advanta

HomeGlossaryGovernance

Framework

Governance

P4

Evidence Register

Audience

GC / CLORisk & ComplianceLegal OperationsCIO / CISO

DEFINITION

The catalogue maintained per AI system in use that records contemporaneous proof of governance: evaluation results, security attestations, data residency confirmations, model upgrade notices, and customer-impact assessments. The Evidence Register is updated on a quarterly cadence and on every material change, and is distinct from the Risk Register.

Detailed Explanation

The Evidence Register is the institutional artefact that catalogues, per AI system in use by the legal function, the contemporaneous proof of governance. It is distinct from the Risk Register: the Risk Register names what could go wrong; the Evidence Register holds what the function would produce when it does.

The distinction matters under stress. A Risk Register without an Evidence Register is a list of acknowledged risks with no demonstrated response capability. A function that has named a risk class does not, by virtue of naming it, demonstrate that it has the evidence to respond when the class triggers. The Evidence Register is what closes that gap.

What the Register contains

Per AI system: the latest evaluation results against the legal-specific benchmarks the function applied during selection; the most recent security attestations from the vendor (SOC 2, ISO 27001, sectoral certifications); the data residency confirmations and sub-processor inventory; the model upgrade notices the vendor has issued and the function’s impact assessments for each; customer-impact assessments if the system reaches client deliverables; the vendor exit-readiness documentation; the Defensibility Posture Statement that the system supports. Each entry is dated, sourced, and refreshable on demand.

The Register also catalogues function-side artefacts: the per-decision audit log samples that demonstrate decision traceability; the methodology documentation that articulates why the system was selected for the task; the workflow specifications for Tier 2 and above capabilities; the action-bounds documentation for Tier 3; the delegation-authority register for Tier 4. The Register is the evidence layer that supports the five Defensibility Elements operationally.

Cadence

The Evidence Register is not a one-time exercise. It is updated on a quarterly cadence and on every material change: model upgrades, vendor incidents, regulatory developments, internal policy changes. A Register that has not been refreshed in twelve months has degraded materially regardless of how complete it appeared at last refresh. Stale Evidence Registers are a quarterly drift audit finding.

The cadence discipline distinguishes institutional functions from functions that maintain the Register as a periodic audit-response exercise. Institutional functions refresh as material change occurs; periodic-response functions refresh when the next audit window approaches. The latter pattern leaves the function unable to respond to out-of-cycle inquiry, which is when the Register is most acutely tested.

Position in the Defensibility framework

The Evidence Register is the third of the five Defensibility Elements (D3). It pairs with Decision Traceability (D1, the per-decision record) and Methodology Transparency (D2, the why behind system selection) to constitute the evidential substrate any adversarial challenge will demand. Functions at the Defensible Maturity Band maintain the Register at quarterly cadence; functions at Foundational typically have no Register at all; functions at intermediate bands have partial Registers that surface in audit findings as material weaknesses.

For acquirers, the Evidence Register is the diligence target. An acquirer evaluating a target organisation’s AI exposure will request the Register early in diligence. A target with a complete, current Register accelerates the diligence; a target without one extends diligence by weeks while the Register is reconstructed retrospectively. The reconstruction cost is itself a Defensibility-quadrant loss the target accepts in lieu of having maintained the Register at cadence.

Quick Facts

Term Type

Framework

Category

Governance

Related Pillar

P4 · Governance

Governance

Methodology
v2026.1
Last reviewed
27 May 2026

Explore Glossary

← All Terms