Skip to main content

Issue #55 — Evidence as a Byproduct

·1902 words·9 mins

Dear Reader,

A week ago I argued that the real divide in enterprise AI is whether the software advises or acts, and that once it acts, the human is gone unless you design them back in. This issue is about the second thing that goes missing when the human leaves: the record.

While AI advised, a person touched every consequential step. That person read the recommendation, decided, and acted, and in doing so left a trail a human could follow. The email had a sender. The approval had a name. When an agent acts on its own, no one touches the step. The only account of what happened is whatever the system recorded as it ran. If that was not captured at the time, it cannot be recovered afterwards. There is no one to ask.

Two ways to have evidence
#

Most compliance evidence today is reconstructed. When an auditor or a board asks what a system did, a separate team assembles the answer after the fact: they pull whatever logs exist, export records from each system the agent touched, and piece together the rest. Proof is put together on demand, not held in advance.

That approach held while software moved at human speed and a person sat at each decision. It does not survive an agent that takes ten thousand actions a month across four systems, deciding the order of the steps as it goes. Suppose, as an example, one of those actions goes wrong and the regulator asks about that single case. A trail assembled months later, from logs that were never designed to answer the question, is partial and open to dispute. Reconstruction was always the weaker method. Agents are what make its weakness matter.

The alternative is that the system writes the record as it acts: each step, the inputs it used, the human who approved it, the action it took. Ordinary logs already exist, of course, but they were written for engineers to debug with: scattered across systems, unstructured, and often thrown away on a short retention. This is a different kind of record. It is structured, so you can query it instead of grepping through text; complete, because the runtime writes every consequential step rather than a sample; and it captures the one thing debug logs almost never hold, which is which person approved the action. The gap between the two is the gap between having some log files and being able to prove what happened. The evidence comes out of the work rather than a separate exercise bolted on afterwards. This is the governance-as-code idea I have argued for two years, now as something physical in how the agent runs.

The tools were built for a different job
#

The market already has capable software for watching agents. LangSmith, Langfuse, Arize Phoenix, Weights & Biases Weave and AWS Bedrock’s own invocation logging all capture what an agent did: the prompts, the tool calls, the reasoning steps. There is even a shared standard forming, the OpenTelemetry GenAI conventions, so you are not locked to one vendor’s format.

The catch is what they were built for. These are observability tools, made so engineers can debug an agent and improve it. They were not made to prove to a regulator what an agent did in a customer’s case. The gap between those two jobs is where most organisations will get caught. The clearest sign of it: in early 2026, users of LangChain, the most widely used agent framework, filed a request for “structured compliance audit logging for the EU AI Act, Article 12”, a dedicated handler separate from the debugging callbacks the framework already shipped. That the two had to be asked for as separate things is the tell.

Read as compliance evidence rather than a debugging aid, the default tooling has specific holes:

  • The logs are the operator’s to change. Observability data can be edited, sampled or switched off. Amazon’s own security tooling ships a detection rule for when someone deletes the Bedrock invocation-logging configuration, which tells you how normal that event is. Evidence a system owner can quietly turn off is not evidence.
  • The content is off by default. The OpenTelemetry standard deliberately does not record the text of prompts and responses, to avoid pulling personal data into telemetry. So the part that matters for compliance, namely what the agent was told and what it decided, is the part you have to switch on yourself.
  • Sampling misses the single case. Observability keeps costs down by recording a fraction of traffic. A sample is fine for spotting trends and useless for the one disputed action. Article 12 asks for a complete record, not a representative one.
  • Only the ends get logged. A common shortcut records the input and the final output and drops the system prompt and the retrieved context in between, which is exactly where a scope violation or a biased instruction lives.
  • The approval is invisible. Most tracing captures the model’s steps and not the human decision beside them. The checkpoint from Issue 54, where a person releases the irreversible action, leaves no trace unless you record it on purpose.

What it takes to have the record
#

Making evidence a byproduct is deliberate work, not a setting. In practice it means instrumenting the runtime so every step emits a record in a portable format; sending those records to a structured store you can query rather than a pile of text you have to grep; capturing the fields that matter: the system prompt, the retrieved context, the tool inputs and outputs, the human approval and the final action; making the store tamper-evident, so a changed entry shows; and keeping it long enough to meet the law.

