Traceability by Design: Auditability Is Architecture, Not Documentation
Part 2/3 of the EU AI Act Series In Part 1, we focused on data quality. Part 2 builds on that. Because even with good data, the same question almost always arises in practice:
Where does this number come from and can I later prove it exactly as it is?
Especially in High-Risk contexts, traceability (end-to-end lifecycle transparency) becomes the bottleneck. Evidence must be durably reliable — not just “plausible at the moment.”
For context: we covered the High-Risk framework and the foundation of data quality in last week’s post: EU AI Act Art. 10: Data Quality That Withstands Audits
Our thesis: Auditability is not created by additional PDFs, but by an architecture that generates evidence automatically.
Note: This is not legal advice, but a technical perspective.
Why Traceability Becomes the Problem
In many BI and AI setups, the issue is not documentation — it is reproducibility. As soon as a number or model output is questioned, the search begins: source, logic, version, approvals. Without systematic traceability, this quickly turns into reconstruction.
inics practical example:
A scoring model supports decisions. During review, it must be clear which databasis, which logic, which model version, and which approvals led to a specific result.
EU AI Act: What Matters for Traceability
The EU AI Act does not treat traceability as an end in itself. It makes it a requirement once a use case falls into a High-Risk category. In such cases, it is not enough that something is “somehow documented” — it must be possible to trace how the system was built, how it is operated, and what has changed overtime.
Important: This is less about “a new documentation process” and more about a platform and governance characteristic. When the platform generates evidence automatically (and responsibilities and controls are clearly defined), effort decreases — and discussions become fact-based more quickly.
The Misconception: More Documentation Does Not Mean More Auditability
More documents increase effort, but rarely increase traceability.
Traceability exists when the platform can answer, for every relevant statement:
What was the input? Which transformation ran? Which version was in use? What controls and decisions were applied and where is the evidence stored?
Audit Evidence Pack Blueprint: The Target State for Traceability
An Audit Evidence Pack is not a single document. It is an automatically generatedset of artifacts that makes traceability practical:
- Lineage from source to KPI or model output (e.g., via Unity Catalog lineage / dbt metadata)
- Versioning for code, models, semantics, and central configurations
- Run Evidence, including run reference, timestamp, input versions/partitions, outputs, check status, and version references
- Operational logging with retention, ensuring traceability of system usage and deviation handling
RAG example (non-deterministic):
Without clean evidence, a RAG output is often not reproducible later, because source retrievals, index/embedding versions, or prompt/pipeline versions mayhave changed. Therefore, at minimum, the following must be logged: source retrievals, index/embedding version, prompt version, pipeline version (ideally including run reference)
- Discoverable storage and monitoring, ensuring evidence can be quickly retrieved and operational deviations remain visible
Short Practical Example (Databricks+ dbt)
For a KPI run, an Evidence Pack is automatically generated containing, among others, the following core data:
dbt: manifest.json+ run_results.json (transformations + test status)
Databricks: workflow run reference (timestamp, status, runtime/cluster context)
Inputs: main.raw.sap_orders@ Delta version=4431, main.raw.fx_rates @ Delta version=120
Output: main.gold.finance_revenue_daily@ Delta version=882 + row count
→Result:
A third party does not need to “trust” the KPI, it can be proven, including data version, transformation logic, and run reference.
Pragmatic Start Without a Large Program
There is no need to launch a large transformation initiative. In projects, we usually start small and visible: one critical flow, one KPI, or one AI use case that is actually in use. Then we define what must always be explainable. Only after that do we build the minimal components so these answers are delivered automatically rather than searched for.
Practically, this means: start with lineage and versioning. Then standardize run evidence and logging. Finally, define storage, retention, and monitoring so that everything runs continuously in operations.
Conclusion
The market no longer rewards documentation. It rewards systems that generate traceability in operations. Traceability by Design is the difference between “we believe it is correct” and “we can prove it.” If evidence is not generated automatically, it will be generated during an audit — as stress, effort, andrisk.
In the final part of the series, we will address inventory and governance of AI and analytics, enabling responsibility and prioritization to scale.
Traceability That Withstands Audits?
We show you how to implement lineage, versioning, and logging in a way that evidence is automatically generated in operations.
Request your free initial consultationThomas Howert
Founder and Business Intelligence expert for over 10 years.
Discover more articles
EU AI Act Art. 10: Data Quality That Withstands Audits
What data engineering must deliver before the high-risk rules take effect (Part 1/3). In many organizations, data quality was long treated as a hygiene topic: important, but rarely decisive. With the introduction of the High-Risk rules, data quality becomes verifiable. It must be measurable, controllable, and evidentially demonstrable in operations.
AI is a Bubble
So was the Internet.
The Impact of the EU AI Act on Business Intelligence
The EU’s Artificial Intelligence Act is the world’s first comprehensive AI law, and while it doesn’t regulate every dashboard, it has major implications for Business Intelligence once AI features are involved.