Why now · the pressure is already here

The reasons to keep evidence aren't waiting for 2027.

Auditable AI records get framed as a future EU problem. They are already live — DORA since January 2025, US state and city laws now, insurers asking today. Across every one of them TSP is the same thing: an evidence input, never a legal verdict. It does not classify a system or settle an outcome.

EU AI Act · phased to Dec 2027

Where signed receipts support the obligations

The Act asks teams to record runtime behaviour. Receipts are inspectable evidence for that record — never the compliance decision itself.

Art 12 · logging

Record-keeping

Signed event receipts — answer, action, refusal, review, override — chained, hashed and timestamped across the workflow.

Boundary: Evidence of what happened; not a compliance verdict.

Art 14

Human oversight

Signed human-review and override receipts record who reviewed, what they decided, and when — sealed inside the digest.

Boundary: Shows oversight occurred; not that it was sufficient.

Art 15

Accuracy records

Declared model, tool, data-scope and policy state captured in tamper-evident receipts.

Boundary: Evidence of declared state; not model quality.

Art 19

Logs retention

An append-only, independently checkable feed of receipts an operator can retain and reproduce on request.

Boundary: Durable, reproducible evidence; retention duration is the operator's policy call.

Art 50

Transparency

A TrustBadge and evidence view link an AI output to its provenance receipt for disclosure — a live obligation from August 2026.

Boundary: Supports disclosure; not a labelling decision.

Annex III · Art 6

High-risk support

Portable receipts for decision-support workflows (e.g. creditworthiness) an assessor can inspect.

Boundary: Input to classification; not the classification answer.

DORA · live since Jan 2025

Financial-sector operational resilience

DORA already obliges financial entities to evidence ICT operations and incidents. Where an AI system sits in that chain, its decisions need the same tamper-evident trail.

ICT records

Operations evidence

Signed, chained receipts of automated ICT decisions and the controls around them — reproducible long after the event.

Boundary: Evidence of what was logged; not a resilience attestation.

Incident trail

Incident reconstruction

An append-only record an institution and its supervisor can replay to reconstruct what a system did during an incident.

Boundary: Supports the incident file; not an incident finding.

US · state & city laws, now

Bias audits and AI-decision laws already in force

US obligations don't wait for Europe. NYC Local Law 144 is enforced; Colorado's AI Act and further state laws land through 2026. Each one turns on records of what an automated system actually did.

NYC LL144

Automated employment decisions

Portable receipts of the hiring and promotion decision events an annual bias audit examines.

Boundary: Evidence for the audit; not the bias-audit result.

Colorado AI Act

Consumer AI decisions

Records of consumer-facing automated decisions and the human review around them.

Boundary: Evidence input; not a legal determination.

IL · TX & more

Sectoral notice & records

Tamper-evident proof that a disclosed automated process ran as described, for jurisdictions adding notice and record duties.

Boundary: Evidence of the record; not a finding under any one statute.

Insurance & disputes · today

When something goes wrong, evidence is what's left

Underwriters, claims processes and courts increasingly want to see what an AI system did. Tamper-evident receipts are the forensic record — useful the day a dispute starts, not in 2027.

Underwriting

AI-risk evidence

A reproducible decision trail an underwriter or AI-assurance reviewer (against frameworks such as AIUC-1) can inspect.

Boundary: Strengthens the file; not a coverage decision.

Dispute · forensic

What happened, provably

Signed, time-bound records that survive the incident — the crime-scene photograph, not the verdict.

Boundary: Evidence of the record; not proof of fault or liability.

EU AI Act · aligned by design

Built for the obligations that are already here.

TSP produces the tamper-evident evidence these duties turn on. It supports the record an Article 14 reviewer reads — it is never the compliance verdict itself.

ArticleObligationHow TSP provides evidence
Art. 5Lawful & ethicalReceipts evidence that the declared policy state and prohibited-use guardrails were in force at the moment of the decision.
Art. 11DocumentationEach decision's technical context is captured in a tamper-evident envelope you can retain and reproduce on request.
Art. 12Record-keepingSigned, chained event receipts — answer, action, refusal, review — hashed and timestamped across the workflow.
Art. 13TransparencyA receipt links an AI output to its provenance, so the disclosure shown to an affected person is backed by evidence.
Art. 14Human oversightSigned human-review and override receipts record who reviewed, what they decided, and when — sealed in the digest.
Art. 15Robustness & safetyDeclared model, tool and data-scope state are sealed into the digest as evidence of the configuration that actually ran.
Art. 16Accuracy & qualityTamper-evident records of declared inputs and outputs an assessor can independently re-check, byte-for-byte.
Art. 17AccountabilityAn append-only, independently verifiable trail that fixes each decision to a registered issuer key.

The precedent is on the record

This already went to court — and evidence is what was missing.

Across the cases that drew the lines of automated-decision law, the deciding failure wasn't only bad AI. It was the absence of a verifiable record.

EU AI Act
High-risk systems · In force

Traceability becomes market access.

Missing: Evidence infrastructure
CJEU
SCHUFA scoring · 2023

Credit scoring crossed the automated-decision line.

Missing: Explainable decision evidence
Netherlands
SyRI judgment · 2020

Opaque public-sector risk scoring failed in court.

Missing: Opacity in risk profiling
Italy
Garante v. ChatGPT · 2023

AI services can be stopped at the data layer.

Missing: Accountability & user rights

The common failure is not only bad AI. It is missing evidence.

Regulatory stress test

What if someone asks you to prove it?

Illustrative scenarios — each one a question a regulator, customer, or court can ask, and the gap between “we believe” and “here is evidence.” TSP produces proof, not promises, at the moment the action happens.

Scenario 01 · Auditing

A regulator asks how an AI decision was made.

Without TSP

The team reconstructs the event from app logs, private dashboards and human memory — vague, and dependent on internal trust.

With TSP

The output carries verifiable provenance: exact system context, prompt hash, and model / provider metadata.

Promises replaced with cryptographically verifiable evidence.
Scenario 02 · Authenticity

A customer asks whether AI content is authentic.

Without TSP

They see the content, but cannot verify its origin, its version, or whether it was modified in transit.

With TSP

The content carries a portable verification receipt proving generation context and data integrity.

Trust becomes portable — it travels with the content.
Scenario 03 · Drift

Silent model changes.

Without TSP · Behaviour shifts in production, with no baseline record of versions, prompts or provider state.

With TSP · Outputs bind model details, so change is observable.

Change tracking becomes observable.
Scenario 04 · Containment

A system-harm incident.

Without TSP · Response starts in confusion over which model ran, under what controls.

With TSP · A verifiable chain isolates the prompt, model and lifecycle instantly.

Incidents isolated instantly.
Scenario 05 · Procurement

Procurement blocks the deal.

Without TSP · Security spreadsheets, bespoke audit loops, client-by-client reviews.

With TSP · Machine-verifiable trust dossiers simplify and speed reviews.

Sales loops accelerate.
Positioning

A different question each time — the same answer. In every case the gap closes the moment the action carries its own verifiable evidence.

Article and statute references point to where TSP evidence is useful — they are not legal advice. Confirm applicability and dates with your DPA and counsel before relying on them.

See the obligations in action in the playground →