Bringing attestation, provenance, and tamper-evident execution history to workflows and AI agents
For years, the cloud native ecosystem has focused on making distributed systems resilient.
Applications recover from failures. Services retry requests. Workflows survive crashes and resume where they left off. Durable execution has become a foundational building block for long-running business processes and, increasingly, AI agent systems.
But as organizations move AI agents and autonomous workflows into production, a new challenge is emerging:
How do you verify what happened in a tamper-evident way?
When a workflow triggers an activity, invokes a service, delegates work to another workflow, or coordinates multiple AI agents, how can downstream systems determine whether that execution context can be trusted?
How can security teams verify that execution history has not been altered? How can compliance teams establish a chain of custody for critical decisions? How can organizations prove how work was executed, trace where it originated, and verify that its history has remained intact?
Dapr 1.18 introduces a new set of capabilities designed to address these challenges: Workflow History Signing, Workflow History Propagation, and Workflow Attestation.
Together, these capabilities establish a foundation for Verifiable Execution in Dapr.
Why Observability Is Not Enough
Modern cloud native systems already generate enormous amounts of telemetry.
Logs explain what happened.
Metrics show performance.
Traces reveal execution paths.
Audit records provide historical context.
These capabilities are essential, but they all share a common limitation:
They require trust.
A log can be modified.
An audit record can be altered.
Execution context can be lost as requests move between services.
As systems become more distributed and AI agents become more autonomous, organizations increasingly need cryptographic assurances about execution history and provenance.
Observability tells you what happened.
Verifiable Execution helps you prove it.
Introducing Workflow History Signing
The first capability introduced in Dapr 1.18 is Workflow History Signing.
As workflow execution progresses, Dapr can generate cryptographic signatures over workflow history records.
These signatures create tamper-evident execution histories that can later be independently verified.
This allows organizations to detect whether workflow history has been modified after execution and establish stronger integrity guarantees around workflow state transitions.
For organizations operating in regulated environments or handling sensitive business processes, signed workflow history provides a significantly stronger foundation than relying solely on logs or database records.
Introducing Workflow History Propagation
Distributed systems rarely operate in isolation.
A workflow may invoke activities.
Activities may call services.
Services may trigger additional workflows.
AI agents may invoke tools that ultimately execute across multiple systems.
Understanding how a request arrived at a given component often requires reconstructing information from multiple logs and traces.
Dapr 1.18 introduces Workflow History Propagation, allowing execution lineage to travel with requests as work moves through the system.
This enables downstream services, workflows, and agents to understand:
- Where execution originated
- Which workflows participated
- The sequence of execution events
- The provenance of incoming work
Rather than treating execution context as local information, Dapr enables provenance to become a first-class part of distributed execution.
Introducing Workflow Attestation
History propagation establishes lineage.
Attestation establishes trust.
With Workflow Attestation, Dapr allows workflows and activities to receive cryptographically verifiable execution context.
This enables applications to make decisions based on verified provenance rather than assumptions.
For example:
- A bank’s wire transfer system may only accept requests originating from approved payment workflows, preventing direct API calls from bypassing fraud checks, approvals, and compliance reviews.
- A healthcare claims processor may validate workflow execution history before issuing reimbursement, ensuring the claim passed eligibility verification, fraud screening, and medical coding review.
- A pharmaceutical manufacturing platform may enforce governance policies based on workflow lineage, requiring proof that every quality-control and regulatory signoff step occurred before a batch can be released.
- A hospital AI care coordination agent may verify the provenance of delegated work before acting on it, ensuring medication recommendations originated from authorized clinical workflows and were not generated by an untrusted agent or system.
Attestation transforms execution context from informational metadata into a verifiable trust signal.
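A minimal model of the signed-history and attestation ideas described above, added here as an illustration; it is not Dapr's implementation, record format, or API. The `Event` type, `Append`, `Verify`, and the step names are hypothetical, and a single Ed25519 key stands in for the signing workload's identity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Event is a hypothetical history record, not Dapr's wire format.
type Event struct {
	Name     string   // step name, e.g. "FraudCheckPassed"
	PrevHash [32]byte // digest of the previous record, chaining the history
	Sig      []byte   // signature over this record's digest
}
func (e Event) digest() [32]byte { return sha256.Sum256(append([]byte(e.Name), e.PrevHash[:]...)) }
// Append signs a new record linked to the current tail of the history.
func Append(h []Event, name string, key ed25519.PrivateKey) []Event {
	e := Event{Name: name}
	if len(h) > 0 {
		e.PrevHash = h[len(h)-1].digest()
	}
	d := e.digest()
	e.Sig = ed25519.Sign(key, d[:])
	return append(h, e)
}

// Verify checks links and signatures, then that each required step is present.
func Verify(h []Event, pub ed25519.PublicKey, required ...string) error {
	seen, prev := map[string]bool{}, [32]byte{}
	for i, e := range h {
		d := e.digest()
		if e.PrevHash != prev || !ed25519.Verify(pub, d[:], e.Sig) {
			return fmt.Errorf("history altered at record %d", i)
		}
		seen[e.Name], prev = true, d
	}
	for _, r := range required {
		if !seen[r] {
			return fmt.Errorf("missing required step: %s", r)
		}
	}
	return nil
}

func main() {
	key := ed25519.NewKeyFromSeed(make([]byte, 32)) // constructed demo key
	h := Append(Append(nil, "FraudCheckPassed", key), "Approved", key)
	fmt.Println(Verify(h, key.Public().(ed25519.PublicKey), "FraudCheckPassed"))
}
```

Dropping records from the end leaves a shorter chain that still verifies, which is why the downstream check also names the steps it requires rather than relying on the signatures alone.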
Built on SPIFFE-based workload identity
Verifiable execution starts with verifiable identity.
Dapr has long embraced workload identity as a foundational security primitive through its use of SPIFFE identities. Every Dapr-enabled application receives a cryptographically verifiable identity that is used for mutual authentication and secure service-to-service communication.
The capabilities introduced in Dapr 1.18 build directly on this foundation.
Workflow attestation and execution provenance are tied to the identities of the participating workloads, allowing systems to establish not only what happened, but also who participated in the execution of a workflow.
This creates a chain of trust that spans:
- Workflow orchestrators
- Activities
- Services
- AI agents
- External systems
By combining SPIFFE-based workload identity with workflow history signing, provenance propagation, and attestation, Dapr extends cryptographic trust beyond communication and into execution itself.
Organizations can now verify not only the identity of a workload making a request, but also the execution lineage that led to that request.
Put another way:
SPIFFE answers “Who are you?”
Verifiable Execution answers “How did you get here?”
Together, they provide a stronger foundation for securing distributed systems and AI applications.
Why this matters for AI agents
The emergence of AI agents makes provenance and attestation increasingly important.
Unlike traditional applications, agents frequently:
- Invoke external tools
- Delegate work
- Interact with multiple services
- Trigger long-running workflows
- Coordinate with other agents
As these systems become responsible for business-critical decisions, organizations need stronger guarantees around how execution occurred.
Questions such as:
- Which agent initiated this action?
- Which workflow approved it?
- Which systems participated in the execution?
- Has execution history been modified?
- Can downstream systems trust this request?
become increasingly important.
Traditional agent systems often rely on trust assumptions between orchestrators, tools, and services. Dapr’s combination of SPIFFE-based workload identity and Verifiable Execution provides a stronger foundation, enabling systems to reason about both who is making a request and how that request came to exist.
The capabilities introduced in Dapr 1.18 provide a foundation for answering these questions through verifiable execution lineage and cryptographic attestation.
The result is a new building block for trustworthy AI systems.
From durable execution to verifiable execution
Dapr Workflows already provide durable execution, enabling long-running processes to survive failures, retries, restarts, and infrastructure disruptions. Dapr 1.18 extends this foundation.
Organizations can now not only recover execution, but also establish stronger guarantees about its integrity, provenance, and authenticity. This represents an important step toward building trustworthy distributed systems and trustworthy AI systems.
As cloud native architectures continue to evolve and AI agents become increasingly integrated into enterprise environments, the ability to verify execution history and provenance will become as important as the ability to recover from failure.
Looking ahead
The cloud native ecosystem has spent years making applications resilient. The next challenge is making them trustworthy.
Verifiable Execution represents an important step in that direction, bringing attestation, provenance, and tamper-evident execution history to workflows, services, and AI agents.
As organizations continue to adopt autonomous systems and agentic architectures, the ability to verify how work was performed may become just as important as the ability to perform the work itself.
Getting started
Workflow History Signing, Workflow History Propagation, and Workflow Attestation are available in Dapr 1.18.
We invite the community to experiment with these capabilities, provide feedback, and help shape the future of verifiable execution for cloud native applications, workflows, and AI agents.
The next generation of distributed systems needs more than resilience.
It needs trust.