What is Plexus™ by Subnet345
Prove what your AI agents did. Verify it yourself.
Plexus is the governance and audit substrate for AI agents. It attributes every action, records it by construction, and lets you recompute the proof outside our servers. Access control decides whether an agent may act; Plexus is the evidence of what it actually did, inside your boundary.
§ 01 The wedge
Independently verifiable
Recompute the proof yourself, outside our servers. You do not have to trust us.
Plexus publishes the hash formula and the external anchor for the record. You, or your auditor, recompute the anchor's recent-horizon scope and compare it against the published one, without our servers in the loop. A mismatch is a genuine tamper signal, not chain-growth noise. The anchor and the formula are public, so the check never depends on the vendor's word. And the record is produced by the substrate as your agents act, so it is a recomputable audit you did not have to build, instrument, or operate yourself.

§ 02 Feature
Access is the gate. Plexus is the record.
Access control decides whether an agent may act. Plexus records what it actually did.
Most agent tooling answers one question: is this agent allowed to act? That is the gate. It cannot tell an examiner what the agent did once it was let through. Plexus is the layer underneath: what the agent decided, who approved or refused it, and whether the evidence still holds up later.

§ 03 Feature
Attribution by construction
Every action is attributable to a specific agent, at a specific moment.
Plexus attributes each action to the agent that took it, the identity it ran under, the action it took, and the time it happened. Nothing is anonymous, and nothing is reconstructed after the fact. The record is created as the action runs, not assembled once someone asks.

§ 04 Feature
Governance coverage
See exactly how much of your operation is under governance, right now.
Coverage answers how much. Plexus shows the repositories and agents operating under governance and the share of actions that are attributed, so nothing is quietly unaccounted for. This view runs live against our own multi-agent operation today.

§ 05 Feature
Works across your AI stack
Claude Code, OpenAI Codex, and the other runtimes your teams run normalize into a single attribution record.
Plexus does not replace the agent tools your team already uses. It sits underneath them. Actions from different runtimes normalize into a single attributed record, so your evidence does not fracture across whichever tool each team happened to choose.

§ 06 Feature
A refusal is evidence too
Plexus records what the agents were stopped from doing, not only what they did.
When an action is refused, because policy denied it or a person declined it at the human-verification wall, the refusal itself is recorded as first-class evidence. The moments an agent was held back are as auditable as the moments it acted.

§ 07 The evidence, concretely
The records an auditor actually asks for. Not a description of them.
These are real records from a running Plexus fleet, with internal identities sanitized for demo. Every value is substrate-produced at the moment of the action, not reconstructed later. The digests are real, and you can recompute the proof yourself.
A single recorded action
The atomic unit Plexus records: who acted, how it was attributed, and the content digest, populated at ingest.
{
"id": 92,
"repo": "jrtorrez31337/executable-positive-geometry",
"commit_sha": "38121a40e7be515074f49ed5c79508eeb18e9f28",
"occurred_at": "2026-07-13T18:01:52Z",
"agent_attribution": "quant-phy-agent",
"attribution_method": "co_authored_by",
"runtime_class": "claude_code",
"author_email": "quant-phy-agent@demo.plexus",
"subject": "Fourth note: arrow-origins survey converged",
"body_digest": "046b76bd8f710dc187e4f9e78a28ac38cc15d2291902d442f6fccaa173a1fc54",
"signed": 0,
"parent_count": 1,
"files_changed": 3,
"bytes_delta": 1420
}Verify it without trusting us
An auditor recomputes the day’s chain digest and compares it to the anchor. The endpoint is unauthenticated.
$ curl -s https://plexus.example.com/api/v1/plexus/public/audit/anchor-verify?day=2026-07-12 | jq
{
"found": true,
"anchor_day": "2026-07-12",
"anchor_substrate": "s3-object-lock",
"stored_digest": "d1bdf3cd0935beb0b67dc8deb1b4f6078a59daea5156713449e9c359217966fa",
"recomputed_digest": "d1bdf3cd0935beb0b67dc8deb1b4f6078a59daea5156713449e9c359217966fa",
"match": true,
"chain_high_water_event_id": "52be126dc966d92a",
"verified_at": "2026-07-14T15:32:41Z"
}match: true means the stored digest and the digest recomputed from the actual events agree: no tampering since the anchor was published, visible to anyone who runs the check. A match: false is a tamper signal. The verifier walks the recent-horizon window bounded by the anchor, not the full chain from genesis, and that scope is deliberate. Why recent-horizon →
A day-scoped auditor packet, in coverage
Attribution method on that day: 8 from a signed Co-Authored-By trailer, 2 operator-corrected, 1 admin-corrected, 1 left unattributed and flagged. The substrate recorded every action; where the parser could not attribute one, it recorded the gap rather than guessing, and every human correction carries its own audit trail. That is the record-not-gate story in one packet.
Retention, operator-set
Event rows live for a window you configure at install and can change live, and the change is itself recorded. Regulated tiers commonly set multi-year retention, matching records rules such as SEC 17a-4.
Anchored daily, off your box
At each day’s rollover the chain’s high-water digest is published to a substrate you hold but do not fully control: S3 object-lock, WORM tape, or a partner-signed receipt.
Why an external anchor
A hash chain alone makes tampering inside the chain visible. The external anchor makes replacement of the whole chain visible: a substitute chain will not match a digest already committed off the operator’s box.
Wondering where Plexus fits?
See how it sits next to the access controls, observability, and identity tools you may already run.
See where we fit →Ready to put it to work?
There are three ways to engage, from a paid proof of value to a full design partnership.
See the ways to engage →