AI Governance15. Juli 202628 min read

AI Agent Audit Program: Scope, Sampling, Evidence, and Reporting

A fieldwork-ready internal audit program for AI agent scope, population completeness, risk assessment, control testing, sampling, evidence, findings, and follow-up.

Antonella Serine

Antonella Serine

Founder, KLA

Founder of KLA, building the independent runtime governance control plane for regulated AI agents under the EU AI Act.

Editorial diagram of an AI agent audit engagement: a complete action population moves through risk stratification, sample testing, evidence review, and a verified report.

A repeatable engagement reconciles the population, selects risk and random samples, tests each action against evidence, and carries findings through verified closure.

Open full-size diagram

A repeatable internal audit engagement for planning, fieldwork, sampling, evidence evaluation, findings, and follow-up. The enterprise framework defines the broad 12-domain audit universe. The AI audit checklist supplies quick control questions, and the accountability matrix assigns roles. This page owns the engagement itself: a scoped assurance question, a reconciled population, risk assessment, design and operating-effectiveness tests, reproducible samples, evidence evaluation, reporting, and closure. The worked figures below describe one illustrative loan-origination audit and can be replaced with the reconciled counts from a live engagement.

1. Set the engagement objective and criteria

Write one assurance question before requesting evidence: During the audit period, were consequential agent actions authorized, governed by approved controls, accurately recorded in the business system, and supported by sufficient evidence? The scope statement then fixes the business Process, agent and Release population, environments, period, decision types, materiality, dependencies, exclusions, and criteria. Every fieldwork procedure must resolve one part of that question.

Keep the authority of each criterion explicit. The IIA Three Lines Model assigns risk management to first-line roles, expertise and challenge to second-line roles, and independent and objective assurance to internal audit. The IIA Artificial Intelligence Auditing Framework is published practical guidance that audit teams customize, and the ISACA Artificial Intelligence Audit Toolkit is a commercial practitioner toolkit covering control design and operating effectiveness. NIST AI RMF 1.0 is a final voluntary framework. Applicable law enters the criteria stack only after the organization documents operator role, intended purpose, classification, and jurisdiction.

The program below separates legal obligations, management controls, professional guidance, and KLA recommendations. Its sample sizes and pass criteria are engagement-planning choices. An internal audit opinion addresses the stated criteria for the defined scope and period. It provides no certification of regulatory compliance, system safety, or future performance.

Copyable engagement-planning checklist with a worked loan-origination scope
Planning fieldRequired entryWorked engagement entryPlanning acceptance
Assurance objectiveOne testable question covering authorization, control operation, outcome accuracy, and evidenceDuring 1 April-30 June 2026, were consequential actions by the production loan-origination agents authorized, preceded by applicable policy, routed for required human decision, accurately written to the loan system, and supported by complete evidence?Audit sponsor, lead auditor, and accountable Process owner approve the exact wording
Business Process and boundaryStart event, end event, included systems, human roles, and dependenciesApplication receipt through approve, decline, or refer outcome; includes identity service, retrieval layer, credit-model service, KLA Policy Engine, Decision Desk, loan system, and Evidence RoomEvery component able to influence authority, decision, action, or evidence is named
Population and periodAgents, Releases, environments, actions, and date range8 production agents; 27 Releases; 184,216 action records; production only; 1 April-30 June 2026Counts reconcile to deployment, identity, gateway, Lineage Record, and business-system sources
Decision types in scopeConsequential allow, deny, escalate, override, state-change, and recovery outcomesApprove, decline, refer, policy deny, human override, applicant-data retrieval, credit pull, offer issuance, Rollback, and access revocationEach material decision type has a population owner and test procedure
MaterialityFinancial, rights, data, operational, and evidence thresholdsAll adverse applicant outcomes; all approvals above EUR 25,000; all special-category or identity data access; all external writes; all incidents, near misses, overrides, and evidence-integrity failuresThresholds are approved before sample selection and cover qualitative impact
Criteria stackPolicy, contract, framework, and applicable legal criteria with authority and versionLending policy LND-04 v6.2; Agent Control Standard ACS-02 v4.1; retention schedule RS-17; vendor contracts; NIST AI RMF as voluntary guidance; EU AI Act provisions only where the documented role and high-risk classification make them applicableEvery criterion is versioned, owned, effective during the period, and mapped to a test
Roles and independenceEngagement sponsor, audit lead, subject-matter support, evidence owners, and quality reviewerAudit committee sponsor; internal audit lead; lending, IAM, model-risk, data, security, and legal subject-matter support; independent audit quality reviewerInternal audit has no control ownership or management approval role in the audited Process
Exclusions and deliverablesReasoned exclusions, effect on assurance, report, workpapers, and follow-up datesDevelopment sandboxes and vendor internal model-training operations excluded; report due 31 July 2026; management responses due 14 August; first retest 30 SeptemberEach exclusion has an owner, rationale, risk effect, and stated opinion boundary

2. Prove population completeness before selecting samples

Population completeness is an audit assertion. Reconcile the Agent Registry to production deployments, non-human identities, model and tool gateways, Lineage Records, Decision Requests, and downstream business events. Freeze the reconciled extracts with query text, filters, extraction time, row count, and hash. Unexplained differences become exceptions or a scope limitation before sampling starts.

