Regulators no longer ask whether an agent action happened. They ask the deploying organization to reconstruct who or what authorized it, scoped to what, valid until when, and how the boundary was held across the delegation chain. Application logs answer the first question. Only architecture-produced evidence answers the second.NIS2 Article 21, DORA Articles 6 / 8 / 17-19, and EU AI Act Annex IV name different obligations under different enforcement regimes but demand the same artifact: a cryptographically chained receipt of authority that survives partial-chain compromise. The capability-token + ZKP + attenuation-discipline architecture from Papers #1-4 of the Non-Human Identity Series produces that artifact by construction.Paper #5 of the Non-Human Identity Series. Series I closure. Bridges to Series II (PQC for AI Agent Systems), opening late June 2026.
Mohamad Amin Hasbini (Tue,) studied this question.