Audit Trails for Public Accountability

Public service systems must be accountable to the people they serve. Audit trails are a core system output that enables oversight, correction, and trust.

4.1 Complete Reasoning History

Every action an agent takes must create an audit entry. These entries are append-only, immutable, and permanently retained.

Audit entry requirements

• Action identifier: A unique identifier for the action, linked to the case, the agent, and the operator.
• Reasoning record: The full reasoning attachment (Section 1.3) including inputs, rule path, intermediate steps, and determination.
• Policy version: The specific policy version applied, with a reference to the canonical source.
• Input values: The actual data values used in the determination — the values themselves as they existed at the time of processing.
• Intermediate decisions: Branch points, threshold comparisons, or conditional evaluations that shaped the final outcome, recorded with both the condition tested and the result.
• Outcome: The final determination or action taken, classified under the standard outcome types (Section 2.3).

4.2 Policy Version Anchoring

Each determination in the audit trail must reference the specific policy version that governed it. This anchoring must be permanent — even when policy is subsequently updated, the audit record retains its original version reference.

Anchoring requirements

• Every audit entry includes the policy version identifier as a mandatory field.
• Policy version references are immutable once written — they cannot be updated to point to newer versions.
• The audit system must be capable of retrieving the full text of any referenced policy version on demand.
• When multiple policy versions apply to different aspects of a single determination, each is recorded separately with its scope of application.

4.3 Temporal Record

Time is a critical dimension of accountability. Every event in the system must be precisely timestamped and permanently stored.

Temporal requirements

• Timestamps on everything: Every action, input, determination, handoff, communication, and system event receives a timestamp at the point of occurrence, using a consistent time standard.
• Permanent storage: Audit records are retained permanently. Retention periods, where required by policy, must be measured in decades. Records may never be deleted, overwritten, or summarized in ways that lose detail.
• Sequence integrity: The chronological ordering of events must be preserved and verifiable. Systems must detect and flag any events recorded out of sequence.
• Clock synchronization: All system components must use synchronized time sources to ensure timestamp consistency across distributed systems.

4.4 Rights Review Path

Any person affected by an agent determination has the right to request a full explanation of how that determination was reached. The audit trail must support this right.

Rights review requirements

• Request mechanism: Any person may request an explanation of any determination that affects them. The mechanism must be accessible, documented, and available through multiple channels.
• Full reasoning path: In response to a request, the system must reconstruct and present the complete reasoning path — from inputs through policy rules to the determination.
• Plain-language explanation: The reconstructed reasoning path must be translatable into a plain-language explanation that a non-technical person can understand.
• Timeliness: Explanations must be provided within defined timeframes, calibrated to the urgency of the matter. Adverse determinations require faster response times.
• Correction mechanism: Where the explanation reveals an error in inputs, rule application, or system behavior, a defined correction process must be initiated.

An audit trail must be understandable by the person it affects. It serves the public.