Audit trail requirements for AI-assisted lending decisions
What the audit trail must contain
A defensible audit trail for an AI-assisted credit decision requires more than logging the final outcome. The record must capture: (1) the specific AI output relied upon (the score, recommendation, flag, or analysis produced), (2) the inputs or documents that drove that output, (3) the identity of the human reviewer who reviewed the AI output and the timestamp of that review, (4) the reviewer's action (approved as recommended, overridden, escalated), (5) the final decision with the specific reasons that support an adverse action notice if applicable, and (6) any adverse action notice sent and the date it was sent.
The record must be sufficient to reconstruct the decision without querying the model again — because models are updated, replaced, or retired, and the model version that made a recommendation in 2025 may not exist when an examiner reviews the file in 2027. Immutability matters: a record that can be edited after the fact provides no audit assurance. Timestamps and tamper-evidence are table stakes.
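The sketch below is an added example, not Hadrian's implementation: it shows one way to make a record with items (1) through (6) tamper-evident by chaining each entry to the previous one with SHA-256. The field names, the hash-chain design, and the sample values are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor value for the first entry

# Field names are assumptions mapping to items (1)-(6) above, plus the model version.
REQUIRED = ("ai_output", "model_version", "input_doc_hashes", "reviewer_id",
            "reviewed_at", "reviewer_action", "final_decision",
            "adverse_action_reasons", "notice_sent_at")

def entry_hash(prev_hash, record):
    # Canonical JSON so an identical record always produces the same hash.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_record(ledger, record):
    """Reject incomplete records, then chain the new entry to the previous one."""
    missing = [k for k in REQUIRED if k not in record]
    if missing:
        raise ValueError(f"incomplete audit record, missing: {missing}")
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"record": record, "prev_hash": prev, "hash": entry_hash(prev, record)}
    ledger.append(entry)
    return entry

def first_tampered(ledger):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None

def sample_ledger():
    # Constructed sample data, not real case records.
    base = {"ai_output": {"score": 612, "recommendation": "decline"},
            "model_version": "example-model-1.3", "input_doc_hashes": ["sha256:aaaa"],
            "reviewer_id": "u-1001", "reviewed_at": "2026-03-02T15:04:05Z",
            "reviewer_action": "overridden", "final_decision": "approve",
            "adverse_action_reasons": [], "notice_sent_at": None}
    ledger = []
    append_record(ledger, base)
    append_record(ledger, dict(base, reviewer_id="u-1002", reviewer_action="escalated"))
    return ledger
```

A chain like this only detects edits if the most recent hash is also held somewhere the ledger's writer cannot modify; otherwise every hash after an edit can simply be recomputed.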
Emerging regulatory expectations for AI governance
Regulatory expectations for AI audit trails are hardening across multiple frameworks in 2026. Fannie Mae Lender Letter LL-2026-04, effective August 6, 2026, requires sellers and servicers to maintain audit records sufficient to demonstrate human oversight of AI-assisted decisions in covered workflows. The EU AI Act's high-risk AI provisions — enforcement beginning August 2, 2026 for lenders with EU exposure — require technical documentation, logging, and human oversight for AI systems used in creditworthiness assessment. Colorado's AI Act (SB 189, enforcement effective January 1, 2027) requires documentation of consequential decisions made with algorithmic tools for Colorado consumers.
Last verified: 2026-06-16. Regulatory timelines and requirements may change. Verify current status and applicability to your specific programs with qualified counsel before the respective effective dates.
How Hadrian implements AI audit trails
Hadrian writes every case event — including AI tool outputs, the documents they were based on, and each reviewer action — to a tamper-evident audit ledger. The evidence graph links each decision to the specific inputs reviewed, so the record is self-contained and does not depend on re-running the model. The operator-gated AI trust dial lets operators define which AI recommendations require human sign-off before the case can advance, enforcing the human oversight checkpoint in the workflow rather than relying on reviewer discipline alone.
Hadrian provides the infrastructure to record and retain AI audit trails; it does not assess whether any specific AI tool is appropriate for a given lending use case, or whether any specific audit record satisfies the requirements of a particular regulator or examination. Those determinations are the operator's responsibility, and should be reviewed with qualified compliance counsel.
FAQ
Audit trail requirements for AI lending decisions — common questions
What is the difference between an audit log and an audit trail?
An audit log is a chronological record of system events (who did what, when). An audit trail is a broader chain of evidence linking a decision back through every input, intermediate step, and human action that contributed to it. For AI lending decisions, an audit trail is what's needed — a log of logins and clicks is not sufficient to reconstruct why a credit decision was made.
Can the AI model itself explain the decision, or do we need a separate record?
The model cannot serve as its own audit trail. Models are updated or retired; the specific version, parameters, and inputs at the time of a decision must be captured in the case record. For ECOA compliance, the record must support specific adverse action reasons that are accurate to the actual decision — which requires capturing the specific output and inputs at decision time, not relying on the model to reproduce them later.