advanta

HomeModule LibraryGovernance

Module GOV-13 sigil: Governance pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module GOV-13. The Pillar geometry encodes Governance (Pillar 4); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SGOV-13
P4· L-G· Bands IntegratedOptimisedDefensible

· GOV-13

Evidence Register Architecture

Every Defensibility Posture Statement claim rests on an underlying evidence record — a signed minutes pack, a logged decision, an attested audit finding. The Evidence Register Architecture defines the canonical structure that holds those records: what evidence each Module is required to produce, how it is indexed, where it is stored, the retention obligation, and the chain-of-custody discipline. Without a deliberate Evidence Register, defensibility claims rely on the founder's memory and the firm cannot answer the regulator's evidence request inside the SLA. Methodology v2026.1.

strategic

·

Quarterly

·

4 hours first run per system; 1 hour quarterly refresh per system

Methodology v2026.1

Executive Summary

The Evidence Register is the operational substrate of the Defensibility posture. For each AI system the function operates, and for each of the nine canonical Risk Taxonomy 2026 classes, the register records the contemporaneous proof: what evidence exists, who holds it, when it was last verified, and its audit-readiness status. A populated, current register is the single most important governance artefact a function can produce for regulatory, adversarial discovery, or board-level scrutiny. It feeds directly into Defensibility Element 3 (Evidence framework) of the Defensibility Posture Statement. An empty cell in a high-severity class — Hallucination, Data leakage, Professional conduct exposure — is a material gap requiring immediate remediation, not a documentation note. This module provides the canonical 9×n template, the population guide, the quarterly refresh protocol, and the audit-readiness scoring rubric.

Defensibility Evidence Produced

The Evidence Register is itself the primary DPS-grade evidence artefact. It proves the function holds contemporaneous proof per AI system × per risk class — the definition of Defensibility Element 3 (Evidence framework). A signed, dated, current register satisfies the auditor's question across all 9 canonical Risk Taxonomy classes.

Elements:

Methodology transparencyEvidence framework

The operational problem

When the regulator, the board, or adversarial discovery asks the question — show me the evidence that your AI is defensible — the institutional answer is one of two things. Either the function produces a current, signed, indexed register that holds the contemporaneous proof per AI system and per risk class, or the function produces a narrative document that gestures at evidence held in fragmented places by named individuals who may or may not still be in role.

The first answer is a defensible institutional posture. The second is the founder’s memory dressed as governance.

The Evidence Register Architecture defines the canonical structure that turns the first answer from aspiration into operational practice. Without it, the Defensibility Posture Statement is a narrative built on a fragmented evidence base, and the Annual Audit cannot sample the function’s defensibility claims to any meaningful standard.

Legal AI OS Relevance

The Evidence Register Architecture sits at the intersection of Pillar P4 (Governance, Risk & Defensible AI) and the Governance Layer (Layer G). It produces evidence for two Defensibility Elements:

  • DE-2 Methodology transparency — the register’s own structure and population discipline evidence that the function operates a documented evidence methodology
  • DE-3 Evidence framework — the register is the evidence framework; a populated, current register is the substrate of DE-3 by definition

Anchoring to Bands 3, 4, and 5 (Integrated → Optimised → Defensible), the Module is the operational instrument that distinguishes a Band-3 function (governance integrated across the operating layers) from a Band-2 function (governance present but evidence fragmented). At Band 4 the register is operated at quarterly cadence with audit-readiness scoring. At Band 5 the register feeds an institutional Defensibility posture defensible to a regulator across all nine canonical Risk Taxonomy classes. Methodology v2026.1.

Pillar Alignment

Pillar 4 (Governance, Risk & Defensible AI) is the institutional capability that holds AI accountable through documented proof. Every other Pillar produces work; Pillar 4 produces evidence that the work was governed. The Evidence Register is the operational substrate where that evidence lives.

The Pillar 4 posture this Module advances: from defensibility-claim-without-substrate to one row per AI system × per Risk Taxonomy class, with named evidence holder, last-verified date, and audit-readiness score.

Operating Layer Impact

The Governance Layer (Layer G) is where institutional constraint operates. The Evidence Register is the Layer-G artefact that every other Layer feeds. Strategy Layer (S) decisions write into the register at the Concept-stage gate. Execution Layer (E) workflow runs write into it at the Operate-stage cadence. Measurement Layer (M) telemetry produces some of the records the register indexes. Optimisation Layer (O) variance decisions write into it at the quarterly refresh.

