Version 2.5 update. v2.5 extends v2.4 in two specific ways. First, §4 closes with a new short subsection (§4.9 Documented co-emergence) that describes OVERT 1.0 and EATF's Agent Evidence Package (AEP) v1 as a documented case of independent, royalty-free category-emergence rather than vendor-driven category invention; the two artifacts are stewarded by separable organisations in different jurisdictions (Glacis Technologies in the US; Tyche Institute MTÜ in Estonia), released under royalty-free terms, with AEP v1 carrying an OVERT 1.0 receipt in every evidence package. A new Table 10 summarises the timeline. Second, §6 gains a new subsection (§6.3 Standards-body engagement and observer posture) that names the four bodies through which this category will be ratified — CEN-CENELEC JTC 21, ETSI TC ESI, ISO/IEC JTC 1/SC 42, and IETF SCITT — and states honestly the author's and Tyche Institute's current observer posture toward each, including what has and has not been submitted at the time of writing. The competing-interest disclosure (front and back) is tightened to reflect both additions: AEP is named alongside EATF; the observer-only posture toward the four standards bodies is disclosed at the front so any future submission through those channels can be weighed accordingly; the author's unpaid status as technical advisor is restated. The argument structure and the §5 taxonomy are unchanged from v2.4. The PQC-roadmap content added in v2.4 (Recommendation (EU) 2024/1101 and Estonia ROAD2PQ in §2.9 and Table 1) remains. The American-English orthography conversion from v2.1 and the nine numbered tables introduced in v2.1 are unchanged; Table 10 is added in §4.9. Prepared as a Zenodo new-version under concept DOI 10.5281/zenodo.20185410. Version 2.3 (17 May 2026) is a typography-fix revision of v2.2 (DOI 10.5281/zenodo.20255075). Argument structure and analytical claims are unchanged from v2.1 / v2.2. v2.3 fixes residual hanging-text issues reported on v2.2: Table captions glued to tables. A Table N — Title. caption no longer floats alone at the bottom of a page while the table itself opens the next page — both are wrapped in KeepTogether at the build stage. Stronger heading orphan control. Each section / subsection heading is now bound to its next two content blocks (intro paragraph + first table or list) rather than just the first one — more aggressive page-flow keeps headings with the content they introduce. Version 2.1 (17 May 2026) is a revision of v1.0 (14 May 2026, archived under the same concept DOI). v2.1 preserves the analytical claims and argument structure of v1.0 while applying the following revisions: Switches conventional spelling to American English; quoted passages from the AI Act, eIDAS, GDPR and NIS2 remain in their verbatim British form. Reorders §7 to lead with the methodological caveat. Splits AI-gateway and AI-guard layers in §5.6 (Lakera Guard reclassified as a guard layer with policy verdicts output, distinct from the gateway layer's flow controls). Restores §2.10 (W3C Verifiable Credentials and selective disclosure), missing from the v1.0 PDF rendering. Disambiguates the Linux Foundation AAIF artifact stack in §6.1 into protocol (MCP), framework (goose) and convention (AGENTS.md) layers. Adds nine numbered tables (regulatory baseline, adversary classes, requirements, defensive primitives, OVERT design principles, GIPAMR domains, AAL ladder, taxonomy overview, open research problems). Adds clickable cross-references, bracket-numbered citations, a two-level Table of Contents and a PDF outline sidebar tree. Tightens twelve specific passages for precision and brevity. The competing-interest disclosure remains as in v1.0; see §7 and the front-matter disclosure on p. 1. Version 2.2 (17 May 2026) is a typography-only revision of v2.1 (DOI 10.5281/zenodo.20254535, also 17 May 2026). The argument structure and analytical claims are unchanged from v2.1. v2.2 applies the following presentation changes: Switches the body font to a Palatino-class serif (URW P052, .otf converted to .ttf for reportlab compatibility) for a more academic feel than the v2.1 Liberation Serif. Centred page footer with title and page number (was left-aligned title + right-aligned number); date and version removed from the footer (live on the title page only). Tables wrapped in KeepTogether: long tables no longer split across pages awkwardly (header repeats on continuation per reportlab convention). Heading orphan protection: every section / subsection heading is bound to its first following content block, so a title never appears alone at the bottom of a page. Multi-line bullet and numbered-list continuation parses correctly (continuation lines no longer fragment the list into a stray paragraph). Adds reference-site URLs in §7: