Certifying AI Agent Outputs: Digital Evidence with Legal Value
AI agents are reshaping enterprise operations. They generate reports, produce evaluations, draft analyses and make operational decisions autonomously. Every day, thousands of organizations trust AI systems with tasks that until recently required hours of human work.
The problem surfaces when someone challenges one of these outputs. A document generated by an AI agent can be modified after creation, intentionally or by mistake. Without proof that locks the exact content at the moment of generation, the organization has no way to demonstrate what the agent actually produced. And with the Product Liability Directive 2024/2853 introducing strict liability for AI software from December 2026, this evidentiary gap becomes a tangible risk.
The answer lies in certifying AI agent data at the moment of generation: a digital seal and a qualified timestamp that make the output immutable, verifiable and legally enforceable.
This insight is part of our guide: Data Certification for AI Agents: Governance, Compliance and Legal Liability
The legal risk of uncertified AI outputs
The European regulatory framework is converging on a clear principle: organizations using AI systems are responsible for demonstrating that their processes are compliant, traceable and verifiable. Three regulations directly impact how AI agent outputs must be managed.
Product Liability Directive 2024/2853: strict liability and presumption of defectiveness
The new EU Product Liability Directive explicitly extends the definition of "product" to software and AI systems. The critical point for businesses using AI agents is the presumption of defectiveness: when damage is caused by a manifest malfunction during normal use, the product is presumed defective. And when technical complexity prevents the injured party from proving causation, the court may presume both defectiveness and the causal link.
In practical terms: if an AI agent produces an output that causes harm and the company cannot demonstrate exactly what the agent generated and when, the burden of proof shifts. The company must prove the output was not defective. Without certification with a certain date, this proof does not exist.
The Directive also introduces the concept of "substantial modification": a software update or the AI's post-sale learning can make the modifier liable as if they were the manufacturer. EU Member States must transpose the Directive by 9 December 2026.
GDPR Article 22 and the right to explanation: why original output evidence matters
Article 22 of the GDPR prohibits decisions based solely on automated processing that produce legal effects or significantly affect individuals. When an AI agent evaluates candidates, assigns a credit score or determines service eligibility, the data subject has the right to an explanation of the logic involved and to contest the decision.
The Court of Justice of the EU clarified in 2025 that merely communicating a mathematical formula does not constitute an adequate explanation. What is required is a concise and intelligible description of the decision-making process. To provide this explanation, the organization must have the original agent output, with certainty that it has not been altered after generation.
Without certification, the company risks an impossible defensive position: it must explain a decision without being able to prove what the actual output was that determined it.
How AI output certification works
Certifying an AI agent's output means applying, at the very moment of generation, a digital seal and a qualified timestamp that guarantee two fundamental properties: content immutability and a certain date of creation. TrueScreen implements this certification through a forensic acquisition process that captures the output, seals it and makes it independently verifiable for a minimum of 20 years.
Digital seal and qualified timestamp under eIDAS
The eIDAS Regulation establishes the probative value of qualified electronic seals and qualified timestamps across all EU Member States. Article 42 provides the presumption of accuracy for the indicated date and time: in a dispute, the opposing party must prove the date is inaccurate, not the party that applied the timestamp.
Applied to AI agent outputs, this mechanism creates a solid evidentiary chain:
- The output is captured at the moment of generation using forensic methodology
- The qualified digital seal binds the content to the organization's identity
- The qualified timestamp certifies the exact moment of creation
- Any subsequent modification to the content invalidates the seal, making tampering immediately detectable
The result is digital evidence admissible in court across all EU countries, with a presumption of integrity and a certain date.
| Regulation | Key requirement for AI outputs | Role of certification |
|---|---|---|
| PLD 2024/2853 | Prove the output was not defective at generation time | Immutable proof with a certain date of the original output |
| eIDAS (Art. 41-42) | Presumption of date accuracy and content integrity | Qualified seal + timestamp with EU-wide legal value |
| GDPR (Art. 22) | Explainability and contestability of automated decisions | Preservation of the original output as the basis for explanation |
| AI Act (Art. 12, 50) | Traceability and record-keeping for high-risk systems | Certified audit trail with forensic value |
The HR scenario: AI candidate evaluations challenged in court
A concrete case illustrates the practical impact. A company uses an AI agent for initial candidate screening. The agent generates a report with scores, rationale and recommendations for each candidate. An excluded candidate challenges the decision, alleging the system operated in a discriminatory manner.
In the United States, the Mobley v. Workday case (2025) achieved class action certification on precisely these grounds: AI screening tools allegedly penalized candidates based on protected characteristics such as age and ethnicity. In Europe, GDPR Article 22 grants comparable rights to anyone subject to automated decisions.
In this scenario, the company must produce the exact AI agent output for that candidate, with proof that the document was not modified after generation. It must be able to reconstruct the decision logic and demonstrate that the system was functioning correctly at the time of evaluation.
With output certification through the TrueScreen API, every report generated by the agent is captured using forensic methodology at the moment of creation. The digital seal and qualified timestamp guarantee that the document presented in court is identical to what the agent produced. The company can demonstrate the original content, the date of generation and the absence of tampering, transforming a legal risk into a solid defensive position.
