Future Native · Worked example · Confidential
The path one agent action takes, from the harness a firm already runs to the regulatory box a licensed officer has to tick.
Scenario: a Hong Kong SFC-licensed asset manager (Type 9, discretionary mandates) runs an in-house portfolio-rebalancing copilot. The Responsible Officer who owns the mandate needs to deploy it without putting their licence on the line.
The firm runs its own agent on a standard harness (e.g. the OpenAI Agents SDK) wrapping a frontier model, with tool access to the firm's OMS and market data.
Vendor-agnostic: OpenAI, Anthropic, or in-house. Future Native wraps whatever they run.
The copilot rebalances a discretionary mandate (the client pre-delegated and never approved this specific trade) and calls the OMS tool:
BUY 5,000 · 0700.HK
discretionary mandate · client #A-4192
Captured at the tool call. An agent's actions are its tool calls. Cartographer emits one record in the open Trust Manifest format, auto-signed under the officer's delegated authority.
It satisfies what the SFC Manager-in-Charge / RO accountability regime requires for an automated investment action:
// emitted the instant the OMS tool is called
{
  "manifest": "trust-manifest/v0.2",
  "seq": 4192,
  "prev": "sha256:1d9e…",  // chained per agent
  "agent": {
    "id": "did:fn:acme/agent/rebalance-copilot",
    "authority": "did:fn:acme/officer/j.chan"
  },  // RO · SFC CE-XXXXXX
  "action": "place_order",
  "data_scope": ["positions:read", "orders:write"],
  "counterparty": "HKEX:0700",
  "outcome": { "status": "executed", "reported": "BUY 5,000 @ 312.40" },
  "ts": "2026-07-02T01:22:07Z",
  "salt": "b7f0…",
  "sig": "ed25519:…"  // the officer's key, never ours
}
One record = one action. The card is a single place_order. A busy agent emits thousands; they chain per agent (seq/prev) and batch for anchoring (see the rail below).
Who signs? Not a human per action. The officer delegates authority to the agent once (a signed credential bound to their corporate identity and SFC licence), and every action is then auto-signed under that delegation. It scales to thousands of actions while staying bound to a named, liable person. (Chain structure is settled; the signature and delegation format is an implementation choice.)
A neutral auditor you have to trust isn't neutral. Anchoring is the only way the operator can prove it didn't alter, withhold, or backdate a record, including against itself. Keep the record in our own database and you are back to trusting Future Native, which is the one thing the thesis can't allow. This is why the chain is load-bearing rather than decoration: it makes the record verifiable independently of us.
What it guarantees, and the one thing it doesn't
A signed record can't be altered after the fact without detection.
Once a hash sits in an anchored root, no one can deny it existed or remove it from the history.
Nothing cryptographic forces an action to be recorded in the first place. The denominator problem.
Cryptography can't prove a log is exhaustive from inside a runtime the auditee controls, so we bound it the way every audit regime does: runtime hooks that instrument the agent instead of hand-logging, a per-agent sequence chain where a dropped action leaves a visible gap, certified coverage, and an officer personally liable for attesting the log is complete. A deliberate omission then becomes a false statement by a named person, not an invisible act. Human financial audit works the same way.
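A check of the per-agent seq/prev chain described above, showing how a withheld record and an edited record each surface. This is an added example, not Future Native's code: it assumes `prev` is the SHA-256 of the previous record's sorted-key compact JSON (the page does not specify the hashing rule), uses constructed records, and leaves out signature verification because the page leaves that format open.

```python
import copy
import hashlib
import json

def record_hash(record):
    # Assumption: hash = SHA-256 over sorted-key, compact JSON of the whole record.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(body).hexdigest()

def verify_chain(records):
    """Check one agent's records in order; return findings (empty list = intact)."""
    findings = []
    for earlier, later in zip(records, records[1:]):
        if later["agent"]["id"] != earlier["agent"]["id"]:
            findings.append(("foreign_agent", later["seq"]))
        elif later["seq"] <= earlier["seq"]:
            findings.append(("out_of_order", later["seq"]))
        elif later["seq"] != earlier["seq"] + 1:
            # A dropped action: report the missing sequence range.
            findings.append(("gap", earlier["seq"] + 1, later["seq"] - 1))
        elif later["prev"] != record_hash(earlier):
            # Contiguous seq, but the link no longer matches the predecessor.
            findings.append(("broken_link", later["seq"]))
    return findings

def build_sample_chain(n=4, first_seq=4190):
    """Constructed sample data: n chained place_order records for one agent."""
    chain, prev = [], "sha256:" + "0" * 64  # constructed starting value
    for i in range(n):
        rec = {
            "manifest": "trust-manifest/v0.2",
            "seq": first_seq + i,
            "prev": prev,
            "agent": {"id": "did:fn:acme/agent/rebalance-copilot"},
            "action": "place_order",
            "outcome": {"status": "executed", "reported": f"BUY {1000 * (i + 1)}"},
        }
        chain.append(rec)
        prev = record_hash(rec)
    return chain

def demo():
    intact = build_sample_chain()
    dropped = intact[:1] + intact[2:]            # record 4191 withheld
    edited = copy.deepcopy(intact)
    edited[1]["outcome"]["reported"] = "BUY 1"   # record 4191 altered afterwards
    return verify_chain(intact), verify_chain(dropped), verify_chain(edited)
```

Editing the newest record or truncating the tail is invisible to this check alone; comparing the latest hash against the anchored root covers that case.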
A monitoring tool watches the agent for you, and you hold the data. A regulator still has to trust your word for it. Useful, but it doesn't make anyone answerable.
A named licensed officer signs their authority into a record no one in the loop can alter, and the regulator verifies it themselves. Answerability is the whole product.
Observability is what happened. Accountability is who is answerable for it, provably, to a regulator who never has to trust us.