Glossary

AI Traceability

The capacity to reconstruct why an AI system produced a specific output, using logged inputs, model version records, decision trails and human-override history sufficient for post-hoc audit.

Why it matters

Regulators and assurance standards now treat traceability as a baseline AI governance requirement. ISO 42001 clause 8.4 obliges organisations to maintain records of AI system behaviour, and EU AI Act Article 12 extends this to mandatory logging for high-risk AI systems. Without these records, an organisation cannot defend an AI decision after the fact, cannot investigate harm and cannot demonstrate compliance to an auditor or regulator.

Many UK organisations deploying AI lack the logging architecture to meet these obligations. The gap is rarely intent; it is that traceability needs to be designed into the system, not retrofitted under audit pressure.

How it works in practice

Audit-grade traceability rests on four classes of record: input data provenance (source, version, processing steps), model versioning (which model produced which output), timestamped decision logs for significant AI outputs and human-override records where staff overruled AI recommendations. Together these answer the question regulators and claimants will ask: what did the system do, when, on what basis and who intervened?
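One way to join the four record classes and answer that question for a single decision, flagging whatever is missing. This is an added example, not QL Security's code; the JSON Lines layout, field names and sample values are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample log (JSON Lines). Field names and values are assumptions.
SAMPLE_LOG = """\
{"type":"input","input_id":"in-1","source":"crm_export","version":"2024-05-01","steps":["dedupe","normalise"]}
{"type":"decision","decision_id":"d-1","ts":"2024-05-02T09:15:00+00:00","input_id":"in-1","model_version":"risk-model:1.4.2","output":"decline"}
{"type":"override","decision_id":"d-1","ts":"2024-05-02T10:02:00+00:00","reviewer":"analyst-17","final":"approve","reason":"income evidence supplied"}
{"type":"decision","decision_id":"d-2","ts":"2024-05-02T09:20:00+00:00","input_id":"in-9","model_version":"","output":"approve"}
"""

def load(log_text):
    """Index records by class so a decision can be joined to its evidence."""
    idx = {"input": {}, "decision": {}, "override": {}}
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["type"] == "override":  # several overrides may follow one decision
            idx["override"].setdefault(rec["decision_id"], []).append(rec)
        else:  # keyed by input_id or decision_id
            idx[rec["type"]][rec[rec["type"] + "_id"]] = rec
    return idx

def reconstruct(idx, decision_id):
    """Return (trail, gaps): what the system did, when, on what basis, who intervened."""
    dec = idx["decision"].get(decision_id)
    if dec is None:
        return None, ["no decision log entry"]
    gaps = []
    try:
        when = datetime.fromisoformat(dec["ts"])
        if when.tzinfo is None:
            gaps.append("decision timestamp has no timezone")
    except (KeyError, ValueError, TypeError):
        when = None
        gaps.append("decision timestamp missing or unparseable")
    if not dec.get("model_version"):
        gaps.append("model version not recorded")
    prov = idx["input"].get(dec.get("input_id"))
    if prov is None:
        gaps.append("input provenance record missing")
    else:
        gaps += [f"provenance lacks {k}" for k in ("source", "version", "steps") if not prov.get(k)]
    overrides = sorted(idx["override"].get(decision_id, []), key=lambda o: o.get("ts", ""))
    gaps += ["override without named reviewer" for o in overrides if not o.get("reviewer")]
    return {"did": dec.get("output"), "when": when, "model": dec.get("model_version"), "basis": prov,
            "intervened": [(o["reviewer"], o["final"]) for o in overrides if o.get("reviewer")]}, gaps
```

An empty `gaps` list means the decision can be fully reconstructed from the log; any entry in it is a record that would be missing at audit time.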

Traceability is the third dimension of QL Security’s CIA+EFT Framework, assessed during an AI Behaviour Verification review.
