Sample audit response
When a regulator, auditor, or counterparty asks "show me how this AI decision was made," the response template below is what you send. Adapt to the specific framework and tone, but the structural elements are the same.
The scenario
A health-insurance plan uses an AI system to assist with prior-authorization decisions. A patient files a complaint after a denial. The state insurance regulator opens a data request: produce evidence of how the AI evaluated the case.
What to include in the response
1. Cover letter (1 page)
Identify the system, the decision, the date, the patient (or de-identified surrogate), and the regulator's reference number. Conclude with: "Cryptographic evidence of this decision is provided as Exhibit A. The decision is independently verifiable using the procedure in Section 3."
2. Exhibit A — Verdifax audit report
Fetch the PDF for the run:
curl -s https://your-orchestrator/runs/{id}/report.pdf \
-H "X-Verdifax-Key: vfx_..." \
-o exhibit-A-verdifax-audit.pdf
The PDF contains:
- The Verdifax wordmark and run number
- Date and duration of the decision
- The full sealed ManifestHash
- Run metadata (program id, route id, payload hash, status)
- All 18 sealed manifest fields
- The six DKEC kernel execution IDs
- Regulatory-mapping section (EU AI Act / HIPAA / SOX, as relevant)
- Verification statement
- QR code linking to the run detail view
3. Section 3 — Independent verification procedure
This is the part that makes the evidence chain credible. Include verbatim:
The cryptographic seal in Exhibit A may be independently verified by any party in possession of the original input. Verification does not require access to our systems, our databases, or our staff.
Procedure:
- Install the Verdifax SDK:
    pip install verdifax
- Reconstruct the canonical input as documented in [the original program registration].
- Run:
    import verdifax

    ok = verdifax.verify(
        manifest_hash="<hash from Exhibit A>",
        payload="<reconstructed canonical input>",
        program_id="<from Exhibit A>",
        route_id="<from Exhibit A>",
        registry_record_hash="<from Exhibit A>",
    )
    assert ok is True
- If ok is True, the recorded decision is consistent with the inputs and the registered program. Tampering would invalidate the seal.
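The following is an added illustration of what the verification step in Section 3 is checking and why an altered input fails it. It is not Verdifax's code or its real sealing algorithm: the manifest field set, the canonical-JSON encoding and the SHA-256 construction are assumptions chosen to model the procedure, and every identifier and record value is a constructed placeholder. What it shows is the shape of the check: the verifier rebuilds the canonical input, recomputes the seal from that input plus the fields printed in Exhibit A, and compares; any change to the input, the program id or the route id produces a different value.

```python
import hashlib
import hmac
import json

# Constructed model of a seal-and-verify flow. The manifest fields and the
# hashing order are assumptions for illustration, not the Verdifax SDK's
# actual algorithm; the call shape mirrors verdifax.verify() in Section 3.


def canonicalize(record: dict) -> str:
    """Deterministic JSON (sorted keys, no whitespace) so the same facts always
    serialize to the same bytes: the 'canonical input' a verifier must rebuild."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=True)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def compute_manifest_hash(program_id: str, route_id: str, payload_hash: str,
                          registry_record_hash: str) -> str:
    """Bind run metadata and the payload hash into a single seal value (assumed layout)."""
    manifest = {
        "program_id": program_id,
        "route_id": route_id,
        "payload_hash": payload_hash,
        "registry_record_hash": registry_record_hash,
    }
    return sha256_hex(canonicalize(manifest))


def seal_run(program_id: str, route_id: str, registry_record_hash: str,
             input_record: dict) -> dict:
    """What the orchestrator records at decision time: the values that end up in Exhibit A."""
    payload_hash = sha256_hex(canonicalize(input_record))
    return {
        "program_id": program_id,
        "route_id": route_id,
        "registry_record_hash": registry_record_hash,
        "payload_hash": payload_hash,
        "manifest_hash": compute_manifest_hash(
            program_id, route_id, payload_hash, registry_record_hash),
    }


def verify(manifest_hash: str, payload: str, program_id: str, route_id: str,
           registry_record_hash: str) -> bool:
    """Recompute the seal from the reconstructed input and the Exhibit A fields and
    compare it with the sealed value. Constant-time comparison avoids leaking how
    many leading characters matched."""
    recomputed = compute_manifest_hash(
        program_id, route_id, sha256_hex(payload), registry_record_hash)
    return hmac.compare_digest(recomputed, manifest_hash)


def verify_against_exhibit(exhibit: dict, reconstructed_input: dict) -> bool:
    """The reviewer's side of Section 3: rebuild the canonical input, then verify."""
    return verify(
        manifest_hash=exhibit["manifest_hash"],
        payload=canonicalize(reconstructed_input),
        program_id=exhibit["program_id"],
        route_id=exhibit["route_id"],
        registry_record_hash=exhibit["registry_record_hash"],
    )


# Constructed sample: a de-identified prior-authorization input record and
# placeholder identifiers (none of these are real Verdifax or plan values).
ORIGINAL_INPUT = {
    "member_id": "DEIDENTIFIED-0001",
    "procedure_code": "EXAMPLE-PROCEDURE",
    "diagnosis_codes": ["EXAMPLE-DX-1", "EXAMPLE-DX-2"],
    "prior_treatments": 2,
}
PROGRAM_ID = "placeholder-prior-auth-program"
ROUTE_ID = "placeholder-route"
REGISTRY_RECORD_HASH = sha256_hex("placeholder registry record")

# The "Exhibit A" values as they would have been sealed at decision time.
EXHIBIT_A = seal_run(PROGRAM_ID, ROUTE_ID, REGISTRY_RECORD_HASH, ORIGINAL_INPUT)

if __name__ == "__main__":
    print("faithful reconstruction:", verify_against_exhibit(EXHIBIT_A, ORIGINAL_INPUT))
    # One field changed after the fact: the seal no longer matches.
    altered = dict(ORIGINAL_INPUT, prior_treatments=5)
    print("altered input:", verify_against_exhibit(EXHIBIT_A, altered))
```

Two properties of this model are worth noting when you write the scope statement in Section 4. First, key order in the reconstructed input does not matter, because canonicalization fixes it; only the facts themselves matter. Second, a run that sealed a clinically wrong recommendation verifies just as cleanly as a correct one: the check proves integrity of the record, not the quality of the decision.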
4. Honest scope statement
Include this paragraph verbatim:
The cryptographic seal proves that the recorded run occurred as described and is byte-for-byte reproducible from the same inputs. It does not certify that the AI system's recommendation was clinically or substantively correct — that determination remains a question of professional judgment and is addressed in [other governance documentation, attached as Exhibit B].
This honesty is the credibility move. Regulators see overstated cryptographic claims constantly; precise scoping reads as serious work.
5. Optional — third-party attestation
If you have an external auditor that has independently verified the same hash, include their letter. This converts your evidence chain from "we say so" to "we say so, and an independent firm with reputational stake confirms."
The pattern, abstracted
Every audit response, regardless of regulatory framework, follows the same shape:
- Identify the specific decision under review
- Provide the Verdifax PDF as primary evidence
- Document the independent-verification procedure
- Scope what the cryptographic claim covers and does not cover
- Optional third-party verification letter
