· 6 min read

The Agent Should Not Be the Only Witness

AI agent verification gets stronger when proof comes from independent tools instead of the same model that created the work. The witness layer is what makes agent output reviewable.

The Agent Should Not Be the Only Witness

The uncomfortable thing about a lot of agent workflows is that the agent is both the worker and the witness.

It writes the code.

Then it tells you the code is good.

Then it summarizes the test results.

Then it explains the risk.

That can be useful, but it is not enough. If the only evidence for an agent’s work is another paragraph from the same agent, the system is still running on trust instead of proof.

The next layer I care about is the witness layer.

Not a smarter agent. Not a longer prompt. Not a more confident summary.

A separate layer that can observe the work, check the claims, preserve the evidence, and hand the human a decision packet that did not depend on the model grading its own homework.

The agent can create the work. The witness layer should verify the work.

That split is the difference between agent output that feels impressive and agent output that can survive review.

The self-reporting problem

Self-reporting is convenient.

An agent can say it ran the build. It can say tests passed. It can say it changed three files. It can say no secrets were touched. It can say the branch is clean. It can say the new behavior is covered.

Some of those claims may be true.

The issue is not that models always lie. The issue is that the claim is weaker than the artifact.

If a workflow depends on the agent remembering exactly what happened, representing it cleanly, and not losing context across tool calls, the workflow has an avoidable weak point.

I want fewer important facts living inside the agent’s memory.

I want more of them living in deterministic outputs:

  • the exact command that ran
  • the exit code
  • the changed files
  • the generated artifacts
  • the diff stats
  • the failed check before the fix
  • the environment details that matter
  • the human decision still required

That is why I keep coming back to receipts over autonomy and the agent handoff layer. The work is not done when the agent says it is done. The work is done when the next reviewer can make a faster, safer decision.

Witnesses are boring by design

A good witness tool should not be theatrical.

It should be boring in the way a checksum is boring. It should answer a narrow question without needing to be clever.

Did this command run?

Did the dependency lockfile change?

Did the PR body include the required sections?

Did a workflow gain broad permissions?

Did a prompt contract drift?

Did the generated files match the expected shape?

Did the tool catalog add a destructive action?

Those are not philosophical questions. They are inspectable facts.

Agent as witness

  • Claims are narrated
  • Proof is scattered in chat
  • Risk depends on model memory
  • Reviewer verifies from scratch
  • Failures are easy to smooth over

Independent witness layer

  • Claims are backed by artifacts
  • Proof travels with the work
  • Risk is flagged deterministically
  • Reviewer starts from evidence
  • Failures stay visible

The boringness is the point. Every fact the witness layer can produce is one less fact the model has to hold.

This is where tools beat prompts

There is a pattern in agentic engineering that keeps repeating:

When the failure mode is ambiguity, prompts help.

When the failure mode is verification, tools win.

A prompt can ask an agent to be careful with filesystem writes. A tool can show which files changed.

A prompt can ask an agent to check for risky GitHub Actions permissions. A tool like ActionPin can scan the workflow.

A prompt can ask for a strong handoff. A tool like Agent-QC can reject a weak PR body.

A prompt can ask an agent to explain a command run. A tool like RunReceipt can capture the command, output, and exit code.

A prompt can ask a reviewer to consider context. A tool like ReviewCue can build the local review packet before any model sees it.

The model still matters. It is good at interpretation, synthesis, and tradeoff reasoning. But the witness layer should handle the parts that should not depend on interpretation.

That boundary is where quality starts to compound.

Faster agents make this more important

Slow agents hide some of this pain because the human stays close to the work.

If an agent takes twenty minutes and needs constant steering, the reviewer often has a rough memory of what happened. The process is inefficient, but the context is still warm.

Fast agents change the problem.

If five agents can open five branches while I am away from the keyboard, the bottleneck is no longer creation. It is re-entry. I need to come back and decide what deserves attention.

That is when witness artifacts matter.

The faster the agent, the more independent the evidence needs to be.

Otherwise speed creates a review queue full of claims. The human has to reopen every case, rerun every command, inspect every assumption, and reconstruct every skipped detail. That is not leverage. That is deferred labor.

The better version is simple:

  1. The task is scoped before execution.
  2. The agent works in an isolated branch or worktree.
  3. The witness layer captures facts while the work happens.
  4. Deterministic checks mark what passed, failed, or stayed unverified.
  5. The human reviews a packet, not a transcript.

This is less magical than “the agent did everything.”

It is also much closer to how real teams will trust agents with more responsibility.

The witness layer is product surface

I do not think this is just internal plumbing.

The witness layer is product surface.

For a developer tool, it might show up as a local report, a PR body, a Markdown handoff, a proof bundle, or a dashboard queue. For an operator tool, it might show up as a dry-run plan before an external action. For a security tool, it might show up as a policy failure before a risky capability gets enabled.

The exact UI can vary. The contract should not.

The product should make it obvious:

  • what the agent was asked to do
  • what it actually changed
  • what evidence exists
  • what failed
  • what was not checked
  • what decision the human is being asked to make

That is the shape of a reviewable system.

This is also why I am skeptical of agent products that treat chat as the main artifact. Chat is useful for steering. It is a weak container for evidence. The review queue matters because it turns scattered activity into decisions.

The witness layer is what makes the queue worth trusting.

The deeper operating model

The operating model I keep landing on is:

  1. Agents produce candidate work.
  2. Witness tools produce independent evidence.
  3. Humans make accountable decisions.

That is not anti-agent. It is the path to more serious agents.

If I want an agent to do more, I need stronger boundaries around what it can claim. I need proof that survives the chat window. I need artifacts that another agent, another human, or future me can inspect without relying on the original run’s confidence.

Autonomy without a witness layer asks the human to trust the narrator.

Autonomy with a witness layer gives the human something to review.

That is the bar I want for the tools around agents now. Not just faster generation. Not just better summaries. Not just nicer orchestration.

Independent witnesses.

Because the agent should not be the only witness to its own work.

Roger Chappel

Roger Chappel

CTO and founder building AI-native SaaS at Axislabs.dev. Writing about shipping products, working with AI agents, and the solo founder grind.

New posts, shipping stories, and nerdy links straight to your inbox.

2× per month, pure signal, zero fluff.

#ai-agents #verification #developer-tools #engineering

Share this post on:

Back to Top
Steal this post → CC BY 4.0 · Code MIT