S7.11 - Audit_lineage
S7.11 ? Audit lineage
flowchart LR
A1[Audit trails] --> B[RAIDT - run-level evidence framework]
A2[Evidence-based review] --> B
A3[Answerability] --> B
A4[Contestability] --> B
A5[Traditional limitation:
general governance claims do not explain
specific GenAI uses] --> B
B --> C[[Audit lineage - evidential governance logic for GenAI runs]]
C --> D[Run-level evidence pack]
C --> E[Five-pillar score profile]
C --> F[Reviewer reconstruction]
C --> G[Governance move:
evidence over assertion,
reviewability, audit readiness]
D --> H[Traceable review]
E --> I[Structured judgement]
F --> J[Contestability]
G --> K[Organisational learning]
G --> L[Policy and compliance alignment]
M1[Finance compliance review] --> C
M2[Healthcare documentation support] --> C
M3[Education guidance drafting] --> C
M4[Public service casework] --> C
M5[Enterprise productivity workflows] --> C? Star S7 - Academic Theory and Design Logic
Star context: Positions RAIDT within traditions of auditability, answerability, and evidential review, showing how a design-science governance framework for GenAI becomes academically grounded and operationally inspectable.
Academic picture
Definition / background
Audit lineage refers to the family resemblance between RAIDT and longer traditions of audit trails, evidence-based review, administrative answerability, and contestable decision support. The concept matters because RAIDT does not emerge in an intellectual vacuum. It extends a well-established governance logic into a new domain: if organisations rely on outputs that may affect people, decisions, services, or risks, they need records that allow others to inspect how those outputs were produced and used.
In classical audit settings, the focus is often on financial records, process controls, compliance checks, and traceable decision paths. In GenAI governance, the challenge is different but related. A model output may be persuasive, partially correct, or operationally useful without being self-explanatory. Audit lineage therefore means bringing audit-style reviewability into the run itself: the prompt, model, configuration, context, inputs, outputs, human intervention, and evaluative judgement all become candidates for structured evidence.
This is not identical to general accountability language. Accountability often names a moral or institutional expectation, whereas audit lineage emphasises inspectable artefacts, bounded evidence, and reconstructable sequences. It belongs inside RAIDT because RAIDT operationalises that lineage through two practical outputs: a run-level evidence pack and a five-pillar score profile. These translate abstract governance expectations into something that can be reviewed by supervisors, auditors, practitioners, or external stakeholders.
Audit lineage also clarifies why RAIDT treats the run as the unit of governance. Broad system-level claims about a model are not enough. What matters in practice is whether a particular configured use can later be understood, questioned, and improved. In that sense, audit lineage supports run-level evidence, strengthens evidence packs, and gives normative justification for scoring Responsibility, Auditability, Interpretability, Dependability, and Traceability.
Why this concept matters
Audit lineage matters because GenAI governance often fails at the point where a stakeholder asks a simple but serious question: what happened here, on what basis, and can we review it? Principles alone do not answer that question. High-level policies do not answer it either. Without audit lineage, organisations can claim responsibility while lacking the records needed to test, contest, or improve specific uses.
The concept avoids a common confusion between governance aspiration and governance capability. An organisation may say that its AI use is monitored, but if a run cannot be reconstructed, reviewed, or challenged, then answerability remains weak. Audit lineage solves part of that problem by grounding RAIDT in a practical evidential tradition. It explains why the framework insists on bounded documentation rather than vague assurances.
If audit lineage is missing, several risks emerge: post hoc rationalisation, unreviewable model use, weak incident analysis, difficulty in demonstrating compliance, and poor organisational learning. For organisations using GenAI in real work, this means they may not be able to explain errors, defend legitimate uses, or distinguish isolated failures from systemic weaknesses.
RAIDT uses audit lineage to move from principles to operational governance. It does so by linking each run to evidence that can be checked, compared, scored, and discussed. That makes governance more reviewable, more contestable, and more useful for continuous improvement.
Key idea: Audit lineage matters because it gives RAIDT a defensible governance logic for turning abstract accountability into run-level evidence that can actually be reviewed and challenged.
