
Q147 — What is RAG as a governance intervention, and why can it improve auditability and traceability?


Answer

As a governance intervention, RAG is a provenance-first arrangement in which retrieval, citation policy, logging, and review protocol are designed together as controls. The model does not simply fetch supporting text; rather, the pipeline binds retrieved evidence to generation and records the lineage of that evidence. In the RAIDT framing, this matters because governance is demonstrated through artefacts. The RAG paper specifies a workflow in which each output is linked to its prompt version, model or adapter lineage, retrieval context IDs, retriever settings, timestamps, and cryptographic hashes. In that sense, RAG is a method for turning otherwise opaque generation into a documented, inspectable process.

RAG can improve auditability because auditors are given concrete records rather than narrative assurances. They can inspect retrieval logs, verify which corpus snapshot was active, check whether citation rules were followed, and compare reviewer adjudications against the stored hashes and identifiers. It improves traceability because salient claims can be followed back to source artefacts such as note spans, policy documents, or indexed passages. In RAIDT terms, Auditability asks whether the run can be examined and reconstructed, while Traceability asks whether claims can be linked to their evidential origins. Provenance-first RAG supports both simultaneously. Within a RAIDT score profile, and with anchors 1=missing / 3=partial / 5=audit-ready, the difference is practical: a generated answer without citation lineage remains only partially governable, whereas a RAG output with retrieval IDs, corpus hashes, and adjudicated review can become audit-ready. The broader RAIDT corpus also shows that RAG is the strongest single lever for provenance, even though it should ideally sit alongside other controls such as prompting, PEFT, or reviewer oversight.

Practical example

In a finance workflow, a lender drafts an adverse-action explanation for a declined application. A weak pipeline might produce a polished letter but leave compliance staff unable to show why a particular reason code appeared or whether a prohibited proxy feature influenced the wording. Auditability is poor because there is little more than the output text.

A governance-oriented RAG design restricts retrieval to approved policy templates, current underwriting guidance, and the relevant application features. The letter cites the governing policy basis, while the system logs the retriever ID, whitelist, recency window, document IDs, rank scores, prompt version, and output hash. If the applicant contests the explanation, the organisation can inspect the run-level evidence pack and determine whether the issue lay in the source set, the retrieval step, or the generator. That is why RAG improves both auditability and traceability in RAIDT terms.
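The run-level evidence pack described above can be sketched in code. This is an added example, not code from the RAIDT papers: the field names, the `digest`, `build_record` and `audit` functions, and the sample document IDs are all assumptions made for illustration. It binds an output to its prompt version, retriever settings, corpus snapshot and retrieved documents, then shows how an auditor re-derives the hashes and checks the citation and whitelist rules.

```python
import hashlib
import json

def digest(obj) -> str:
    """SHA-256 over canonical JSON so the same content always hashes the same."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def build_record(prompt_version, retriever, corpus, retrieved, cited, output, ts):
    """Bind one output to its lineage. `retrieved` is a list of (doc_id, score)."""
    record = {
        "prompt_version": prompt_version,
        "retriever": retriever,               # id, whitelist, recency window
        "corpus_hash": digest(corpus),        # which snapshot was active
        "retrieved": [{"doc_id": d, "score": s, "doc_hash": digest(corpus[d])}
                      for d, s in retrieved],
        "cited": sorted(cited),
        "output_hash": digest(output),
        "timestamp": ts,
    }
    # Assumption: a real deployment would sign this or write it to an
    # append-only store; a bare hash only detects accidental or naive edits.
    record["record_hash"] = digest(record)
    return record

def audit(record, corpus, output):
    """Re-derive every hash and check citation policy; return a list of findings."""
    findings = []
    body = {k: v for k, v in record.items() if k != "record_hash"}
    if digest(body) != record["record_hash"]:
        findings.append("record_modified")
    if digest(corpus) != record["corpus_hash"]:
        findings.append("corpus_snapshot_mismatch")
    if digest(output) != record["output_hash"]:
        findings.append("output_mismatch")
    retrieved_ids = {r["doc_id"] for r in record["retrieved"]}
    for doc_id in sorted(retrieved_ids - set(record["retriever"]["whitelist"])):
        findings.append(f"retrieved_outside_whitelist:{doc_id}")
    for doc_id in record["cited"]:
        if doc_id not in retrieved_ids:
            findings.append(f"citation_not_retrieved:{doc_id}")
    return findings

# Constructed sample data (not from the page).
CORPUS = {"POL-001": "Adverse-action template v3", "UW-014": "Underwriting guidance"}
RETRIEVER = {"id": "bm25-a", "whitelist": ["POL-001", "UW-014"], "recency_days": 365}
OUTPUT = "Declined under policy POL-001: debt-to-income above threshold."
RECORD = build_record("prompt-v7", RETRIEVER, CORPUS, [("POL-001", 0.91)],
                      ["POL-001"], OUTPUT, "2024-01-01T00:00:00Z")
```

An empty findings list from `audit` means the stored record, corpus snapshot and output still agree; each finding names the stage (source set, retrieval step, or generated output) where the lineage breaks.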
