Product Modules

Evidence Room

Export cryptographically Sealed Evidence Bundles and Control Packs that auditors can verify offline (signatures, hashes, and the bundle's own Merkle root) without a live connection to KLA.

3 min read781 words

The Evidence Room (/evidence-room) is where governed agent activity becomes audit-ready proof. It compiles signed records, execution lineage, and policy state into portable, tamper-evident artifacts you can hand to an external auditor, and that the auditor can verify on their own laptop, offline (checking the signatures, every artifact hash, and the bundle's own Merkle root) with no live connection to KLA. This page is for compliance, risk, and audit officers building an evidence file, and for the platform operators who export and share it.

The Evidence Room consumes the output of the Evidence-by-Default pipeline: OpenTelemetry spans flow into the KLA Collector (which redacts personally identifiable information, or PII), then into the ImmuDB append-only cryptographic ledger. Each exported bundle is sealed with hashes and signatures so that any later tampering with the bundle's contents is detectable offline.

Sealed Evidence Bundles

A Sealed Evidence Bundle is the core export object: a self-contained .zip packaging everything needed to reconstruct and prove a slice of agent history.

Contents What it proves
Signed JSON records The exact agent actions, tool calls, and costs that occurred
Lineage Records The full step-by-step trace of each governed run
Policy state Which policy pack was active and the decision it returned: allow, warn, require_approval, or block
Decision Desk outcomes Any human approval or Escalation that resolved a require_approval decision
Merkle proofs & ledger anchor The bundle's own artifact Merkle root, plus the immudb ledger anchor and its retained proof for this manifest
🛡️ Important

A Lineage Record is KLA's name for one end-to-end trace of an agent run. Bundling a Lineage Record with its policy decision and Decision Desk outcome produces a complete, defensible story for a single run in one file.

Independent Verification

This is the point of the Evidence Room: most of the verification runs offline, without trusting KLA's live systems. An auditor verifies the SEK and TEK signatures, confirms every artifact's hash and size, and recomputes the bundle's own Merkle root, entirely on their own laptop, with no network access required. The bundle also carries the immudb ledger anchor and an OpenTimestamps Bitcoin receipt for this manifest; offline, the verifier confirms these are present and bind to the manifest (full ledger-inclusion and on-chain confirmation require the ledger's signed state and the Bitcoin chain, respectively).

kla evidence verify \
  --bundle evidence-room_acme-prod_exp_9f2c_v1.zip \
  --out ./report

The verifier confirms the SEK and TEK signatures, recomputes the bundle's own Merkle root, and checks that the immudb ledger anchor and OpenTimestamps receipt bind to this manifest, then writes a verification-report.json and a human-readable HTML report. Exit code 0 means every offline check passed.

flowchart LR
  A["Agent activity"] --> B["KLA Collector<br/>PII redaction"]
  B --> C["ImmuDB ledger<br/>Merkle proofs"]
  C --> D["Sealed Evidence Bundle"]
  D --> E["Auditor verifies offline"]

Export Jobs and Secure Share Links

Evidence sets can span months of activity, so exports run as asynchronous jobs. You define the scope (a date range, an agent, or a single Lineage Record), queue the export, and monitor it to completion without holding a session open.

curl -X POST https://api.kla.digital/v1/evidence.export \
  -H "Authorization: Bearer $KLA_ACCESS_TOKEN" \
  -H "x-tenant-id: acme-prod" \
  -d '{"agent":"refund-approver","from":"2026-01-01","to":"2026-03-31"}'

When the bundle is ready, generate a secure share link: a time-limited, access-scoped download URL you can send to an external regulator or auditor without provisioning them a KLA account. The recipient downloads the bundle and verifies it with the steps above.

đź’ˇ Tip

Share links are scoped and expiring. Set the shortest window that fits the auditor's review schedule, and the link self-revokes when it lapses.

Control Mapping and Control Packs

Raw evidence answers what happened. Auditors also need to know which requirement it satisfies. Control Mapping ties individual governance signals (a policy decision, an approval, a redaction event) to specific clauses in a compliance framework.

A Control Pack is a compliance-oriented export: a Sealed Evidence Bundle organized around a framework rather than a time range. KLA ships mappings for common regimes:

  • EU AI Act, Annex IV: technical documentation requirements for high-risk AI systems, mapped to your agents' instructions, policy controls, and audit trail.
  • SOC 2: change management, access control, and monitoring criteria, evidenced by Releases, Decision Desk records, and continuous Lineage.

A Control Pack lets you respond to an EU AI Act technical-documentation request or a SOC 2 Type II review with one verifiable file instead of a folder of screenshots. Use the Lineage Explorer to investigate a specific run, then export it straight into the Evidence Room as part of the pack.

Evidence Room | Developer Docs | KLA Control Plane