I looked at two very different pieces of agentic infrastructure over the past few months, and both are built on this idea. One is a framework that engineering teams build their own agents on: as an agent runs, the framework writes each decision, each action and the person who approved it into structured records you can query, so “show me every irreversible action this agent took last quarter and who approved each one” is answered in a single query rather than a forensic exercise. The other is a system in which agents write and ship software, where what went to production, and on whose approval, is emitted as the work runs. Neither treats the audit trail as a report to be produced later. In both, the record comes out of the work itself.

The hardest part is not technical. To prove what an agent decided you have to store what it saw, and what it saw often contains personal data. Complete evidence and data minimisation pull against each other, and no tool resolves that for you. It is a design decision: what to store in full, what to store as a reference, how long to keep it. And it belongs to you, not the vendor.

The law asks for the same thing
#

This is not only good practice. The EU AI Act, in Article 12, requires high-risk systems to record events automatically across their lifetime. The word that carries the weight is automatic: the record has to be produced by the system as it runs, not assembled by hand afterwards. The engineering argument and the legal requirement point the same way.

There is more runway than there was. The obligations for high-risk systems in Annex III, which cover many ordinary agent uses such as deciding claims, scoring credit and screening candidates, were deferred by the EU’s Digital Omnibus and now apply from 2 December 2027. That is runway, not a reprieve. Evidence architecture is not something you retrofit in the last quarter before a deadline, because a system that was not recording from the start has nothing to go back and record. Once the obligation does bite, the penalties reach €15 million or 3% of global turnover. In Poland this is UODO’s ground on the data-protection side, and KNF’s the moment an agent acts inside a banking or insurance workflow. No Polish company has yet published how it audits what its agents do, and the firm that can already answer “what did your agent do, and prove it” with a query is ahead of a market treating December 2027 as far off.

Where the evidence comes from is decided when you choose the runtime, not when the auditor calls. A tool that lets you watch your agents is not the same as one that can prove what they did, and the difference does not show in a demo.

Briefing
#

Microsoft set up a separate business, backed by $2.5 billion and around 6,000 engineers, to go into enterprises and deploy AI for them, days after Amazon committed $1 billion to its own forward-deployed AI engineers (TechCrunch, The AI Insider). The model vendors are moving into the implementation and advisory layer themselves, which changes the build-versus-buy question and where an enterprise’s independence actually sits.

OpenAI has reportedly discussed giving the US government a 5% stake in the company (CNBC). Any continuity or model-sourcing plan built on a single US frontier lab now carries a political variable that has nothing to do with the technology.

Europe’s senior bankers and financial supervisors warned that AI is moving faster than the rules meant to govern it (CNBC). The mood is hardening even though the AI Act’s high-risk deadlines have just slipped to 2027, so the pressure is arriving ahead of the formal rules rather than because of them. Expect KNF and its peers to ask sharper questions regardless of the date.

Questions for your leadership team
#

  1. For each agent we run, is the record of what it did written as it acts, or assembled afterwards on demand?
  2. Can we answer “show me every irreversible action this agent took last quarter and who approved each one” as a query, or is that a project?
  3. Are we treating an observability tool as an audit trail, and have we checked whether its logs can be sampled, edited or switched off?
  4. For our high-risk agent uses, are we building the evidence trail now, while we have runway to December 2027, or will we retrofit it under deadline? And who owns the tension between logging enough to prove decisions and holding no more personal data than we should?

Summary
#

When an agent acts on its own there is no person in the step to leave a trail, so the only evidence is what the system records while it works. Reconstructing that trail afterwards worked when decisions moved at human pace; it fails once an agent acts thousands of times across systems. The tools for watching agents exist, but they were built to debug, not to prove: their logs can be sampled, edited or switched off, and the content that matters is off by default. Generating evidence as the work happens is deliberate: emit the record as the agent acts, into a store you can query, tamper-evident and kept long enough. Article 12 of the AI Act asks for exactly this, automatically and not by hand; its high-risk obligations were deferred to December 2027, which is runway to build it properly, not a reason to wait. The choice is made when you pick the runtime.

Stay balanced, Krzysztof Goworek

Krzysztof Goworek is founder of Quintant — AI advisory that gets enterprises from experiment to production value.