- Home
- The Thinking Wire
- Two Reasons You Can't Audit Your Agent
A security practitioner inspected the “extended thinking” output of Claude Code in June 2026 and reported something most teams have never checked: the visible reasoning trace appears to be a generated summary, while the authentic trace returns as an encrypted signature of roughly 600 characters. Reading the genuine reasoning, by his account, requires an enterprise agreement and a vendor key.
Treat that as observed behavior from a first-party inspection, not an Anthropic-confirmed specification. The implication still lands. If your audit process relies on reading what the agent “thought,” you may be reading a plausible reconstruction, gated behind a paid tier, rather than the computation that produced the answer.
That is the first reason you can’t audit your agent. There is a second, and it has nothing to do with access. Even when the output is fully visible, it is the model’s most-confident answer, not its verified-correct one. Two independent failure modes, one conclusion: the trust you place in agent output cannot come from the agent.
Reason One: The Reasoning Is Behind a Paywall
Many governance frameworks adopted in the last eighteen months treat chain-of-thought as an audit trail. The pitch was clean. The model shows its work, a reviewer reads the steps, errors get caught before they ship. Auditability becomes a feature you can read.
The McCanna inspection complicates that picture in a way the existing interpretability literature did not. We already knew, from Anthropic’s own research, that displayed reasoning is post-hoc rationalization rather than a log of the actual computation. We covered that in When Your AI Explains Its Reasoning, It’s Making It Up. The new wrinkle is access. The summary you see is not just unfaithful to the internal process. It may also be a different artifact from the authentic trace, which is encrypted and reserved for customers who sign the right contract.
Consider what that does to a compliance review. A regulated firm wants to show an auditor why an agent approved a transaction, flagged a document, or escalated a case. The reviewer opens the reasoning panel. What appears is a readable narrative. It looks like evidence. Under this observed behavior, it is a summary the vendor produced for display, while the trace that might actually explain the decision sits behind an enterprise key the firm may not hold.
Auditability is quietly becoming a tiered product. The free experience gives you a story. The paid experience gives you something closer to the trace. Neither, per the interpretability research, is a faithful record of the computation. So even the enterprise key buys access, not certainty.
Reason Two: Confident Is Not Correct
The second failure mode is more fundamental, and Konvoy framed it sharply in June 2026. A language model returns the answer it considers most probable given its training and your prompt. Probable is not proven. The model has no internal mechanism that separates “this is likely the right token sequence” from “this is verified true.”
Konvoy is a venture firm, not a formal-methods lab, so read their framing as an investment thesis with a point worth keeping. Their line is the useful part: a language model tells you what is likely true, while a verified system tells you what is certainly true. For an arithmetic answer, the difference is academic. For a contract clause, a dosage, a tax position, or a safety interlock, the difference is the whole point of having a control function.
Konvoy’s proposed direction is a formal-verification stack wrapped around the model: proof assistants like Lean 4, Coq, and Isabelle, symbolic engines like Wolfram Alpha, and research systems such as DeepMind’s AlphaProof and AlphaGeometry 2, or Harmonic’s Aristotle. The common thread is determinism. These systems do not return a confident guess. They return a result that either checks out against formal rules or does not, with no probability attached.
You do not need a theorem prover bolted to every workflow to use the insight. The principle is portable. Wherever an agent’s output feeds a decision that matters, a separate, deterministic check should sit between the agent and the consequence. The check does not ask the model to grade itself. It evaluates the output against a source of truth the model cannot influence.
Why the Answer Is Not a Smarter Model
The reflex, when an agent gets something wrong, is to wait for the next model. Better weights, longer context, higher benchmark scores. That instinct misreads both failure modes.
A smarter model does not unencrypt its own reasoning trace. The access barrier is a commercial and architectural decision, not an intelligence limit. And a smarter model is still a probabilistic one. Raising the average confidence of a guess does not convert it into a proof. The most capable model on the market still returns its most-likely answer, delivered with the same fluency whether it is right or wrong. We made the adjacent argument in When the Model Decides Before It Reasons: the order of operations inside the model already breaks the assumption that the visible reasoning drives the conclusion.
The structural answer is to stop asking the model to be its own auditor. Verification has to be external, deterministic where possible, and independent of the system it checks. We laid out the building blocks of that posture in Structured Reasoning Is a Governance Requirement and in The Attribution Loop You Can’t Audit. The throughline across all of them is the same: a system that produces an output cannot be the system that certifies it.
What an External Verification Layer Looks Like
In practice, the layer is less exotic than a proof assistant and more disciplined than a second model reviewing the first. It has three properties worth holding to.
It is independent. The check runs on infrastructure the agent does not control, against data the agent did not generate. A model verifying its own output, or a second model trained on the same distribution, inherits the same blind spots.
It is deterministic where the domain allows. Numbers reconcile against ledgers. Dates validate against calendars. Entitlements check against a permissions table. Where a domain has formal rules, the verification should be a rule check, not a vibe check.
It is auditable on its own terms. The verification layer produces a record that does not depend on reading the agent’s encrypted reasoning. You log what was checked, against what source, with what result. That record is the audit trail, and it survives whether or not you ever buy the enterprise key.
This is more expensive than trusting a reasoning panel. It is also the only version of trust that holds when the reasoning is encrypted and the answer is merely probable.
Do This Now
Pick one agent workflow where a wrong output has real consequences. Map the path from the agent’s answer to the decision it drives. Then insert one deterministic check between them that does not ask the model to grade itself: a reconciliation, a rule validation, an entitlement lookup against a source the agent cannot touch. Log the result. You now have an audit trail that does not depend on a reasoning trace you may never be allowed to read.
This analysis synthesizes The text in Claude Code’s Extended Thinking output is not authentic (Patrick McCanna, June 2026, first-party inspection) and How Sure is Your AI? (Konvoy Ventures, June 2026).
Victorino Group helps enterprises build external verification layers that hold even when the agent’s reasoning is encrypted. Let’s talk.
All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com . About The Thinking Wire →
If this resonates, let's talk
We help companies implement AI without losing control.
Schedule a Conversation