What this item explains
- Why RAIDT inherits its governance logic from traditions of audit, evidence-based review, and organisational answerability.
- Why the run, rather than the model in the abstract, becomes the practical unit of review.
- How bounded evidence packs translate accountability expectations into inspectable artefacts.
- Why score profiles are not merely ratings, but structured summaries that support audit-style judgement.
- How contestability and organisational learning depend on being able to reconstruct specific GenAI uses.
- Why RAIDT is positioned as an operational governance framework rather than a purely ethical statement.
Practical example / likely audience question
Audience question
Is RAIDT genuinely a new governance framework, or is it simply traditional auditing applied to AI with new terminology?
Answer
The concern behind the question is understandable: RAIDT clearly draws on audit and accountability traditions, so a reviewer may suspect that it is only relabelling existing ideas. The direct answer is that RAIDT is not a replacement for auditing and not merely a synonym for it. Rather, it extends audit logic into a context where conventional audit methods are often too coarse, too retrospective, or too system-level to explain what happened in a single GenAI-supported task.
The practical novelty lies in the unit of analysis and the form of evidence. RAIDT treats one configured GenAI use in one context at one time as the relevant governance object. It then specifies a bounded evidence pack for that run and a five-pillar score profile for structured review. Traditional auditing might tell an organisation to keep records and enforce controls. RAIDT tells it what kind of run-level evidence is needed to review a prompt-driven, model-mediated interaction whose outcome may later be contested.
For example, if an organisation uses GenAI to draft a regulatory response, a generic governance approach may confirm that a policy exists and that staff were trained. RAIDT goes further by asking whether the exact run can be reconstructed: which model was used, which source material informed the prompt, what instructions were given, what output was produced, what human edits followed, and how the run scored across the five pillars. That is where RAIDT handles the issue better than a generic AI governance approach. It turns the lineage of auditing into a specific evidential method for GenAI use.
Practical example in RAIDT terms
A retail bank uses a GenAI assistant to help compliance analysts draft first-pass summaries of suspicious transaction reports. One analyst runs the tool to interpret an unusual transfer pattern and produce a briefing note for escalation. The run-level issue is not simply whether the model is generally approved, but whether this specific use can later be reviewed if the escalation decision is challenged.
The evidence needed includes the prompt template, the analyst's task framing, the model and version, configuration settings, relevant transaction data snapshot or references, the generated summary, analyst edits, escalation outcome, and notes on whether the output introduced unsupported inferences. Responsibility is affected because a human analyst remains answerable for the decision. Auditability is affected because a reviewer may need to reconstruct the basis for escalation. Interpretability matters because the summary must be explainable to internal reviewers. Dependability matters because unreliable summaries could distort case handling. Traceability matters because the bank needs a documented path from source data to drafted output to final action.
Audit lineage improves governance readiness here by justifying why those run records should exist in the first place. Rather than treating the event as an opaque AI-assisted action, RAIDT frames it as a reviewable run with a bounded evidence pack and an assessable score profile. That supports defensible oversight, incident review, and process improvement.
Detailed link to RAIDT
Audit lineage links to RAIDT in four ways.
First, it gives RAIDT a conceptual foundation in established traditions of auditability, answerability, and evidence-based organisational review.
Second, it justifies RAIDT's decision to treat the run as the unit at which governance evidence should be captured and examined.
Third, it supports the design of the evidence pack and the score profile as practical outputs that make review and comparison possible.
Fourth, it connects RAIDT to reviewability, contestability, audit readiness, and organisational learning rather than leaving governance at the level of abstract principles.
Audit lineage ? Run-level evidence ? Evidence pack ? RAIDT score profile ? Governance readiness
This chain matters because RAIDT is strongest when its theoretical grounding and practical instrumentation remain connected. Audit lineage explains why run-level evidence should exist; the evidence pack organises that material; the score profile summarises evaluative judgement; and governance readiness is improved because the organisation can review, defend, or correct specific uses of GenAI.
