Answer the examination question with evidence, not a reconstructed story.
When a regulator, internal audit, or the board asks “Why was this action allowed at this moment?” you should not need a week of log reconstruction. You should be able to produce a verifiable record: what was decided, which rule applied, what the system saw, who approved (if anyone), and cryptographic proof that the rule held when the action ran.
The Regulatory Evidence Trail is what your organisation can show when AI touches consequential decisions—payments, onboarding, rebalancing, clinical authorisation, reporting. Each allowed action carries a structured record your compliance and legal teams can read without reading code. The record is tamper-evident: later edits to the log are detectable, so the evidence you bring to a review is the evidence that existed at decision time.
This is examination-ready evidence—meaning the artefacts are shaped for supervisory and internal audit review—not a promise of approval in any specific jurisdiction.
| Element | Question it answers | Example (illustrative) |
|---|---|---|
| What was decided | Allow, reject, or escalate? | “Payment release approved” |
| Which rule applied | What policy or invariant governed this? | “Three-way match complete before disbursement (Policy §4.2)” |
| What state the system saw | What facts were true when the decision was made? | “Invoice, PO, and receipt amounts aligned; supplier not on sanctions list” |
| Who approved | Which role signed off, under what delegation? | “Treasury ops lead — dual-control step 2 of 2” |
| Cryptographic evidence | Can an auditor verify the rule held without trusting a narrative? | “Proof attached: policy check passed at timestamp T; hash links to prior log entry” |
For each AI-assisted action, you can show the decision, the rule, the facts at decision time, any human approval, and independently verifiable proof that the rule was satisfied—not a reconstructed story from scattered systems.
Conventional audit logs
Systems emit verbose logs; after an incident, engineering and compliance reconstruct a timeline from CRM, payment hub, chat, and ticket exports. Narrative risk is high; selective disclosure is hard.
Evidence trail approach
The validator—the component that accepts or rejects actions against formal rules, not the AI—records the decision at enforcement time, with entries linked in a hash-chained audit log. Where selective disclosure matters, a zero-knowledge proof (ZK proof) can show a rule was satisfied without exposing underlying client or counterparty data.
Examiner: “Show me every supplier onboarding approved last quarter where the beneficial-owner check was overridden.”
You (with evidence trail): Export scoped to that rule ID and outcome. Each row shows the formal rule reference, system state at decision time, approver if applicable, and verifiable proof artefacts, filterable without hand-auditing model prompts.
Examiner: “Why was this high-risk payment released on 14 March at 09:04?”
You: Single decision packet: rule “dual authorisation above threshold,” state “both authorisers active, limits not breached,” cryptographic proof the predicate held at 09:04:12 UTC. No reliance on what the AI “intended.”
Compliance Operator (CECO) — the product family that produces this trail on agentic workflows: AI proposes; enforcement decides before execution. Pilot / PoC on domain workflows (wealth, procurement, payments).
SDD adoption — programmes that trace policy language → living specifications → CI-enforced rules, so the rules in the evidence trail match what compliance and the business agreed.
Software engineering (Spec++ SDD) — joint delivery that implements the trail on your workflow and packages evidence for internal QA or supervisory dialogue.
```
DecisionRecord {
  action_id, outcome, rule_ref, state_snapshot_hash,
  approver_ref?, proof_bundle, prev_log_hash
}
```
Every allowed action gets a structured record linked to the previous one—so your audit export is a chain, not a pile of files.
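The chaining described above, sketched as an added example that is not the product's own code: it uses the `DecisionRecord` field names from this page and shows how an edit, or a change to the final entry, is detected. SHA-256, the canonical JSON encoding, the all-zero genesis value, the externally stored head hash and all sample values are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Optional

GENESIS = "0" * 64  # assumed prev_log_hash of the first entry


@dataclass(frozen=True)
class DecisionRecord:
    action_id: str
    outcome: str
    rule_ref: str
    state_snapshot_hash: str
    proof_bundle: str          # opaque here; the page does not define its format
    prev_log_hash: str
    approver_ref: Optional[str] = None


def entry_hash(rec: DecisionRecord) -> str:
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    blob = json.dumps(asdict(rec), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def append(log: list, **fields) -> str:
    prev = entry_hash(log[-1]) if log else GENESIS
    log.append(DecisionRecord(prev_log_hash=prev, **fields))
    return entry_hash(log[-1])  # new head hash; store it outside the log


def verify(log: list, anchored_head: str) -> Optional[int]:
    """None if intact; i if the link into entry i is broken (entry i-1 or i
    changed); len(log) if the final entry does not match the anchored head."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.prev_log_hash != prev:
            return i
        prev = entry_hash(rec)
    return None if prev == anchored_head else len(log)


def sample_log():
    # Constructed sample data, modelled on the page's illustrative payment case.
    log = []
    state = hashlib.sha256(b"invoice=PO=receipt;sanctions=clear").hexdigest()
    append(log, action_id="A-1", outcome="allow", rule_ref="Policy 4.2",
           state_snapshot_hash=state, proof_bundle="placeholder-proof")
    head = append(log, action_id="A-2", outcome="allow", rule_ref="Policy 4.2",
                  state_snapshot_hash=state, proof_bundle="placeholder-proof",
                  approver_ref="treasury-ops-lead")
    return log, head
```

The chain alone cannot reveal a rewritten or dropped final entry, which is why `verify` compares against a head hash kept outside the log store.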
We do not promise regulatory approval or zero findings in any jurisdiction. “Examination-ready” means evidence shape and verifiability—your legal team still owns supervisory relationships.
Zero-knowledge proofs prove rule satisfaction to verifiers; they do not replace human accountability where policy requires it—they support it with stronger artefacts.