Runtime Governance Series

AI Governance Needs Proof, Not Logs

AI Governance Needs Proof, Not Logs

Published on

Subscribe to our newsletter

By submitting your email, you agree to our Privacy Policy and consent to receiving updates from us

Google Was Just Held Liable for Its AI’s False Claims. Here Is What Your AI Agent Audit Trail Must Prove.
A German court has held Google directly responsible for false statements its AI generated. For any enterprise running AI agents, the lesson is blunt: you own what your agents do, and you need to be able to prove it.

Two Munich publishers typed their own names into Google and found themselves accused of fraud. Google’s AI Overview had tied them to scams, subscription traps, and dubious business practices, connections that appeared in none of the sources it cited. The publishers had not been accused of anything. The AI made the connections up, and the ruling it triggered should reshape how every enterprise thinks about its AI agent audit trail.

On 28 May 2026, the Regional Court of Munich I (Landgericht München I) granted a preliminary injunction against Google over those statements (case 26 O 869/26). The court held Google directly responsible for what its AI Overviews say, not a neutral host of third-party results. Google’s defense, that users can verify the sources themselves, failed.

The decision is not yet final. It is a preliminary injunction that can be appealed, and a full ruling on the merits is still pending. The reasoning is what matters for anyone deploying AI, because it answers a question every enterprise running agents will eventually face: when your AI generates something false, who is responsible? The court’s answer was the company that deployed it.

What the Munich ruling means for every enterprise deploying AI agents

The ruling removes a comfortable assumption: that the company running an AI can treat its output as someone else’s problem. The court drew a sharp line between two things. Classic search results point to third-party pages, which have long given search engines a limited, indirect liability role. An AI Overview, the court found, writes new statements of its own, so the court classified Google as a direct interferer (unmittelbarer Störer) for them. The old search-engine shield did not apply.

The court also rejected the idea that responsibility shifts to the user. Knowing that AI output can be wrong does not relieve the deployer of the duty not to publish false claims about identifiable companies. Google was ordered to bear 80 percent of the costs, with fines of up to 250,000 euros for each future violation of the order.

Now read it as an enterprise running agents, where the implication (not the court’s holding) becomes clear. Most enterprise agents go further than an Overview. They do not only summarize, they act: they send the email, move the money, update the record, file the ticket. If a generated sentence can create liability, an action taken on a false premise is a larger exposure, not a smaller one.

One caveat keeps this honest. This is a single regional court, a preliminary decision, under German law, on a search product rather than an enterprise agent. It is not binding precedent and the facts are not yours. The transferable part is the principle: the deployer owns the output. Once you accept that, the question stops being legal and becomes evidentiary. When something goes wrong, you have to show exactly what your agent did, when, and under which policy.

Why logging alone fails: the proof gap in your AI agent audit trail

Most teams already log agent activity. The problem is that logs prove what happened to you, not to a skeptical outsider. Observability tools, traces, dashboards, and session replay are built to debug. They answer one question well: what happened. In a dispute, the other side asks a different one: whether the record could have been quietly edited after the incident.

Standard logs are mutable, self-attested, and easy to challenge. You vouch for them, which is exactly the weakness a regulator or opposing counsel will press. Call this the proof gap: the distance between a record you can read and a record you can prove was never altered. Observability narrows the first gap. It does nothing for the second.

The table below sets the two apart on the dimensions that decide a dispute.


Observability / logging

Cryptographic attestation

Question it answers

What happened, for debugging

What happened, provably unaltered, for defending

Editability after the fact

Yes, often without a trace

None; any change breaks the cryptographic root

Source of trust

You do, self-attested

Math does, a signature anyone can verify

Strength under legal challenge

Weak; the record could have been changed

Strong; tampering is detectable

Built for

Engineers diagnosing issues

Auditors, regulators, and courts

How cryptographic attestation turns an audit trail into evidence you can defend

Cryptographic attestation closes the proof gap by making every recorded decision tamper-evident. OpenBox (docs.openbox.ai) records each governance decision in an immutable audit trail with full context: a timestamp, the agent, the verdict applied, the reason, and the workflow run that produced it. Records cannot be changed after they are written.

When a session ends, OpenBox hashes each event with SHA-256 and combines those hashes into a Merkle tree, then digitally signs the single root of that tree. The output is a proof certificate holding the Merkle root, the signature, and the event count, one per session.

The point of the Merkle structure is simple: change any single event and the root no longer matches, so tampering is detectable without re-reading the whole log. Think of it as one wax seal stretched across every page at once. Alter a page and the seal no longer fits.