NIST AI RMF 1.0 is voluntary and supports maintaining an AI-system inventory under GOVERN 1.6. A fieldwork population needs more detail: every Agent, Release, model, identity, temporary delegation, tool, consequential action, policy result, human decision, incident, and external effect for the period.

Search for shadow agents through model-gateway traffic, cloud service principals, package and platform spend, browser extensions, automation credentials, tool-gateway calls, and business records with AI-generated provenance. Reconcile temporary and delegated identities by creation, expiry, revocation, sponsoring principal, and observed use. A missing identity or execution source can invalidate the completeness assertion for every downstream sample.

Copyable population-reconciliation worksheet for the worked engagement
Population componentAuthoritative and corroborating sourcesWorked countReconciliation procedurePass criterion
Production agentsAgent Registry; deployment manifests; model-gateway client IDs8Join agent ID, environment, owner, Process, and active dates; investigate every gateway client absent from the registryAll 8 deployed agents appear in all applicable sources; zero unexplained clients
Releases and RolloutsAgent Registry; immutable Release artifacts; deployment controller; change tickets27 Releases / 31 RolloutsMatch `agent_release_id`, artifact hash, approval, deployment time, environment, and Rollback historyEvery production interval resolves to one approved Release and Rollout
Persistent agent and service identitiesIAM directory; secrets inventory; deployment manifests; gateway logs19 identitiesMatch owner, entity type, credential, scope, activation, expiry, and last use to an in-scope Agent or dependencyZero shared, orphaned, expired-in-use, or unowned identities
Temporary identities and delegationsToken service; authority snapshots; delegation records; revocation events31 temporary identities / 286 delegated JourneysReconcile issue, sponsor, purpose, scope, expiry, use, and revocation; test for use before issue or after expiry100% resolve to an approved sponsor and bounded purpose; zero out-of-window use
Tools and external dependenciesTool Catalog; IAM grants; egress gateway; vendor inventory; contracts14 tools, including 6 write-capable; 4 external dependenciesCompare registered tools and versions with observed endpoints and effective grants; inspect all unknown destinationsEvery observed tool and dependency is approved, owned, versioned, and within Data Boundaries
Agent action recordsLineage Records; policy events; tool gateway; model gateway184,216Join `record_id`, `correlation_id`, event time, agent, Release, policy, and tool effect; sequence duplicate and missing IDsCounts and keys reconcile; zero unexplained gaps or duplicates
Consequential business actionsLoan-system events; Lineage Records; tool effects; applicant notifications14,903Reconcile every approve, decline, refer, credit pull, offer, and state change in both directions100% bidirectional match by `external_reference` or `effect_id`; amount and outcome agree
Control and exception eventsPolicy events; 3,842 Decision Requests; incident system; Assurance Alerts1,126 denials; 214 overrides; 367 anomaly or low-confidence events; 11 incidents or near missesReconcile each event to its action, owner, resolution, downstream effect, and evidence recordEvery exception has a disposition; all affected actions remain in the audit universe
Shadow-agent search resultsModel-gateway unknown clients; cloud principals; spend; browser extensions; automation vault3 candidates, 1 confirmed shadow agentTrace each candidate to owner and use; add confirmed production activity to scope and populationAll candidates resolved; confirmed shadow activity is contained, quantified, and reported

3. Rank agents and action types by risk

Score the action type at its highest credible authority during the period. Use 0-3 for autonomy, reversibility, data sensitivity, financial or rights impact, tool authority, and evidence quality; use 0-2 for external dependencies and incident history. For evidence quality, 0 means independently verifiable and complete, while 3 means material gaps or mutable sources. The 22-point worked rubric uses Critical 17-22, High 12-16, Moderate 7-11, and Low 0-6.

The score orders fieldwork and sample coverage. It does not replace professional judgment. Raise the tier for credible catastrophic impact, active control bypass, an unresolved incident, or an incomplete population even when the arithmetic is lower. Document the evidence and approver for every manual adjustment.

Copyable action-risk ranking worksheet for the worked engagement
Agent action typeAutonomyReversibilityData sensitivityFinancial / rights impactTool authorityExternal dependenciesIncident historyEvidence qualityTotal / tier
Loan decline2333222219 / Critical
Loan approval above EUR 25,0001333321218 / Critical
Cross-agent valuation delegation3222322218 / Critical
Identity-document rejection2233221116 / High
Third-party credit-data retrieval3132321116 / High
Applicant status notification301111018 / Moderate
Document classification without a state change302101018 / Moderate

4. Test control design against the 12 audit domains

A design test asks whether the stated control, if operated as written, addresses the identified risk. Inspect ownership, control objective, trigger, decision logic, authority, evidence capture, exception handling, frequency, retention, and escalation. Walk one normal case and one failure case through the design before testing period records.

