Crumb.

Every AI-agent action drops a crumb. The trail leads back to the human who directed it, across MCP and OpenAI function-calling. A tamper-evident record an auditor can verify without trusting the operator.

# | Time | Human | Agent Action | Transport | Outcome | Entry hash
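One way a record with a per-entry hash can be made tamper-evident, as an added example (not Crumb's own code; the page does not show its record format). It assumes each entry hash covers the previous entry's hash and that the auditor holds the latest hash from a source independent of the operator; the field names, SHA-256 chaining and sample entries are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first entry

def entry_hash(prev_hash, fields):
    # Canonical JSON so the same fields always serialise to the same bytes.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, fields):
    prev = log[-1]["entry_hash"] if log else GENESIS
    log.append({**fields, "entry_hash": entry_hash(prev, fields)})

def verify(log, trusted_head):
    """Return 'ok', 'broken at <index>' or 'head mismatch'."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry_hash(prev, fields) != entry["entry_hash"]:
            return f"broken at {i}"
        prev = entry["entry_hash"]
    # An internally consistent chain may still have been rebuilt or truncated
    # by whoever stores it; only the independently held head catches that.
    return "ok" if prev == trusted_head else "head mismatch"

def rebuild(entries):
    # Recompute every hash from scratch, as anyone with write access could.
    log = []
    for e in entries:
        append(log, {k: v for k, v in e.items() if k != "entry_hash"})
    return log

def build_sample():
    # Constructed sample entries, not real Crumb output.
    calls = [("read_ticket", "mcp"), ("draft_reply", "openai-function-calling"),
             ("export_report", "mcp")]
    return rebuild({"n": n, "time": f"2024-01-01T00:00:0{n}Z",
                    "human": "alice@example.com", "agent_action": action,
                    "transport": transport, "outcome": "ok"}
                   for n, (action, transport) in enumerate(calls, start=1))

if __name__ == "__main__":
    log = build_sample()
    head = log[-1]["entry_hash"]           # value the auditor keeps separately
    edited = [dict(e) for e in log]
    edited[1]["human"] = "bob@example.com"  # in-place edit of one field
    print(verify(log, head))               # intact log
    print(verify(edited, head))            # edit breaks the chain at entry 1
    print(verify(rebuild(edited), head))   # full rewrite: head no longer matches
    print(verify(log[:2], head))           # truncation: head no longer matches
```

The last two cases are why the auditor's copy of the head hash has to come from somewhere the operator cannot rewrite.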

The bind: a real token exchange

Before any crumb is written, the gateway proves who's behind the call. It doesn't sign its own authority — it runs a real RFC 8693 exchange against an identity provider, which returns a provider-signed token carrying the human and the agent. The resource trusts the provider's public key, not a secret it shares with the minter. Live exchange, decoded below.

The attack Crumb is built to catch

A poisoned tool drives an agent into a call the human never authorized. In a controlled lab this hijacked 5 of 7 models into an unauthorized data export. Crumb can’t block it — it’s a flight recorder, not enforcement — but it proves, per call, the human didn’t direct it.