Glossary
What is audit by construction?
Audit by construction is the discipline of producing the audit record as a property of the action itself, not as a downstream reconstruction from logs.
§ 01 Definition
The record is part of the action.
Audit by construction is the discipline of producing the audit record as a property of the action itself, not as a downstream reconstruction from logs. When an AI agent takes an action, the action and the record of the action are written together: who acted, on what data, under which policy, with what outcome. The record cannot be partial or missing because the substrate does not execute the action without writing it.
The opposite of audit by construction is audit by reconstruction, where the record is assembled later from logs, ticketing systems, and operator memory. Reconstruction works until the question is consequential. The first time an examiner asks for the trail, the gap between what was logged and what was actually done becomes the conversation.
§ 02 Questions
Audit by construction, answered.
What does audit by construction look like in practice?
At the moment an agent acts, the substrate writes an attributed event: the agent identity, the action class, the policy in force, the inputs, the outcome, the timestamp. The event is hash-chained to the previous event so the chain is verifiable from any point. Refusals are recorded as events the same as actions. Nothing happens that the record does not capture.
How does audit by construction differ from cryptographic logging?
Cryptographic logging signs or hashes log entries after they are written, often by a separate logging system. Audit by construction makes the record part of the action's execution path: the substrate refuses to act if the record cannot be written. Cryptographic guarantees still apply, but the load-bearing property is that the record exists at all, for every action.
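The two answers above, sketched as an added example that is not code from this page or from any product: a hypothetical `Substrate` writes a hash-chained event before it runs an action, aborts if the write fails, and records refusals as events. The names `Substrate`, `act`, `verify`, `policy-v1` and the `started`/`completed` split are assumptions made for illustration.

```python
import hashlib, json, time

GENESIS = "0" * 64  # constructed anchor value for the first event's "prev" field

def digest(body):
    # Canonical JSON keeps the hash stable regardless of key order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Substrate:
    """Hypothetical substrate: an action runs only after its record is written."""
    def __init__(self, allowed, write=None):
        self.allowed = allowed                    # policy: permitted action classes
        self.chain = []                           # append-only event store (in memory)
        self.write = write or self.chain.append   # injectable to simulate a failing store

    def _record(self, **fields):
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        body = dict(fields, prev=prev, ts=time.time())
        self.write(dict(body, hash=digest(body)))  # an exception here stops the caller

    def act(self, agent, action, inputs, fn, policy_id="policy-v1"):
        common = dict(agent=agent, action=action, policy=policy_id, inputs=inputs)
        if action not in self.allowed:
            self._record(**common, outcome="refused")  # refusals are events too
            return None
        self._record(**common, outcome="started")      # record first, then act
        result = fn(**inputs)
        self._record(**common, outcome="completed", result=result)
        return result

def verify(chain):
    """Return the index of the first broken event, or -1 if the chain is intact."""
    prev = GENESIS
    for i, event in enumerate(chain):
        body = {k: v for k, v in event.items() if k != "hash"}
        if event["prev"] != prev or digest(body) != event["hash"]:
            return i
        prev = event["hash"]
    return -1

if __name__ == "__main__":
    s = Substrate(allowed={"notify"})              # constructed sample policy
    s.act("agent-7", "notify", {"to": "ops"}, lambda to: "sent")
    s.act("agent-7", "delete", {"to": "ops"}, lambda to: "gone")
    for e in s.chain:
        print(e["action"], e["outcome"], e["hash"][:12])
    print("first broken event:", verify(s.chain))
```

A production store would be durable and access-controlled; the in-memory list only illustrates the ordering of record and action.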
Which regulatory frames are easier to satisfy with audit by construction?
Any frame that expects record-keeping or attribution: SR 26-2, NERC CIP, the EU AI Act record-keeping and human-oversight obligations, DORA attributable ICT operations, and the NIST AI RMF 1.0 Manage function. Audit by construction is the implementation-side discipline that makes the record-side burden satisfiable on demand.