The table reuses the enterprise framework taxonomy verbatim. It is the copyable audit test program for design. Add local workpaper references and results without changing the domain names, population, procedure, evidence, or pass criterion.

Copyable 12-domain control-design audit test program
Test ID and audit domainDesign populationProcedureEvidencePass criterion
D-01: 1. Inventory and scope8 agents, 27 Releases, 31 Rollouts, 14 tools, 4 external dependenciesInspect inventory schema and reconciliation control; trace one addition, one change, and one retirement through approval and production discoveryAgent Registry, Process map, inventory procedure, reconciliation output, approval recordRequired objects, owners, environments, active dates, dependencies, and reconciliation sources are defined; unknown production activity triggers escalation
D-02: 2. Responsibility and accountability8 agents and all 12 control ownersMap outcome, risk acceptance, control operation, incident, evidence, and remediation decisions to named roles with authority and deputiesResponsibility matrix, role charters, committee mandate, escalation pathOne accountable Process owner exists; every control and exception has an authorized owner and escalation route
D-03: 3. Identity and delegation19 persistent and 31 temporary identities; 286 delegated JourneysInspect unique identity, sponsor, purpose, scope, duration, token issue, expiry, and revocation design; walk a delegation and an emergency revokeIAM standard, token claims, authority snapshot, delegation and revocation proceduresEach actor and delegation is unique, bounded, attributable, time-limited where applicable, and revocable before further use
D-04: 4. Permissions, tools, and data boundaries14 tools, 6 write-capable tools, 19 identities, 7 action typesCompare intended purpose to effective grants, Tool Catalog actions, resource scopes, Data Boundaries, value limits, and enforcement pointsAccess model, grants, Tool Catalog entries, Data Boundaries, deny testsLeast-privilege restrictions are enforced at action time; unregistered tools, broad wildcards, and direct bypass paths are blocked
D-05: 5. Risk classification and pre-production assurance27 Releases and 9 model or vendor changesInspect risk rubric, impact assessment, test plan, thresholds, exception approval, and release gate; trace one failed thresholdRisk assessments, model and Process evaluations, release criteria, sign-offs, accepted exceptionsEach Release maps material risks to tests and measurable thresholds; failures block release unless an authorized, bounded exception exists
D-06: 6. Runtime policy enforcement184,216 action records and applicable policy versionsWalk allow, deny, escalate, and exception paths; verify policy evaluates before execution and direct tool calls use the same gatePolicy Builder definition, KLA Policy Engine configuration, Simulation results, event sequenceEvery consequential path requires an approved pre-execution verdict; denial and stale-policy states prevent the tool effect
D-07: 7. Human approval and escalation3,842 Decision Requests and 214 overridesInspect routing thresholds, reviewer authority, evidence presented, conflict handling, expiry, reassignment, rationale, and late-decision preventionDecision Desk configuration, reviewer matrix, request schema, escalation timersRequired human decisions occur before execution by an authorized reviewer using defined evidence and a recorded rationale
D-08: 8. Execution lineage and business outcomes14,903 consequential actionsTrace intent, inputs, retrieved data, tool calls, policy, human decision, before and after state, downstream effect, and applicant notificationLineage Record, Journey, tool receipt, loan-system record, notification referenceStable identifiers reconstruct every material action and the recorded outcome agrees with the business system
D-09: 9. Continuous assurance and change management27 Releases, 31 Rollouts, 9 vendor or model changes, 367 alertsInspect change classification, regression trigger, approval, first-execution monitoring, alert thresholds, owner review, and remediation linkageRelease diffs, test plans, Rollout conditions, Assurance Alerts, review recordsEvery material change triggers reassessment and monitoring; failed signals create owned, time-bound remediation
D-10: 10. Incident response, revocation, and rollback11 incidents or near misses; 19 access revocations; 4 RollbacksWalk detection, triage, containment, affected-population query, credential revoke, Rollback, communication, recovery, and lessons learnedIncident plan, runbook, revoke and Rollback tests, severity and notification matrixOwners can stop further action, identify affected cases, revoke authority, restore safe state, and preserve evidence within approved targets
D-11: 11. Evidence integrity, retention, and Independent Verification184,216 records in 91 daily evidence bundlesInspect synchronous capture, manifest creation, hashes, signatures, custody, verifier access, retention, legal hold, and deletion controlsEvidence schema, manifests, key records, custody log, retention schedule, verifier resultA reviewer can reconcile, validate, and reperform sampled actions; alteration or missing records are detectable and escalated
D-12: 12. Multi-agent and third-party dependencies286 delegated Journeys, 4 external dependencies, 9 vendor or model changesInspect authenticated handoff, constraint propagation, version pinning, supplier evidence, incident duties, termination, and fallbackHandoff schema, gateway receipts, contracts, assurance reports, dependency inventoryEvery contributing service and agent is attributable, authorized, versioned, constrained, and covered by evidence and incident terms

