Evidence Model

RADAR structures compliance evidence into four layers. Each layer is independently reviewable and auditable, and together they form the chain from raw activity to a regulator-ready package.

Traces

A trace is a chronological record of material AI activity. Every event — LLM call, tool invocation, policy evaluation, human review — is captured with full context.

  • Session identity (string): User, agent, deployment, and correlation IDs, so auditors can reconstruct full context across systems. Every trace belongs to exactly one session.

  • Timeline (array): Events timestamped with nanosecond precision. Event types: llm_call, tool_invocation, policy_evaluation, pii_detection, review_action, system_event.

  • Model context (object): Model name, system prompt, input/output tokens, temperature, top_p, and response metadata: the exact inference parameters that affected behavior.

  • Tool activity (object): Tool name, input arguments, output, latency, token cost, policy decision (allow/deny/escalate), and correlation to the parent event.

Findings

A finding is a structured observation derived from trace data. Each has a type, severity, confidence, and lifecycle state. Findings answer specific compliance questions — raw logs don't.

Findings progress through a lifecycle: open → reviewing → remediated → closed. Every status transition is recorded with actor, timestamp, and comment. Findings can be reopened if remediation is incomplete.
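The lifecycle above is a small state machine whose value is the audit record of each transition. The following is an added illustration, not RADAR's code: the state names are the page's, while the transition table (in particular which states a finding may be reopened from), the field names and the sample actors are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Lifecycle states named on the page: open -> reviewing -> remediated -> closed.
# The table itself is an assumption: "can be reopened if remediation is
# incomplete" is modelled as remediated -> open and closed -> open.
TRANSITIONS = {
    "open": {"reviewing"},
    "reviewing": {"remediated"},
    "remediated": {"closed", "open"},
    "closed": {"open"},
}


@dataclass
class Transition:
    frm: str
    to: str
    actor: str
    at: str        # ISO-8601 UTC timestamp of the status change
    comment: str


@dataclass
class Finding:
    finding_id: str
    finding_type: str
    severity: str
    confidence: float
    state: str = "open"
    history: list = field(default_factory=list)

    def transition(self, to, actor, comment, now=None):
        """Move to a new state, recording actor, timestamp and comment.

        Raises ValueError for a move the lifecycle does not allow, leaving
        state and history untouched so the audit trail never records a
        transition that did not happen."""
        if to not in TRANSITIONS[self.state]:
            raise ValueError(f"illegal transition {self.state} -> {to}")
        if not comment.strip():
            raise ValueError("every transition needs a comment")
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self.history.append(Transition(self.state, to, actor, ts, comment))
        self.state = to
        return self


def demo():
    """Walk one finding through the lifecycle, then reopen it (constructed data)."""
    f = Finding("f-001", "policy_violation", "high", 0.98)
    f.transition("reviewing", "alice", "picked up during weekly triage")
    f.transition("remediated", "alice", "tool allowlist tightened")
    f.transition("closed", "bob", "verified in staging")
    # Remediation turned out to be incomplete: reopen from closed.
    f.transition("open", "bob", "regression: denied tool was invoked again")
    return f


if __name__ == "__main__":
    for t in demo().history:
        print(f"{t.at}  {t.frm:>10} -> {t.to:<10} {t.actor}: {t.comment}")
```

Skipping a state (for example open straight to closed) is rejected rather than silently recorded, which is what makes the history usable as evidence of human oversight.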

  • PII Exposure: Detected sensitive data in prompts, tool inputs, or LLM responses. Classified by type (SSN, credit card, health) and confidence (0.0–1.0). Includes matched context and character offset.

  • Policy Violation: Agent action violated a defined policy: blocked tool access, disallowed domain, cost threshold exceeded. Includes the policy rule matched and the action taken.

  • Review Required: High-risk action requiring human approval. Tracks escalation path, reviewer, decision, and time-to-review. Escalated automatically if the SLA is exceeded.

  • Cost Anomaly: Per-agent or per-session token spend exceeds the configured threshold. Includes threshold, actual spend, time window, and correlated context.

  • Loop Detection: Agent entered a behavioral loop: repeated calls with identical inputs/outputs exceeding the retry limit. Includes the pattern detected and the termination action.

  • Missing Review: High-risk action required human approval but was not reviewed within the required window. Escalated for compliance review with full audit trail.
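Three of these findings (Loop Detection, Cost Anomaly, Missing Review) can be derived mechanically from a session timeline of the kind described under Traces. The block below is an added example, not RADAR's detection code: it builds a constructed single-session timeline with nanosecond timestamps and the page's event type names, then runs one detector per finding type. Every field name, threshold and the "halt_session" termination action are assumptions of the example.

```python
import hashlib
import json
from collections import Counter

# Constructed sample trace for one session (not RADAR output). Timestamps are
# integer nanoseconds as the page describes; every field name here is an
# assumption of this example.
NS = 1_000_000_000
T0 = 1_700_000_000 * NS
SESSION = "sess-7f3a"


def ev(offset_s, etype, **payload):
    """Build one timeline event offset_s seconds after session start."""
    return {"session_id": SESSION, "ts_ns": T0 + int(offset_s * NS),
            "type": etype, **payload}


TIMELINE = [
    ev(0.0, "llm_call", tokens=1200),
    # The same search, same arguments, same empty result, four times in a row.
    ev(0.4, "tool_invocation", tool="search", args={"q": "invoice 4471"}, output="no results", tokens=300),
    ev(0.9, "tool_invocation", tool="search", args={"q": "invoice 4471"}, output="no results", tokens=300),
    ev(1.3, "tool_invocation", tool="search", args={"q": "invoice 4471"}, output="no results", tokens=300),
    ev(1.8, "tool_invocation", tool="search", args={"q": "invoice 4471"}, output="no results", tokens=300),
    # A high-risk action escalated for human review; no review_action follows.
    ev(2.5, "policy_evaluation", decision="escalate", action="wire_transfer", review_id="rv-9"),
    ev(3.0, "llm_call", tokens=9000),
    ev(40 * 60, "system_event", note="session idle"),
]


def call_signature(e):
    """Fingerprint of tool + arguments + output, so repeats compare exactly."""
    blob = json.dumps([e["tool"], e["args"], e["output"]], sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()


def detect_loops(timeline, retry_limit=3):
    """Loop Detection: identical input/output repeated beyond the retry limit."""
    calls = [e for e in timeline if e["type"] == "tool_invocation"]
    counts = Counter(call_signature(e) for e in calls)
    findings = []
    for sig, n in counts.items():
        if n > retry_limit:
            first = next(e for e in calls if call_signature(e) == sig)
            findings.append({
                "type": "loop_detection", "severity": "medium",
                "pattern": {"tool": first["tool"], "args": first["args"],
                            "repeats": n, "retry_limit": retry_limit},
                "termination_action": "halt_session",
            })
    return findings


def detect_cost_anomaly(timeline, threshold_tokens=10_000):
    """Cost Anomaly: per-session token spend above the configured threshold."""
    spend = sum(e.get("tokens", 0) for e in timeline)
    if spend <= threshold_tokens:
        return []
    return [{"type": "cost_anomaly", "severity": "high",
             "threshold": threshold_tokens, "actual": spend,
             "window_ns": [timeline[0]["ts_ns"], timeline[-1]["ts_ns"]]}]


def detect_missing_review(timeline, sla_s=15 * 60, now_ns=None):
    """Missing Review: an escalation with no review_action inside the SLA.

    now_ns defaults to the last event seen, i.e. the end of the trace."""
    now_ns = timeline[-1]["ts_ns"] if now_ns is None else now_ns
    reviewed = {e["review_id"] for e in timeline if e["type"] == "review_action"}
    findings = []
    for e in timeline:
        if e["type"] != "policy_evaluation" or e["decision"] != "escalate":
            continue
        waited_ns = now_ns - e["ts_ns"]
        if e["review_id"] not in reviewed and waited_ns > sla_s * NS:
            findings.append({"type": "missing_review", "severity": "critical",
                             "review_id": e["review_id"], "action": e["action"],
                             "waited_s": waited_ns // NS})
    return findings


def derive_findings(timeline):
    """Run every detector over a single-session trace, oldest event first."""
    ordered = sorted(timeline, key=lambda e: e["ts_ns"])
    if len({e["session_id"] for e in ordered}) != 1:
        raise ValueError("a trace belongs to exactly one session")
    return (detect_loops(ordered)
            + detect_cost_anomaly(ordered)
            + detect_missing_review(ordered))


if __name__ == "__main__":
    for f in derive_findings(TIMELINE):
        print(json.dumps(f, sort_keys=True))
```

The loop detector hashes tool name, arguments and output together, so a retry that changes any argument is not counted as part of the same loop; the missing-review detector measures the wait against the end of the trace, which is the conservative reading when the session simply went idle.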

Control mapping

Traces and findings are mapped to compliance controls. Legal, security, and compliance teams verify obligations without reading raw technical records.

  • EU AI Act Art. 12 (record keeping): Traces capture model, prompt, tool calls, decisions, and policy evaluations per session.

  • EU AI Act Art. 13 (transparency): Evidence packs include human-readable explanations of agent decisions and data sources.

  • EU AI Act Art. 14 (human oversight): Findings track review status, escalation, reviewer, decision, and time-to-review.

  • EU AI Act Art. 15 (accuracy): Anomaly findings capture cost spikes, loop detection, unexpected tool access, and policy drift.

  • GDPR Art. 5 (data minimization): PII findings identify sensitive data exposure, with retention controls and deletion support.

  • SOC 2 CC6 (logical access): Session identity, tool access logs, and policy enforcement are mapped to access control evidence.

  • HIPAA 164.312(b) (audit controls): Chronological records of all ePHI access by agents, with user attribution and tool context.

Export bundles

An export bundle packages traces, findings, control mappings, and retention proof into a single deliverable. Bundles are the primary artifact for audits, security reviews, and regulator submissions.

  • Formats (enum): JSON for ingestion, HTML for human review, PDF for regulator submission, Parquet for data warehouse import.

  • Scope selection (object): Filter by time range, agent, user, finding type, control framework, severity, or session ID. Combine filters for precise audit packages.

  • Retention proof (object): Each export includes SHA-256 hashes of all records and a Fernet-signed attestation (AES-128-CBC with HMAC-SHA256) that records have not been modified since capture. Fernet uses a symmetric key, so the attestation is only as trustworthy as custody of that key: anyone holding it can produce a valid attestation, and verifiers must be given the key or trust the party that holds it.

  • SIEM forwarding (object): Continuous forwarding to Splunk HEC and syslog. Events use a consistent schema so they can be correlated with other sources.
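The retention proof rests on two pieces: a per-record SHA-256 manifest, and a keyed tag over that manifest so the manifest itself cannot be quietly rewritten. The block below is an added example, not RADAR's code. Fernet's tamper evidence comes from its HMAC-SHA256 over the ciphertext; to run without the cryptography package, this example applies HMAC-SHA256 directly from the standard library to a canonical JSON manifest, which is the integrity part of what Fernet does and omits the encryption. Record contents, field names and the key bytes are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample records (not RADAR output); field names are assumptions.
RECORDS = [
    {"id": "ev-1", "type": "llm_call", "model": "example-model", "tokens": 1200},
    {"id": "ev-2", "type": "tool_invocation", "tool": "search", "decision": "allow"},
    {"id": "ev-3", "type": "policy_evaluation", "decision": "escalate"},
]
# Constructed key for the demo. A deployment would load it from a secret
# store and keep it away from the team that produces the exports.
KEY = b"demo-key-32-bytes-not-for-production!!"


def canonical(obj):
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hashes(records):
    """SHA-256 of every record, keyed by record id."""
    return {r["id"]: hashlib.sha256(canonical(r)).hexdigest() for r in records}


def attest(records, key):
    """Build the retention-proof manifest and an HMAC-SHA256 tag over it."""
    hashes = record_hashes(records)
    manifest = {
        "count": len(records),
        "record_sha256": hashes,
        "manifest_sha256": hashlib.sha256(canonical(hashes)).hexdigest(),
    }
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify(records, proof, key):
    """Check the tag first, then recompute every record hash.

    Returns (ok, problems). The tag check uses a constant-time compare; a
    failed tag means the manifest (or the key) is wrong, so the per-record
    hashes in it cannot be trusted and are not consulted."""
    expected = hmac.new(key, canonical(proof["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof["tag"]):
        return False, ["manifest tag mismatch: attestation or key is wrong"]
    current = record_hashes(records)
    stored = proof["manifest"]["record_sha256"]
    problems = []
    for rid, h in stored.items():
        if rid not in current:
            problems.append(f"record {rid} missing")
        elif current[rid] != h:
            problems.append(f"record {rid} modified")
    for rid in current:
        if rid not in stored:
            problems.append(f"record {rid} added")
    return not problems, problems


def demo():
    """Attest the records, then verify clean, tampered and wrong-key cases."""
    proof = attest(RECORDS, KEY)
    ok_clean, _ = verify(RECORDS, proof, KEY)
    tampered = [dict(r) for r in RECORDS]
    tampered[1]["decision"] = "deny"     # rewrite history: the call was allowed
    ok_tampered, problems = verify(tampered, proof, KEY)
    ok_wrong_key, _ = verify(RECORDS, proof, b"someone-elses-key")
    return ok_clean, ok_tampered, problems, ok_wrong_key


if __name__ == "__main__":
    print(demo())
```

Because the tag is symmetric, a verifier who is handed the key could also have forged the manifest; where a regulator needs proof that only the exporter could have produced the attestation, sign the manifest_sha256 with an asymmetric key in addition to, or instead of, the HMAC.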

For example, to build an Article 14 evidence pack as a PDF with control mappings and retention proof from inside the radar container:

docker exec radar radar evidence build --pack-id eu_ai_act_article_14 \
  --include-controls \
  --include-retention-proof \
  --format pdf --output /data/audit-pack.pdf
