Lesson 11 / 12
The audit trail as the spine
Every governed action lands in a tamper-evident, write-once trail secured by a hash chain. Key points:
- The trail is the same place deploys, approvals, access changes, and AI actions are recorded. At org scale this is what makes a cross-tenant question answerable: who did what, when, and under which policy.
- Design exports and retention so an oversight body gets something it can verify, scoped correctly by tenant. Cross-tenant reads are an operator capability, not a tenant one, and your design has to keep that line.
- Tenant isolation is enforced in the database with row-level security, not by application-layer filtering you have to trust. The boundary holds even if application code has a bug, and your governance design depends on that being true.