Audit trails worth defending.

The one objection that closes deals. Append-only audit log, AI Generation Log, Decision Audit, Privacy Operation Audit, Compliance Pack Export, Retention & Legal Holds — six audit substrates threaded through every program and capability.

Append-only audit log

Every state transition on every entity captured forever. Vendor created, assessment opened, questionnaire dispatched, answer received, score drafted by AI, score overridden by reviewer, finding opened, finding mitigated, finding closed — each carries actor, timestamp, before-state, after-state, IP, and user agent. Indefinite retention by default. Legal holds pin entities against expiry.

AI Generation Log

Every AI-drafted score, every AI-authored questionnaire, every AI-extracted CUEC, every AI-derived data flow — captured with model name, model version, system message version, prompt path, full prompt, full response, and the resulting structured output. When the auditor asks "did a human review this," the log answers definitively. When the regulator asks "what did the AI actually say," the log answers verbatim.

Decision Audit

Every reviewer action — verb (Accept, Override, Request More, Green-light, Red-flag), notes, signature, IP, user agent, and the findings opened as a result — captured separately from the entity log. Filterable by reviewer, by vendor, by framework, by time range. Exports as evidence for SOC 2 Type II readiness, FedRAMP SAR, or any other audit asking "did the human review."

Privacy Operation Audit

Every classification confirmation, every flow auto-derivation, every DSAR search execution, every retention notification, every consent state change — captured separately. Privacy operations get their own audit substrate because the regulators asking about them aren't always the same ones asking about TPRM.

Compliance Pack Export

Single-archive bundle of Decision Audit, Finding Lifecycle, Score Override Report, AI Generation Log, User Activity Log, Privacy Operation Audit, and every assessment PDF for a date range. Manifest is signed for independent integrity verification — your auditor can verify the export hasn't been tampered with after generation. Exactly what 3PAOs need for the SAR package.
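As an added illustration of what a signed manifest buys the auditor (example code, not the product's own): every artifact in the pack is hashed, the canonical manifest is signed with an Ed25519 key held only by the export service, and the auditor verifies with the public key alone, so an altered, removed or planted file, or an edited manifest, is rejected. File names, manifest layout and key handling are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)
// Manifest maps each archive path to its hex SHA-256 digest (layout is an assumption).
type Manifest map[string]string
// SamplePack is a constructed stand-in for the archive contents.
func SamplePack() map[string][]byte {
	return map[string][]byte{
		"decision_audit.json":       []byte(`[{"verb":"Override","reviewer":"r.lee","at":"2024-03-02T10:15:00Z"}]`),
		"ai_generation_log.jsonl":   []byte(`{"model":"example-model","version":"1","output":{"score":3}}` + "\n"),
		"assessments/vendor-17.pdf": []byte("%PDF-1.7 constructed placeholder"),
	}
}
// NewKeyPair makes the Ed25519 key the exporter signs with; the auditor holds only the public half.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }
func digest(data []byte) string { sum := sha256.Sum256(data); return hex.EncodeToString(sum[:]) }
// canonical gives deterministic bytes (encoding/json sorts map keys); Marshal cannot fail for this type.
func canonical(m Manifest) []byte { b, _ := json.Marshal(m); return b }
// BuildManifest hashes each artifact; the manifest, not the archive, is what gets signed.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range files {
		m[name] = digest(data)
	}
	return m
}
// SignManifest returns the detached signature shipped alongside the manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, canonical(m)) }
// VerifyPack is the auditor's side: check the signature, then every file against its digest,
// rejecting anything added, removed or altered after generation.
func VerifyPack(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if len(files) != len(m) {
		return fmt.Errorf("archive holds %d files, manifest lists %d", len(files), len(m))
	}
	for name, want := range m {
		if data, ok := files[name]; !ok || digest(data) != want {
			return fmt.Errorf("%s missing from archive or altered after signing", name)
		}
	}
	return nil
}
```

The signature covers the manifest, so the public key, the manifest and the detached signature are what the auditor needs alongside the archive; the private key never leaves the export service.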

Retention & legal holds

Indefinite retention by default. Tenant-configurable retention policies anchored to regulatory citations. Legal holds pin entities against expiry — when litigation or regulatory inquiry hits, the GRC team flips the hold flag and the data stays put until the hold lifts.

Stop dreading the audit. Export the pack.

Compliance Pack Export is included in Pro and Enterprise.