AI 扩展计划 / Playbooks
AI Evidence Integrity / Tamper-Evident Audit Ledger Playbook
版本: v1.0
445 行AI_EVIDENCE_INTEGRITY_TAMPER_EVIDENT_AUDIT_LEDGER_PLAYBOOK.md
AI Evidence Integrity / Tamper-Evident Audit Ledger Playbook
版本: v1.0 日期: 2026-06-30 适用对象: experienced CBAP、financial retail PM、product architect、enterprise architect、AI governance lead、audit-risk partner、privacy / legal / records partner、platform owner。
本文是一份执行型手册, 用于把 AI 证据对象、哈希、签名、append-only ledger、provenance claims、attestation chain、segregation of duties、redaction、legal hold 和 audit queries 设计成可落地的 evidence trustworthiness architecture。它不替代记录保留制度、运行观测方案、流程审计、监管报告签署或 AI BOM;它专注于证明证据本身是否可信、是否可验证、是否未被静默改写。
1. Purpose And When To Use
Purpose
本手册帮助团队在 AI 产品上线前回答六个问题:
| Question | Why it matters |
|---|---|
| What exactly is the evidence object? | 没有对象边界, 就无法 hash、sign、query 或 replay |
| Who or what produced it? | 没有 producer identity, 就无法问责 |
| Was it changed after creation? | 没有 tamper-evident ledger, 就无法发现静默改写 |
| What did the reviewer approve? | 没有 approval binding, 人工复核可能只是形式 |
| What was redacted or held? | 没有 derivative redaction 和 legal hold events, 隐私和保全会冲突 |
| Can an independent reviewer verify it? | 没有 audit query pack, 证据可信度无法被挑战 |
Use this playbook when
| Trigger | Example |
|---|---|
| AI output may affect a customer, case record, investigation, payment, credit or board decision | KYC decline recommendation, AML SAR narrative recommendation, payment dispute evidence packet |
| Human approval must be tied to exact AI output or tool input | Maker-checker approval for chargeback submission |
| Evidence may be challenged later by customer, internal audit, legal, regulator or board | Customer communication, adverse action support, board MI |
| Sensitive evidence must be redacted for review but original must remain verifiable | Audit sample export with masked customer identifiers |
| Legal hold may freeze evidence population | AML inquiry, complaint litigation, payment dispute escalation |
| Multiple systems create evidence fragments | RAG service, orchestrator, policy engine, tool gateway, review workflow and system of record |
Do not use this playbook as a general observability plan. Observability tells teams what happened technically; this playbook proves whether the evidence used to explain what happened can be trusted.
2. Operating Model
2.1 Roles and accountabilities
| Activity | PM | BA / CBAP | Product Architect | Enterprise Architect | Platform | Risk / Compliance | Internal Audit Partner | Privacy / Legal / Records |
|---|---|---|---|---|---|---|---|---|
| Evidence scope | A | R | C | C | C | C | C | C |
| Evidence object schema | C | R | A | C | R | C | C | C |
| Ledger architecture | I | C | R | A | R | C | C | C |
| Attestation matrix | C | R | A | C | R | C | C | C |
| Approval binding and SoD | A | R | R | C | R | C | C | C |
| Redaction and legal hold rule | I | C | C | C | R | C | C | A |
| Audit query pack | C | R | R | C | R | A/C | A/C | C |
| Release evidence packet | A | R | R | C | R | C | C | C |
| Exception closure | A | R | R | C | R | A/C | C | C |
Legend: R = responsible, A = accountable, C = consulted, I = informed.