The register itself does not operate the function — it records what the function operated. That recording discipline is what turns the function’s defensibility from claim into evidence.

Maturity Band Relevance

The Module strengthens the Defensibility lens of the Maturity Stack.

From Band

To Band

Defensibility-lens shift

3 — Integrated

4 — Optimised

Register exists → register is operated at quarterly cadence with audit-readiness scoring per row

4 — Optimised

5 — Defensible

Quarterly cadence → register feeds the institutional Defensibility posture; gap remediation enforced through the Governance Cadence

5 — Defensible

(sustaining)

Defensible posture durable across capability churn; annual external attestation possible

Functions below Band 3 typically build their first register from zero — 4 hours per system; the initial pass is a substantial undertaking and benefits from advisory. Band 3+ functions operate the quarterly refresh in 1 hour per system. Functions at Band 5 may have an external attester sample-audit the register annually.

Operational Outcomes

Operating the Architecture produces four institutional artefacts:

Artefact

Purpose

DPS evidence stream

Evidence Register — per AI system × per Risk Taxonomy class

The primary governance substrate; what evidence is held, by whom, when last verified

DE-2 + DE-3 (primary)

DPS Evidence Framework section input

The register’s structure feeds the Statement’s Element 3 directly

DE-3

Audit-readiness scoring summary

Each row scored against the audit-readiness rubric: held, indexed, verified-within-window, retention-compliant

DE-3

Gap remediation list with named owners and target dates

Empty cells in high-severity classes (1, 2, 6, 7) become standing remediation items in the Governance Cadence (GOV-15)

DE-2 + DE-3

Records are retained per the regulatory limitation period for the longest-running applicable jurisdiction, plus the full lifecycle of the AI system.

Defensibility and Governance Considerations

The Module produces evidence for DE-2 (Methodology transparency) and DE-3 (Evidence framework). The DE-3 production is canonical — the Evidence Register is the evidence framework at operational scale.

All nine Risk Taxonomy 2026 classes are covered by the register. The classes whose empty cells carry highest severity:

Class

Why an empty cell here is material

Class 1 — Hallucination

If the function cannot show evidence of hallucination controls per system, the regulator’s first question has no answer

Class 2 — Data leakage

Empty cell here is a structural failure of vendor data protection (DAT-03) — block until populated

Class 6 — Shadow AI

Empty cell here means the function does not know what is being used; block until reconciled with the AI BoM

Class 7 — Professional conduct exposure

Empty cell here is structural exposure under ABA Model Rule 5.3 — block until supervisor accountability documented

Empty cells in Class 1, 2, 6, or 7 are publication blockers for the Defensibility Posture Statement. The Governance Cadence treats them as standing remediation items until populated.

For Agentic Tier (Tier 3 + Tier 4) capability, the register requires:

  • A row per capability per class
  • A linkage to the Delegation-Authority Register (GOV-14) entry for the capability
  • A linkage to the Materiality Calibration (GOV-16) row for each in-scope decision type
  • The Evidence Register’s autonomous-action audit record per the Agentic Governance Charter (GOV-08)

The editorial-independence attestation applies — the Module makes no vendor-specific evidence-platform recommendations.

Institutional Use Cases

Use case 1 — A 200-lawyer in-house function at Band 3. The function had three AI systems and a narrative DPS. Standing up the Evidence Register produced 27 rows (3 × 9 classes); seven cells were empty on first population; four of those seven were Class 1 or 2. The Governance Cadence treated the four as immediate remediation; within two quarters all 27 cells were populated with verified evidence. The DPS Evidence Framework section moved from narrative to row-by-row defensible.

Use case 2 — A 14-partner firm at Band 4 adding Agentic Tier capability. The new Tier-3 capability triggered nine new rows (one per Risk Class). Three rows required new evidence streams that did not exist before: Class 9 (Accountability dilution) was satisfied by the Delegation-Authority Register entry (GOV-14); Class 1 was satisfied by the autonomous-action audit record per GOV-08; Class 8 (Professional conduct) required a new supervisor-attestation cadence. The capability did not deploy until all three streams were operational and the rows populated.