matx.ee, h2oatlas.ee, eaudit.ee (now clickable links in the PDF, previously named only in section headings). Version 2.1 (17 May 2026) is a revision of v1.0 (14 May 2026, archived under the same concept DOI). v2.1 preserves the analytical claims and argument structure of v1.0 while applying the following revisions: Switches conventional spelling to American English; quoted passages from the AI Act, eIDAS, GDPR and NIS2 remain in their verbatim British form. Reorders §7 to lead with the methodological caveat. Splits AI-gateway and AI-guard layers in §5.6 (Lakera Guard reclassified as a guard layer with policy verdicts output, distinct from the gateway layer's flow controls). Restores §2.10 (W3C Verifiable Credentials and selective disclosure), missing from the v1.0 PDF rendering. Disambiguates the Linux Foundation AAIF artifact stack in §6.1 into protocol (MCP), framework (goose) and convention (AGENTS.md) layers. Adds nine numbered tables (regulatory baseline, adversary classes, requirements, defensive primitives, OVERT design principles, GIPAMR domains, AAL ladder, taxonomy overview, open research problems). Adds clickable cross-references, bracket-numbered citations, a two-level Table of Contents and a PDF outline sidebar tree. Tightens twelve specific passages for precision and brevity. The competing-interest disclosure remains as in v1.0; see §7 and the front-matter disclosure on p. 1. Version 2.1 (17 May 2026) is a revision of v1.0 (14 May 2026, archived under the same concept DOI). v2.1 preserves the analytical claims and argument structure of v1.0 while applying the following revisions: Switches conventional spelling to American English; quoted passages from the AI Act, eIDAS, GDPR and NIS2 remain in their verbatim British form. Reorders §7 to lead with the methodological caveat. Splits AI-gateway and AI-guard layers in §5.6 (Lakera Guard reclassified as a guard layer with policy verdicts output, distinct from the gateway layer's flow controls). Restores §2.10 (W3C Verifiable Credentials and selective disclosure), missing from the v1.0 PDF rendering. Disambiguates the Linux Foundation AAIF artifact stack in §6.1 into protocol (MCP), framework (goose) and convention (AGENTS.md) layers. Adds nine numbered tables (regulatory baseline, adversary classes, requirements, defensive primitives, OVERT design principles, GIPAMR domains, AAL ladder, taxonomy overview, open research problems). Adds clickable cross-references, bracket-numbered citations, a two-level Table of Contents and a PDF outline sidebar tree. Tightens twelve specific passages for precision and brevity. The competing-interest disclosure remains as in v1.0; see §7 and the front-matter disclosure on p. 1. The European Union Artificial Intelligence Act (Regulation (EU) 2024/1689) imposes obligations on providers and deployers of high-risk AI systems that, on close reading of Articles 12, 14, 50 and 72 together with Annex IV and the Article 43 conformity assessment regime, presume the existence of independently verifiable evidence about agent behaviour. Conventional governance, risk and compliance (GRC) tooling, AI observability platforms, and policy documentation regimes do not, as a matter of architecture, produce such evidence: they aggregate operator-side assertions rather than cryptographically attested claims that a third party can validate without operator cooperation. A new category of systems has emerged in 2025–2026 that aims to close this gap by binding AI agent actions to signed, time-stamped, often hardware-rooted attestations. This paper presents the first comprehensive survey of cryptographic attestation approaches for AI agent governance. We motivate the problem by analysing the AI Act's record-keeping and conformity-assessment requirements alongside adjacent regulation (eIDAS 2.0, NIS2, GDPR) and horizontal management-system standards (ISO/IEC 42001:2023, the NIST AI RMF). We derive a threat model and operational requirements, survey the recently published OVERT 1.0 open standard as the first horizontal specification targeting this category, and propose a six-axis taxonomy covering hardware-rooted (TEE-based) attestation, software-only cryptographic attestation, identity-focused attestation, payment- and commerce-specific attestation, and two adjacent (non-attestation) categories: compliance automation platforms and AI gateway / runtime layers. We map each category to representative systems, identify standards bodies relevant to the trajectory (ETSI, CEN-CENELEC JTC 21, FIDO, Linux Foundation AAIF), articulate seven open research problems including reproducibility of non-deterministic outputs in conformity assessment and statistical safety attestation, and observe a structural geographic
Anton Sokolov (Sat,) studied this question.