2.2 Cadence
| Cadence | Meeting | Required output |
|---|---|---|
| Use-case inception | Evidence integrity scoping | evidence classes, risk tier, raw vs hashed vs redacted boundary |
| Architecture design | Ledger and attestation review | schema, signer, ledger pattern, provenance graph, verifier checks |
| Pre-pilot | Evidence emission test | sample events, hash verification, signature verification, approval binding |
| Release readiness | Evidence packet review | release packet, query results, open gaps, accepted residual risk |
| Monthly operation | Evidence integrity control review | failed verifications, SoD breaches, redaction exceptions, legal hold state |
| Incident or challenge | Replay and preservation review | case timeline, evidence chain, legal hold decision, customer or regulatory response pack |
2.3 Control principles
| Principle | Operational rule |
|---|---|
| Evidence by design | Every high-impact AI requirement defines evidence object, hash, signer and verifier before release |
| Append, never overwrite | Corrections, redactions and legal holds create new ledger events |
| Minimum necessary raw content | Ledger stores hashes and pointers; raw evidence stays in restricted vault where needed |
| Approval binds to exact content | Reviewer decision references the visible evidence hash, output hash or tool input hash |
| Segregation of duties | Evidence producer, approver, platform operator and independent reviewer are distinct where risk requires |
| Query before trust | Release readiness includes executable audit queries, not only document review |
| Redaction is derivative | A redacted export must prove derivation from the original restricted evidence |
| Legal hold is stateful | Hold, scope, owner, preservation action and release are attested ledger events |
3. Template: Evidence Object Schema
Use this schema for high-impact evidence. Low-risk internal drafts can use a lighter profile, but should preserve evidence_id, event_type, created_at, producer, payload_hash, version_set and ledger_position.
| Field | Type | Required | Completed example | Control purpose |
|---|---|---|---|---|
evidence_id | string | yes | ev_dispute_20260630_008812 | Unique evidence identity |
schema_version | string | yes | ai-evidence-object.v1 | Stable validation |
event_type | string | yes | ai.output.approved | Event taxonomy |
use_case_id | string | yes | payment_dispute_assistant | AI use-case boundary |
risk_tier | enum | yes | high_customer_impact | Control depth |
business_object_ref | string | yes | dispute_case_hash:9a31f0d2 | Links to business case without exposing raw identifier |
created_at | timestamp | yes | 2026-06-30T15:21:09Z | Time of evidence creation |
recorded_at | timestamp | yes | 2026-06-30T15:21:11Z | Time entered ledger |
producer | string | yes | dispute-review-workbench | Producer accountability |
actor_type | enum | yes | human_reviewer | Actor classification |
actor_id_hash | string | yes | sha256:cf079c40f7a2b8a7d2f6e45db9b59fb11f59f66e7d2a95d29c8d8f4b82d03c45 | SoD and privacy |
payload_pointer | URI | conditional | vault://disputes/evidence/008812/final-letter | Restricted raw evidence access |
payload_hash | string | yes | sha256:aa78cb2e6c29f893b7f0b8140918db398f923fbc208805135daac7e8d2f49984 | Raw payload integrity |
canonical_hash | string | yes | sha256:96c67b0c7fd87ab51d8e6d588708b019d8d8f8c942e793efb2d714029f59a529 | Structured evidence integrity |
previous_event_hash | string | yes for chained workflows | sha256:62bcf972c43bb3d0628d5e3f7c7471e23a059f0167c2c57c191d6bc9a71f0632 | Hash-chain ordering |
version_set | object | yes | model=llm-route-2026-06, prompt=disp-p14, policy=network-rule-map-v7, tool=chargeback-submit-v3 | Replay and change trace |
provenance_refs | array | yes | retrieval_ev_701, policy_ev_220, draft_ev_810, approval_ev_891 | Causal chain |
data_class | enum | yes | confidential_customer_financial | Access and privacy |
redaction_profile | string | yes | customer_id_tokenized_amount_bucketed | Export safety |
retention_policy_id | string | yes | ret_dispute_7y_hold_eligible | Lifecycle integration |
legal_hold_state | enum | yes | not_held | Preservation status |
signature_ref | URI | yes | kms-sig://ai-evidence-ledger-v4/sig_77831 | Non-repudiation |
ledger_position | string | yes | ledger:ai-evidence-prod:20260630-15:idx-5221 | Inclusion proof |
Schema acceptance criteria:
| Check | Pass standard |
|---|---|
| Required field completeness | 100% for high-impact evidence |
| Canonicalization | Recomputed canonical_hash matches ledger value |
| Payload integrity | Recomputed payload_hash matches vault object |
| Version set completeness | Model, prompt, policy, tool and source versions present when applicable |
| Privacy discipline | Sensitive raw identifiers appear only in controlled payload vault or tokenized field |
4. Template: Ledger Event Taxonomy
Use a controlled taxonomy so audit queries can test populations consistently.
