What do regulators ask for in an AI audit trail?

The FCA, PRA, and ECB supervision teams are increasingly requesting AI decision logs during thematic reviews and model risk examinations. They typically ask for: a record of every decision the AI made and when, the version of the model in use at the time, the data inputs used, the third-party data sources or APIs called, and evidence that a human was able to review or override the decision. EU AI Act Article 14 also requires human oversight records for high-risk AI.

AI Compliance Evidence Pack — Audit Trail for Financial Services AI

Q: What is an AI compliance evidence pack?

An AI compliance evidence pack is a structured document that shows regulators exactly how an AI system made a decision — the inputs used, the model version, the data sources queried, the third-party endpoints called, and the output produced. Under EU AI Act Article 13 and DORA Article 12, high-risk financial AI systems must be able to produce this documentation on demand.

Q: How is Tracient's evidence pack different from a manual compliance log?

Manual compliance logs are typically produced after the fact by compliance teams working from fragmented data sources — model logs, database queries, API records, and risk system outputs stored separately. Tracient intercepts every AI agent action at runtime, correlates it with the regulatory obligation it touches, and assembles the evidence pack automatically. The result is a single document that maps each decision to DORA Article 12, EU AI Act Article 13, and any other applicable obligation — generated in seconds, not days.

What regulators expect

The question regulators are now asking.

Regulatory examinations at UK and EU financial institutions have begun specifically requesting AI decision documentation. The FCA's model risk supervisory programme, the PRA's SS1/23 expectations, and the ECB's TRIM methodology all now include explicit questions about AI audit trails.

EU AI Act Articles 12 and 13 formalise this: high-risk AI systems must automatically log events sufficient to trace the system's decisions throughout its lifecycle, and provide transparency documentation enabling supervisory authorities to assess compliance. For credit scoring and mortgage AI, this obligation becomes enforceable on 2 August 2026.

DORA Article 12 adds another layer: all automated ICT processes must generate logs that enable forensic analysis and traceability. An AI agent that queries a credit bureau API, runs a scoring model, and outputs a decision is touching every one of these obligations simultaneously.

EU AI Act Art. 12 — Logging

Automatic event logging throughout the lifecycle

High-risk AI systems shall have logging capabilities ensuring traceability of the AI system's functioning throughout its lifecycle — including the periods during which it was in use, the data inputs, and the outputs produced.

High-risk AI Enforceable Aug 2026

EU AI Act Art. 13 — Transparency

Documentation enabling supervisory oversight

High-risk AI systems shall be designed to enable deployers to understand the system's operation and the basis on which outputs are produced. This includes full documentation of the model, the data, and the decision logic for competent authority review.

High-risk AI

DORA Art. 12 — ICT Logging

Forensic-grade audit trail for AI agent actions

Financial entities shall implement mechanisms for detecting anomalous activities, generating logs with the level of precision sufficient for forensic analysis, and retaining ICT-related event logs for a minimum of five years.

DORA active

What the pack contains

Everything a regulator needs.
Assembled in seconds.

Tracient intercepts every AI agent action at runtime. When you need to respond to a regulator — or prepare for an examination — the evidence pack assembles itself from the live audit log. No manual trawling through database exports, API logs, and model version histories.

Decision record

The complete input→output trace for each AI decision: timestamp, agent identifier, model version, input parameters, and the output produced. Meets EU AI Act Art. 12 logging requirements.

Data source map

Every data source and third-party endpoint queried during the decision — mapped to your DORA Art. 28 ICT third-party register. Unregistered endpoints are flagged automatically.

Regulatory obligation mapping

Each finding mapped to its regulatory obligation — DORA Article, EU AI Act Article, or FCA/PRA requirement — so the regulator can immediately locate the relevant compliance evidence.

Human oversight record

Where human review was triggered or available, this is documented. EU AI Act Art. 14 requires that high-risk AI systems be designed to enable effective human oversight — this log demonstrates it.

