The auditor's verdict on most compliance platforms
The most common audit findings against compliance-automation platforms:
- The evidence is a dashboard screenshot. Dated, but reproducible only against the live database — which has been updated 47 times since the screenshot was taken. The screenshot represents defunct data in a defunct view.
- The aggregation SQL changed. Three times in the past 18 months. The values shown in the audit period cannot be re-derived from the current source.
- The vendor's portal is the only viewer. Year 5 verification depends on the vendor still being in business, still hosting the portal, and still supporting the format. Three contingent dependencies, each of which has a non-trivial fail probability over the retention horizon.
- The signature is at the report level, not the verdict level. The PDF is signed. The underlying verdicts are not. A change to a single source record cascades into the report without breaking the signature.
- The "audit log" is a database table. Tamper-evident only if the database hasn't been restored, mutated, or migrated. None of which the vendor will certify against over a 5-year window.
acipta was architected against these five failure modes specifically. The five fundamentals (Traceability, Explainability, Authorization, Immutability, Reproducibility) plus the four-primitive cryptographic substrate are the technical answers to the deposition questions auditors actually ask.
The four-primitive cryptographic substrate
Every verdict acipta emits runs through four primitives. The combination is what makes byte-identical 5-year replay achievable:
The combination is more than the sum of parts. Pull any one out and the system fails the five fundamentals. This is why audit-defensible compliance is a category, not a feature checklist.
The byte-identical 5-year replay test
This is the test that separates audit-defensible compliance from everything else. Given any verdict_id years later:
- Reconstruct pipeline state. Pull the Determinism Ledger entry. Identify the version-pinned execution conditions and deterministic state required to reconstruct the verdict. Verify hash chain back to the prior verdict.
- Pull the source artifact. Evidence Locker, SHA-256-keyed. Verify the artifact hash matches the verdict's recorded source reference.
- Re-execute the deterministic pipeline against the stored source artifact, using pinned models from the Determinism Ledger.
- Compare output hashes. If they match — the verdict is independently verified. If they don't — replay fails explicitly. No silent substitution.
The test runs with standard cryptographic libraries. acipta provides reference implementations for verification but does not require them. A skeptical auditor with openssl, a JSON parser, and the independent third-party trusted timestamp authority certificate chain can verify any verdict independently — no acipta access required.
The deposition question: "Counsel, you have submitted this signed evidence pack for verdict 7a1f23... dated May 15, 2026. Run it through your client's verification tool of choice. Does the hash match?" If yes, the verdict stands. If no, the platform's audit trail is invalidated. The test is binary, third-party-runnable, and platform-independent. That is what audit-defensibility requires.
ALCOA+ native to the substrate
For FDA, EMA, clinical-trials, and pharmaceutical audits, ALCOA+ is the regulatory bar. acipta is built so each ALCOA+ property is satisfied by a specific substrate primitive — not retrofitted via process controls:
| ALCOA+ Property | Substrate primitive that satisfies it |
|---|---|
| Attributable | Verdict signed by specific agent + capability token + tenant Ed25519 key |
| Legible | Structured, human-readable, parseable with standard tools |
| Contemporaneous | RFC 3161 timestamp at write time via independent TSA (an independent timestamp authority) |
| Original | Source artifact SHA-256-keyed in Evidence Locker, immutable |
| Accurate | Byte-identical replay test guarantees verdict matches original |
| Complete | Full pipeline-state snapshot in Determinism Ledger, not just the verdict |
| Consistent | Hash-chained verdict ledger, tamper-evident across the chain |
| Enduring | 5-year retention contractually guaranteed; cryptographic primitives outlive the platform |
| Available | Standard cryptographic tools; no vendor lock-in on verification |
This satisfies 21 CFR Part 11 alignment for FDA-regulated workflows, EMA's electronic record requirements, and the converging direction across HIPAA Security Rule AI guidance, EU AI Act Article 12 record-keeping, and SOX 404 for AI-augmented financial controls. ALCOA+ is the substrate, not a deliverable.
What you (the auditor) walk away with at procurement
The procurement-readiness package acipta delivers to the auditor at the deal:
- Cryptographic substrate specification — technical documentation of Ed25519 key custody (FIPS-validated HSM, per-tenant isolation), RFC 3161 TSA contract (an independent timestamp authority), Determinism Ledger and Evidence Locker
- Reference verification scripts — open-source implementations in Python, Node.js, and Go for independent replay. Run against any verdict_id. No acipta access required.
- Sample replay walkthrough — pick a verdict, run the 4-step replay (reconstruct, pull, re-execute, compare), watch the hash match in real time
- 5-year retention contractual commitment — written into the MSA
- ASP-1.0 open adapter specification — third-party plugin boundary signing contract
- Platform policy invariant documentation — the platform's architectural commitments, enforced at the orchestrator
- SOC 2 Type 2 attestation (targeted August 30, 2026) · HITRUST e1 (Q3 2026)
What this means at annual review
The auditor's review cycle becomes simpler, not more complex:
- Pick a sample of verdicts from the prior period — by URL, by framework, by date range, by agent class
- Run the byte-identical replay against each. Verify hash match.
- Spot-check the hash chain across the ledger. Verify continuity.
- Sample-test the framework view projections from the CMC. Verify the view definitions reproduce the same per-Article / per-CFR / per-§ verdicts as last year.
- Confirm the Plugin Audit Mode signatures for any new ASP-1.0 adapters integrated since last review. Verify boundary signatures.
Five steps, all automated, all reproducible, all independent of vendor cooperation. If acipta is unavailable at year 5 — vendor bankrupt, acquired, or simply offline — the verification still runs. The cryptographic primitives outlive the platform. That is the architectural commitment that makes acipta audit-defensible rather than audit-attestable.