Part of the AI Governance & Security series
The AI Governance & Security Series
★ Start here (the story), then read Parts 1–7 in order.
| # | Post | Read |
|---|---|---|
| ★ | AI Sorcery: Don’t Be the Apprentice | Read |
| 1 | The Ledger Question | Read |
| 2 | Can You Prove What Your AI Did to the Books Last Night? (you are here) | — |
| 3 | The Boundary a Local AI Model Won’t Give You | Read |
| 4 | What Quantum Computing Does to Your AI Audit Trail | Read |
| 5 | Something You Know, Have, or Are | Read |
| 6 | Lock the Front Door: Secure Your QuickBooks Login | Read |
| 7 | The Back Door: Who Can Reach Into Your Books | Read |
Can You Prove What Your AI Did to the Books Last Night?
Here’s a question worth sitting with. An AI agent touched your financial records last night — categorized transactions, drafted an invoice, maybe reconciled an account. Can you prove exactly what it decided, when, what data it used, who authorized it, and that the record hasn’t been altered since?
If the answer is no, you don’t have AI governance. You have AI activity. The gap between the two stays invisible right up until an auditor, a lender, an insurance carrier, or a fraud investigator asks the question — and then it’s the only thing that matters.
I keep coming back to the Sorcerer’s Apprentice for this. The apprentice didn’t fail because the magic was weak. He failed because he started the brooms before anyone defined what done looked like, and built no way to stop them. An ungoverned agent in a financial workflow is the same story with better tooling: it works all night, and nobody can say working on what, under whose authority, with what proof.
When owners go looking for the fix, they usually get sold a word — blockchain — that turns out to be four different technologies wearing one label. (I wrote about that untangling separately; the short version is that most businesses need none of them.) The more useful move is to skip the technology entirely at first and name the trust property that’s actually missing. There are only four that matter for AI-touched books.
Non-repudiation — proving who authorized an action in a way they can’t later deny. Tamper-evidence — being able to detect if any past record was changed after the fact. Multi-party consensus — only relevant when independent organizations must share one ledger with no trusted referee, which most businesses never need. And queryability — because your auditor and your CFO need answers in SQL and a spreadsheet, not a blockchain explorer.
Name the missing property, then apply the smallest mechanism that supplies it. For a single business, that turns out to be unglamorous and affordable.
An append-only ledger gives you the first two. Every AI decision lands as a permanent row — who, what, when — carrying a cryptographic hash that chains it to the record before it. Alter any historical row and the chain breaks visibly. Tampering isn’t prevented by a policy nobody reads; it’s exposed by arithmetic. And unlike a blockchain, a hash-chained table is fast, cheap, and readable by any accountant.
Policy as code handles authorization. The rules for what the AI may do aren’t in a binder — they’re executable, and every action passes through a gate before it runs. The gate’s allow/deny decision gets logged too, so an auditor can replay any past decision against the exact policy that governed it. Compliance stops being an assertion and becomes a thing you can re-run.
Key management keeps the signing keys in a dedicated vault — never in the application, never in the agent’s reach. No single system holds both the records and the keys that vouch for them. It’s the century-old segregation-of-duties principle auditors already trust, pointed at a new actor.
The human approval gate is where this gets concrete. High-stakes actions — a payment over a threshold, a vendor change, anything moving money — can’t execute until an authorized person decides. And the approval that counts is a physical one: a hardware key tap, not a click. A tap can’t be phished, lifted from a password breach, or faked by a voice on the phone. (The why-a-physical-key argument is its own piece.) The CFO who taps and the CFO who clicks look identical until a fraud investigation, where only one of them can prove it was really them.
And observability ties it off: every prompt, output, model version, and decision logged and timestamped. Treat the prompt and the output like journal entries — immutable, reconcilable, evidence.
None of that is speculative or expensive. It’s buildable now, at owner-operator scale, and it happens to line up with two clocks that are already running.
The regulatory one is closest. The EU AI Act’s transparency obligations took effect in August 2026, and even a business with zero EU exposure feels it downstream — the Act is becoming the template US auditors, lenders, and insurers reach for when they decide what “reasonable care” looks like. The practical version: your year-end auditor is about to start asking whether AI touched the books and how you can prove what it did. That question is arriving in current audits, not future ones.
The second clock is slower but unforgiving. Financial records live in a seven-plus-year retention window, and the cryptography that signs them today has a shelf life — adversaries are already harvesting encrypted data to decrypt once the tools catch up. Records created now will still be in retention when that day comes. Sizing your hash functions and planning your key strategy for algorithm migration isn’t paranoia; it’s just not having to rebuild the whole trust layer in a few years. (The quantum piece of this deserves its own explanation — the short version is that your ledger’s integrity holds up far better than its signatures do.)
The reason to build this before you need it is boring and decisive: you can’t retroactively create an audit trail. A business that runs agents ungoverned for two years and then meets an audit question has to reconstruct history it never recorded — which is usually impossible, and always more expensive than having recorded it. The trust layer is cheap going in and priceless the day someone asks you to prove something.
The AI doesn’t need to be feared. It needs a stop condition, an approval gate, and a record of what the brooms were doing. Requirements first, technology second, and a receipt for every claim.
This is the governance layer beneath our method — the part that proves what the AI did, not just what it can do.