5. Test operating effectiveness over the audit period

Operating-effectiveness testing uses actual period records. Run deterministic assertions across the full population where source completeness and field semantics are proven, then inspect sampled cases for judgment, context, and evidence quality. Preserve query text, source snapshots, row counts, exceptions, reviewer notes, and reperformance results in the workpapers.

Each exception remains tied to its denominator. A late policy verdict in 3 of 14,903 consequential actions has a different exposure from 3 cases in an unreconciled population. Quantify both the observed rate and the population limitation, then expand testing when the failure may be systemic.

Copyable operating-effectiveness test program with concrete populations and pass criteria
Test IDPopulation and selectionProcedureEvidencePass criterion
OE-01: Action records and policy sequenceAll 184,216 records; separate 14,903 consequential actionsTest uniqueness, required fields, timestamp order, policy version, and pre-execution verdict; identify denied actions with a downstream `effect_id`Frozen Lineage Record and policy-event extracts; query; exception file100% unique and attributable; every consequential action has an applicable prior allow or escalate result; zero denied actions execute
OE-02: Policy denialsAll 1,126 denials analytically; 40 cases selected across rule, action type, agent, and Release for human reviewConfirm requested action stopped, no equivalent retry bypassed the rule, notification and escalation followed policy, and evidence explains the decisionPolicy result, matched rules, retry chain, tool gateway, notification, Decision RequestZero prohibited effects or equivalent bypasses; every sampled denial is correct, timely, and reconstructable
OE-03: Human approvalsAll 3,842 Decision Requests analytically; 60 sampled by risk, reviewer, outcome, and monthTest reviewer authority at decision time, evidence presented, decision timing, rationale, conflicts, expiry, and match to executed actionDecision Desk record, IAM snapshot, presented-evidence hash, tool receipt, business outcome100% required approvals precede action; sampled decisions have authorized reviewers, sufficient evidence, rationale, and matching effects
OE-04: Human overridesAll 214 overrides analytically; 50 sampled across original verdict, reviewer, reason code, outcome, and ReleaseCompare override authority and rationale to policy; trace original decision, new decision, tool effect, notification, and later incident or complaintOriginal and override decisions, authority snapshot, rationale, Lineage Record, outcomeEvery override is authorized, reasoned, timely, within delegated bounds, and accurately reflected downstream
OE-05: Business-state reconciliationAll 14,903 consequential actions analytically; 60 sampled for source inspectionJoin requested action, approved action, tool response, before and after state hashes, amount, final loan status, and applicant notificationTool receipt, loan-system event, notification, `before_state_hash`, `after_state_hash`, `external_reference`100% outcome and amount agreement; sampled source records support the recorded before and after state
OE-06: Releases and first executionsAll 27 Releases; first and second consequential execution after each Release, 54 actionsVerify approval, artifact and policy versions, regression results, deployment time, expected monitoring, evidence completeness, and absence of pre-approval executionRelease manifest, test results, approval, Rollout record, first Lineage RecordsEvery Release is approved before use; all 54 first executions use the intended versions and pass control and evidence checks
OE-07: Access revocationsAll 19 revocation events and all later activity for affected identitiesCompare request, approval, effective time, token expiry, gateway enforcement, residual sessions, and subsequent denied or successful callsIAM and token events, gateway logs, authority snapshots, incident linksRevocation meets the approved target; zero successful use occurs after the effective time
OE-08: Incidents and near missesAll 11 events and the full affected-action population for eachReperform severity, affected-population query, containment, revocation, Rollback, notification, root cause, remediation, and closure approvalIncident file, Lineage Records, affected-case list, revoke and Rollback receipts, closure evidenceEvery event has a complete affected population, timely containment, approved recovery, preserved evidence, and verified remediation
OE-09: Evidence integrity and retentionAll 91 daily bundle manifests; 30 bundles selected for signature and chain validation; every sampled actionRecalculate manifest and record hashes, validate signatures and chain order, confirm retention class and legal hold, and resolve records through an independent verifierBundle manifests, signature keys, custody log, retention records, verifier outputAll manifests reconcile to source counts; all 30 validations and every sampled record pass integrity, custody, and retention tests
OE-10: Vendor, model, and delegation changesAll 9 vendor or model changes and 286 delegated Journeys analytically; 50 Journeys sampledTest change approval, contract and evidence terms, authenticated sender and recipient, propagated purpose and constraints, versions, sub-agent effects, and final outcomeChange record, contract, handoff receipts, authority snapshots, component versions, Journey outcomeEvery change is approved before use; every sampled handoff is attributable, bounded, versioned, and traceable to the final outcome

6. Select a reproducible risk and random sample

Freeze the population before selection. Record the source queries, extraction time, filters, random seed, hash method, sample owner, duplicate treatment, replacements, and final case list. Keep every applicable stratum tag on a selected case so one action can satisfy several coverage objectives without disappearing from exception reporting.

