LR-301e · Module 1
Evidence by Design
In LR-201b we covered building the evidence chain — contemporaneous documentation, traceability, and retention. At the 301 level, evidence production is engineered into the system rather than layered on top of it. Evidence by design means that every compliance control automatically produces its own evidence artifact as a byproduct of operating. The quarterly risk assessment generates a timestamped report. The bias testing protocol produces a signed test log. The human oversight process creates a decision record. None of these require a separate evidence creation step.
- Automated Evidence Generation: For every control in the compliance matrix, engineer an evidence artifact that is produced automatically when the control operates. The artifact includes: what control operated, when, by whom, with what result, and to what standard. Automated generation eliminates the gap between "the control ran" and "we can prove the control ran." [CLEARED]: Evidence that generates itself cannot be forgotten.
- Evidence Repository Architecture: Centralize evidence in a structured repository organized by compliance framework, obligation, and time period. The repository supports querying — "show me all evidence for EU AI Act Article 9 from Q3 2026" — rather than searching. Structured storage enables retrieval in minutes. Unstructured storage enables retrieval in hours, if at all.
- Retention Automation: Different frameworks require different retention periods. Automate retention so evidence is kept for the required period and purged when the retention obligation expires. Over-retention creates data management burden and potential privacy liability. Under-retention creates compliance gaps. [RECOMMEND]: Map retention periods to the compliance matrix and automate both retention and purging.
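
The three elements above can be sketched together in a few lines. This is an added example, not code from the course: the class and function names, the in-memory store, and the retention periods in RETENTION_DAYS are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed retention periods in days; real values come from the compliance matrix.
RETENTION_DAYS = {"EU AI Act": 3650, "Framework B": 365}

@dataclass(frozen=True)
class Evidence:
    control: str           # what control operated
    framework: str         # repository key: compliance framework
    obligation: str        # repository key: obligation
    operated_at: datetime  # when
    operator: str          # by whom
    result: str            # with what result
    standard: str          # to what standard

class EvidenceRepository:
    def __init__(self):
        self._records = []

    def control(self, name, framework, obligation, standard):
        """Decorator: running the control writes its evidence record as a side effect."""
        if framework not in RETENTION_DAYS:
            raise KeyError(f"no retention period mapped for {framework}")
        def wrap(fn):
            def run(operator, now=None, **kwargs):
                when = now or datetime.now(timezone.utc)
                def record(outcome):
                    self._records.append(Evidence(
                        name, framework, obligation, when, operator, outcome, standard))
                try:
                    result = fn(**kwargs)
                except Exception as exc:
                    record(f"error: {exc}")  # a failed run is evidence too
                    raise
                record(str(result))
                return result
            return run
        return wrap

    def query(self, framework, obligation, start, end):
        """Structured retrieval by framework, obligation and time period [start, end)."""
        return [e for e in self._records
                if (e.framework, e.obligation) == (framework, obligation)
                and start <= e.operated_at < end]

    def purge_expired(self, now):
        """Drop records whose retention period has elapsed; return how many were purged."""
        keep = [e for e in self._records
                if now - e.operated_at <= timedelta(days=RETENTION_DAYS[e.framework])]
        purged, self._records = len(self._records) - len(keep), keep
        return purged
```

A control is registered by decorating its function with repo.control(...) and is then invoked with the operator's identity as the first argument; there is no separate call that writes the evidence.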