Supporting position

Audit trails don’t create accountability.

Build provenance (SLSA) attests where and how an artefact was produced; it does not attribute the decision. Accountability needs a decision-and-attribution trail engineered above the pipeline.

Conventional wisdom

Build provenance (SLSA) gives us an audit trail, so we’re covered.

Our position

Knowing how something was built is not the same as knowing who decided it.

Why we believe it

Provenance attests how an artefact was produced; it does not attribute the decision. Accountability needs a decision-and-attribution trail engineered above the pipeline.
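The gap described above, as an added example that is not part of the original page: a SLSA v1 provenance statement is joined on artefact digest against a decision log kept above the pipeline, and every artefact with no attributable decision is reported. The provenance field names follow the SLSA v1 / in-toto statement layout; the decision-record schema, the identities and all sample values are constructed assumptions.

```python
# Constructed SLSA v1 provenance statement (sample data, not from the page).
DIGEST_A, DIGEST_B = "a" * 64, "b" * 64
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "predicateType": "https://slsa.dev/provenance/v1",
    "subject": [{"name": "api.tar.gz", "digest": {"sha256": DIGEST_A}},
                {"name": "worker.tar.gz", "digest": {"sha256": DIGEST_B}}],
    "predicate": {
        "buildDefinition": {"buildType": "https://example.com/build/v1"},
        "runDetails": {"builder": {"id": "https://ci.example.com/builder"}},
    },
}
# Hypothetical decision log kept above the pipeline; this schema is an assumption.
DECISIONS = [{"digest": DIGEST_A, "decision": "approve-release",
              "decided_by": "alice@example.com",
              "decided_at": "2025-01-15T10:02:00Z",
              "rationale": "change ticket reviewed"}]
REQUIRED = ("digest", "decision", "decided_by", "decided_at", "rationale")

def build_facts(statement):
    """What provenance can answer: which artefacts, which builder, which build type."""
    pred = statement["predicate"]
    return {"builder": pred["runDetails"]["builder"]["id"],
            "build_type": pred["buildDefinition"]["buildType"],
            "digests": [s["digest"]["sha256"] for s in statement["subject"]]}

def attribution_gaps(statement, decisions, decision="approve-release"):
    """Return {digest: reason} for artefacts with no attributable decision."""
    facts, gaps = build_facts(statement), {}
    for digest in facts["digests"]:
        records = [d for d in decisions
                   if d.get("digest") == digest and d.get("decision") == decision]
        complete = [r for r in records if all(r.get(f) for f in REQUIRED)]
        if not records:
            gaps[digest] = "no decision record"
        elif not complete:
            gaps[digest] = "decision record incomplete"
        elif all(r["decided_by"] == facts["builder"] for r in complete):
            # A pipeline identity approving its own output attributes nothing.
            gaps[digest] = "decided by the builder itself"
    return gaps

if __name__ == "__main__":
    print(build_facts(PROVENANCE))
    print(attribution_gaps(PROVENANCE, DECISIONS))
```

Both artefacts carry complete provenance, yet only one has a named decider; the other is fully traceable to a builder and to no person.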

What we’ve observed

  1. EU AI Act Articles 12 and 14 make a queryable decision log and human oversight a requirement for high-risk systems.