Full-population automated testing works for deterministic assertions over structured, reconciled records: uniqueness, required fields, timestamp order, policy-before-action sequence, amount matching, expired authority, denial followed by execution, and hash validation. Human review remains required for decision rationale, semantic consistency with purpose, relevance of retrieved data, quality of reviewer judgment, credible downstream harm, chain-of-custody exceptions, and opaque third-party evidence.

The selection counts below are KLA recommendations for this worked population. They are a defensible starting point for engagement planning. Document the expected assurance, tolerable deviation, population variability, reliance strategy, and expansion rules when the engagement needs statistical inference.

Copyable sampling matrix for the worked 1 April-30 June 2026 population
Required stratumConcrete populationSelection method and sizeHuman procedureEvidencePass and expansion rule
High-risk action types2,412 Critical-tier declines, approvals above EUR 25,000, and cross-agent valuation actions60 cases: 20 highest-value or highest-impact, plus 40 spread across action type, agent, Release, and monthReperform authority, policy, required human decision, tool effect, outcome, and evidence integrity end to endLineage Record, authority snapshot, policy, Decision Request, tool receipt, business state, evidence manifestZero unauthorized or unsupported consequential effects; any such failure expands to the full affected action type and Release
Random population sampleBase population of 184,216 action records; selection excludes cases already chosen for mandatory strata80 records selected by ascending SHA-256 of fixed seed plus `record_id`; retain the seed and queryInspect end-to-end completeness and compare recorded purpose, action, and outcome with source recordsAll minimum evidence groups and authoritative source recordsNo unexplained missing or inconsistent field; one systemic schema gap expands to all records using that schema version
Exceptions and policy denials1,126 denials across 18 policy rulesFull-population automated sequence test; 40 human reviews covering every material rule and all 8 agentsConfirm the denied effect stopped, retry paths stayed governed, and escalation or notification matched policyPolicy decision, matched rules, retry chain, gateway record, Decision Request, notificationZero denied effects; any bypass expands to all executions sharing rule, agent, Release, tool, or retry pattern
Human overrides214 overrides by 23 reviewersFull-population authority and timing test; 50 human reviews including every reviewer with 5 or more overridesAssess evidence presented, rationale, authority, conflict, timing, executed action, and later complaint or incidentOriginal decision, override, IAM snapshot, rationale, tool effect, outcome historyEvery override is authorized, reasoned, prior to effect, and bounded; one invalid reviewer expands to all of that reviewer's decisions
Anomalous or low-confidence outcomes367 events from retry, outlier, drift, latency, data-quality, or low-confidence rules60 cases: 10 from each anomaly family, weighted to Critical and High actionsValidate the alert, investigation, disposition, decision route, effect, and remediation; inspect false-negative risk around thresholdsAssurance Alert, model and tool records, reviewer analysis, outcome, Remediation PlanEvery sampled alert is timely and correctly resolved; any missed required escalation expands to the family and threshold window
First executions after a ReleaseFirst and second consequential action after each of 27 Releases: 54 actionsTest all 54Match deployed versions, approval, regression results, policy, permissions, monitoring, outcome, and evidence schemaRelease manifest, Rollout record, first Lineage Records, Assurance AlertsAll 54 use approved versions and pass controls; any failure expands to every action until correction or Rollback
Cross-agent delegation286 Journeys containing at least one agent-to-agent handoff50 Journeys across sender, recipient, tool, risk tier, and Release; include every three-hop JourneyTrace authenticated parties, delegated purpose, scope, expiry, constraint propagation, message integrity, tool effects, and final outcomeHandoff receipts, authority snapshots, component Lineage Records, tool receipts, Journey outcomeEvery handoff is attributable and within delegated bounds; any broken chain expands to the sender-recipient-version combination
Incidents and near misses7 incidents and 4 near missesTest all 11 and the complete affected-action population for eachReperform detection, severity, containment, revoke, Rollback, notification, root cause, remediation, and closureIncident file, affected-case query, action records, recovery receipts, closure evidenceComplete and accurate affected population with timely response and verified closure; any omission reopens the event
Vendor or model changes9 changes: 4 model versions, 2 retrieval vendors, 2 tool APIs, 1 orchestration serviceTest all 9 changes and the first 3 consequential actions after each, 27 action reviews with overlap retainedInspect due diligence, contract and evidence terms, risk reassessment, evaluation, approval, version pinning, monitoring, and fallbackChange approval, contract, evaluation, manifest, gateway records, first outcomesEvery change is approved and tested before use; any unapproved use expands to the complete exposure interval

7. Evaluate evidence sufficiency for every sampled action

Evidence is sufficient when it is relevant to the assertion, reliable, complete, timely, traceable to the population, and protected against undetected change. Document the producer, authoritative system, extraction method, field semantics, retention, integrity mechanism, and chain of custody. Reperform the policy result and reconcile the downstream effect whenever the evidence supports those procedures.

