Q235 — Auditability — definition, example, and why it matters in RAIDT

Answer

Auditability in RAIDT is the property that makes a generative-AI run reconstructable and independently reviewable. RAIDT reframes responsible GenAI governance as a run-level evidence and measurement problem, so Auditability is not satisfied by broad transparency claims or by system-level documentation alone. Instead, it asks whether the organisation can show what happened in one specific run, with enough retained evidence for another party to inspect the case. This is why RAIDT positions Auditability as one element of the five pillars (Responsibility, Auditability, Interpretability, Dependability, Traceability) and why it treats the run as the unit of governance.

The practical definition is evidence-based. An auditable run has a run-level evidence pack that records the task context, prompting arrangement, model and tool configuration, retrieved sources where applicable, produced output, integrity markers, and oversight actions. The score profile then makes readiness visible through the anchors 1=missing / 3=partial / 5=audit-ready. This anchor logic matters because a run may look well documented while still lacking the exact artefacts needed for independent reconstruction. The framework also treats influence methods as governance interventions, meaning that retrieval, adaptation, prompting structure, or alignment controls must themselves be evidenced if they materially shaped the output.

Auditability matters because contested organisational uses rarely turn on abstract policy statements. They turn on whether a concrete case can be reconstructed, challenged, and learned from. In RAIDT, Auditability therefore supports internal audit, incident review, compliance work, and continuous improvement without claiming that evidence completeness alone guarantees substantive correctness.

Practical example

In cybersecurity alert triage, a GenAI assistant helps an analyst classify whether an alert should be escalated. Suppose a serious alert is wrongly deprioritised and the organisation later investigates a breach. If reviewers can see only the final analyst note, the organisation cannot determine which prompt template was used, whether a retrieval step pulled a playbook excerpt, which model version generated the recommendation, or what checks were performed.

With RAIDT, the evidence pack would preserve the run ID, timestamp, prompt version, model deployment identifier, any retrieved playbook snapshot and hash, the generated recommendation and output hash, and the analyst's approval or override. That makes the incident review concrete: investigators can reconstruct the run, identify whether controls failed, and improve the workflow rather than relying on speculation.
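
The evidence pack from this triage scenario can be checked mechanically. The sketch below is an added example, not code from the RAIDT papers: the field names, the use of SHA-256 for the integrity markers, and the rule that maps findings onto the 1/3/5 anchors are all assumptions made for illustration.

```python
import hashlib

# Field names are assumptions for this example; the page lists the evidence
# items but does not define a schema.
REQUIRED = ("run_id", "timestamp", "prompt_version", "model_deployment_id",
            "playbook_snapshot", "playbook_hash", "recommendation",
            "output_hash", "analyst_decision")

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def audit_run(pack):
    """Return (score, findings) on the 1/3/5 anchors.

    Assumed mapping: 1 = no required evidence retained, 5 = every item
    present and both hashes verify, 3 = anything in between.
    """
    findings = [f"missing: {k}" for k in REQUIRED if not pack.get(k)]
    # An integrity marker only counts if it matches the retained artefact.
    for artefact, marker in (("playbook_snapshot", "playbook_hash"),
                             ("recommendation", "output_hash")):
        if pack.get(artefact) and pack.get(marker):
            if sha256_hex(pack[artefact]) != pack[marker]:
                findings.append(f"hash mismatch: {marker}")
    if all(not pack.get(k) for k in REQUIRED):
        return 1, findings
    return (5 if not findings else 3), findings

def build_sample_pack():
    # Constructed sample data, not taken from any real incident.
    playbook = "PB-7: escalate any alert touching a domain controller."
    rec = "Recommend: deprioritise. Likely benign admin activity."
    return {
        "run_id": "run-0001", "timestamp": "2024-01-01T09:30:00Z",
        "prompt_version": "triage-v3", "model_deployment_id": "deploy-a",
        "playbook_snapshot": playbook, "playbook_hash": sha256_hex(playbook),
        "recommendation": rec, "output_hash": sha256_hex(rec),
        "analyst_decision": "approved",
    }

if __name__ == "__main__":
    full = build_sample_pack()
    print(audit_run(full))                                # complete pack
    print(audit_run({"analyst_decision": "approved"}))    # final note only
    # Retained output no longer matches its recorded hash.
    print(audit_run(dict(full, recommendation="Recommend: escalate.")))
```

The third case is the one that matters for incident review: every field is present, so the run looks well documented, yet the hash mismatch shows the retained output is not the one the run produced.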