| Event type | Meaning | Required attestations | Example scenario |
|---|---|---|---|
evidence.created | Evidence object first recorded | producer signature | KYC document extraction evidence created |
evidence.corrected | New object corrects prior evidence | producer signature, correction reason | Payment dispute packet updated with missing receipt |
evidence.superseded | New object replaces prior object for future use | producer signature, reviewer approval if high-risk | Credit policy advice regenerated after policy update |
evidence.redacted | Redacted derivative created | privacy attestation, original evidence hash | Board MI pack masks customer details |
evidence.hold_applied | Legal hold applied | legal / records attestation | AML inquiry preserves case evidence |
evidence.hold_released | Legal hold released | legal / records attestation | Inquiry closed and normal lifecycle resumes |
evidence.accessed | Sensitive evidence viewed | requester, purpose, authorization | Internal audit views restricted KYC packet |
evidence.exported | Evidence exported from workbench | export approval, redaction profile | Audit sample exported to secure review folder |
ai.input.assembled | Prompt or tool input assembled | producer signature, source attestation | RAG prompt for credit advice |
ai.output.generated | Model output generated | model route, prompt hash, source refs | AML SAR recommendation draft |
ai.output.reviewed | Human reviewed output | reviewer attestation, visible evidence hash | KYC analyst accepts or rejects AI recommendation |
ai.output.approved | Final output approved | approval signature, SoD check | Customer communication approved |
ai.tool.invoked | Tool called | policy decision, input hash | Dispute submission tool invoked |
ai.tool.completed | Tool side effect completed | side effect id, idempotency key | Chargeback submission accepted |
release.evidence_packet_signed | Release packet attested | governance approval, packet hash | AI copilot release readiness |
board.mi.snapshot_signed | Board metric population snapshot signed | query hash, data source attestation | Monthly AI governance MI |
Taxonomy rule:
If an event can change what a customer, investigator, underwriter, dispute operator, board member or regulator sees, it must have a distinct ledger event rather than being hidden inside an untyped log line.
5. Template: Attestation Matrix
| Attestation | Issuer | Input evidence | Claim made | Verification check | Failure response |
|---|---|---|---|---|---|
| Producer attestation | AI orchestrator | canonical evidence object | Evidence was produced by the registered service under schema version | Signature valid, key active at event time, schema valid | Quarantine event and block release evidence use |
| Source attestation | Data / retrieval gateway | source refs, entitlement decision, source version | Sources were available, authorized and versioned at retrieval time | Source hash and entitlement decision match | Mark output unsupported and require review |
| Policy attestation | Policy engine | policy id, inputs, obligations | Decision followed policy version and obligations | Policy version active and decision signed | Block tool action or require manual risk exception |
| Reviewer attestation | HITL workflow | visible evidence hash, output hash, reason code | Reviewer saw this exact evidence and made this decision | Approval hash matches output/tool input; SoD pass | Treat approval as invalid |
| Tool attestation | Tool gateway | tool input hash, policy decision, approval id | Tool executed exact approved input and recorded side effect | Tool input hash equals approved scope; side effect id exists | Start incident review for unauthorized action |
| Redaction attestation | Privacy service | original hash, redaction rule, redacted payload hash | Redacted object derives from original and follows rule | Original exists; derivative relation signed; restricted fields absent | Revoke export and investigate exposure |
| Legal hold attestation | Legal / records service | evidence scope, reason, owner | Hold applies to defined evidence and lifecycle actions are frozen | Hold state present and delete/export controls reflect hold | Stop delete jobs and preserve affected evidence |
| Release attestation | Governance workflow | release packet hash, query results, open exceptions | Release evidence packet supports go-live decision | Packet hash, approver roles and exception acceptance valid | Release cannot proceed |
| Board MI attestation | MI owner / data control | query hash, population snapshot, metric output | Board metric came from defined population and query | Snapshot root verifies, query version approved | Reissue MI correction event |
6. Template: Tamper-Evidence Test
Run these tests before pilot, before high-risk release and after major architecture changes.
