Signed AI Audit Evidence

Why audit evidence matters

Regulated organizations need to demonstrate what happened with AI traffic — what data was sent, which policy was applied, which provider was used, and what decision was made. SAIG creates this evidence automatically for every request.

Hash chain

Every audit record includes a SHA-256 hash that references the previous record, forming a tamper-evident chain. If any record is modified or deleted, the chain breaks and the tampering is detectable.
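
A minimal verifier for a chain like the one described above, as an added example that is not SAIG's own code. The canonical JSON form, the genesis value, and chaining through the previous record's audit_hash are assumptions, and the sample records are constructed.

```python
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # assumed anchor value for the first record


def record_hash(body, prev_hash):
    """Hash the previous record's hash together with this record's body."""
    # Assumed canonical form: sorted keys, no whitespace, audit_hash excluded.
    payload = {k: v for k, v in body.items() if k != "audit_hash"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(prev_hash.encode() + canonical.encode()).hexdigest()
    return "sha256:" + digest


def append(chain, body):
    """Seal a record by linking it to the current head of the chain."""
    prev = chain[-1]["audit_hash"] if chain else GENESIS
    chain.append({**body, "audit_hash": record_hash(body, prev)})


def verify_chain(chain, expected_head=None):
    """Return (ok, index of the first bad record or None).

    expected_head is the last audit_hash as stored outside the log; without
    it, records removed from the end of the chain go unnoticed.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("audit_hash") != record_hash(rec, prev):
            return False, i
        prev = rec["audit_hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def build_sample():
    """Constructed sample records, shaped like the receipt on this page."""
    chain = []
    for n, action in enumerate(["ALLOW", "ANONYMIZE", "DENY"]):
        append(chain, {"request_id": f"req_sample_{n}", "tenant_id": "acme-eu",
                       "action": action, "provider": "azure-openai-eu"})
    return chain
```

Store the latest audit_hash outside the log and pass it as expected_head; a chain checked only against itself cannot reveal records removed from its end.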

Ed25519 signatures

Each governance receipt is cryptographically signed with Ed25519. This provides non-repudiation — the signature proves the record was created by the SAIG instance and has not been altered.

Governance receipt example

This is an example of the governance metadata shape. This is not a real customer record.

{
  "request_id": "req_7h2k9...",
  "tenant_id": "acme-eu",
  "action": "ANONYMIZE",
  "risk": "MEDIUM",
  "rule": "THIRD_PARTY_PII_TO_EXTERNAL_PROVIDER",
  "intent": "document_generation",
  "provider": "azure-openai-eu",
  "sovereignty_mode": "EU_ONLY",
  "pii_detected": ["PERSON", "EMAIL"],
  "audit_hash": "sha256:...",
  "signature": "ed25519:..."
}

Decision traces

Each record includes a deterministic decision trace — an ordered list of pipeline steps that led to the governance decision. This allows compliance teams to understand exactly why a request was allowed, anonymized, or denied.

Evidence export

Audit records can be exported from the governance console for regulator reviews, internal audits, and SIEM integration. Records are structured data, not logs — they are designed for machine processing.