AlphaBitCore
For Risk · MRM · Internal Audit

Verify without reconstructing.

For the CRO, model risk officer, and head of internal audit. The Control Plane gives second- and third-line functions a sealed execution record they can sample, test, and challenge — not a narrative reassembled from screenshots, log fragments, and human explanations.

The problem

Second and third line shouldn’t have to reconstruct what AI did.

Model risk and internal audit operate against the same fundamental ask: tell us, with evidence, exactly what the model did under what controls — then let us sample, test, and challenge that record. For traditional analytical models, the record is the model itself plus its inputs. For agentic AI, the model is one component of a workflow that calls tools, reads context, makes decisions, and writes effects.

The only record of what happened is whatever the firm chose to log. Second- and third-line review then has to reconstruct execution from screenshots, fragmented logs, and human explanations. The reconstruction takes weeks, is costly in effort, and is hard to defend when a regulator pushes.

The Control Plane fixes the fundamental input. Every governed AI action seals to an append-only event stream. Second- and third-line review starts from a verifiable record, not an interpretation of one.

What you get

Outcomes the buyer can underwrite.

  • SR 11-7 testable

    Sample any AI-assisted decision; pull the EAC; replay the workflow; bit-for-bit reproduction. Model risk review becomes evidence-based, not interpretation-based.

  • Three-lines-of-defense ready

    Second-line MRM and third-line internal audit each get the same sealed record. The first-line owner shows the same evidence to both without separate reconstructions.

  • Examiner-defensible

    When a supervisor pushes on what the AI did during a specific period, the answer is a replay, not a narrative. Audit cycles compress.

Three testable properties

Properties second and third line can challenge.

Pre-action policy enforcement, recorded.

Every governed AI action is gated by policy at the runtime, and the gate decision — allow or deny, with the rule that fired — is sealed into the event stream. MRM samples the policy as code; audit samples the actual decisions taken.

Replay reproduces the result.

Any governed workflow can be re-run from its sealed inputs. The replay produces the same downstream effects. Internal audit can test specific decisions; MRM can test model behavior under named conditions.

Evidence chain verifiable independently.

EACs are signed; the Key Registry records the issuing key per period. Historical decisions remain verifiable years later — even if the firm rotates models, swaps providers, or changes the workflow.

Distinct from compliance.

Compliance evidence answers “did the workflow follow the policy.” MRM and audit evidence answer “was the policy correct, and is the model still behaving as intended.” The Control Plane produces both from one sealed record — but the two are different uses of it.

What second and third line actually do with it

Six day-14 jobs MRM and internal audit ship.

  • Sample 30 AI-assisted decisions for SR 11-7 review.

    Pull EACs by workflow type and period. Replay each. Compare result to recorded outcome. Document conformance — mechanically, not narratively.

  • Test three-lines-of-defense separation.

    Confirm policy authoring (1L), policy enforcement (runtime), and policy testing (2L / 3L) are operationally distinct. The Control Plane separates them structurally.

  • Issue an internal audit finding with replay evidence.

    Cite the EAC; attach the replay. The finding stands on bit-for-bit reproduction, not on narrative reconstruction.

  • Walk a supervisor through a contested AI-assisted decision.

    Pull the EAC. Show the policy that fired. Replay the workflow. The supervisor reviews the same evidence MRM and audit reviewed — in the same form.

  • Sign off on a model-update plan.

    MRM reviews what changes. Replay confirms historical decisions remain verifiable under the new model’s revocation period. Sign-off becomes mechanical.

  • Complete a regulator’s books-and-records request without reconstruction.

    Filter the event stream by request period. Package the EACs. The packet is the answer.

Bring us the model you can’t fully explain.

We’ll walk through how the runtime would have produced an evidence record an MRM reviewer or internal auditor could sign off on — and what that does to your audit cycle.