Audit Readiness Playbook

This playbook covers how to prepare evidence packages, conduct internal reviews, and demonstrate governance effectiveness to auditors. Follow these steps to be audit-ready at any time.

What is an evidence package?

An evidence package is the complete set of artifacts an auditor needs to verify your governance claims. It includes bundles, policies, and supporting documentation.

evidence-package/
├── bundles/
│   ├── run_001.zip          # Evidence bundles per run
│   ├── run_002.zip
│   └── ...
├── policies/
│   ├── policy_v1.json       # Historical policy versions
│   ├── policy_v2.json
│   └── policy_current.json
├── keys/
│   ├── issuer_public.pem    # Public keys for verification
│   └── boundary_public.pem
├── checkpoints/
│   ├── anchor_proofs.json   # External anchor references
│   └── tsa_tokens/
├── documentation/
│   ├── governance_policy.md # Human-readable policy docs
│   ├── runbook.md           # Operational procedures
│   └── incident_log.md      # Historical incidents
├── verifier/
│   └── verify.js            # Standalone verifier
└── manifest.json            # Package contents index

What is the pre-audit checklist?

Complete this checklist before any audit engagement:

  • Bundle integrity: All bundles pass offline verification
  • Chain continuity: No gaps in receipt chains
  • Policy coverage: All governed workloads have active policies
  • Checkpoint anchoring: Regular checkpoints exist with external anchors
  • Key documentation: Public keys and key_ids documented
  • Verifier available: Standalone verifier included and tested
  • Incident documentation: Any enforcement events have documented resolution

What metrics demonstrate effectiveness?

Track these metrics to quantify governance effectiveness for auditors:

Coverage Metrics

  • % of workloads under governance
  • % of operations evaluated (vs pass-through)
  • Policy coverage by environment (prod/staging/dev)

Detection Metrics

  • Drift events detected per period
  • Mean time to detect (MTTD)
  • False positive rate

Enforcement Metrics

  • Actions taken by type (CONTINUE/BLOCK/TERMINATE)
  • Mean time to enforce (MTTE)
  • Enforcement success rate

Chain Health Metrics

  • Chain gaps (should be zero)
  • Degraded receipts (TSA unavailable)
  • Checkpoint anchor success rate

How do I conduct internal reviews?

Regular internal reviews ensure audit readiness:

  1. Weekly verification: Run offline verifier against recent bundles; flag any failures
  2. Monthly coverage review: Ensure all production workloads are governed
  3. Quarterly policy review: Verify policies are current and enforcement mappings are appropriate
  4. Annual penetration test: Attempt to bypass governance; document findings

What do auditors typically ask?

Be prepared to answer these common auditor questions:

"How do you prove the workload that ran matches what was approved?"

Policy artifact contains subject baseline hashes. POLICY_LOADED receipt proves baseline matched. Each measurement receipt proves continued match or documents drift.

"Can this audit trail be modified after the fact?"

Receipts are signed and hash-chained. External checkpoints anchor to immutable stores. Modification breaks signatures and chain links, detectable by any verifier.

"What happens when you detect a violation?"

Policy enforcement_mapping defines automatic action. Receipt documents detection, decision, and action. Incident response follows documented runbook. Resolution documented in incident log.

"Can I verify this independently without your tools?"

Yes. Evidence bundle includes standalone verifier. Specification is public. Auditor can implement their own verifier or use reference implementation.

Pilot program metrics

When piloting governance, track these metrics to demonstrate value:

Week 1-2: Baseline
  - Document current state (no governance)
  - Identify governance scope

Week 3-4: Shadow Mode
  - Run governance in monitor-only mode
  - Measure detection rate without enforcement
  - Tune selection rules and thresholds

Week 5-8: Enforcement Mode
  - Enable enforcement actions
  - Track enforcement events
  - Document incident response

Week 9-12: Steady State
  - Full production governance
  - Collect metrics for audit readiness
  - Conduct first internal review

Success Criteria:
  ✓ Zero chain gaps
  ✓ 100% coverage of in-scope workloads
  ✓ <1% false positive rate
  ✓ All enforcement events documented
  ✓ Evidence bundles pass verification