The audit trail a regulator actually asks for.

A diagram of what an auditor wants to see when an AI decision is questioned — who approved it, which model version, which inputs, and the immutable log behind it all.

We have sat through enough audits to know what gets skimmed and what gets read line by line. The surprise, every time, is how little the auditor cares about your model. They care about the trail around it.

What they want is boring: a record that cannot be edited after the fact and that answers four questions, in order. Who decided? On what model version? With what inputs? And can you still reproduce the decision eighteen months from now? Here is the shape of that record.

Append-only event chain (recovered from the diagram):

  EVENT 001  Decision logged   actor: approver_id   model: v3.4.1   inputs: hash   prev: 000
  EVENT 002  Override          actor: human_id      reason: text    timestamp: utc   prev: 001
  EVENT 003  Sealed            hash: sha-256        prev_hash: linked, write-once

  Retention: 7 years, immutable, no delete, exportable. Each event hash-links to the one before it.

  What the auditor zeroes in on: can you reproduce decision 002 from its inputs, who approved it, which version produced it, and is the chain unbroken.
An append-only chain: every event names its actor, model version, and inputs, and links by hash to the one before it.

What auditors ignore.

They do not ask for your architecture diagram. They do not ask which framework you used or how your model was trained. We have watched a senior examiner wave off twenty pages of model documentation and turn straight to the log.

  • The model internals. They assume the model is a black box. That is fine, as long as the decisions around it are not.
  • Your accuracy metrics. Impressive numbers do not survive an audit. A reproducible decision does.
  • Pretty dashboards. A dashboard is a view. The auditor wants the source it draws from.

What they zero in on.

Three things, in this order.

  • Who approved this. Every consequential decision has a named human attached. Not a team. A person, with a timestamp.
  • Which version produced it. The model version is pinned to the event. If you upgraded the model last Tuesday, the decision from last Monday still points at the old one.
  • Can you reproduce it. Given the logged inputs, can you run the same pinned version and get the same answer eighteen months from now? That means the old version is still runnable and the inputs are still retrievable, not just their hash. If the answer is no, the trail is decoration.

An audit trail you can edit is not an audit trail. It is a story you tell about the past.

Why append-only matters.

The single property that turns a log into evidence is that it cannot be rewritten. Each event carries the hash of the one before it. Change any field in any past event and every hash downstream breaks. That is the whole trick, and it is the reason regulators trust the structure: tampering is not prevented, it is made visible. One caveat matters in practice: someone with write access to the store can edit an event and recompute every hash after it, and the chain will verify cleanly. The latest hash therefore has to be recorded somewhere the application cannot rewrite, so that a rebuilt chain no longer matches the anchored head.

We keep these records for the full retention window — seven years in most of the regimes our clients operate under — and we keep them outside the application that wrote them. The system that makes decisions should not also hold the only copy of the proof.
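The chain in the diagram, and the three checks an auditor runs against it (who approved, which version, does it reproduce), as a runnable example. This is added code, not the post's own tooling; the field names, the two toy model rules in MODEL_REGISTRY, the approver and override identities, and the sample loan inputs are all constructed for illustration. It also shows the failure mode just described: an attacker who reseals one event breaks the next link, while an attacker who rewrites every hash from that point on is caught only by a head hash anchored outside the store, or by re-running the pinned version on the logged inputs.

```python
# Added example (not the post's own code): a hash-chained, append-only decision log.
# Field names, the toy model rules and the sample records are constructed for illustration.
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first event (the "000" in the diagram)
SAMPLE_INPUTS = {"applicant": "A-1001", "income": 90000, "requested": 25000}  # constructed

# Pinned model versions (assumed toy rules). Each is a deterministic function of its
# inputs, which is what lets a logged decision be re-run and compared later.
MODEL_REGISTRY = {
    "v3.4.1": lambda inp: "approve" if inp["income"] >= 3 * inp["requested"] else "decline",
    "v3.5.0": lambda inp: "approve" if inp["income"] >= 4 * inp["requested"] else "decline",
}

def canonical(obj) -> bytes:
    # Stable serialisation: the same record must hash the same way every time.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def seal_hash(event) -> str:
    # Hash of every field in the event except the hash itself.
    return sha256_hex(canonical({k: v for k, v in event.items() if k != "hash"}))

class AuditChain:
    def __init__(self):
        self.events = []       # append-only; keep the authoritative copy in a write-once store
        self.input_store = {}  # content-addressed: sha256(inputs) -> inputs, for reproduction

    def _append(self, event):
        event["seq"] = len(self.events) + 1
        event["prev_hash"] = self.events[-1]["hash"] if self.events else GENESIS
        event["hash"] = seal_hash(event)
        self.events.append(event)
        return event

    def log_decision(self, approver_id, model_version, inputs, timestamp):
        inputs_hash = sha256_hex(canonical(inputs))
        self.input_store[inputs_hash] = copy.deepcopy(inputs)
        decision = MODEL_REGISTRY[model_version](inputs)
        return self._append({"type": "decision", "actor": approver_id, "model": model_version,
                             "inputs_hash": inputs_hash, "decision": decision, "timestamp": timestamp})

    def log_override(self, human_id, target_seq, new_decision, reason, timestamp):
        return self._append({"type": "override", "actor": human_id, "target_seq": target_seq,
                             "decision": new_decision, "reason": reason, "timestamp": timestamp})

    def head(self) -> str:
        return self.events[-1]["hash"] if self.events else GENESIS

    def verify(self):
        """Walk the chain from genesis. Returns (ok, first_bad_seq, detail)."""
        prev = GENESIS
        for ev in self.events:
            if ev["prev_hash"] != prev:
                return False, ev["seq"], "link to previous event broken"
            if seal_hash(ev) != ev["hash"]:
                return False, ev["seq"], "event contents changed after sealing"
            prev = ev["hash"]
        return True, None, "chain intact"

    def reproduce(self, seq):
        """Re-run the pinned model version on the logged inputs; compare with what was logged."""
        ev = self.events[seq - 1]
        if ev["type"] != "decision":
            return False, "not a decision event"
        inputs = self.input_store[ev["inputs_hash"]]
        if sha256_hex(canonical(inputs)) != ev["inputs_hash"]:
            return False, "stored inputs do not match the logged hash"
        rerun = MODEL_REGISTRY[ev["model"]](inputs)
        return rerun == ev["decision"], f"model={ev['model']} logged={ev['decision']} rerun={rerun}"

def build_sample_chain():
    # A decision, a human override of it, and the same inputs re-scored after a model upgrade.
    chain = AuditChain()
    chain.log_decision("approver:alice", "v3.4.1", SAMPLE_INPUTS, "2026-05-04T09:12:00Z")
    chain.log_override("human:bob", 1, "decline", "manual fraud review", "2026-05-04T10:02:00Z")
    chain.log_decision("approver:alice", "v3.5.0", SAMPLE_INPUTS, "2026-05-12T08:30:00Z")
    return chain

def reseal_one_event(chain, seq, field_name, value):
    """Attacker edits one past event and recomputes its hash. Every later link now dangles."""
    t = copy.deepcopy(chain)
    t.events[seq - 1][field_name] = value
    t.events[seq - 1]["hash"] = seal_hash(t.events[seq - 1])
    return t

def rewrite_from(chain, seq, field_name, value):
    """Attacker rewrites every hash from seq onward. verify() passes; only an anchored head tells."""
    t = copy.deepcopy(chain)
    t.events[seq - 1][field_name] = value
    prev = t.events[seq - 2]["hash"] if seq > 1 else GENESIS
    for ev in t.events[seq - 1:]:
        ev["prev_hash"] = prev
        ev["hash"] = prev = seal_hash(ev)
    return t
```

Build the chain with build_sample_chain(), record chain.head() somewhere the application cannot write to, and then compare: reseal_one_event(chain, 1, "model", "v3.5.0").verify() fails at event 2, whereas rewrite_from(chain, 1, "model", "v3.5.0") verifies cleanly and is exposed only because its head differs from the anchored one and reproduce(1) now returns a different answer than was logged. Event 3 shows the version-pinning point from above: identical inputs, newer version, different decision, and each event still names the version that produced it.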

— Suhail Abidi. Austin, TX. May 2026.