Use case 3 — A global energy GC office at Band 5. The function holds 18 capabilities × 9 classes = 162 rows. External attestation samples 18 rows per year (one per capability) and reports findings to the Audit Committee. The audit-readiness scoring rubric is the basis for the sampling and the score-trend over time is itself board-reported governance evidence.

Recommended Stakeholders

RACI role

Stakeholders

Owner

Legal Operations Lead

Approvers

General Counsel · Risk and Compliance

Contributors

AI Task Force · Engineering / IT

Informed

Board · Audit Committee · CIO / CISO

The Legal Operations Lead operates the register; the AI Task Force (STR-07) is the standing forum where empty cells and audit-readiness deltas are reviewed; the GC signs the quarterly DPS Evidence Framework section update.

Implementation Complexity

Dimension

Specification

First run per system

4 hours

Quarterly refresh per system

1 hour

Cross-team dependencies

IT (evidence holder identification) · Risk (class assessment) · Procurement (vendor evidence streams)

Self-serve viability

Partial — first run benefits from advisory; quarterly refresh is self-serve

Advisory recommendation

Programme Design for functions building the register from zero across more than 5 capabilities; Strategic Retainer for functions operating Tier 3+ capability at scale

The Module is methodology-versioned (v2026.1); each row’s last verified date and audit-readiness score are themselves the operating telemetry.

Inputs

Input

Source

AI system list

Capability Portfolio (SUS-10)

Risk Taxonomy 2026 class exposure map per system

GOV-04 + per-system risk assessment

Previous Evidence Register (quarterly refresh)

Self

Audit findings and close-call reports

Internal audit + GOV-05 incident records

Vendor AI BoM with evidence-stream attestations

VEN-07

Framework — the 9×n Register

Register structure

The canonical structure is a matrix: one row per AI system per Risk Taxonomy class. For n AI systems, the register is 9n rows.

Column

Content

Source

System

Canonical name from Capability Portfolio

SUS-10

Class

One of the nine Risk Taxonomy 2026 classes

Risk Taxonomy canon

Evidence held

One-line description of the proof record (e.g., “Quarterly hallucination eval result, GOV-09 protocol”)

Operational

Evidence holder

Named individual or system

RACI

Storage location

Canonical store with retention compliance

IT

Last verified

Date

Operational

Audit-readiness score

0–4 per scoring rubric

Audit-readiness rubric

Next review

Date

Operational

Gap status

Open / In remediation / Closed

Operational

Linked artefacts

Evidence Register entry IDs from related Modules

Cross-ref

Audit-readiness scoring rubric

Score

Criterion

0

No evidence held

1

Evidence claimed but not located on demand

2

Evidence located but not within retention SLA

3

Evidence located, within SLA, indexed

4

Evidence located, within SLA, indexed, sampled-attested within the quarter

Score-3 is the publication floor for the DPS Evidence Framework section. Score-4 is the institutional-grade target.

Population sequence

Step

Activity

Output

1

Capability Portfolio confirms in-scope system list

n systems × 9 classes = n × 9 rows

2

For each system, identify the evidence stream per class

First-pass evidence held / not-held flag

3

For each held-evidence cell, name the holder, storage, last-verified date

Populated rows

4

Apply the audit-readiness scoring rubric per row

Score per row

5

Identify all gaps (score 0 or 1) and route to remediation list

Gap list with owners

6

Identify Class 1/2/6/7 gaps and escalate to next Governance Cadence

Standing remediation agenda

Quarterly refresh discipline

Activity

Cadence

Output

Per-row last-verified date refresh

Quarterly

Updated dates

Per-row audit-readiness re-score

Quarterly

Score delta

New-capability rows added

On capability deployment

New rows

Decommissioned-capability rows archived

On capability sunset

Archive entries with retention-clock continuation

Gap remediation status update

Quarterly

Gap-list delta

Class 1/2/6/7 gap escalation

Quarterly

DPS publication block until cleared

Worked Example

A 200-lawyer in-house function at Band 3 stands up the register across the canonical 4-hours-per-system initial pass.