| Test ID | Test objective | Procedure | Pass standard | Evidence retained |
|---|---|---|---|---|
| TE-001 | Detect modified payload | Change one byte in a test vault payload and recompute hash | Verifier flags payload hash mismatch | verifier report, altered test object id |
| TE-002 | Detect modified canonical field | Change risk_tier or version_set in a copied object | Canonical hash mismatch detected | canonicalization report |
| TE-003 | Detect broken hash chain | Remove or reorder a case-level ledger event | Chain verification fails at first inconsistent event | chain validation output |
| TE-004 | Verify Merkle inclusion | Provide proof path for one daily customer communication event | Proof verifies against signed daily root | Merkle proof file and root event |
| TE-005 | Reject invalid signature | Verify event with wrong key or expired key context | Signature verification fails and event is quarantined | signature validation report |
| TE-006 | Approval binding | Execute controlled test where approval references old output hash | Tool gateway blocks or audit query flags mismatch | approval mismatch query result |
| TE-007 | SoD enforcement | Same actor attempts to generate and approve high-risk evidence | Workflow blocks approval or query flags breach | SoD control record |
| TE-008 | Redaction derivation | Generate redacted export and verify derivative relation | Redacted object references original hash and passes field suppression | redaction attestation |
| TE-009 | Legal hold override | Apply hold then run delete lifecycle simulation | Delete job skips held evidence and logs hold reason | hold event and delete job report |
| TE-010 | Replay completeness | Reconstruct one KYC decline from source to final decision | Source, policy, AI output, review, decision and customer communication all linked | replay packet |
Execution rule:
A high-impact release cannot pass evidence integrity readiness if TE-001 through TE-007 fail. TE-008 and TE-009 are mandatory when redaction or legal hold applies.
7. Template: Legal Hold / Redaction Rule
7.1 Legal hold rule
| Field | Completed AML example |
|---|---|
hold_id | lh_aml_20260630_cluster_04 |
| Trigger | regulator inquiry into suspicious activity monitoring for date range 2026-05-01 to 2026-06-15 |
| Scope | AML cases with typology mule_network, model route aml-llm-route-2026-06, analyst team retail-fincrime-team-3 |
| Evidence classes | transaction timeline, KYC facts, RAG retrieval, AI recommendation, analyst review, supervisor approval, case notes, access logs |
| Preservation action | freeze deletion, lock payload vault, preserve signing keys and verification metadata |
| Redaction rule during hold | review exports may be redacted, but original payload and keys remain preserved |
| Access boundary | legal, assigned fincrime lead, internal audit partner and named technical custodian |
| Release condition | legal owner signs evidence.hold_released event with scope and effective time |
| Query | show all held evidence with access, export or attempted delete events during hold window |
7.2 Redaction rule
| Field | Completed board MI example |
|---|---|
redaction_rule_id | redact_board_mi_customer_mask_v2 |
| Purpose | board-level AI governance MI pack |
| Original evidence | restricted customer communication sample and complaint-linked AI output |
| Redacted derivative | customer identifiers tokenized, account numbers removed, amounts bucketed, free-text PII masked |
| Fields preserved | use case, risk tier, output category, control result, reviewer role, date bucket, issue taxonomy |
| Derivation proof | redacted payload hash signed by privacy service and linked to original evidence hash |
| Access rule | board pack viewers see only redacted derivative; raw evidence requires separate legal or audit approval |
| Failure action | revoke export, log exposure incident, regenerate derivative, notify privacy owner |
Boundary rule:
Redaction reduces exposure for review and MI; it does not destroy the original evidence chain. Legal hold can preserve both original and derivative objects depending on scope.
8. Template: Audit Query Pack
Create these queries as saved catalog items before release. The exact SQL or graph query depends on platform, but each query must have population, join logic and owner.
