Nobulex Audit — May 2026

25 AI Agents.
Zero Receipts.

Median composite score: 32 / 100
Agents producing cryptographic per-action receipts by default: 0

We audited 25 major AI agents for one thing: do they produce cryptographic proof of what they actually did?

Not logs. Not conversation history. Not vendor-controlled records. Cryptographic receipts. Signed at execution time. Independently verifiable. Tamper-evident.

The answer, across every agent we tested, is no.

Akeyless — State of AI Agent Identity Security, May 12 2026
2/3 of enterprises suspect agents accessed unauthorized data
14 hours average detection time for a compromised agent
7% have controls that would stop it

The detection problem is a receipts problem. An agent that produces no signed record of its actions takes 14 hours to detect because you're hunting behavioral anomalies. An agent that produces a bilateral receipt for every action can be verified in real time.

None of the 25 agents we tested close this gap.

The Scores

Composite score out of 100 — higher is better
Median score: 32
0 / 25 produce cryptographic receipts

Microsoft Copilot: 55 (no receipts)
Stripe Agent: 55 (no receipts)
GitHub Copilot: 50 (no receipts)
Amazon Q: 48 (no receipts)
Gemini Code Assist: 45 (no receipts)
Salesforce Einstein: 42 (no receipts)
Replit Agent: 40 (no receipts)
Claude Code: 35 (no receipts)
OpenAI Codex: 35 (no receipts)
Windsurf: 32 (no receipts)
Bolt.new: 30 (no receipts)
Tabnine: 30 (no receipts)
v0 by Vercel: 28 (no receipts)
Cline: 25 (no receipts)
Aider: 25 (no receipts)
Continue: 22 (no receipts)
AutoGPT: 20 (no receipts)
ChatDev: 20 (no receipts)
MetaGPT: 18 (no receipts)
Devin: 15 (no receipts)
Cursor: 15 (no receipts)
SWE-Agent: 15 (no receipts)
Lovable: 12 (no receipts)
Manus: 10 (no receipts)
Smol Developer: 8 (no receipts)

Methodology

Each agent was evaluated against five criteria. Scores reflect what exists in the agent's default behavior, not what could theoretically be added.

Cryptographic signing: Does the agent produce a cryptographic signature for each action it takes?
Bilateral attestation: Is the receipt countersigned by both the agent and the counterparty?
Independent verifiability: Can a third party verify the receipt without trusting the vendor?
Tamper evidence: Are actions hash-chained so gaps or modifications are detectable?
Audit trail completeness: Does the record cover every action, not just outcomes?
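To make the tamper-evidence criterion concrete, here is an added example (not Nobulex code and not taken from any audited agent) of a hash-chained action log and the check a verifier would run over it. The record fields (`seq`, `prev`, `action`, `hash`), the genesis value and the sample actions are all constructed for illustration, and signing is left out so the block covers only the chaining criterion.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder meaning "no previous receipt"

def _digest(body):
    # Canonical JSON (sorted keys, no whitespace) so every verifier hashes the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_receipt(chain, action):
    """Append a receipt that commits to the previous receipt's hash; return the new head."""
    body = {
        "seq": len(chain),
        "prev": chain[-1]["hash"] if chain else GENESIS,
        "action": action,
    }
    chain.append({**body, "hash": _digest(body)})
    return chain[-1]["hash"]

def verify_chain(chain, expected_head=None):
    """Return (ok, reason). expected_head is a head hash kept outside the log."""
    prev = GENESIS
    for i, r in enumerate(chain):
        body = {"seq": r["seq"], "prev": r["prev"], "action": r["action"]}
        if r["seq"] != i:
            return False, f"gap or reorder at position {i}"
        if r["prev"] != prev:
            return False, f"broken link at seq {i}"
        if r["hash"] != _digest(body):
            return False, f"modified receipt at seq {i}"
        prev = r["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: log truncated or replaced"
    return True, "ok"

def demo():
    chain, head = [], None
    for action in ("read:customers.csv", "http:POST /refund", "write:report.md"):
        head = append_receipt(chain, {"tool": action})  # constructed sample actions
    edited = [dict(r) for r in chain]
    edited[1]["action"] = {"tool": "http:GET /status"}  # in-place edit of one record
    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(chain[:1] + chain[2:], head),
        "truncated": verify_chain(chain[:2], head),
        "truncated_no_head": verify_chain(chain[:2]),
    }
```

The last case shows the limit of chaining alone: dropping the tail of the log passes unless the verifier holds the head hash independently. Whoever controls the log can also recompute every hash after an edit, which is the gap the signing and countersigning criteria address.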

EU AI Act Article 12 enforcement begins August 2, 2026. These agents will need to produce records that meet evidentiary standards. Currently, none do.

The Protocol

Nobulex is the open receipt layer. Ed25519 signed. Bilaterally attested. MIT licensed. Already merged into Microsoft's Agent Governance Toolkit.