Risk flag timeline

A chronological record of any compliance flags raised — breach, warning, or advisory — with the remediation action taken or pending. Gives auditors the narrative, not just the data.

Model & system documentation

The model identifier, version, and system description in place at the time of each decision. Required under EU AI Act Art. 11 (technical documentation) and Art. 17 (quality management system).

The compliance gap

Most firms can't produce this. Yet.

The gap between "we have logs somewhere" and "here is a regulator-ready evidence pack" is typically measured in days of analyst time, not minutes. AI agent actions are recorded across model serving logs, database query logs, API gateway logs, and risk system outputs — all in different systems, all in different formats.

During an examination, you don't have days. Tracient closes this gap by capturing everything at the point of decision — runtime interception, not retrospective assembly — so the evidence pack exists before anyone asks for it.

This also means the compliance record is accurate by design, not reconstructed from memory. When a regulator finds a discrepancy between your policy documentation and your actual AI behaviour, it is far better to have found it yourself first.

❌ Without Tracient

3–5 days to assemble evidence from fragmented logs across multiple systems

Manual cross-referencing between model logs, API logs, and risk system records

No single document mapping decisions to regulatory obligations

Unregistered ICT endpoints not visible until a breach investigation

Evidence reconstructed after the fact — regulators can identify inconsistencies

✓ With Tracient

✓

Evidence pack generated in seconds from the live, real-time audit log

✓

Every data source and API call already mapped to DORA Art. 28 register entries

✓

Each finding pre-mapped to the applicable regulatory article

✓

Unregistered endpoints flagged at the moment they are first called

✓

Evidence exists before any regulator request — examination-ready at all times

FAQ

Common questions.

What is an AI compliance evidence pack?

A structured document showing regulators exactly how an AI system made a decision — the inputs, model version, data sources, third-party endpoints called, and output produced. Under EU AI Act Article 13 and DORA Article 12, high-risk financial AI systems must be able to produce this documentation on demand.

Does EU AI Act require an AI audit trail?

Yes. EU AI Act Articles 12, 13, and 17 together require that high-risk AI systems automatically log events sufficient to trace the AI system's decisions throughout its lifecycle. Logs must be retained and produced for competent authorities on request. The August 2, 2026 deadline applies to all high-risk AI systems already in operation — including credit scoring and mortgage assessment AI.

Which regulators are asking for AI decision records?

The FCA's supervisory programme now includes explicit questions about AI model documentation and audit trails in firm visits. The PRA's SS1/23 on model risk management requires firms to maintain model inventories and documentation. The ECB's TRIM (Targeted Review of Internal Models) includes AI systems. From August 2026, EU AI Act competent authorities have a statutory right to request compliance documentation.

How is Tracient's evidence pack different from a manual compliance log?

Manual compliance logs are produced after the fact by compliance teams working from fragmented data. Tracient intercepts every AI agent action at runtime, correlates it with the regulatory obligation it touches, and assembles the evidence pack automatically. The result is a single document mapping each decision to DORA Article 12, EU AI Act Article 13, and any other applicable obligation — generated in seconds, not days.

Which AI systems need an evidence pack in financial services?

Under the EU AI Act, any AI system used in credit scoring, creditworthiness assessment, mortgage suitability, or insurance underwriting is explicitly classified as high-risk under Annex III and requires a full audit trail. Under DORA, any AI agent that calls a third-party API or queries an external data source must have those actions logged — this applies to customer onboarding AI, portfolio monitoring systems, and credit decisioning engines.

Get early access

Be examination-ready
before they ask.

Tracient is in private early access. We're working with a small number of regulated fintechs ahead of the August 2026 EU AI Act deadline. If you have a credit scoring or mortgage AI system in production — or agents calling third-party APIs — we'd like to talk.

⚠ 120 days to EU AI Act enforcement

The question regulators are now asking.

Everything a regulator needs.Assembled in seconds.

Most firms can't produce this. Yet.

Common questions.

Be examination-readybefore they ask.

Everything a regulator needs.
Assembled in seconds.

Be examination-ready
before they ask.