Link to the five RAIDT pillars
Responsibility
Audit lineage strengthens Responsibility by clarifying who must be answerable for a run and on what evidential basis that answerability can be exercised. It discourages vague claims that "the system decided" by requiring identifiable human and organisational accountability around use.
Example evidence / implication:
- Named role responsible for initiating, reviewing, or approving the run.
- Record of human judgement, escalation, override, or sign-off after model output.
Auditability
Audit lineage has its strongest direct effect on Auditability because it frames RAIDT as a review-oriented governance framework rather than a mere performance instrument. It supports the expectation that a run can be inspected after the fact using bounded, relevant evidence.
Example evidence / implication:
- Evidence pack showing prompt, model, configuration, output, and review notes.
- Review trail indicating what a second party could reconstruct and verify.
Interpretability
Audit lineage contributes to Interpretability by insisting that outputs must not only exist but also be explainable enough for human review in context. An unintelligible but logged output is still weak governance.
Example evidence / implication:
- Notes explaining why the output was accepted, amended, or rejected.
- Plain-language rationale connecting output content to task purpose or source material.
Dependability
Audit lineage supports Dependability indirectly by making repeated assessment possible. If runs are documented consistently, an organisation can compare failure patterns, reliability concerns, and context-specific weaknesses over time.
Example evidence / implication:
- Records of run quality issues, instability, or recurring error types across similar tasks.
- Evidence that reliability concerns triggered mitigation, fallback, or tighter review.
Traceability
Audit lineage strongly affects Traceability because it requires a visible path from context and inputs through configuration and output to downstream action. This is essential when a decision or recommendation later becomes disputed.
Example evidence / implication:
- Logged relationship between source material, prompt instructions, generated output, and final human action.
- Versioning information for model, template, and workflow conditions at the time of the run.
Audit lineage most strongly shapes Auditability and Traceability, but it also reinforces Responsibility, Interpretability, and Dependability by making evidential review possible across the full governance chain.
Why this item is more than a generic concept
In general AI governance, audit lineage may simply mean that systems should be documented, monitored, or accountable to some reviewing authority. In RAIDT, the concept is narrower and more operational. It means that each consequential GenAI run should leave behind enough structured evidence to support reconstruction, scoring, challenge, and learning.
That distinction matters. A generic governance statement can remain valid even when nobody can explain a particular use. The RAIDT meaning is more demanding because it ties audit lineage to run-level evidence. The concept therefore becomes actionable: it changes what must be captured, how review occurs, and how governance readiness is judged.
Common misunderstanding
Misunderstanding
Audit lineage means RAIDT is basically an audit checklist for compliance teams.
Correction
Audit lineage does not reduce RAIDT to compliance checking. It explains the governance heritage of the framework, but RAIDT applies that heritage to the design and evaluation of specific GenAI runs. A checklist may confirm that a policy exists; RAIDT asks whether a concrete run can be reconstructed and assessed across five pillars.
For example, a university might have an AI use policy for student-support staff. That policy alone does not show whether a specific GenAI-assisted student advice message was produced responsibly. RAIDT would require run-level evidence showing the prompt, guidance source, output, human review, and final communication. The lineage is audit-related, but the operational method is run-level governance.
Boundary and limitation
Audit lineage does not prove that a run was correct, fair, lawful, or beneficial. It also does not replace domain expertise, human judgement, risk assessment, or sector-specific compliance obligations. A well-documented run can still contain poor reasoning, weak evidence, or harmful consequences.
The concept may also fail if evidence capture is too shallow, overly burdensome, or disconnected from actual work practices. If staff treat documentation as a box-ticking exercise, the lineage remains symbolic rather than useful. Likewise, some run contexts may involve privacy, confidentiality, or security constraints that limit what can be retained in an evidence pack.
RAIDT handles these limitations by treating audit lineage as necessary but not sufficient. The framework pairs evidential review with pillar-based assessment, bounded documentation, and context-sensitive governance design. In other words, lineage creates the conditions for review, but good governance still depends on judgement, proportionality, and institutional follow-through.
