C11
Layer 3 - Observability & Forensics
Verifiable Audit Ledger
Hash-chained, tamper-evident audit ledger with WORM retention. Every policy decision, tool call, and side effect is committed with a verifiable chain head.
Why
- Mutable logs are not defensible. Compromised workloads can erase evidence.
What
- A tamper-evident ledger that:
  - hash-chains events
  - signs ledger commits
  - stores outputs in immutable retention
How
- ledger service computes event_hash and prev_event_hash
- store ledger head pointers in immutable storage
- periodically run integrity checks and produce verification reports
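The steps above as an added example (not the framework's own code): it chains events with event_hash and prev_event_hash, returns a head pointer on each append, and runs an integrity check against that pointer. The seq field, the all-zero genesis value, the canonical-JSON encoding, and the sample events are assumptions; commit signing and WORM storage are out of scope here.

```python
import copy, hashlib, json

GENESIS = "0" * 64  # assumed prev_event_hash for the first event
CONSTRUCTED_EVENTS = [  # constructed sample events
    {"type": "tool_call", "tool": "search"},
    {"type": "policy_decision", "decision": "deny"},
    {"type": "side_effect", "target": "ticket"}]

def event_hash(seq, prev_event_hash, payload):
    # Canonical JSON so identical events always hash to identical bytes.
    body = json.dumps({"seq": seq, "prev_event_hash": prev_event_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(ledger, payload):
    """Append an event; return the new head pointer (kept in immutable storage)."""
    seq = len(ledger)
    prev = ledger[-1]["event_hash"] if ledger else GENESIS
    ledger.append({"seq": seq, "prev_event_hash": prev, "payload": payload,
                   "event_hash": event_hash(seq, prev, payload)})
    return {"seq": seq, "event_hash": ledger[-1]["event_hash"]}

def verify(ledger, head):
    """Integrity check: return a list of findings, empty when the chain is intact."""
    findings, prev = [], GENESIS
    for pos, e in enumerate(ledger):
        if e["seq"] != pos:
            findings.append(f"sequence gap at position {pos}")
        if e["prev_event_hash"] != prev:
            findings.append(f"broken link at seq {e['seq']}")
        if event_hash(e["seq"], e["prev_event_hash"], e["payload"]) != e["event_hash"]:
            findings.append(f"content mismatch at seq {e['seq']}")
        prev = e["event_hash"]
    tail = {"seq": len(ledger) - 1, "event_hash": prev}
    if tail != head:
        findings.append("ledger tail does not match stored head pointer")
    return findings

def demo():
    ledger, head = [], None
    for payload in CONSTRUCTED_EVENTS:
        head = append(ledger, payload)
    edited = copy.deepcopy(ledger)      # payload edited in place, hashes left alone
    edited[1]["payload"]["decision"] = "allow"
    rewritten = []                      # same edit, then the whole chain recomputed
    for e in edited:
        append(rewritten, e["payload"])
    return {"intact": verify(ledger, head), "edited": verify(edited, head),
            "rewritten": verify(rewritten, head), "truncated": verify(ledger[:2], head)}
```

The in-place edit is caught by the chain itself; the fully recomputed chain and the truncated ledger are internally consistent and are caught only by comparison with the separately stored head pointer.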
Evidence
- integrity reports and hash chain validation
- immutable retention configuration proof
- completeness checks: expected events vs observed events
Failure modes
- relying on standard logs only
- no cryptographic linkage between events
- retention policies that purge needed evidence
- Toxic immutable data: storing PII/PHI in WORM storage creates a compliance deadlock (cannot delete vs. must delete).
  Mitigation: implement crypto-shredding. Encrypt sensitive payload snapshots with ephemeral keys managed in a separate KMS. To comply with deletion requests, destroy the key, leaving the immutable ledger entry intact but unreadable.
NIST AI RMF alignment
C11 maps to MEASURE and GOVERN. See the framework paper for the specific subcontrol mappings.
ISO/IEC alignment
C11 maps to ISO/IEC 27001 and ISO/IEC 27037. Typical evidence: see the Evidence section above.