| Query ID | Question | Population | Evidence joins | Pass standard | Owner |
|---|---|---|---|---|---|
| AQ-001 | Which high-risk AI outputs lack evidence object creation? | high-risk ai.output.generated events | output registry to evidence ledger | zero missing | Platform |
| AQ-002 | Which evidence objects fail hash verification? | all release-candidate evidence | evidence object to vault payload and canonicalizer | zero blocking failures | Platform |
| AQ-003 | Which signed events fail verification? | high-risk producer, reviewer, policy and tool events | ledger event to key registry | zero invalid signatures | Platform security |
| AQ-004 | Which approvals are not bound to exact visible evidence hash? | ai.output.approved and ai.tool.invoked | approval event to output/tool input hash | zero for customer-impacting actions | Product architect |
| AQ-005 | Which high-risk approvals breach SoD? | approved high-risk events | actor hash to reviewer hash and role table | zero unresolved breaches | Risk / compliance |
| AQ-006 | Which tool executions lack policy decision? | write or customer-impacting tool events | tool event to policy decision event | zero missing | Tool gateway owner |
| AQ-007 | Which customer communications changed after approval? | delivered customer messages | approval output hash to delivered message hash | zero unauthorized diffs | Customer operations |
| AQ-008 | Which KYC decline recommendations lack source document hash? | KYC decline support cases | recommendation to document extraction evidence | zero missing for declined cases | KYC process owner |
| AQ-009 | Which AML SAR recommendations used stale policy or source material? | AML recommendation events | recommendation to policy and source version | zero outside approved freshness window | AML operations |
| AQ-010 | Which payment dispute submissions have approval mismatch? | dispute tool completion events | tool input hash to checker approval scope | zero mismatch | Dispute operations |
| AQ-011 | Which redacted exports lack derivative proof? | evidence.exported with redaction | export to redaction attestation and original hash | zero missing | Privacy |
| AQ-012 | Which legal hold evidence had attempted delete or unauthorized export? | held evidence population | hold events to delete/export/access events | zero unapproved actions | Legal / records |
| AQ-013 | Which board MI metrics lack population snapshot hash? | board MI signed snapshots | MI pack to query hash and Merkle root | zero missing | MI owner |
| AQ-014 | Which release evidence packets reference unverifiable evidence? | release packet evidence index | release packet to verifier results | zero blocking unverifiable items | AI governance |
Audit query acceptance criteria:
- Query owner can run it without delivery-team manual filtering.
- Query result includes evidence ids, event ids, business object hash, owner and exception classification.
- Query distinguishes control failure, documentation defect, justified exception and out-of-scope event.
- Query output is itself saved as a signed evidence object for release readiness.
9. Template: Release Evidence Packet
Use this packet for high-impact AI release or material change.
| Section | Required content | Completed example |
|---|---|---|
| Release identity | release id, use case id, risk tier, owner | rel_kyc_decline_assist_20260630, high customer impact, KYC Product Owner |
| Scope statement | what AI may and must not do | AI may recommend missing evidence and decline rationale; final decline remains human decision |
| Evidence object inventory | event classes, schema versions, required fields | 14 event classes, ai-evidence-object.v1, 100% required fields in pilot |
| Ledger design | append-only store, hash chain, Merkle batch, signing key | case-level hash chain and daily Merkle roots signed by ai-evidence-ledger-v4 |
| Attestation matrix | producer, source, policy, reviewer, redaction, legal hold, release | all high-risk attestations mapped to issuer and verifier |
| Segregation design | writer, approver, operator and reviewer separation | analyst cannot approve own AI-assisted decline recommendation |
| Privacy and raw evidence boundary | raw vault, redacted derivative, access logging | document images stored in vault; audit export tokenizes customer identifiers |
| Legal hold readiness | hold trigger, scope, preservation action, release process | regulatory inquiry trigger freezes evidence ids and signing metadata |
| Audit query results | AQ-001 to AQ-014 results | all blocking queries zero exceptions; 2 documentation defects accepted with owner and due date |
| Tamper-evidence test results | TE-001 to TE-010 | all mandatory tests pass in pre-release environment |
| Replay sample | one complete case replay | case from submitted documents to AI recommendation to human decline to customer communication |
| Exception register | open issues, owner, expiry, residual risk | 2 non-blocking documentation defects, closure due 2026-07-15 |
| Release decision | approve, approve with conditions or reject | approve with condition: daily AQ-004 approval binding report for first 30 days |
| Release attestation | packet hash, approvers, timestamp | signed release.evidence_packet_signed event |
Minimum release packet statement:
The release evidence packet for rel_kyc_decline_assist_20260630 contains signed evidence objects, verified hashes, attestation mappings, audit query results, redaction and legal hold rules, and one complete replay sample. The AI system may assist KYC reviewers with evidence organization and rationale drafting. It may not autonomously decline customers or send customer communications. Blocking evidence integrity queries returned zero unresolved failures.
