Evidence Model

AKIOS Pro structures compliance evidence into four layers: traces, findings, control mappings, and export bundles. Each layer is independently reviewable and auditable.

Pipeline Overview#

Evidence PipelineObserve → Detect → Map → Export

Observe

LLM calls · Tool invocations · Policy events

Detect

PII exposure · Violations · Anomalies

Map

EU AI Act · GDPR · SOC 2 · HIPAA

Export

Evidence packs · SIEM · Audit

→

1. Traces#

A trace is a chronological record of material AI activity. Every event — LLM call, tool invocation, policy evaluation, human review — is captured with full context for reconstruction.

Session identity

User, agent, deployment, and correlation IDs that let auditors reconstruct the full context across systems. Every trace belongs to exactly one session.

Timeline

Events are timestamped with nanosecond precision. Types: llm_call, tool_invocation, policy_evaluation, pii_detection, review_action, system_event.

Model context

Model name, system prompt, input/output tokens, temperature, top_p, max_tokens, stop sequences, and response metadata. Captures the exact inference parameters that affected behavior.

Tool activity

Tool name, input arguments, output/result, latency (ms), token cost ($), policy decision (allow/deny/escalate), and correlation to parent event.

Trace JSON structure

json

{
  "trace_id": "trc_8f7d3a1e",
  "session_id": "sess_abc123",
  "agent": "customer-support-v2",
  "framework": "langchain",
  "user_id": "user_456",
  "events": [
    {
      "type": "llm_call",
      "timestamp": "2026-05-04T14:23:11.123456Z",
      "model": "gpt-4o",
      "prompt": "I need a refund",
      "completion": "Let me check your order",
      "tokens_prompt": 45,
      "tokens_completion": 120,
      "latency_ms": 3400,
      "policy_evaluations": [
        {
          "policy": "pii_scan",
          "decision": "pass",
          "findings": []
        }
      ]
    },
    {
      "type": "tool_invocation",
      "timestamp": "2026-05-04T14:23:14.567890Z",
      "tool": "get_order",
      "input": {"order_id": "ORD-789"},
      "output": {"status": "delivered", "amount": 49.99},
      "latency_ms": 1200,
      "decision": "allow"
    }
  ],
  "status": "completed",
  "created_at": "2026-05-04T14:23:11Z"
}

2. Findings#

A finding is a structured observation derived from trace data. Each finding has a type, severity, confidence, and lifecycle state. Findings are more useful than raw logs because each one can be owned, reviewed, remediated, and mapped to a compliance control.

PII Exposure

Detected sensitive data in prompts, tool inputs, or LLM responses. Classified by type (SSN, credit card, email, health data) and confidence level (0.0–1.0). Includes the matched context and character offset.

Policy Violation

Agent action that violated a defined policy: blocked tool access, disallowed domain, cost threshold exceeded, unauthorized data access. Includes the policy rule matched and the action taken (deny, warn, escalate).

Review Required

High-risk action requiring human approval. Tracks escalation path, reviewer assignment, review decision, and time-to-review. Escalated automatically if review SLA is exceeded.

Cost Anomaly

Per-agent or per-session token spend exceeds configured threshold. Includes the threshold, actual spend, time window, and correlated agent/session context.

Loop Detection

Agent entered a behavioral loop: repeated tool calls with identical inputs or outputs exceeding the configured retry limit. Includes the loop pattern detected and termination action.

Missing Review

A high-risk action required human approval but was not reviewed within the required window. Escalated for compliance review with full audit trail.

Finding lifecycle

Each finding progresses through: open → reviewing → remediated → closed. Status transitions are recorded with actor, timestamp, and comment. Auditors can verify that every finding was handled to completion. Findings can be reopened if remediation is incomplete.

3. Control Mapping#

Traces and findings are mapped to compliance controls. This lets legal, security, and compliance teams verify that specific regulatory obligations are met without reading raw technical records. Mappings are configurable per organization and per framework.

EU AI Act Article 12

Record keeping

Traces capture model, prompt, tool calls, decisions, and policy evaluations for each agent session.

EU AI Act Article 13

Transparency

Evidence packs include human-readable explanations of agent decisions, data sources, and control applications.

EU AI Act Article 14

Human oversight

Findings track review status, escalation path, reviewer, approval decision, and time-to-review.

EU AI Act Article 15

Accuracy

Anomaly findings capture cost spikes, loop detection, unexpected tool access, and policy drift.

GDPR Article 5

Data minimization

PII findings identify sensitive data exposure in prompts/outputs with retention controls and deletion support.

GDPR Article 32

Security of processing

Encryption at rest and in transit. Access controls. Audit logging. Incident detection.

SOC 2 CC6

Logical and physical access

Session identity, tool access logs, policy enforcement records mapped to access control evidence.

SOC 2 CC7

System operations

Monitoring, anomaly detection, incident escalation, and review workflows captured as findings.

HIPAA 164.312(a)

Access control

User authentication, session attribution, and tool-level access authorization.

HIPAA 164.312(b)

Audit controls

Chronological records of all ePHI access by agents with user attribution and tool context.

4. Export Bundles#

Evidence Pack Previewaudit-pack-q2-2026.pdf

SESSION

sess_8f7d3a1e

AGENT

customer-support-v2

FRAMEWORK

langchain

MODEL

gpt-4o

TRACES

247

FINDINGS

EXPORT

audit-pack-q2.pdf

RETENTION

90 days

Trace Timeline5 events · 3.1s

14:23:11.123LLM Callgpt-4o · 165 tokenspass

14:23:12.345Policy EvalPII scan · confidence 0.97warn

14:23:13.567Tool Callget_order(ORD-789) · 1.2spass

14:23:14.890FindingPII Credit Card · escalatedalert

14:23:16.234ReviewApproved by sarah@copass

SHA-256: a1b2c3d4...e5f6g7h8 · Signed: AKIOS-Pro/1.0

An export bundle packages traces, findings, control mappings, and retention proof into a single deliverable. Bundles are the primary artifact for audit requests, security reviews, procurement files, and regulator responses.

Formats

JSON for programmatic ingestion. HTML with navigation for human review. PDF with cover page and table of contents for regulator submission. Parquet for data warehouse import.

Scope selection

Filter by time range, agent, user, finding type, control framework, severity level, or session ID. Combine filters for precise audit packages.

Retention proof

Each export includes SHA-256 hashes of all records and a signed attestation that records have not been modified since capture. Usable as evidence of data integrity.

SIEM forwarding

Configure continuous forwarding to Splunk HEC, Microsoft Sentinel, or generic syslog. Events are structured with consistent schema for correlation.

bash

# Generate an evidence pack
docker exec akios-pro akios pack --last 7d \
  --include-controls \
  --include-retention-proof \
  --format pdf \
  --output /data/audit-pack-q2-2026.pdf

# Export raw evidence for SIEM
docker exec akios-pro akios export --since "2026-04-01" \
  --until "2026-05-01" \
  --format parquet \
  --output /data/evidence-q2-2026.parquet

# List available packs
docker exec akios-pro akios pack list
# pack_abc | Q2 2026 Audit | 2026-05-04 | PDF | 12.4 MB | 3,247 traces