The audit trail a regulator actually asks for.

Who decided, on what model version, with what inputs, and can you still reproduce it eighteen months from now. The post frames the ideal record as deliberately boring: one that cannot be edited after the fact and answers those four questions in sequence. If it can't answer them, the trail is decoration.

Model internals, accuracy metrics, and pretty dashboards. The post recounts a senior examiner waving off twenty pages of model documentation to turn straight to the log. Auditors assume the model is a black box—fine, as long as the decisions around it aren't. Impressive accuracy numbers don't survive an audit; a reproducible decision does. A dashboard is just a view, so they want the source it draws from.

Who approved the decision—a named human with a timestamp, not a team; which model version produced it, pinned to the event so a decision from last Monday still points at the old version even if you upgraded last Tuesday; and whether you can reproduce it—given the logged inputs, running the same version yields the same answer eighteen months later. If reproduction isn't possible, the trail is decoration.

Append-only is the single property that turns a log into evidence, because it can't be rewritten. Each event carries the hash of the one before it, so changing any field in any past event breaks every downstream hash. Tampering isn't prevented—it's made visible, which is why regulators trust the structure. An audit trail you can edit is just a story you tell about the past.

Silicon Prime keeps these records for the full retention window—seven years in most of the regimes their clients operate under. Just as important, the records are kept outside the application that wrote them: the system that makes decisions should not also hold the only copy of the proof.

Because the system that makes decisions shouldn't also hold the only copy of the proof. Keeping the immutable record separate protects it if the application is compromised, changed, or decommissioned, and reinforces the integrity regulators care about. Combined with append-only hashing and a seven-year retention window, separation is what makes the trail trustworthy evidence rather than a convenient internal view.

The model version is attached to each event at the moment the decision is made, so the record points at whichever version actually produced it. If the model is upgraded later, prior decisions still reference the older version. This pinning is one of the three things auditors zero in on, and it's what allows a decision to be reproduced with the same version months or years afterward.

Reproducibility requires three things working together: the inputs are logged, the model version is pinned to the event, and the record is immutable so neither can be quietly altered. Given the logged inputs and the pinned version, you can rerun and get the same answer. The post is blunt: if the answer to 'can you reproduce it' is no, the trail is just decoration.