Skip to main content
AUDIT

Audit evidence gap analysis.

What audit evidence AI deployments typically lack, why it matters to internal audit and external reviewers, and what a governed execution path produces instead.

Evidence gapTypical stateGoverned state
No authorization recordActions are logged with timestamps and outcomes. There is no record of the authorization decision that preceded execution.Every execution event references a permit. The permit references the policy version and the human approval decision.
Parameter substitution undetectableThe approved action description and the actual parameters passed to execution are stored separately and not cryptographically bound.Approval tokens include a SHA-256 digest of the normalized action manifest. Execution is cancelled if the digest does not match.
Policy version not recordedThe policy that was active at the time of execution is not referenced in the audit record. Policy changes are not correlated to outcomes.Policy version is a required field in every governed execution record.
No lineage from intent to actionThe AI model produced output, the output was acted on. There is no evidence chain from the original task intent to the final side effect.Execution manifests record the originating session, the policy evaluation, and the permit lineage.
Audit chain not verifiable externallyThe audit record exists inside the runtime. It cannot be independently verified because the hash chain is internal-only or absent.Hash-chained evidence is designed for external verifiability. Corruption is detectable outside the runtime.
No governance suspension recordWhen governance checks are disabled or bypassed for an execution, this is not recorded. The audit record appears identical to a governed execution record.Governance-suspended execution is an explicit mode. The audit record includes the governance mode and the lineage at the time of suspension.

What auditors ask.

These are the questions that internal audit, security review, and external assessors ask when evaluating an AI deployment. A governed path produces answers. An ungoverned path does not.

  • Who authorized this action, and when?
  • What policy was in effect at the time of execution?
  • Were the actual execution parameters the same as the approved parameters?
  • Can the audit record be verified outside the runtime?
  • Was governance active for this run, or was it suspended?
  • What is the lineage from the originating task to the final side effect?

Identify your evidence gaps.

The AI Execution Boundary Assessment surfaces the specific gaps in your current deployment posture.

Start assessment