Identity evidence must resolve the user or sponsoring principal, agent, service context, delegator, and approver. The shared schema uses `sponsoring_principal_id`, `agent_identity_id`, `authority_snapshot_id`, `delegated_by`, and `reviewer_id`; linked IAM records carry actor type, credential lifecycle, effective grants, and service context. Preserve the exemplar field names below so samples can move between the enterprise framework, Lineage Explorer, and Evidence Room without translation.

A screenshot, dashboard total, or management representation can corroborate a test and cannot replace the underlying period record. Where one required group is missing, classify the gap, identify the affected population, attempt an equivalent alternative procedure, and qualify the conclusion when the same assertion remains unsupported.

Copyable evidence-request list using the shared minimum evidence field names
Request ID and field groupExact minimum fieldsRequested source and formatSufficiency and pass test
ER-01: Record and correlation`record_id`, `occurred_at`, `environment`, `tenant_id`, `process_id`, `journey_id`, `correlation_id`Immutable Lineage Record extract plus schema, timezone, query, row count, and extract hashIDs are unique; timestamp order is coherent; record reconciles to the frozen population and complete Journey
ER-02: Agent and release`agent_id`, `agent_release_id`, `model_id`, `model_version`, `orchestrator_version`, `prompt_template_version`Agent Registry and signed Release manifest with immutable artifact referencesEvery version resolves to the artifact approved and deployed at `occurred_at`
ER-03: Principal and delegation`agent_identity_id`, `sponsoring_principal_id`, `delegated_by`, `session_id`, `authority_snapshot_id`, `expires_at`IAM, token, session, delegation, effective-grant, service-context, and revocation recordsUser or sponsor, agent, service context, and delegation are attributable, active, scoped, unexpired, and authorized for the action
ER-04: Purpose and risk`purpose_code`, `decision_type`, `risk_tier`, `regulatory_classification`, `classification_basis_version`Approved Process purpose, decision catalogue, risk assessment, and classification recordRecorded purpose and tier match the approved use and the classification effective for the Release
ER-05: Data provenance`input_reference[]`, `source_hash[]`, `retrieval_query_hash`, `data_boundary_id`, `redaction_profile_id`Protected inputs or resolvable references, retrieval receipts, source versions, Data Boundaries, and redaction recordEvery material input and retrieved item resolves to the allowed source, time, boundary, and protected representation
ER-06: Tool action`tool_id`, `tool_version`, `action`, `resource_scope`, `requested_args_hash`, `response_hash`, `effect_id`Tool Catalog entry, gateway request and response, effective permission context, and effect receiptRequested authority, actual call, response, and downstream effect agree and remain within approved scope
ER-07: Policy decision`policy_id`, `policy_version`, `policy_decision`, `matched_rule_ids[]`, `exception_id`, `evaluated_at`Policy Builder artifact, KLA Policy Engine event, matched rules, exception approval, and Simulation inputsAuditor reperforms the same result; `evaluated_at` precedes the governed tool effect
ER-08: Human decision`decision_request_id`, `reviewer_id`, `reviewer_role`, `presented_evidence_hash`, `decision`, `rationale`, `decided_at`Decision Desk record plus reviewer IAM snapshot and the evidence presented at decision timeApprover identity and role are authorized; evidence, decision, rationale, and timing support the action taken
ER-09: Outcome and recovery`outcome`, `before_state_hash`, `after_state_hash`, `external_reference`, `incident_id`, `rollback_id`, `revocation_event_id`Authoritative before and after business records, notification, incident, Rollback, and revocation receiptsRecorded state and downstream effect match the business system; recovery events resolve and sequence correctly
ER-10: Integrity and retention`evidence_hash`, `previous_record_hash`, `bundle_manifest_hash`, `signature_key_id`, `sealed_at`, `retention_class`, `legal_hold_id`Sealed Evidence Bundle, manifest, signature and key record, custody log, retention schedule, and legal-hold recordHashes recalculate; signature and chain validate; sealing is timely; custody, retention, and hold cover the sample

8. Write findings and form a bounded audit opinion

Use a four-level severity model. Critical means an active or credible unauthorized, irreversible, safety, rights, or material financial exposure requiring immediate containment. High means a material or systemic control failure, significant affected population, or weak prevention over consequential actions. Moderate means a bounded control weakness with compensating controls and limited current exposure. Low means an isolated documentation or process weakness with low direct impact. Record likelihood, impact, velocity, detectability, population, compensating controls, and management risk acceptance behind the rating.

