Signed Multi-Layer Event Tokens for AI Governance
Abstract
We introduce Multi-Layer Event Tokens, a signed runtime artifact for AI systems that produces tamper-evident records of an event's composition across modalities. An Event Token carries up to nine layer reports (text, audio, video, physics, tempo, voice, qrf, vad, governance), each signed under its own per-layer HMAC namespace; a Coordinator signs the activation manifest plus the per-layer signatures, capturing composition integrity; and an outer signature covers the canonical token bundle. Tampering with any layer, the activation set, or the coordinator binding breaks one of the three signatures and is detectable in verification. We show that this construction (i) admits selective activation — agents that do not run for an event leave verifiably-null slots, satisfying the patent-claim "Coordinator runs ONLY what was asked"; (ii) supports per-event federated binding via a Coordinator Token that links separately-signed events without re-signing them; and (iii) integrates with existing OpenAI-compatible LLM backends without modifying the model. We release a reference implementation, a ledger of ~1,400 production-signed events, and a constitutional governance overlay that demonstrably blocks invented track-record claims, PHI leakage, and Tier-5 medical patterns at sign-time.
1. Why event tokens?
Existing observability for AI systems treats events as unstructured logs: a request, a response, maybe a trace ID. That's fine for debugging and useless for governance. When a regulator or auditor asks "what did this AI agent decide, on what evidence, signed by whom, at what time?", a request log cannot answer because it was never designed to.
The Event Token re-frames the artifact: an event is a signed object with explicitly enumerated layers, each independently verifiable, bound together by a coordinator that proves they describe the same event. Verification is cryptographic, not procedural. The signature either matches or it doesn't.
2. Three-layer signature construction
The construction has three signature layers in a strict order:
-
Per-layer signature — for each non-null
layer L,
sig_L = HMAC(K_layer, canonical(payload_L)). Tampering with the payload of one layer breaks only that layer's signature. -
Coordinator signature —
sig_coord = HMAC(K_coord, canonical({activated_layers, per_layer_sigs})). Tampering with the activation manifest, swapping one signed layer for another, or rebuilding with a different layer set breaks the coordinator signature. -
Outer signature —
sig_outer = HMAC(K_token, canonical(token_with_coord_sig)). Covers everything, including the coordinator signature, providing the final tamper-evident envelope.
Each K_* is derived from a master key via
HKDF-equivalent namespacing
(axiom-event-token-layer-v1,
axiom-event-token-coord-v1,
axiom-event-token-v1), so the verifier needs only
the master key to validate every signature.
EventToken.verify():
for layer in activated_layers:
if not HMAC.verify(K_layer, canonical(layer.payload), layer.sig):
return False
if not HMAC.verify(K_coord, canonical_coord(token), token.coord_sig):
return False
return HMAC.verify(K_token, canonical_outer(token), token.outer_sig)3. Selective activation as a first-class property
A central design claim is that not every layer fires on every
event. A medical-research query activates source / claim / data
/ bio / physics / governance. A sales-outreach delegate
activates only the text layer plus governance. The
activated_agents tuple is signed into the
coordinator manifest, so the layers that didn't run
are verifiably absent — a downstream consumer cannot pretend
a layer was activated when it wasn't.
4. Federated events via Coordinator Tokens
Building larger findings out of small signed events is done by
a Coordinator Token: a separate signed object
whose payload is a map {layer_name → event_token_id}
plus a cross_layer_consistency score, a
contradictions list, and a fusion signature under
a fresh namespace. The Coordinator Token does not embed the
underlying events — it points at them. This means a single
signed event can be re-used across multiple coordinators
(e.g., the same source citation supporting both a medical
finding and a competitive-analysis report).
5. Reproducibility
The reference implementation lives at
github.com/Orivael-Dev/axiom
under axiom_event_token/. The 282-test regression
suite covers signature roundtrip, tamper detection on every
layer slot, coordinator-signature integrity under permutation
of layer order (commutative canonical form), and the
Coordinator Token binding semantics. To reproduce the eval:
git clone https://github.com/Orivael-Dev/axiom
cd axiom
AXIOM_MASTER_KEY=$(python3 -c 'import secrets; print(secrets.token_hex(32))') \
python3 -m pytest tests/test_event_token.py \
tests/test_event_token_delegate_runtime.py -v6. Limitations
- The current Probability Band telemetry is a placeholder (mean of per-layer confidence scores). Independent embedding calibration is in progress and will land as v0.2.
- The HMAC construction proves tamper-evidence, not correctness of the underlying claim. A signed event with fabricated content is still fabricated; the signature only proves it has not been edited since signing.
- The 9-slot wire format is fixed at v1.0 per the project's format-stability commitment. Future modalities (proprioceptive, olfactory, etc.) require a v2.0 format bump.
Cite this paper
@misc{roberts2026signed,
title = {Signed Multi-Layer Event Tokens for AI Governance},
author = {Roberts, Antonio},
year = {2026},
month = may,
howpublished = {Working paper, Governance Under Question},
url = {https://governance.orivael.dev/papers/2026-event-tokens.html},
note = {v0.1 — reference implementation at github.com/Orivael-Dev/axiom}
}