OWASP Top 10 for Agentic Applications 2026
§ASI09 Human-Agent Trust Exploitation — Prevention and Mitigation Guideline 6
"Content provenance and policy enforcement: Attach verifiable metadata-source identifiers, timestamps, and integrity hashes-to all recommendations and external data. Enforce digital signature validation and runtime policy checks that block actions lacking trusted provenance or exceeding the agent's declared scope."
Supports: Verbatim use of "Content provenance" as a named mitigation in an agentic context. Prescribes the same artefacts (source identifiers, timestamps, integrity hashes, digital signatures) that this control specifies for its three provenance layers.
Does not prove: Situated in the context of preventing trust exploitation by agents, not specifically RAG retrieval provenance or generation-side citation propagation. The control generalises the principle beyond the trust-exploitation threat.
NIST AI 600-1 — Generative AI Profile (NIST AI RMF)
MEASURE 2.7 — "AI system security and resilience … are evaluated and documented" — Action MS-2.7-002
"Benchmark GAI system security and resilience related to content provenance against industry standards and best practices. Compare GAI system security features and content provenance methods against industry state-of-the-art."
Supports: Names content provenance as a security and resilience dimension to be evaluated against industry standards — the closest NIST analogue to a mandatory provenance review requirement. MS-2.7-004 further names "data provenance" as a metric for security measure effectiveness.
Does not prove: MEASURE 2.7 is a security-and-resilience evaluation subcategory, not an information-integrity subcategory. The MDX's shorthand "MEASURE-2.7 names data provenance for information integrity" conflates the evaluation action (MS-2.7-002) with the risk category label. Provenance is present in the sub-actions, not the subcategory header.
NIST AI 100-1 — AI Risk Management Framework
§3.4 Accountable and Transparent — body text
"Maintaining the provenance of training data and supporting attribution of the AI system's decisions to subsets of training data can assist with both transparency and accountability."
Supports: Directly links data provenance to transparency and accountability as Trustworthy AI characteristics. Establishes the upstream RMF principle that this control operationalises at the claim level.
Does not prove: The MDX attributes this principle to MAP-3.1 ("names lineage tracking"). MAP-3.1 is "Potential benefits of intended AI system functionality and performance are examined and documented" — it does not mention lineage or provenance. The provenance passage lives in §3.4, not MAP-3.1. This is a misattribution in the MDX that should be corrected.
MITRE ATLAS AML.M0024 — AI Telemetry Logging
AML.M0024 description field (ATLAS-latest.yaml)
"Implement logging of inputs and outputs of deployed AI models. When deploying AI agents, implement logging of the intermediate steps of agentic actions and decisions, data access and tool use, installation commands, and identity of the agent. Monitoring logs can help to detect security threats and mitigate impacts."
Supports: Names intermediate-step logging — including data access and identity — as a deployment-stage control. The "data access" log item is the ATLAS-level expression of retrieval provenance; the "identity of the agent" item anchors accountability to the provenance record.
Does not prove: Frames logging as a security-monitoring tool; does not specify that logs must be per-claim, tamper-evident, or surfaced in user-facing UIs. Helmwart extends the log scope to claim-level citations.
MITRE ATLAS AML.M0025 — Maintain AI Dataset Provenance
AML.M0025 description field (ATLAS-latest.yaml)
"Maintain a detailed history of datasets used for AI applications. The history should include information about the dataset's source as well as a complete record of any modifications."
Supports: Defines dataset provenance as source + full modification history — the retrieval-side provenance layer this control requires. Applies at the Business and Data Understanding and Data Preparation lifecycle phases, grounding provenance in the corpus before retrieval occurs.
Does not prove: Scoped to dataset-level provenance (corpus history), not generation-side citation propagation or tamper-evident signing of individual agent outputs. The control extends provenance forward from corpus to claim.