Every finding needs condition, criterion, cause, consequence, affected population, evidence, owner, remediation, and retest date. Separate a control exception from an evidence limitation. Where population completeness, evidence integrity, or a third-party dependency prevents the procedure, state the affected assertion and residual uncertainty in a qualified conclusion.

The final opinion names the scope, period, criteria, assurance level, domains tested, reliable populations, exceptions, and limitations. It reports whether controls were suitably designed and operated effectively for the stated engagement. It provides no certification of legal compliance, system safety, individual decision correctness outside the tested work, or future operation.

Copyable fully written sample finding
Finding fieldCompleted finding: IA-AGT-2026-04
Title and severityHuman overrides were executed without complete contemporaneous approval evidence: High
ConditionAcross the complete population of 214 human overrides, 37 records had an empty `rationale` and 12 additional records used a `reviewer_role` that did not resolve to the approved underwriter matrix at `decided_at`. Five of those 12 decisions were recorded after the related write-capable tool effect. The 49 unique affected overrides represent 22.9% of the override population.
CriterionLending policy LND-04 v6.2 section 7.3 and Agent Control Standard ACS-02 v4.1 control HAO-4 require an authorized underwriter to review the presented evidence, record a decision and rationale, and complete the decision before any override reaches the loan system.
CauseThe June IAM migration omitted the contractor-underwriter group from the Decision Desk role mapping. The override API schema also allowed a blank rationale, and the tool gateway accepted an override reference without checking `decided_at` against the effect time.
ConsequenceThe organization cannot demonstrate contemporaneous, authorized judgment for 49 overrides. Five loan-system effects occurred before the recorded decision, creating a direct control bypass. Affected applicants may have received outcomes that cannot be supported from the preserved approval record, and management lacks reliable evidence for complaint, regulator, or internal review.
Affected population49 of 214 overrides between 1 April and 30 June 2026: 31 approvals, 13 declines, and 5 referral changes across 6 agents and 4 Releases. The five late decisions affected applications requesting EUR 286,000 in total.
EvidenceFull-population query IA-AGT-OE-04; frozen Decision Desk extract hash `8d61…c4a2`; IAM role snapshots; 49 Lineage Records; five tool receipts and loan-system events; policy LND-04 v6.2; control ACS-02 v4.1. Independent reperformance confirmed the counts and event order.
Owner and due dateAccountable owner: Head of Lending Operations. Supporting owners: IAM owner and agent technical owner. Remediation due 15 September 2026.
RemediationMake `rationale` mandatory for every override; synchronize approved reviewer groups from IAM; require the gateway to validate reviewer authority and `decided_at` before a write; re-review all 49 affected cases; correct applicant and loan records where required; preserve the original gap and new review as separate evidence; monitor override completeness daily for 30 days.
Retest and closure criterionRetest date: 30 September 2026. Reperform design tests for schema, role synchronization, and gateway sequencing; test the full 49-case remediation population and all overrides from 16-30 September. Close only when every affected case has an approved disposition, every new override has an authorized prior decision and rationale, and the 30-day monitor has zero failures.
Opinion effectQualify the operating-effectiveness conclusion for 7. Human approval and escalation and consequential overrides during the audit period. Preserve separate conclusions for other domains where sufficient evidence supports them.

9. Report, follow up, and establish continuous assurance

Track each finding through one Remediation Plan with the owner, actions, due dates, dependencies, interim risk treatment, evidence, and status. Internal audit retests the failed assertion using the original criterion plus post-fix operating records. Closure requires verified design, effective operation for the defined observation window, complete treatment of the affected population, and approval under the audit methodology.

Run recurring analytics between audits over population reconciliation, policy denials followed by effects, late approvals, overrides, expired authority, Release and model changes, anomaly disposition, incident closure, evidence completeness, and signature validation. Management owns these controls and reviews. Internal audit validates the source, logic, thresholds, review evidence, and issue follow-through before relying on the analytics.

Trigger out-of-cycle audit work for a new high-impact agent, material Release, model or vendor replacement, permission expansion, new write-capable tool, Process or classification change, incident or near miss, unexplained population variance, evidence-integrity failure, repeated override or denial anomaly, or overdue Critical or High finding. Use the Agent Audit Readiness Assessment to score preparation, then use the 12-domain enterprise framework to expand any weak domain into deeper procedures.

