Cryptographic Attestation for AI Agent Governance under the EU AI Act: A Survey of Approaches and Standards

The European Union Artificial Intelligence Act (Regulation (EU) 2024/1689) imposes obligations on providers and deployers of high-risk AI systems that, on close reading of Articles 12, 14, 50 and 72 together with Annex IV and the Article 43 conformity assessment regime, presume the existence of independently verifiable evidence about agent behaviour. Conventional governance, risk and compliance (GRC) tooling, AI observability platforms, and policy documentation regimes do not, as a matter of architecture, produce such evidence: they aggregate operator-side assertions rather than cryptographically attested claims that a third party can validate without operator cooperation. A new category of systems has emerged in 2025–2026 that aims to close this gap by binding AI agent actions to signed, time-stamped, often hardware-rooted attestations. This paper presents the first comprehensive survey of cryptographic attestation approaches for AI agent governance. We motivate the problem by analysing the AI Act's record-keeping and conformity-assessment requirements alongside adjacent regulation (eIDAS 2.0, NIS2, GDPR) and horizontal management-system standards (ISO/IEC 42001:2023, the NIST AI RMF). We derive a threat model and operational requirements, survey the recently published OVERT 1.0 open standard as the first horizontal specification targeting this category, and propose a six-axis taxonomy covering hardware-rooted (TEE-based) attestation, software-only cryptographic attestation, identity-focused attestation, payment- and commerce-specific attestation, and two adjacent (non-attestation) categories: compliance automation platforms and AI gateway / runtime layers. We map each category to representative systems, identify standards bodies relevant to the trajectory (ETSI, CEN-CENELEC JTC 21, FIDO, Linux Foundation AAIF), articulate seven open research problems including reproducibility of non-deterministic outputs in conformity assessment and statistical safety attestation, and observe a structural geographic gap: as of mid-2026, no major attestation provider operates from an EU-anchored, eIDAS-qualified trust services base.