Layer 3: Operational Boundaries

What happens when AI agent state drifts between check and execution?

When system state changes between the time an AI agent's action is approved and the time it is executed, you have a TOCTOU (Time of Check to Time of Use) vulnerability, one of the most overlooked classes of AI agent security flaws. The check was correct when it ran; the action is wrong because the world it was checked against no longer exists.

Here's a concrete example: your agent evaluates a refund request at 10:00:00 AM. The policy engine approves it: the customer is eligible and the amount is within limits. But between 10:00:00 and 10:00:02, when the agent executes, another process has already issued the refund for the same request. The agent issues it again, a double-spend: two refunds for one request.

TOCTOU vulnerabilities in AI agents manifest as:

  • Double-spend attacks: The same action is executed twice because the state that made it valid changed between approval and execution
  • Stale-state execution: An action runs against data that was superseded after the check, producing incorrect results
  • Race condition exploits: Concurrent agents evaluate against the same snapshot and approve conflicting actions
  • Approval replay: An approval issued against an earlier state is presented again after that state has changed

Most AI agent frameworks ship no TOCTOU prevention of their own. LangChain, CrewAI, AutoGen, and vanilla OpenAI function calling all leave a gap between the model's reasoning step and tool execution in which state can drift; closing that gap is left to the application.

Exogram prevents TOCTOU through SHA-256 state hashing. At evaluation time (/v2/evaluate), Exogram computes a hash of all relevant system state. At commit time (/v2/commit), the hash is recomputed. If the hashes differ, meaning anything changed, the commit is rejected with 409 Conflict and the agent must re-evaluate against current state. This is the Execution Idempotency invariant: no action commits against stale state. Two details decide whether a check like this actually holds: the hash has to cover exactly the state the policy decision depended on, serialized canonically so that equal states always produce equal digests, and the recompute-compare-commit step has to be atomic with respect to the state it reads; otherwise the race has only moved from the agent into the guard.
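The evaluate/commit pattern described above, written out as an added Python example. This is illustrative code, not Exogram's implementation or API: the names StateHashGuard, evaluate, commit, RefundLedger and StaleStateError are assumptions, the ledger is a constructed in-memory stand-in for the real backend, and StaleStateError plays the role of the 409 Conflict response. It shows the double-refund scenario from the refund example: two agents approve the same request against the same state, the first commit succeeds, the second is rejected because the recomputed hash no longer matches. It also consumes the approval token on use, so a replayed token is refused, and it runs the recompute-compare-apply sequence under one lock so the guard does not reintroduce the gap it is meant to close.

```python
"""Optimistic state-hash guard for agent actions (illustrative example).

Added example, not Exogram's code. Mirrors the evaluate/commit pattern
described in the text with a canonical SHA-256 digest of the state a
policy decision depends on. All names below are assumptions.
"""
from __future__ import annotations

import hashlib
import json
import secrets
import threading
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def canonical_hash(state: dict) -> str:
    """Hash a canonical JSON form of the state: sorted keys and fixed
    separators, so dict insertion order never changes the digest."""
    blob = json.dumps(state, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


class StaleStateError(Exception):
    """Raised at commit when state drifted since evaluation (the 409 case)."""


@dataclass
class RefundLedger:
    """Constructed sample backend: refunds issued per request id."""
    issued: Dict[str, int] = field(default_factory=dict)  # request_id -> cents
    balance_cents: int = 100_000

    def snapshot(self, request_id: str) -> dict:
        # Only the state the policy decision depends on goes into the hash.
        return {
            "request_id": request_id,
            "already_refunded": self.issued.get(request_id),
            "balance_cents": self.balance_cents,
        }


class StateHashGuard:
    def __init__(self, ledger: RefundLedger) -> None:
        self.ledger = ledger
        self._lock = threading.Lock()
        # token -> (request_id, state hash at evaluation time, amount)
        self._approvals: Dict[str, Tuple[str, str, int]] = {}

    def evaluate(self, request_id: str, amount_cents: int) -> Optional[str]:
        """Policy check. Returns an approval token bound to the current
        state hash, or None if the request is denied outright."""
        snap = self.ledger.snapshot(request_id)
        if snap["already_refunded"] is not None or amount_cents > snap["balance_cents"]:
            return None
        token = secrets.token_hex(16)
        self._approvals[token] = (request_id, canonical_hash(snap), amount_cents)
        return token

    def commit(self, token: str) -> int:
        """Recompute the hash and apply the action only if nothing changed.

        Recompute, compare and apply run under one lock so the guard itself
        has no check/use gap. The token is consumed, so a replay is refused.
        """
        with self._lock:
            if token not in self._approvals:
                raise StaleStateError("unknown or already used approval token")
            request_id, expected, amount = self._approvals.pop(token)
            if canonical_hash(self.ledger.snapshot(request_id)) != expected:
                raise StaleStateError("state drifted since evaluation (409 Conflict)")
            self.ledger.issued[request_id] = amount
            self.ledger.balance_cents -= amount
            return amount


def double_refund_scenario() -> dict:
    """Two agents approve the same refund; only one commit may succeed."""
    ledger = RefundLedger()
    guard = StateHashGuard(ledger)
    token_a = guard.evaluate("req-42", 2_500)  # agent A evaluates at 10:00:00
    token_b = guard.evaluate("req-42", 2_500)  # agent B evaluates the same state
    first = guard.commit(token_a)              # A commits: hash matches, refund issued
    try:
        guard.commit(token_b)                  # B commits: state drifted, rejected
        second = "committed"
    except StaleStateError:
        second = "rejected"
    return {"first": first, "second": second,
            "refunds": len(ledger.issued), "balance": ledger.balance_cents}


if __name__ == "__main__":
    print(double_refund_scenario())
```

The snapshot decides the trade-off: hashing too little (say, only the request id) misses the drift that matters, while hashing the whole backend makes every unrelated write a 409 and forces needless re-evaluation. Including balance_cents here means any other refund also invalidates a pending approval, which is the conservative choice for a spend limit.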

Ready to secure your AI infrastructure?

Deploy deterministic execution governance on your AI agents — 500 free API calls, no credit card.

✓ 500 free API calls/mo ✓ 0.07ms enforcement latency ✓ Works with LangChain, CrewAI, MCP