
The Receipt Principle: How Immutable Audit Trails Change Enterprise AI Deployment

Most AI agent frameworks log what happened. Lancelot proves what happened. The difference matters when an auditor asks for evidence, not anecdotes.

The Problem with Agent Logging

Every major AI agent framework ships with some form of logging. LangChain has LangSmith traces. CrewAI has event logs. AutoGen records conversation histories. These tools tell you what the agent did. They do not tell you what governance checks the agent passed through, who authorized the action, what risk classification was applied, or what the rollback path would be if something went wrong.

This distinction is invisible during development and catastrophic during an audit. A SOC 2 Type II auditor does not want to see a JSON trace of LLM calls. They want to see evidence that controls were operating effectively over a sustained period. They want to know that every action above a certain risk threshold was classified, evaluated, approved by an authorized party, verified after execution, and linked to a reversal mechanism.

Standard agent logs fail this test in four ways:

The result is that enterprises deploying AI agents must build a parallel compliance infrastructure on top of whatever the framework provides. Manual evidence gathering. Spreadsheets. Screenshots of dashboards. This is expensive, error-prone, and fundamentally disconnected from the system it claims to document.

The Receipt Principle

Lancelot operates on a simple axiom: if there is no receipt, it didn't happen. Every action that passes through the governance pipeline produces a structured, immutable receipt. Not a log line. A receipt.

A receipt is a structured record that captures the full governance context of an action: what the action was, what risk tier it was classified into (T0 through T3), whether it passed the Soul constraint check, what verification was performed after execution, and what rollback reference exists if the action needs to be reversed. This is not metadata bolted onto a log. It is the primary output of the governance pipeline.

Both success and failure paths produce receipts. If an action is blocked by a Soul constraint, that produces a receipt. If an action fails verification, that produces a receipt. If an action is escalated to owner approval and the owner denies it, that produces a receipt. The absence of a receipt is itself a governance violation, because it means something bypassed the pipeline entirely.

Receipts are immutable once written. They cannot be edited, deleted, or backdated. They form a directed acyclic graph (the receipt DAG) that represents the complete, tamper-evident history of every governance decision the system has made. This DAG is the ground truth. Not the logs. Not the dashboard. The receipts.

From Receipts to Compliance

The receipt DAG is not just an audit trail. It is a compliance-ready evidence store that maps directly to the control requirements of major regulatory frameworks.

SOC 2 Type II requires demonstrating that controls were operating effectively over a period of time, not just at a point-in-time snapshot. The receipt DAG provides continuous, timestamped evidence of every governance control execution. Auditors can query the DAG for any time range and see exactly which controls fired, how often, and whether they passed or failed. There is no sampling required because the coverage is 100%.
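The receipt DAG described in the previous section and the time-range evidence query above, as an added example that is not Lancelot's own code: receipts are hash-linked to their parents, the store is append-only, `verify()` detects any edit, deletion or dangling edge, and `query()` pulls receipts for an audit window. Field names, the tier strings and the timestamps are assumptions for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Receipt:
    """One governance decision. Field names are assumptions, not Lancelot's schema."""
    action: str        # what the agent attempted
    tier: str          # risk tier T0..T3 as named in the post
    soul_ok: bool      # did the Soul constraint check pass
    verified: bool     # post-execution verification outcome (False if never run)
    rollback_ref: str  # reference to the reversal mechanism ("" if action was blocked)
    ts: int            # timestamp in seconds; constructed values in the test
    parents: tuple     # digests of the receipts this one builds on (the DAG edges)

    def digest(self) -> str:
        # Canonical JSON so the hash does not depend on key order.
        body = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()

class ReceiptDAG:
    """Append-only store keyed by receipt digest; nothing is edited or deleted."""

    def __init__(self):
        self._by_hash = {}

    def append(self, r: Receipt) -> str:
        # A receipt that points at an unknown parent means something bypassed the pipeline.
        for p in r.parents:
            if p not in self._by_hash:
                raise ValueError(f"unknown parent {p[:8]}")
        h = r.digest()
        if h in self._by_hash:
            raise ValueError("duplicate receipt")
        self._by_hash[h] = r
        return h

    def verify(self) -> bool:
        # Tamper evidence: every receipt must still hash to its key, and every
        # parent edge must resolve. Mutating, backdating or deleting a receipt breaks this.
        return all(r.digest() == h and all(p in self._by_hash for p in r.parents)
                   for h, r in self._by_hash.items())

    def query(self, start: int, end: int, passed=None):
        # Time-range evidence pull for an auditor; passed=True/False filters by outcome.
        out = [r for r in self._by_hash.values() if start <= r.ts <= end]
        if passed is not None:
            out = [r for r in out if (r.soul_ok and r.verified) == passed]
        return sorted(out, key=lambda r: r.ts)
```

A blocked action is stored exactly like a successful one, so the absence of a receipt, not a failed receipt, is what signals a pipeline bypass.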

ISO 27001 requires documented information security management processes with evidence of consistent application. Every receipt records the security-relevant governance checks applied to an action, the classification rationale, and the verification outcome. The receipt DAG serves as the living evidence base for Annex A controls related to access management, operational security, and information security incident management.

GDPR Article 30 requires controllers to maintain records of processing activities. When an AI agent processes personal data, the receipt captures the processing activity, its legal basis (encoded in the Soul constraints), and the governance checks applied. This is not a manually maintained register. It is generated automatically as a byproduct of normal system operation.

Lancelot's compliance export subsystem generates framework-specific reports directly from the receipt DAG. One click for SOC 2 evidence packages. One click for ISO 27001 control documentation. One click for GDPR processing records. No manual evidence gathering. No spreadsheets. No screenshots of dashboards stitched together the night before an audit.

What This Means for Enterprise Adoption

Compliance is the single largest blocker for enterprise AI agent deployment. It is not a technical problem. The models are capable. The frameworks are functional. The blocker is that compliance teams cannot sign off on systems that produce no auditable evidence of governance. And they are right not to.

Most AI agent frameworks punt on this problem entirely. They provide capability and leave compliance as an exercise for the deployer. This means every enterprise that adopts these frameworks must build custom compliance infrastructure from scratch, at significant cost, with no guarantee that the result will satisfy an auditor.

Lancelot takes the opposite approach. When the audit trail is architectural rather than bolted on, compliance becomes a byproduct of normal operation. The system cannot operate without producing compliance evidence, because the receipts are generated by the same governance pipeline that authorizes actions. You do not need a separate compliance process. The compliance process is the execution process.

This changes the economics of enterprise AI deployment. The marginal cost of compliance approaches zero because the evidence generates itself. The time-to-audit drops from weeks of manual evidence gathering to minutes of report generation. And the confidence level increases because the evidence is immutable, complete, and structurally linked to the actions it documents.

The question for enterprise teams is not whether they need governance. It is whether they want governance that produces compliance evidence automatically or governance that requires a parallel manual process to document. The receipt principle makes that choice architectural.


Lancelot is free, open source, and deploys in one command. Constitutional governance with immutable audit trails from day one.
