Here is a setup that is going to be normal soon, if it isn't already.

Alice logs into her company's tools through their identity provider. She points an agent at a task. That agent hands part of the work to a sub-agent, and the sub-agent calls a tool that lives in a partner company's system, behind a different identity provider. The tool does something it shouldn't. An auditor pulls the record.

Whose log knows it was Alice?

Not the agent's. The agent is a process; it can claim to be anyone. Not the model's either, which reads whatever it was handed and has no idea which human is behind the session. The honest answer in most deployments today is that the partner's system can prove a bot called it, and can prove which company's bot, and then the trail goes cold. The person who actually directed the action dissolves into "some agent at the vendor."

I have been building Crumb to refuse that outcome: a tamper-evident record that binds the individual human behind an agent's tool call, verifiable by someone who does not have to trust whoever ran the agent. Within a single identity provider, that chain was already working. This post is about the part that wasn't, and why it took longer than I expected.