Evidence, Records and Audit Trails
Audit trails are the chronological record of what an automated system did, when it did it, and what inputs produced each output. They are the foundation of post-hoc accountability. Without an intact audit trail, a decision cannot be reconstructed, a governance failure cannot be investigated, and an organisation cannot demonstrate what its system did.
Decision records document individual automated decisions — what data was used, what the system produced, and when. They are the only way to reconstruct what happened in a specific case. When an individual challenges a decision, or a regulator investigates a pattern, decision records are the primary evidence of governance.
System logs are the technical records an automated system generates during operation. They differ from governance records: a system log records what the system processed; a governance record establishes accountability for what the system did. Both are required, but they serve different purposes and must not be confused.
Incident reporting is the formal documentation of system failures, harmful outputs and governance breaches. It is both a governance obligation and the starting point for learning from failure. Organisations that do not report incidents cannot demonstrate that they detected them — and those that detected but did not report face regulatory exposure.
Evidence preservation is the immediate securing of records after an incident — before they can be overwritten, deleted or altered. The window between incident identification and evidence loss is short. Governance requires a defined evidence preservation process, because records created after the fact are not the same as records that existed at the time.
Investigation records document how an inquiry was conducted, what was examined, what was found, and what was decided. For an investigation to produce findings that withstand scrutiny — regulatory, legal or internal — its methodology and conclusions must be documented in a form that independent parties can review and challenge.
Documentation in AI governance means maintaining the records that allow a system to be understood, accounted for and governed — not simply the act of writing things down. The test is whether the documentation that exists would allow an external party to reconstruct what the system does, why it was deployed, and what governance was in place.
Data retention defines how long records must be kept and the conditions under which they can be deleted. Governance requires that retention periods are defined before records are created — not decided retrospectively when records become inconvenient. Premature deletion of governance records is, in many jurisdictions, itself a legal breach.
Record accuracy means that governance records describe what actually happened — not what should have happened, what the organisation intended, or what a review concluded after the fact. A record altered to reflect a desired outcome rather than an actual event is not a governance record. It is evidence of a governance failure.
System explanations are accounts of why an automated system reached a specific decision for a specific person. They are distinct from technical descriptions of how a system works. A system explanation must be specific, accessible and actionable — sufficient for the person affected to understand and challenge the decision.
Internal reviews are periodic structured examinations of an automated system's governance, performance and compliance. A review that produces no documentation of what was examined, what was found, or what was changed is indistinguishable from no review at all. The record of the review is as important as the review itself.
External investigation occurs when a regulator, court or independent body examines an automated system and the governance that surrounded it. Organisations face two requirements: the substantive governance must have existed, and the records demonstrating that governance must be retrievable. Neither is sufficient without the other.
System documentation is the complete record of an automated system's design, training, testing, deployment, governance and performance. It differs from the documentation that describes the system to users. Regulators increasingly require system documentation as a compliance obligation — and its absence, in a high-risk deployment, is itself a regulatory breach.
Traceability is the ability to follow a decision — forward from inputs to outputs, and backward from outputs to inputs, training data and governance decisions. Without traceability, accountability has no evidential foundation and decisions cannot be explained, challenged or defended.
AI systems change continuously through retraining, prompt modification and configuration updates. Version control governance creates a record of what the system was doing at any given time — enabling accurate decision reconstruction when specific historical decisions are challenged.
When an automated system stops operating, its governance obligations do not stop with it. Decommissioning governance ensures records are retained, model artefacts preserved, outstanding decisions covered, and accountability for historical conduct maintained.