EVE AI Core
An audit trail is only as good as how hard it is to forge. A real AI decision audit trail records each decision’s inputs, the policy applied, and the verdict — in a form an auditor can verify without trusting the system that produced it.
“An AI decision audit trail is a verifiable record of each AI decision — its inputs, the policy applied, and the verdict — that an auditor can reconstruct and confirm independently.”
A decision is auditable only if the record answers every question an examiner will ask. That takes more than a line in a log file.
What the system was about to do and the data it was about to do it on — captured at the moment of the decision, not reconstructed later.
Which policy version was in force, which rules were evaluated, which fired, and the final outcome: allowed, modified, or blocked.
A signature that ties the record to its content and its position in a sequence, so any edit, deletion, or reordering is detectable.
Most systems “have an audit trail” in the sense that they write logs. But logs can be edited, truncated, or lost, and they ask the auditor to trust the very system under review. A real audit trail is provable: each record is signed and hash-chained, so it can be verified with a public key by someone who has no access to your infrastructure. The difference is the difference between “trust our logs” and “here is the signed record — check it yourself.”
| | Application logs | Signed decision record |
|---|---|---|
| Can be edited after the fact | Yes, often silently | No — changes break the signature |
| Verifiable by an outside party | Requires trusting the system | Yes — offline, with a public key |
| Proves order / completeness | No | Yes — hash-chained sequence |
| Reproduces the decision | Rarely | Yes — replayable from inputs + policy version |
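The signed, hash-chained record described above, as an added example that is not EVE AI Core's code or record format: Node.js producer and auditor sides using Ed25519 and SHA-256. The field names, the all-zero genesis hash, the out-of-band `head` value and the sample decisions are assumptions constructed for illustration.

```javascript
// Added example (not EVE AI Core code): Ed25519-signed, hash-chained decision records.
const crypto = require('node:crypto');
const GENESIS = '0'.repeat(64); // assumed prev_hash of the first record

// Fixed field order so both sides hash identical bytes (production: RFC 8785 JCS).
const canonical = (r) => Buffer.from(JSON.stringify(
  [r.seq, r.prev_hash, r.inputs, r.policy_version, r.rules_fired, r.verdict, r.ts]));
const recordHash = (r) => crypto.createHash('sha256').update(canonical(r)).digest('hex');

// Producer: link to the previous record, then sign the canonical bytes.
function append(log, fields, privateKey) {
  const prev = log[log.length - 1];
  const rec = { seq: log.length, prev_hash: prev ? recordHash(prev) : GENESIS, ...fields };
  rec.sig = crypto.sign(null, canonical(rec), privateKey).toString('base64');
  log.push(rec);
}

// Auditor: needs only the records and the public key. `head` (optional) is the
// latest record hash obtained out of band; without it, tail truncation is invisible.
function verify(log, publicKey, head) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const sig = Buffer.from(log[i].sig, 'base64');
    if (!crypto.verify(null, canonical(log[i]), publicKey, sig))
      return { ok: false, at: i, reason: 'bad signature' };
    if (log[i].seq !== i || log[i].prev_hash !== expectedPrev)
      return { ok: false, at: i, reason: 'chain break' };
    expectedPrev = recordHash(log[i]);
  }
  if (head && expectedPrev !== head) return { ok: false, at: log.length, reason: 'head mismatch' };
  return { ok: true, at: log.length, reason: 'verified' };
}

// Constructed sample decisions, then four kinds of tampering.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const log = [];
  for (const verdict of ['allowed', 'blocked', 'modified'])
    append(log, { inputs: { action: 'send_email', to: 'user@example.com' },
      policy_version: 'v1', rules_fired: ['r1'], verdict, ts: '2025-01-01T00:00:00Z' }, privateKey);
  const head = recordHash(log[2]);
  const copy = () => JSON.parse(JSON.stringify(log));
  const edited = copy(); edited[1].verdict = 'allowed';
  const deleted = copy(); deleted.splice(1, 1);
  const swapped = copy(); swapped.reverse();
  const check = (l) => verify(l, publicKey, head).reason;
  return { intact: check(log), edited: check(edited), deleted: check(deleted),
    swapped: check(swapped), truncated: check(copy().slice(0, 2)) };
}
```

An edit fails the signature check, while deletion and reordering leave every signature valid and are caught by the sequence and `prev_hash` checks. Dropping records from the end is caught only when the auditor holds a trusted `head`.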
The strongest audit trail does not just describe a decision — it lets you re-run it. Because a deterministic control plane produces the same verdict for the same inputs, any decision in the trail can be replayed from its inputs and policy version to reproduce the exact outcome. That property is what regimes like SR 11-7 and the EU AI Act ultimately need: not a story about a decision, but the decision itself, reproducible on demand.
The proposed action and its inputs, the policy version, which rules fired, the verdict, a timestamp, and a tamper-evident signature linking the record to its place in a sequence.
Logs can be edited or lost and require trusting the system that wrote them; a signed, hash-chained record can be verified offline with a public key, so any change is detectable.
The EU AI Act requires automatic record-keeping/logging for high-risk AI (Article 12); a signed, replayable record is one way to meet that requirement — illustrative, not legal advice.
See a signed Decision Certificate generated for a real decision — and verify it yourself with the published public key, no access to our systems required.