10. PM / BA / Architecture Questions
PM questions
| Question | Strong answer |
|---|---|
| Which product decisions require tamper-evident evidence? | High-impact customer, regulatory, financial and board-facing decisions are identified by use case and risk tier |
| What is the customer harm if evidence cannot be trusted? | Complaint, appeal, regulatory challenge, incorrect decline, unsupported dispute or misleading communication |
| What evidence is a release gate? | Hash verification, approval binding, SoD, legal hold readiness and replay completeness |
| Who consumes the evidence? | Process owner, risk, internal audit, legal, privacy, board MI owner and regulator-facing response team |
| What is the acceptable residual risk? | Explicitly accepted exceptions with owner, expiry and compensating control |
BA / CBAP questions
| Question | Strong answer |
|---|---|
| What business event creates evidence? | Intent, input, retrieval, policy decision, recommendation, review, approval, tool action, final record, redaction and hold events |
| What is the business object boundary? | Case, customer communication, dispute submission, KYC decision, credit advice, board MI snapshot |
| What actor roles participate? | Requester, AI service, analyst, checker, supervisor, privacy approver, legal hold owner |
| What are the exception classes? | Documentation defect, control failure, justified exception, process gap and privacy exposure |
| How will replay prove the business story? | Provenance links source, AI output, policy, human decision and final business record |
Architecture questions
| Question | Strong answer |
|---|---|
| Where is raw evidence stored? | Restricted vault with pointer and payload hash in ledger |
| How is content canonicalized? | Deterministic serialization with schema version, normalized timestamps and stable key ordering |
| What signing keys are used? | Managed KMS/HSM keys, key version in signature, historical verification metadata preserved |
| What ledger pattern applies? | Hash chain for case timeline; Merkle batch for high-volume daily evidence |
| How does verifier work? | Recomputes hashes, validates signatures, checks inclusion proof, SoD, approval binding and legal hold state |
| How does this integrate with OpenTelemetry? | Trace ids link technical spans to evidence events, but audit trust comes from signed ledger and attestations |
| How are redactions represented? | New derivative evidence object with privacy attestation and original hash reference |
| How is legal hold enforced? | Hold state blocks deletion, preserves payload, keys and metadata, and logs access/export attempts |
11. Release Checklist
| Check | Required result |
|---|---|
| Evidence object schema approved | Schema reviewed by BA, architect, platform, risk and privacy |
| Required event taxonomy configured | High-impact event classes mapped to workflow states |
| Producer signing enabled | Service signatures verify in target environment |
| Ledger append-only control enabled | Writes are append-only; correction uses new event |
| Hash chain or Merkle proof tested | TE-003 and TE-004 pass where applicable |
| Raw evidence vault configured | Payload pointers resolve only for authorized roles |
| Redaction rule tested | Redacted derivative passes field suppression and derivation proof |
| Legal hold rule tested | Held evidence cannot be deleted and access is logged |
| Approval binding enforced | Reviewer approval references exact visible evidence hash or tool input hash |
| SoD enforced | Requester and approver cannot be same actor for high-risk actions |
| Audit query pack saved | AQ-001 to AQ-014 saved with owner and pass standard |
| Query results signed | Release readiness query output is stored as evidence |
| Replay sample complete | At least one end-to-end case can be reconstructed |
| Exception register clean | No unresolved blocking control failures |
| Release packet signed | Governance workflow signs packet hash and decision |
Release decision rule:
| Decision | Condition |
|---|---|
| Approve | All blocking evidence integrity checks pass and residual risks are accepted |
| Approve with conditions | No blocking tamper or approval failures; non-blocking defects have owner, due date and compensating control |
| Reject | Hash, signature, approval binding, SoD, legal hold or replay completeness fails for high-impact path |
12. Executive Narrative
Use this narrative for steering committee, board risk committee or audit-risk partner conversations.
We designed the AI evidence integrity control as a platform-level trust mechanism, not a manual document pack. For high-impact AI workflows, each critical prompt, source retrieval, model output, policy decision, approval, tool action, customer communication and management metric becomes a structured evidence object. The object is hashed, signed by the producing service, written to an append-only ledger and linked to its provenance and attestation chain.
This means we can independently verify whether evidence was changed after creation, whether the human approved the exact output or tool input, whether redacted review material still derives from the original evidence, and whether legal hold freezes the right population. The design minimizes raw sensitive data in the ledger by storing hashes and restricted pointers, while preserving the ability to reconstruct a case under controlled access.
For release readiness, we do not rely on assurance by assertion. We run audit queries for missing evidence, failed hashes, invalid signatures, approval mismatches, segregation-of-duties breaches, unauthorized tool actions, redaction defects and legal hold conflicts. These results are themselves signed into the release evidence packet. The outcome is a defensible evidence chain for AML, KYC, credit policy advice, payment dispute handling, customer communication and board MI.
