FIELD NOTES ·

AI compliance is an audit trail

Who approved the action, what data touched the prompt, and can you prove it later?

compliance · edge · governance

AI compliance is an audit trail

Customers and regulators rarely ask “which model?” first. They ask: what data went in, who could see it, who approved the side-effect, and can you reproduce the decision six months later when legal calls?

AI compliance is not a checkbox on a vendor questionnaire. It is an audit trail — a chain of evidence that lets you answer those questions without reconstructing memory from Slack threads and someone's laptop.

Controls we implement

This is not paperwork theatre. It is how you sell AI into serious companies without waking up to a breach disclosure or a procurement block at the final stage.

What legal and security actually ask

After dozens of enterprise reviews, the questions repeat:

  1. Data residency. Where do prompts and outputs land? Which region, which account, which subprocessors?
  2. Training use. Does customer data train anyone's model? The answer should be no, and provable.
  3. Access control. Who can invoke the agent, and with what scope? Agent IAM is not “give it admin because it's convenient.”
  4. Reproducibility. Given a decision ID, can you show the prompt version, inputs, model, and output?

If you cannot answer four out of four from logs — not from architecture slides — you are not ready for a serious procurement cycle.

Edge work before launch

Edge is where compliance meets runtime. We treat it as week-one work, not a post-incident retrofit:

Embed agents inherit these controls by default. Forge prototypes get a lighter version, but we never demo to enterprise buyers without being able to show where the trail would live in production.

What not to do

Do not bolt compliance on after the agent has mailbox access. Do not log everything to a shared S3 bucket with no lifecycle policy. Do not treat “we'll add SOC 2 later” as a sales strategy — your buyer's security team has heard that before.

The goal is not perfect governance on day one. The goal is a trail good enough that when something goes wrong — and something will — you can investigate, contain, and explain without guessing.

← All field notes · Book a strike call →