The Discipline of Immutable Evidence

How XVICA treats audit-grade evidence as an architectural property, and why immutability is the cheapest insurance regulated infrastructure can buy.

In regulated infrastructure, the failures that hurt aren't usually the ones that page someone overnight. They're the ones a regulator finds six months later, when they ask a question your system can't answer.

The first instinct is usually logging. Logging helps, but it isn't enough by itself. Logs tend to be append-only by convention rather than by enforcement, mutable by anyone with sufficient privilege, and rarely signed. One determined operator, or one careless deploy, can quietly render them useless. Examination evidence has to survive both of those.

Evidence as a property of the system

We treat audit-grade evidence as part of the architecture, not as something the ops team is expected to bolt on later. A transaction isn't finished until its journal entry is written to an event-sourced ledger you can rebuild from a hash chain. A control evaluation isn't "performed" until the rule version, the inputs, the decision, and the reviewer metadata are written into a record that nobody can edit afterwards. You can supersede that record with a new one. You cannot go back and change the original.

Most of the cost of doing this lands up front, in design and review. The payoff arrives the next time someone asks a hard question and the answer is already on disk, where it has been for two years.

What this looks like in practice

A few patterns recur across our regulatory and compliance engines.

Hash-chained journals are the foundation. Every write commits a hash of the prior entry, so tamper detection is a property of the data structure itself rather than something a background job has to remember to verify on a schedule.

Control records are signed at write time, with the signing key's rotation history kept in the same journal as the records it signed. The point isn't just to prove "this evaluation happened" — it's to prove which key signed it, and to be able to walk back through the chain of custody on that key without leaving the journal.

Examination exports come out of a deterministic query, not a person assembling spreadsheets the week before the regulator visits. Rerun the same query a year later and you should get the same evidence back, byte for byte where it matters.
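
As an added illustration of the first two patterns above (this is example code, not XVICA's own; the HMAC secret stands in for an asymmetric signing key, and the entry fields, key ids and sample values are assumed), a minimal hash-chained journal in which key rotations are journaled alongside the control records they sign, plus a verifier that walks the chain from genesis and reports the first entry whose link, hash, signature or key custody fails:

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash committed by the first entry

def canonical_hash(obj):
    """SHA-256 over canonical JSON, so identical content always hashes identically."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class Journal:
    """Append-only, hash-chained journal; signing-key rotations are entries in the same journal."""
    def __init__(self):
        self.entries = []
        self._keys = {}  # key_id -> HMAC secret (assumed stand-in for an asymmetric signing key)

    def _append(self, body, key_id=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "prev_hash": prev, **body}
        if key_id is not None:
            entry["key_id"] = key_id
            entry["sig"] = hmac.new(self._keys[key_id], canonical_hash(entry).encode(), "sha256").hexdigest()
        entry["hash"] = canonical_hash(entry)  # covers prev_hash, body and signature
        self.entries.append(entry)

    def rotate_key(self, key_id, secret):
        self._keys[key_id] = secret  # the secret never enters the journal, only a fingerprint of it
        self._append({"type": "key_rotation", "key_id": key_id, "fingerprint": canonical_hash(secret.hex())})

    def record_control(self, key_id, rule_version, inputs, decision, reviewer):
        self._append({"type": "control_evaluation", "rule_version": rule_version,
                      "inputs": inputs, "decision": decision, "reviewer": reviewer}, key_id)

def verify(entries, keys):
    """Walk from genesis; return None if intact, else the index of the first bad entry."""
    prev, journaled_keys = GENESIS, set()
    for i, original in enumerate(entries):
        e = dict(original)
        h = e.pop("hash", None)
        ok = e.get("prev_hash") == prev and canonical_hash(e) == h
        if ok and e.get("type") == "key_rotation":
            journaled_keys.add(e["key_id"])  # custody: a key is valid only after its rotation entry
        elif ok:
            sig, key_id = e.pop("sig", ""), e.get("key_id")
            ok = key_id in journaled_keys and key_id in keys and hmac.compare_digest(
                sig, hmac.new(keys[key_id], canonical_hash(e).encode(), "sha256").hexdigest())
        if not ok:
            return i
        prev = h
    return None
```

Because the rotation entry sits in the chain, deleting it breaks the link for everything after it, and a record signed by a key with no earlier rotation entry fails custody even when the signature itself checks out.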

None of this is novel. The hard part is refusing to cut any of it from scope when the deadline gets tight, and that's a cultural problem more than a technical one.