Board-level one-liner:
We can prove not only what the AI system did, but whether the evidence used to prove it remained intact, attributable, approved, redacted and preserved.
13. Interview Drills
Drill 1: Explain evidence integrity in 30 seconds
Strong answer:
Evidence integrity means the AI system's evidence can be independently trusted. I would create structured evidence objects, hash and sign them, store them in an append-only ledger, link them through provenance claims and verify approvals, redactions and legal holds through attestation. This is different from ordinary logs because it proves the evidence was not silently altered and that reviewers approved exact content.
Drill 2: How would you design it for a KYC decline assistant?
Strong answer:
I would separate the AI recommendation from the final human decline decision. Document extraction, sanctions results, policy references, AI rationale, reviewer decision and customer communication each become evidence objects. The final decline decision must reference the AI recommendation hash only as support, not as autonomous decision authority. Customer challenge replay can then show original document hashes, extraction version, policy version, reviewer attestation and the exact customer message sent.
Drill 3: How do you avoid storing too much sensitive data?
Strong answer:
The ledger stores hashes, pointers, classification, version set and attestations, not every raw document. Raw evidence stays in a restricted vault. Redacted exports are derivative evidence objects linked to original hashes. Access, export and legal hold are also ledger events, so privacy control becomes part of the evidence chain.
Drill 4: What is approval binding?
Strong answer:
Approval binding means the reviewer decision references the exact evidence hash, output hash or tool input hash visible at review time. If a payment dispute tool executes a different input than the checker approved, the verifier or audit query flags it as invalid. This prevents generic approvals from being reused for changed content.
Drill 5: What would make you reject a release?
Strong answer:
I would reject a high-impact release if hashes fail, signatures cannot be verified, customer-impacting tool actions lack policy decision, approvals are not bound to exact inputs, SoD is breached, legal hold behavior is untested, or replay cannot reconstruct a representative customer-impacting case.
Drill 6: How is this different from OpenTelemetry?
Strong answer:
OpenTelemetry is excellent for traces, spans, metrics and logs. I would use its trace ids to connect technical execution to evidence events. But audit trust requires signed evidence objects, append-only ledger records, approval attestations, redaction lineage and legal hold state. Observability explains runtime behavior; evidence integrity proves the evidence chain is trustworthy.
Drill 7: How would you handle board MI?
Strong answer:
Board MI should have a signed population snapshot, query hash, data source attestation, metric output and reviewer approval. If numbers are adjusted, the adjustment is a correction event, not an overwritten slide. Redacted board packs link back to restricted evidence populations, so management can rely on metrics without exposing raw customer data.
14. Source Anchors
| Source | Link | Playbook use |
|---|---|---|
| W3C Verifiable Credentials Data Integrity | https://www.w3.org/TR/vc-data-integrity/ | Proof, verification method and signed data integrity concepts |
| W3C PROV Overview | https://www.w3.org/TR/prov-overview/ | Entity, Activity and Agent structure for provenance claims |
| OpenTelemetry documentation | https://opentelemetry.io/docs/ | Linking technical traces with evidence events without treating traces as audit proof |
| NIST SP 800-53 Rev. 5 Audit and Accountability controls | https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final | Audit accountability, review and protection control vocabulary |
| C2PA specifications | https://c2pa.org/specifications/specifications/2.1/index.html | Claims, manifests and content provenance inspiration |
| NIST AI Risk Management Framework | https://www.nist.gov/itl/ai-risk-management-framework | AI risk governance framing for evidence controls |
| ISO/IEC 42001 | https://www.iso.org/standard/81230.html | AI management system operating context |
15. Self-Check
| Check | Pass standard |
|---|---|
| Focus is evidence trustworthiness | Content centers on hash, signature, ledger, attestation, replay, redaction and legal hold |
| Not duplicating neighboring notes | Retention, observability, process audit, regulatory reporting and AI BOM are integration points only |
| Templates are usable | Schema, taxonomy, matrix, tests, legal hold, audit queries and release packet include completed examples |
| Financial retail context present | AML SAR recommendation, KYC decline, credit policy advice, payment dispute, customer communication and board MI are covered |
| Controls are testable | Release checklist and audit queries define pass standards and owners |
| Privacy boundary is explicit | Raw vault, hashes, pointers, redacted derivatives and access logging are separated |
| Executive communication included | Steering narrative and board one-liner are ready for portfolio use |