  • Remediation tracking: update owner, due date, action, dependency, interim control, evidence, and risk acceptance at least weekly for Critical and High findings.
  • Control retesting: repeat the failed design step, test the complete known affected population, and inspect a defined post-fix operating window.
  • Closure evidence: retain corrected configuration, approvals, affected-case dispositions, new period records, query results, verifier output, and audit closure sign-off.
  • Recurring analytics: route breaches to an Assurance Alert with an owner, severity, due date, affected-population query, and Remediation Plan.
  • Out-of-cycle work: open a scoped review when a trigger changes authority, impact, evidence reliability, or the audit population.
Copyable final-report outline and completion test
Report sectionRequired contentAttached artifactCompletion criterion
1. Executive summary and opinionAssurance question, conclusion, severity profile, material exposure, reliable areas, and required actionSigned opinion and issue summaryConclusion is bounded to criteria, scope, period, population, procedures, and evidence
2. Objective, scope, and criteriaBusiness Process, agents, Releases, dates, decision types, materiality, exclusions, authority of each criterionApproved engagement-planning checklistEvery test traces to the assurance question and an effective criterion
3. System boundary and populationArchitecture, owners, identities, tools, dependencies, counts, reconciliation results, and shadow-agent searchPopulation worksheet, source queries, hashes, and variance logPopulation is complete or the exact limitation and affected assertions are stated
4. Risk assessment and methodologyRisk rubric, ranked actions, design and operating-effectiveness approach, automated tests, sample method, seed, sizes, and expansion rulesRisk worksheet, test program, and sampling matrixA reviewer can reproduce the selection and understand reliance on every procedure
5. Results by audit domainDesign conclusion, operating conclusion, population tested, exceptions, rates, and evidence quality for all 12 domainsWorkpaper index and evidence-request trackerEvery conclusion is supported by reviewed evidence and quantified exceptions
6. Findings and management actionsCondition, criterion, cause, consequence, population, evidence, severity, owner, action, due date, and risk acceptanceFinding sheets and signed management responsesActions address root cause and complete affected-population treatment
7. Limitations and qualified conclusionsMissing evidence, failed alternatives, unavailable dependencies, residual uncertainty, and opinion effectScope-limitation and alternative-procedure workpapersThe reader can identify every assertion outside supported assurance
8. Follow-up and Continuous AssuranceRemediation governance, retest plan, closure criteria, analytics, owners, thresholds, cadence, and out-of-cycle triggersRemediation Plans, analytics inventory, and follow-up calendarEvery open issue and recurring signal has an owner, evidence source, due date, and escalation path
9. AppendicesDefinitions, criteria versions, detailed populations, queries, sample list, exclusions, evidence index, and severity rubricReproducibility package and Sealed Evidence Bundle referencesAn independent reviewer can trace report statements to workpapers without exposing protected data

Häufig gestellte Fragen

What is an AI agent audit program?

It is the repeatable work plan for one assurance engagement: objective, criteria, complete population, risk assessment, control design and operating-effectiveness procedures, sampling, evidence tests, findings, opinion, and follow-up. The broader 12-domain enterprise framework defines the audit universe.

How should internal audit scope an AI agent engagement?

Start with the business Process and exact assurance question. Name the agents, Releases, identities, tools, models, dependencies, decision types, period, materiality, downstream effects, evidence stores, exclusions, and criteria. Reconcile the full population before selecting samples.

How should auditors sample AI agent actions?

Combine a reproducible random baseline with mandatory risk strata: high-risk actions, denials, overrides, anomalies, low-confidence outcomes, first executions after Releases, cross-agent delegation, incidents, near misses, and vendor or model changes. Preserve the population query, seed, selection logic, and expansion rules.

What evidence is required for one sampled AI agent action?

The record should resolve the principal and agent identities, delegation and service context, Agent and model Release, inputs and retrieved-data references, tool and permission context, policy result, human decision and rationale, before and after state, downstream effect, timestamps, retention, integrity proof, and chain of custody.

Can automated testing replace human sample review?

Automated tests can cover complete populations for deterministic assertions such as sequence, required fields, authority expiry, outcome reconciliation, and hash validation. Human review is still needed for rationale, context, semantic consistency, judgment quality, credible harm, and evidence limitations.

What should the audit report say when evidence is incomplete?

Classify the gap, quantify the affected population, attempt an equivalent alternative procedure, and state the unsupported assertion and residual uncertainty. Qualify the relevant domain or opinion boundary and assign remediation with a retest date.

Die wichtigsten Erkenntnisse

A usable AI agent audit program begins with a precise assurance question and a complete population. It ranks action risk, tests control design and actual operation, combines full-population analytics with reproducible samples, evaluates one consistent evidence schema, writes quantified findings, and verifies closure. Start with the Agent Audit Readiness Assessment, use the enterprise framework for deeper domain criteria, and compare the evidence request with the Evidence Room sample.

In Aktion sehen

Bereit, Ihre Compliance-Nachweise zu automatisieren?

Buchen Sie eine 20-minütige Demo, um zu sehen, wie KLA Ihnen hilft, Human Oversight nachzuweisen und auditfertige Annex IV Dokumentation zu exportieren.

AI Agent Audit Program: Scope, Sampling & Evidence