Audit

Evidence, not assertions.

Logs capture what, not why — and reconstructing "why a decision fired" takes a week, not a query. Audit is the evidence motion: every decision hash-chained, artifacts generated instead of authored, and a scoped portal for the auditor.

SHA-256: hash-chained audit log
12: governance artifact editors
Nightly: chain integrity verification
3: export formats (PDF, JSON, sealed ZIP)

Decision Traceability

Each finding traced back to the prompt, the policy, and the regulation. An append-only, hash-chained audit trail follows every decision from the triggering event to its final disposition.

Regulators want evidence, not assertions. Without a structured chain, answering "what happened on this decision on this date" means stitching together logs over days. With one, it's a lookup — and the integrity of the record is independently checkable.

Designed against — EU AI Act Art. 12 · GDPR Art. 22 · SOC 2 CC7.2
In the app — /audit/decision-trace · /findings/:id/trace · /findings/:id/why · /systems/:id/audit-chain
Tamper-evident by construction
Each audit-log row carries a SHA-256 hash of its content plus the prior row's hash — an unbroken chain.
Nightly integrity verification
Chain integrity is verified org-by-org every night, distinguishing breaks from forks.
The "why" behind every finding
An explain-why view per finding ties the decision to the policy that bound it and the regulation behind that policy.
Break-glass with dual approval
Emergency suspensions require two approvers and are themselves immutable records.
Exports for humans and machines
Human-readable PDF audit packs and machine-readable JSON for GRC import.
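
The chain and its nightly check, as an added sketch that is not the product's own code. Assumptions: the row fields, the canonical-JSON encoding, the hash input order, and the `GENESIS` sentinel are illustrative; a "break" is taken to mean a row that no longer hashes or links correctly, and a "fork" two valid rows claiming the same predecessor.

```python
import copy, hashlib, json

GENESIS = "0" * 64  # assumed sentinel: the "prior hash" of the first row

def row_hash(content, prev_hash):
    # Canonical JSON so identical content always produces identical bytes.
    body = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(rows, content, prev_hash=None):
    prev = prev_hash or (rows[-1]["hash"] if rows else GENESIS)
    rows.append({"content": content, "prev_hash": prev,
                 "hash": row_hash(content, prev)})

def verify(rows):
    """Return [(row_index, kind)]; an empty list means the chain is intact."""
    findings, known, successor = [], {GENESIS}, {}
    for i, row in enumerate(rows):
        prev = row["prev_hash"]
        if row_hash(row["content"], prev) != row["hash"]:
            findings.append((i, "break"))   # row edited after it was written
        elif prev not in known:
            findings.append((i, "break"))   # predecessor removed or rewritten
        elif prev in successor:
            findings.append((i, "fork"))    # second valid successor of one row
        else:
            successor[prev] = i
        known.add(row["hash"])
    return findings

def demo():
    # Constructed sample rows, not real audit data.
    good = []
    for step in ("event_received", "policy_matched", "finding_raised", "closed"):
        append(good, {"decision": "d-1", "step": step})
    edited = copy.deepcopy(good)
    edited[2]["content"]["step"] = "finding_suppressed"   # hash left stale
    rewritten = copy.deepcopy(good)
    rewritten[1]["content"]["step"] = "policy_skipped"    # hash recomputed
    rewritten[1]["hash"] = row_hash(rewritten[1]["content"], rewritten[1]["prev_hash"])
    forked = copy.deepcopy(good)
    append(forked, {"decision": "d-1", "step": "reopened"}, prev_hash=good[1]["hash"])
    return {name: verify(rows) for name, rows in
            [("good", good), ("edited", edited), ("rewritten", rewritten), ("forked", forked)]}

if __name__ == "__main__":
    print(demo())
```

Recomputing an edited row's hash only moves the break to the next row, whose stored prior hash no longer matches anything in the chain.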

Auditor Portal

A scoped, time-bounded access portal for external auditors — structured evidence, an engagement workflow, an immutable interaction log, and a branded PDF export of the compliance package.

External audit prep is high-friction: assembling evidence for dozens of criteria takes weeks, and auditors reviewing AI governance for the first time have no consistent evidence schema. A scoped portal removes both frictions.

In the app — /audit/auditor-portal · /auditor/engagements · /auditor/compliance
Minimum-access by design
Auditor accounts are scoped to the engagement and deprovisioned at the end date.
Full evidence surface
The decision trace, active policies with version history, finding logs, SBOMs, and generated evidence packs.
Chain-of-custody for the audit itself
A sealed engagement interaction log records every access and exchange.
Hash-sealed exports
PDF, JSON, and sealed ZIP — no post-hoc disputes about what was provided. The PDF is customer-branded, with cover, contents, and conformity summary.

Governance Artifacts

Compliance dashboards mapping findings to EU AI Act, GDPR, and NIST AI RMF — plus a draft engine that pre-populates governance artifacts from each system's profile, with per-field provenance and a conformity dashboard.

Customers subject to several frameworks shouldn't author the same artifact four times. One Risk Register can satisfy EU AI Act Article 9, ISO 42001 Clause 6.1, NIST AI RMF Manage 1.1, and SR 11-7 at once — coverage chips show exactly which requirements each field closes.

Designed against — EU AI Act Art. 9 & 11 · ISO 42001 Cl. 6.1 · NIST AI RMF · SR 11-7
In the app — /audit/compliance · /compliance-packages/:id/conformity · /systems/:id/compliance
12 artifact editors
Model Card, Risk Register, Residual Risk with board sign-off, HITL Specification, Technical Documentation, Data Provenance, Bias Testing, Performance Metrics, Post-Market Monitoring, QMS Manual, Resource Allocation, Serious Incident report.
No blank pages
The draft engine pre-fills every field; you accept or edit, and acceptance updates the conformity dashboard.
Provenance on every field
Source chips tie each value to where it came from; coverage chips tie it to the requirements it satisfies — all chained into the audit log.
Regulator-ready bundle
The accepted package exports as a customer-branded PDF — a complete, defensible submission.