Sub-period audit reporting for sectional regulator reviews

Regulator reviews rarely cover the calendar year. They cover a section: a specific customer journey, a specific product line, a specific time window. Annual reports answer the wrong question and force second-line teams to retro-fit evidence to scope. Sub-period reporting inverts this: the report is generated to the regulator's scope, not the firm's reporting cycle.

Three forces make sub-period reporting necessary. Regulators increasingly conduct targeted reviews rather than holistic supervision. Firms operate dozens of agents across many journeys; an annual aggregate report obscures more than it reveals. And the operational evidence backing AI agent decisions is granular enough that arbitrary slicing is, finally, technically possible.

Sub-period scope is defined by three inputs: the agent or journey under review, the time window, and the policy framework being evidenced. Given those three, AgentAudit can generate the report deterministically — every line item is derived from a query against the audit trail, every query is recorded, and the report itself becomes an auditable artefact.

• Scope unit — agent, agent family, business unit, or named journey
• Time window — explicit start and end timestamps, with timezone
• Framework — one of FCA, ICO, MHRA, EU AI Act, ISO 42001, NIST AI RMF, UK AI Action Plan
• Confidentiality — sections may be redacted for regulator vs internal versions

Determinism matters. If two engineers generate the report twice with the same three inputs, they must get the same output. This is what lets the report be a defensible artefact rather than a snapshot of how someone happened to phrase a query that day.

We achieve determinism by treating report generation as a pure function of the audit trail and the input scope. The audit trail itself is append-only; reports run against a frozen snapshot of it. Cross-references to underlying evidence carry content-addressed hashes.

When a regulator challenges a line item, the firm must be able to point to the underlying evidence and show it has not been tampered with. AgentAudit records each line item with a cryptographic reference to the originating audit entry. Regulators can verify the integrity of the chain without trusting the platform — the verification procedure is published and the references resolve against the firm's own data store.

Suppose the FCA initiates a section review of a firm's customer-onboarding journey for the months of March and April. The journey uses an AI agent at three steps: eligibility pre-screen, suitability questionnaire, and product recommendation.

The firm scopes a sub-period report: scope = onboarding journey, window = 1 March to 30 April, framework = FCA Consumer Duty. The generated report enumerates, for each of the three agent-touched steps: customer-facing outcomes (with sample, redacted, transcripts), recorded rationale at decision time (provenance + rationale patterns), human review of flagged cases (review pattern), and behavioural drift vs the certified baseline (drift pattern).

A digital health firm operates a triage assistant. The MHRA requests a post-market surveillance summary for Q2. Scope = triage assistant; window = 1 April to 30 June; framework = MHRA post-market.

The report enumerates: traced incidents (telemetry events flagged as anomalous), human-clinician overrides of the agent's recommendation, drift in the agent's triage-category distribution, and any harness-detected regressions during the period. Every line carries a reference to the underlying audit entry; clinical safety officers can verify each one.

Sub-period reports surface evidence gaps as well as evidence. If the report cannot resolve a required line item, it says so explicitly — 'no rationale record for this decision class in this window' — rather than silently omitting it. The visible gap is itself useful: it is the basis for a remediation plan, presented to the regulator alongside the report.