← AI Assurance
Insights · AI Assurance

Evidence you can defend, not documents you can find

AI Business Partners · July 2026 · 4 min read

Ask most organisations to demonstrate their AI governance and they will show you a folder. Policies, risk assessments, model cards, sign-off records — all present, all filed, all findable. Then a regulator, a board member, or an incident asks a harder question: does any of this actually prove the obligation is being met? Silence.

That silence is the gap between holding evidence and assessing it. A repository tells you a document exists. It cannot tell you whether the document satisfies the specific clause of the framework it was filed under, whether it is still current, or whether the system it describes has changed since it was written. For AI systems — which retrain, drift, and get redeployed — that last point is fatal. The paperwork stays frozen while the system moves.

The question that exposes the difference

Picture the board meeting. A director asks why your AI assurance score dropped nine points this month. There are two possible answers:

The repository answer: "Our documentation is up to date and our last audit passed." True, and useless — it describes the filing cabinet, not the system.

The assurance answer: "The vision model was updated on the 26th without a reassessment. That breached our change-management control under ISO 42001 clause 8, the linked evidence went stale, and a blocking corrective action is open with a 12-day deadline." Every claim traceable, every step defensible.

Governance you cannot trace from finding back to framework clause back to evidence is opinion with a filing system.

The second answer requires a chain that most document stores simply do not have:

Framework clause Control Evidence, dated Assessment Finding & action

Why "annual" makes it worse

Even organisations that do assess evidence usually do it once a year, at audit time. But evidence has a shelf life. An access review from ten months ago says nothing about who has access today. A bias assessment run on version 3 of a model says nothing about version 5. Between audits, controls degrade silently — and the annual snapshot certifies a system that no longer exists.

This is why we treat evidence freshness as a first-class KPI, not a footnote. In our assurance demo, freshness sits on the executive dashboard beside the confidence score, and a stale artefact triggers a flag the day it expires — not eleven months later. Continuous assessment doesn't just find problems faster; it changes what "assured" means, from we passed a point-in-time check to the chain is holding right now.

What to do about it

You don't need to boil the ocean. Start with one AI system and three questions: Which framework clauses apply to it? What evidence would satisfy each one? And when was that evidence last true? Anything you cannot answer at clause level is a gap — no matter how full the folder is. From there, the work is wiring each piece of evidence to its clause, dating it, and letting an agent re-check the chain continuously instead of annually.

Mandates are catching up to this view. The NSW AI Assessment Framework already expects agencies to demonstrate ongoing assurance of AI systems, and ISO 42001 certification asks for operating evidence, not shelfware. The organisations that treat assurance as a living chain — clause to control to dated evidence to finding — will clear those bars without a scramble. The ones with the tidiest folders will not.

See the chain running live

Our Command Centre demo shows continuous assurance in motion — confidence trend, framework coverage, evidence freshness, and a live audit feed, on simulated data for a fictitious operator.