Signing happens through AWS KMS with ECDSA P-256 by default, or through external attestation against your own endpoint, including a Trusted Execution Environment for hardware-backed proof. Attestation is also decoupled from enforcement. A blocked or halted action is still recorded and signed, so the signature proves what the agent did and what decision was made, not that the action was permitted. The fact that an agent was stopped becomes provable too.

OpenBox lists legal disputes as an explicit use case for this: demonstrating with cryptographic certainty that an agent’s actions were governed at a specific time. One honest limit applies. Cryptographic proof does not by itself guarantee that any given court will admit it, since admissibility and weight are decisions for the court and vary by jurisdiction.

What it removes is the easiest attack on your record: the claim that it could have been altered after the fact. That maps onto exactly what the Munich court cared about, whether a specific statement can be tied to a specific actor at a specific time.

The burden of proof is moving to the deployer

The Munich injunction is one preliminary decision in one country, and it may yet be narrowed or overturned on appeal. The direction is the part worth watching, and it is not really about Google. As enterprises hand more decisions to AI agents, the burden of proof moves to whoever deployed them. An AI agent audit trail that anyone could have quietly edited will not carry that burden. One that is cryptographically signed can.

OpenBox (docs.openbox.ai) builds a tamper-proof, signed proof certificate for every governed agent session, designed to be shown to an auditor rather than just read internally. See how OpenBox creates tamper-proof evidence of every agent decision, and book a demo when you want to put it against your own workflows.

Frequently asked questions

Did a German court really hold Google liable for its AI’s answers?

In a preliminary injunction dated 28 May 2026, the Regional Court of Munich I held Google directly responsible for false statements in its AI Overviews about two publishers. The decision is not final and can be appealed, but it treated the AI’s output as Google’s own content rather than third-party results.

What is an AI agent audit trail?

It is the recorded history of what an agent did: each action, the decision applied to it such as allowed, blocked, or halted, the reason, and the time. It is the record you rely on to investigate incidents and to answer auditors or regulators when they ask what happened and why.

Why is normal logging not enough for compliance?

Standard logs show what happened but are usually mutable and self-attested, so a skeptical reviewer can argue they were edited after the fact. Compliance and legal disputes often turn on whether a record can be proven unaltered, which ordinary application logs cannot demonstrate on their own.

What is cryptographic attestation, and how does a Merkle tree help?

Attestation hashes each event and combines the hashes into a Merkle tree, then signs the single root. Change any event and the root no longer matches, so tampering is detectable. The signed proof certificate lets anyone verify the record was not altered after it was written.

Does cryptographic proof make my audit trail admissible in court?

Not automatically. Admissibility and evidentiary weight are decided by the court and vary by jurisdiction. What attestation removes is the easiest challenge, that the log could have been altered after the fact. It strengthens the record rather than guaranteeing any particular legal outcome.

How does OpenBox attest agent activity?

OpenBox (docs.openbox.ai) records every governance decision in an immutable audit trail, then hashes each session’s events into a Merkle tree and signs the root, by default with AWS KMS using ECDSA P-256 or your own external attestation service. Each session yields a proof certificate with the Merkle root, signature, and event count.

Sources

Landgericht München I, Endurteil of 28 May 2026, case 26 O 869/26 (einstweilige Verfügung / preliminary injunction; not legally final). Certified copy of the judgment (full text): https://the-decoder.de/wp-content/uploads/2026/06/26_O_869_26_begl_Abschrift_Urteil_v_28_05_2026_Geschwaerzt_Geschwaerzt_Geschwaerzt.pdf. Accessed 16 June 2026.

OpenBox (docs.openbox.ai), Attestation and Cryptographic Proof: https://docs.openbox.ai/administration/attestation-and-cryptographic-proof. Accessed 16 June 2026.

OpenBox (docs.openbox.ai), Compliance and Audit: https://docs.openbox.ai/administration/compliance-and-audit. Accessed 16 June 2026.



Trustworthy AI
Starts Here

By submitting your email, you agree to our Privacy Policy and consent to receiving updates from us

Trustworthy AI
Starts Here

By submitting your email, you agree to our Privacy Policy and consent to receiving updates from us

Trustworthy AI
Starts Here

By submitting your email, you agree to our Privacy Policy and consent to receiving updates from us

Trustworthy AI
Starts Here

By submitting your email, you agree to our Privacy Policy and consent to receiving updates from us

OpenBox AI and Temporal Introduce Runtime Governance for Long-Running Agents. Read More

OpenBox AI and Temporal Introduce Runtime Governance for Long-Running Agents. Read More

  • OpenBox AI and Temporal Introduce Runtime Governance for Long-Running Agents. Read More