Implementation levels
Manual implementation
A researcher or small team can apply audit lineage manually by recording each significant run in a structured template. The template would capture the task, context, prompt, model details, output, reviewer comments, and final decision so that later discussion is evidence-based rather than memory-based.
Semi-automated implementation
Semi-automated implementation can use forms, metadata fields, prompt wrappers, and review checklists to populate evidence packs consistently. This reduces omission risk and makes pillar scoring easier across repeated runs without requiring a fully integrated governance platform.
Fully automated implementation
At scale, audit lineage can be implemented through orchestration layers, logging pipelines, model gateways, workflow dashboards, and governance services that automatically bind run metadata, artefacts, reviewer actions, and scoring records into a retrievable evidence pack. In that form, RAIDT becomes a practical organisational capability for monitoring, reviewing, and improving GenAI use across many contexts.
Practical use in the RAIDT project
Within the RAIDT project, audit lineage helps explain the theoretical seriousness of the framework in Paper 08 Foundations by linking run-level evidence to established governance traditions rather than presenting RAIDT as an isolated invention. In Paper 09 Empirical Validation, the concept supports evaluation questions about whether reviewers can reconstruct and judge runs more effectively when evidence packs follow a clear audit logic. In Paper 10 Policy Pathways, it helps translate RAIDT into language that policymakers, regulators, procurement teams, and institutional leaders recognise.
The concept is also useful in sector playbooks because it explains why evidence requirements differ by context while preserving the same review principle. It informs evidence-pack design, scoring rubrics, influence methods, and governance interventions by clarifying what kinds of records make organisational learning possible. For supervision meetings, viva defence, and journal positioning, audit lineage is a strong answer to the question of why RAIDT is both theoretically grounded and practically necessary.
Key audience questions to prepare for
Q1. If RAIDT has an audit lineage, what is actually new about it?
The novelty lies in operationalising audit logic for GenAI runs. RAIDT specifies the run as the unit of governance, defines a bounded evidence pack, and links review to a five-pillar scoring profile. That combination is more precise than generic audit language.
Q2. Why is audit lineage important for PhD-level positioning?
It shows that RAIDT is anchored in recognised traditions of organisational governance and Information Systems thinking. This strengthens theoretical legitimacy and helps explain why the framework is more than a technical logging proposal.
Q3. Does audit lineage imply retrospective checking only?
No. Although audit traditions are often retrospective, RAIDT uses the lineage to support prospective design as well. If a run must be reviewable later, teams are encouraged to configure, document, and monitor it properly from the start.
Q4. Can audit lineage work in sensitive domains where evidence retention is constrained?
Yes, but only with bounded and context-appropriate evidence design. RAIDT does not require unlimited retention; it requires enough structured evidence to support proportionate review without violating privacy, confidentiality, or security requirements.
Q5. How does audit lineage help with contestability?
Contestability depends on there being something concrete to inspect and challenge. Audit lineage provides the rationale for preserving that material, while RAIDT provides the structure through evidence packs and score profiles.
Suggested citation concepts to support this item
- audit trails in information systems governance
- accountability and answerability in organisational decision-making
- administrative review and contestability in public sector governance
- evidence-based auditing and assurance mechanisms
- algorithmic accountability and documentation practices
- AI auditability and reviewability frameworks
- traceability and provenance in socio-technical systems
- design science research and governance artefacts
- human oversight in AI-assisted decision support
- organisational learning from audit records and incident review
Short explanation for presentation
Audit lineage explains why RAIDT is more than a scoring tool for AI use. It places RAIDT within established traditions of audit trails, answerability, and evidence-based organisational review, then extends that logic to generative AI runs. The key move is that RAIDT treats the run as the unit of governance and requires a bounded evidence pack plus a five-pillar score profile. That means accountability is no longer just a principle or policy claim. It becomes something that can be inspected, challenged, and improved in relation to a specific use of GenAI in a specific context. For supervision and viva purposes, the concept helps justify RAIDT academically while also showing its practical value for reviewability, contestability, audit readiness, and organisational learning.
One-line takeaway
Audit lineage is RAIDT's connection to traditions of evidential accountability because it turns abstract answerability into reviewable run-level evidence.