system: OPERATIONAL
← back to all hacks
DEFENSE LOW NEW

Proving which agent produced a log, when the reseller owns the log

TRACE, published July 9, 2026, watermarks an agent's trajectory itself — surviving a reseller who can delete and rewrite the very log that provenance is judged from.

2026-07-16 // 6 min affects: llm-agents, tool-using-agents, agent-resellers, agent-provenance

What is this?

TRACE is a provenance watermark for the action log of an LLM agent, published on arXiv on July 9, 2026 by a team from the University of New South Wales, Griffith University, and CSIRO’s Data61. It targets a governance problem that is becoming urgent as agents reach end users through intermediaries: when an agent’s behavior is disputed after an incident, attribution rests on the trajectory log — the record of tool calls, observations, and executed actions. The awkward part is who holds that log. A reseller that licenses a developer’s agent, rebrands it, or quietly swaps in a cheaper model underneath is the same party that stores and edits the log for metering and billing. Any watermark read straight off that log can be stripped by the party being audited. TRACE is, per its authors, the first agent watermark designed to survive an adversary with full read and write access to the evidence itself.

How it works

The core idea is that a single watermark keyed one way always loses to one of the reseller’s two laundering moves, so TRACE carries two complementary signals on the same trajectory. A reseller that wants to shrink and sanitize a log deletes steps, which desynchronizes any key derived from position. A reseller that wants to rebrand a log rewrites observations and renames tools, which alters any key derived from content. No single keying resists both.

TRACE superposes two channels. The selection channel modulates which action the agent picks among the environment’s admissible options, using a distortion-free sampler keyed on preceding content; the authors prove the resulting action distribution equals the unwatermarked agent’s, and because the key is local content, a deletion only damages one neighboring key and detection resynchronizes at the next decision. The tally channel modulates how many records each decision group holds, keyed on the log’s structural skeleton alone — a quantity that rewriting cannot touch, giving that channel invariance under paraphrase or renaming of any strength. The paper shows the watermark’s detectable signal is bought with decision entropy (each decision pays at least half its entropy, deterministic decisions pay nothing), and that erasing both channels at once forces the reseller to edit the skeleton and corrupt a fraction of the trajectories it is being paid to deliver. We describe the mechanism at a conceptual level; the paper carries the formal proofs and detector statistics.

Why it matters

Provenance is the first step of accountability, and agents increasingly act rather than merely write — filing tickets, sending messages, executing code, running incident response. When one of those actions causes harm, an operator has to show which logged actions its agent did and did not take, and a platform auditing a partner’s traffic has to answer whether a given trajectory really came from the agent it claims. Governance proposals that call for agent identifiers and activity logs assume those logs can be attributed in the first place. TRACE addresses the case existing agent watermarks leave open: not an outside attacker who perturbs a log, but the intermediary who lawfully holds and edits it. Log signing proves integrity of a log you already trust, but a reseller relaying a rebranded trajectory simply drops the upstream signature; a behavioral watermark still speaks when the record-holder is the adversary.

Defenses

For teams building or buying agents, the practical takeaways are architectural rather than a single control.

  • Treat the trajectory log as the unit of attribution, not the token stream. Structured action logs discard the sampled tokens a text watermark would ride on; provenance for agents has to live in the decision and action sequence.
  • Assume the log-holder is in scope of your threat model. If a reseller, gateway, or downstream integrator can meter your agent, it can edit the evidence. Attribution schemes a partner can quietly strip provide no assurance in a contract dispute.
  • Layer provenance signals; do not rely on one. Behavioral watermarking sits alongside authenticated logging, attestation, and trusted execution environments. Signed logs prove tamper-evidence for logs you control; a distortion-free behavioral watermark adds a signal that survives deletion and rewriting by an untrusted holder.
  • Budget the watermark against task success. Because signal costs entropy, low-entropy agents with few branching decisions carry little; measure detectability on your own workloads before assuming a scheme attributes reliably on short trajectories.
  • Write attribution expectations into reseller agreements. Where an agent is resold or white-labeled, specify who may edit logs, what provenance must be preserved, and how model-substitution claims will be verified.

Status

ItemValue
TypeDefensive research — provenance watermark for agent trajectories
Threat modelReseller with full read/write access to the trajectory log (rebranding, model substitution)
MethodTwo channels: content-keyed distortion-free selection watermark + position-keyed tally watermark
Evaluated onToolBench and ALFWorld
Reported resultsMatches unwatermarked success rate; selection-channel detection near z≈100 on long trajectories; detectable under 70% step deletion; tally channel unchanged under LLM rewriting
PublishedJuly 9, 2026 (arXiv:2607.08400)
StatusAcademic preprint; not a product or vulnerability

Key dates: July 9, 2026 — TRACE preprint (arXiv:2607.08400) published. It builds on a 2026 line of agent-behavior watermarking (Agent Guide, AgentMark, AgentWM, ActHook) and related work on watermarking agent trajectories (arXiv:2602.18700). Author affiliations and results are those stated in the preprint.

Sources