Evidence Bundles
Why this page exists. Agentic remediation does not become enterprise-ready when the agent opens a PR. It becomes enterprise-ready when a security leader can prove what the agent saw, what it did, who reviewed it, and why the workflow was allowed to run.
This is the operational export companion to Agentic Run Receipts. Receipts define the per-run proof contract; bundles normalize and package those receipts for an audit period or workflow cohort.
The product idea
SecurityRecipes should be more than a cookbook. The durable enterprise value is the evidence layer around agentic security: structured proof that every remediation run was scoped, policy checked, verified, and reviewed. That is the piece a buyer, auditor, model provider, or GRC platform cannot reconstruct from prompts alone.
An evidence bundle is the portable record for one audit period or one workflow cohort. It gives teams a single artifact they can attach to SOC 2, ISO 27001, PCI DSS, NIST SSDF, FedRAMP, or internal AI governance reviews.
What belongs in a bundle
The minimum viable bundle includes:
- Normalized event stream. One ordered record per intake, dispatch, tool call, verification, PR, review, stop, or close event.
- Run manifest. One row per agent run with workflow, finding IDs, repositories, outcome, reviewer, PR links, tools called, and chain hash.
- Control gap report. Runs missing terminal, verification, or review events are called out explicitly.
- Hashes. Source and normalized event hashes so the bundle can be archived and later checked for tampering.
- Human-readable report. A Markdown summary that GRC and security leadership can read without querying a warehouse.
Event schema
Start boring. Every event should carry these required fields after normalization:
| Field | Purpose |
|---|---|
run_id |
Correlates the full chain of custody for one agent attempt. |
timestamp |
UTC timestamp, ISO 8601 preferred. |
event_class |
Canonical receipt class such as human_approval, verifier_result, or run_closed. Legacy event_type is accepted as an alias. |
Use workflow_id as the canonical workflow identifier; legacy workflow is
accepted as an alias. If timestamp is omitted, the generator derives it from
an event-specific field such as issued_at, approved_at, completed_at,
closed_at, or revoked_at and normalizes it to UTC.
Strongly recommended fields:
| Field | Purpose |
|---|---|
workflow_id |
Workflow name, for example vulnerable-dependencies. |
finding_id |
Scanner, ticket, advisory, or case identifier. |
repository |
Repository affected by the run. |
actor |
Human, agent, gateway, or system principal that emitted the event. |
tool |
MCP or local tool name for tool-call events. |
pr_url |
Pull request opened or reviewed by the workflow. |
decision |
Reviewer or policy decision when applicable. |
The schema intentionally accepts additional keys. Enterprise teams will add tenant ID, environment, data classification, model, prompt version, MCP gateway policy version, ticket URL, and cost fields as their program matures.
The current Agentic Run Receipt vocabulary includes identity_issued,
context_retrieval_decision, context_poisoning_scan, mcp_tool_decision,
context_egress_decision, human_approval, verifier_result,
evidence_attached, run_closed, and identity_revoked.
Generate a starter bundle
This repository includes a local generator:
python scripts/generate_agent_evidence_bundle.py \
--events audit-events.jsonl \
--output-dir evidence/2026-05 \
--program agentic-security-remediation \
--period 2026-05
The input may be JSON Lines or a JSON array. The output directory contains:
events.normalized.jsonmanifest.jsonevidence-report.md
The generator is intentionally not tied to one vendor. Feed it GitHub webhooks, orchestrator events, MCP gateway logs, CI status events, and scanner lifecycle events after normalizing them into the schema above.
Enterprise control mapping
Evidence bundles turn the abstract controls in Compliance & Audit into a repeatable operating artifact.
| Control need | Bundle evidence |
|---|---|
| Change management | Finding ID, PR URL, diff link, reviewer decision, timestamps. |
| Separation of duties | Agent actor vs. reviewer actor, plus branch protection evidence. |
| Logged access | Tool-call events from the MCP gateway with run ID attribution. |
| Verification | Test, scanner rerun, and policy-check events before review. |
| AI governance | Model, prompt version, tool policy version, and data classification fields. |
Acquisition-grade direction
The forward-looking product surface is a premium MCP feature:
evidence.generate_bundle. An agent, GRC system, or security
orchestrator requests a bundle for a workflow and period; the MCP
server returns a signed manifest, summary report, and deep links
to retained logs.
That feature is valuable because it makes AI adoption easy for enterprises without hiding the control surface:
- Security teams get a clean chain of custody per finding.
- GRC teams get exportable evidence without learning the agent stack.
- Platform teams get a stable schema for gateway, CI, and ticket events.
- Model and agent vendors get a credible enterprise control story for autonomous remediation.
Operating rules
- Generate bundles on a schedule. Monthly for active workflows; quarterly for audit archive.
- Fail closed on missing events. A merged PR with no verification event is a control gap, not a reporting nuance.
- Keep raw logs elsewhere. The bundle is an index and summary; retention systems still hold full gateway, CI, and repository logs.
- Version the schema. Add fields freely, but never silently change the meaning of an existing field.
- Treat the bundle as evidence. Store it with write-once or immutable-retention settings where your compliance program requires it.
See also
- Agentic Run Receipts - the per-run evidence contract that bundles package
- Compliance & Audit - control mapping and auditor questions
- Program Metrics & KPIs - operational measurements that complement evidence bundles
- MCP Server Access - where tool-call logs and policy events originate