How Australia’s critical-infrastructure obligations become a continuous, cryptographically assured, always-audit-ready capability, for the AI agents now running inside regulated estates.
General information, not legal advice. This paper describes an operating model and Tovel’s current, shipped capability. It does not assert coverage of any framework Tovel has not shipped, and it references no customer Tovel has not been cleared to name. Where a claim would need a record to back it, that record is described rather than asserted.
Australia’s critical-infrastructure regime asks operators to run a living risk-management program, not to pass a point-in-time inspection. Yet the evidence most teams produce for it, screenshots, exports and quarterly attestations, is stale the day it is collected.
AI agents widen that gap. An agent that reads private data, ingests untrusted content and can reach external systems is exactly the combination the regime is designed to keep controlled, and it changes state faster than any manual evidence cycle can track. The question a regulator, a board or an insurer will ask is no longer “what is your policy?” but “show me what actually happened, on that action, at that time.”
This paper sets out a model that answers that question by construction. Each application runs inside an isolated enclave; every agent turn passes through a fixed harness of controls; and every consequential decision seals into an append-only, hash-chained evidence locker you can export and verify. Obligation becomes a byproduct of operating, not a project you run twice a year.
Under the Security of Critical Infrastructure Act’s risk-management program obligations, and the sector-specific security rules that sit alongside them, responsible entities are expected to identify material risks to their assets, apply and maintain controls, and be able to demonstrate that those controls are operating, on an ongoing basis. The telecommunications sector carries analogous security and competent-oversight expectations.
Two properties of the regime matter most for this paper. First, it is continuous: the obligation is to keep controls effective over time, not to certify a snapshot. Second, it is evidentiary: an operator is expected to be able to show, on request, that a control was in force when a given action occurred, and who was accountable.
From attestation to demonstration. It is no longer enough to hold a policy that says an action requires approval; you are expected to show the approval that was actually given, for the action that actually ran.
That shift is manageable for slow, human systems. It is unmanageable for autonomous ones unless the evidence is produced by the system itself, at the moment of action, in a form nobody can quietly revise later.
Most assurance today is reconstructed after the fact from logs that were never designed to be evidence: they are mutable, scattered across tools, and silent on the questions that matter, who was accountable, what data was touched, whether a human signed off. For a periodic control that is uncomfortable. For an autonomous agent it fails outright.
Risk concentrates when a single agent can, in one action, hold three capabilities at once: access to private data, exposure to untrusted content, and the ability to communicate externally. That combination is what turns a prompt-injection or a poisoned document into exfiltration.
The riskiest agents are usually the ones nobody registered: scheduled scripts with standing credentials, copilots wired to production, MCP servers with no owner. They generate no reliable evidence because no one decided they should.
Closing the gap is not a matter of collecting more logs. It requires the evidence to be a designed output of the runtime, produced at the point of action and sealed so it cannot be edited afterwards.
You bring an application or agent; Tovel runs it inside a dedicated, isolated enclave. Only two things cross the boundary: least-privilege scopes going in, and signed evidence coming out.
Inside the enclave, every agent carries a cryptographic identity, a trust tier and a named human owner. The enclave is the unit you assess, score and export, which is also the unit an auditor can reason about.
The same six control layers apply to every agent, on every turn, from the orchestration loop down to an independent verifier. None is optional; the record shows each one was applied.
Guardrail verdicts, human approvals, tool calls and verifier checks are written to an append-only evidence locker, hash-chained so a record cannot be altered after the fact, and exportable for board, auditor or insurer review. A record does not contain the raw payload; it contains proof of what was decided and by whom.
Data and inference stay in Australia, on AWS Bedrock and AgentCore in Sydney (ap-southeast-2). No inference leaves the region, and the enclave’s raw traces and payloads are never exfiltrated.
Because evidence is produced continuously and sealed as it is created, an audit pack is an assembly step, not a collection project. Posture is scored against the framework packs Tovel has shipped and you have enabled; the export is the same record a board can read and an auditor can verify. Anything that leaves the enclave is reviewed by a named human first.
The result is the property the regime is really asking for: on any given action, at any given time, you can show the control that was in force, the data it touched, the person accountable, and the proof that none of it was edited after the fact.
Regulated buyers distrust hype. So we are explicit about the line between what Tovel evidences today and what it does not.
A 30-minute walkthrough: we stand up an enclave around one of your agents and walk the harness, the maturity matrix and the evidence a board can read.