Evidence Room

Export cryptographically Sealed Evidence Bundles and Control Packs that auditors can verify independently, with no trust in KLA required.


The Evidence Room (/evidence-room) is where governed agent activity becomes audit-ready proof. It compiles signed records, execution lineage, and policy state into portable, tamper-evident artifacts you can hand to an external auditor, and that the auditor can verify on their own laptop, offline, without ever trusting KLA. This page is for compliance, risk, and audit officers building an evidence file, and for the platform operators who export and share it.

The Evidence Room consumes the output of the Evidence-by-Default pipeline: OpenTelemetry spans flow into the KLA Collector, which redacts personally identifiable information (PII), and then into the ImmuDB cryptographic ledger, which produces Merkle proofs, mathematical fingerprints that make any later tampering detectable.

Sealed Evidence Bundles

A Sealed Evidence Bundle is the core export object: a self-contained .zip packaging everything needed to reconstruct and prove a slice of agent history.

| Contents | What it proves |
| --- | --- |
| Signed JSON records | The exact agent actions, tool calls, and costs that occurred |
| Lineage Records | The full step-by-step trace of each governed run |
| Policy state | Which policy pack was active and the decision it returned: allow, warn, require_approval, or block |
| Decision Desk outcomes | Any human approval or Escalation that resolved a require_approval decision |
| Merkle proofs | Cryptographic anchoring back to a published ledger root hash |

🛡️ Important
A **Lineage Record** is KLA's name for one end-to-end trace of an agent run. Bundling a Lineage Record with its policy decision and Decision Desk outcome produces a complete, defensible story for a single run in one file.

Independent Verification

This is the point of the Evidence Room: verification does not depend on trusting KLA. An auditor recomputes the Merkle proofs inside a bundle against the published root hash and, entirely on their own, confirms that the evidence is authentic and unmodified. All checks run offline, with no network access required.

```bash
kla evidence verify \
  --bundle evidence-room_acme-prod_exp_9f2c_v1.zip \
  --out ./report
```

The verifier confirms signatures, recomputes the Merkle root, and validates the ledger anchor, then writes a verification-report.json and a human-readable HTML report. Exit code 0 means the bundle is Sealed and trustworthy.
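
What recomputing a Merkle proof against a published root hash involves, as an added example that is not KLA's verifier or bundle format. The hashing scheme (SHA-256 with RFC 6962-style leaf and node prefixes), the `(side, sibling)` proof layout, and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed scheme: SHA-256 with RFC 6962-style domain separation, so a leaf
# can never be confused with an interior node. Not KLA's documented format.
def leaf_hash(record: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + record).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_proof(records, index):
    """Ledger side: return (root, proof) for records[index].
    proof is a list of (side, sibling_hash), side being 'L' or 'R'."""
    level = [leaf_hash(r) for r in records]
    proof = []
    while len(level) > 1:
        sib = index ^ 1
        if sib < len(level):
            proof.append(("L" if sib < index else "R", level[sib]))
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted, never duplicated
        level, index = nxt, index // 2
    return level[0], proof

def verify_inclusion(record: bytes, proof, published_root: bytes) -> bool:
    """Auditor side: recompute the root from one record and its proof, offline."""
    acc = leaf_hash(record)
    for side, sibling in proof:
        acc = node_hash(sibling, acc) if side == "L" else node_hash(acc, sibling)
    return hmac.compare_digest(acc, published_root)

# Constructed sample records, not real KLA output.
RECORDS = [
    b'{"run":"r1","agent":"refund-approver","decision":"allow"}',
    b'{"run":"r2","agent":"refund-approver","decision":"warn"}',
    b'{"run":"r3","agent":"refund-approver","decision":"block"}',
    b'{"run":"r4","agent":"refund-approver","decision":"require_approval"}',
    b'{"run":"r5","agent":"refund-approver","decision":"allow"}',
]
ROOT, PROOF = build_proof(RECORDS, 2)

if __name__ == "__main__":
    print("authentic record:", verify_inclusion(RECORDS[2], PROOF, ROOT))
    tampered = RECORDS[2].replace(b"block", b"allow")
    print("tampered record: ", verify_inclusion(tampered, PROOF, ROOT))
```

The auditor needs only the record, its proof, and the root hash obtained independently of the bundle; a root taken from the same file as the evidence proves nothing.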

```mermaid
flowchart LR
  A["Agent activity"] --> B["KLA Collector<br/>PII redaction"]
  B --> C["ImmuDB ledger<br/>Merkle proofs"]
  C --> D["Sealed Evidence Bundle"]
  D --> E["Auditor verifies offline"]
```

Export Jobs and Secure Share Links

Evidence sets can span months of activity, so exports run as asynchronous jobs. You define the scope (a date range, an agent, or a single Lineage Record), queue the export, and monitor it to completion without holding a session open.

```bash
curl -X POST https://api.kla.digital/v1/evidence.export \
  -H "Authorization: Bearer $KLA_ACCESS_TOKEN" \
  -H "x-tenant-id: acme-prod" \
  -d '{"agent":"refund-approver","from":"2026-01-01","to":"2026-03-31"}'
```

When the bundle is ready, generate a secure share link: a time-limited, access-scoped download URL you can send to an external regulator or auditor without provisioning them a KLA account. The recipient downloads the bundle and verifies it with the steps above.

💡 Tip
Share links are scoped and expiring. Set the shortest window that fits the auditor's review schedule, and the link self-revokes when it lapses.

Control Mapping and Control Packs

Raw evidence answers what happened. Auditors also need to know which requirement it satisfies. Control Mapping ties individual governance signals (a policy decision, an approval, a redaction event) to specific clauses in a compliance framework.

A Control Pack is a compliance-oriented export: a Sealed Evidence Bundle organized around a framework rather than a time range. KLA ships mappings for common regimes:

  • EU AI Act, Annex IV: technical documentation requirements for high-risk AI systems, mapped to your agents' instructions, policy controls, and audit trail.
  • SOC 2: change management, access control, and monitoring criteria, evidenced by Releases, Decision Desk records, and continuous Lineage.

A Control Pack lets you respond to an EU AI Act technical-documentation request or a SOC 2 Type II review with one verifiable file instead of a folder of screenshots. Use the Lineage Explorer to investigate a specific run, then export it straight into the Evidence Room as part of the pack.
