Why auditability matters

Auditability is the ability to reconstruct what happened, prove integrity, and explain a decision to engineers, auditors, and regulators—without relying on informal chat logs or ad hoc spreadsheets.

Without decision-level audit

Teams often have:

  • model metrics in experiment trackers,
  • pull request reviews in Git,
  • policy documents in Confluence,

but no single, tamper-evident chain tying a specific deployment decision to the evidence that justified it. When an incident or audit occurs, reconstruction is slow and disputed.

With GovAI-style auditability

| Stakeholder | Benefit |
|---|---|
| Engineering | CI fails closed when evidence is missing; exports are machine-readable |
| Security | Hash-chained log + verification; tenant isolation from API key mapping |
| Compliance | Structured mappings to AI Act themes (../regulatory/README.md) |
| Legal | Clear non-claims and evidentiary positioning (../legal/evidentiary-positioning.md) |
| Leadership | Repeatable gate before production promotion |

Technical properties that matter

  1. Append-only evidence — Events are not silently rewritten.
  2. Hash chaining — Detect tampering after the fact (GET /verify, bundle hashes).
  3. Deterministic summary — Same evidence + policy → same verdict.
  4. Explicit blocked state — Missing prerequisites surface as BLOCKED, not implicit pass.
  5. Export for third parties — Bundles and regulatory export tooling for review outside your app.
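The first four properties in one small model, as an added example written for this page rather than GovAI's own code: a hash-chained append-only log whose verify() reports the first tampered entry, and a deterministic promotion verdict that returns BLOCKED whenever the chain fails or required evidence is missing. Event type names, the REQUIRED policy set and the "PASS" verdict label are assumptions for the illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def event_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event
    # always produces the same digest regardless of dict ordering.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class EvidenceLog:
    """Append-only list of (event, hash); each hash covers its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = event_hash(prev, event)
        self.entries.append((event, h))
        return h

    def verify(self):
        # Recompute the whole chain; return (ok, index_of_first_mismatch).
        prev = GENESIS
        for i, (event, h) in enumerate(self.entries):
            if event_hash(prev, event) != h:
                return False, i
            prev = h
        return True, None


# Hypothetical policy: evidence that must exist before promotion.
REQUIRED = {"data_registered", "training_completed",
            "evaluation_completed", "human_approval"}


def promotion_verdict(log: EvidenceLog) -> str:
    # Deterministic: same evidence + same policy -> same verdict.
    ok, _ = log.verify()
    if not ok:
        return "BLOCKED"  # a broken chain is never an implicit pass
    present = {event["type"] for event, _ in log.entries}
    return "BLOCKED" if REQUIRED - present else "PASS"
```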

What auditability does not replace

  • Organizational policies and training
  • SOC 2 control operation
  • Legal interpretation of the EU AI Act or other regimes
  • Model quality assurance (GovAI governs evidence and promotion, not accuracy alone)

Evidence GovAI captures (examples)

Event types depend on your policy version; typical lifecycle evidence includes:

  • data registration and dataset fingerprint references,
  • training and evaluation completion,
  • human approval and promotion records,
  • runtime or governance attestations where integrated.

See ../trust-model.md for verdict definitions and ../standards/governance_evidence_pack_standard.md for pack structure.