Activity

Output

Hour 1 — System 1 (contract review tool): identify evidence streams per class

9 cells populated; 2 gaps (Class 1, Class 6)

Hour 2 — System 1: name holders, storage, last-verified per held cell

Rows scored 2–3

Hour 3 — Systems 2 + 3 baseline (research-augmentation, eDiscovery): same pattern

18 additional cells; 5 additional gaps

Hour 4 — Audit-readiness scoring across all 27 rows; gap list compiled

First Evidence Register v1.0

Class 1 gap (System 1) routed to GOV-09 (Eval Harness) for remediation in the next quarter. Class 6 gap (System 1) routed to the AI Task Force for AI BoM reconciliation. By quarter 2 both gaps populated, scored 3, and the DPS Evidence Framework section published with row-by-row defensible evidence.

Common Failure Modes

Failure mode

Detection signal

Recovery

Register exists but not refreshed

Last-verified dates older than the quarterly cadence

Bind refresh to the Governance Cadence; require Chair sign-off

Evidence holder named but not in role

Cell named “Legal Operations Manager” with no specific individual; turnover loses the audit trail

Name individuals + role; transition entries on departure

Audit-readiness scores stale

Scores from last quarter applied this quarter without re-evaluation

Quarterly re-score is mandatory; binary attestation per row

Gap remediation slips

Class 1/2/6/7 gap open beyond two quarters

Escalate to GC + Audit Committee; treat as DPS publication block

Storage retention non-compliant

Evidence claimed held but retention window lapsed

Standing IT check on retention vendor configuration

New capability not added to register

AI BoM has system n+1 but register still has n × 9 rows

Bind register addition to the Capability Portfolio (SUS-10) refresh

External attestation finding ignored

Audit finding flagged but not actioned by next Governance Cadence

Bind attestation findings to standing remediation list

Edge Cases

The Module does not apply when:

  • The function operates no AI capability — no AI BoM, no systems, no register rows. Run STR-07 + GOV-02 first; the Register activates when the first capability deploys.
  • The function operates under a parent organisation’s enterprise-wide Evidence Register — the Module produces sub-rows that feed the parent’s enterprise register; the function’s own register is the sub-extract.
  • The function operates AI capability in a jurisdiction whose regulator mandates an alternative evidence-register structure — the structure adapts; the discipline remains.
  • The function is at Band 1 or 2 — the Module is premature; build Bands 1-2 through CHG-01 + GOV-01/02/03 first, then deploy the Evidence Register at the Band 3 transition.

Operational Signals

gov-13.evidence-coverage

Defensibility Posture Statement

Proportion of expected DE records present and current in the Register — DE-3 Evidence framework record.

Quarterly

gov-13.retrieval-sla

Annual Legal AI OS Index

Evidence retrieval time against external request SLA feeds the Annual Legal AI OS Index defensibility signal.

per-engagement

gov-13.retention-currency

Console

Evidence records past retention obligation for Console intelligence substrate.

On change

Recommended Stakeholders

Owner

  • Head of Legal Operations

Approvers

  • General Counsel
  • Risk & Compliance

Contributors

  • AI Task Force
  • Engineering / IT

Informed

  • Board
  • Audit Committee
  • CIO / CISO

Inputs · Outputs

Inputs

  • · AI system list from Capability Portfolio (SUS-10)
  • · Risk Taxonomy 2026 class exposure map (GOV-04)
  • · Previous Evidence Register (for quarterly refresh)
  • · Audit findings and close-call reports
  • · Vendor AI BoM (VEN-07)

Outputs

  • · Evidence Register (per AI system × per class) — primary governance artefact
  • · DPS input: Evidence Framework element (Defensibility Element 3)
  • · Audit-readiness scoring summary
  • · Gap remediation list with named owners and target dates

Diagnostic Relevance

Running the Evidence Register Architecture strengthens the Defensibility lens — expected Band progression: Integrated → Optimised.

Confidence: high

Key Takeaways

  • Complete one row per AI system × per Risk Taxonomy 2026 class (9 classes × n systems)

  • Record contemporaneous proof: what evidence is held, who holds it, when last verified

  • Refresh quarterly and at every Governance Cadence review

  • Feed the Evidence Framework element of the Defensibility Posture Statement directly

  • Flag gaps: empty cells in Class 1 (Hallucination), Class 2 (Data leakage), or Class 6 (Professional conduct) trigger immediate remediation

  • Retain for the full lifecycle of the AI system plus the applicable regulatory limitation period

Run this Module via advisory

This Module is operated within Advanta advisory engagements. Methodology v2026.1.

View Engagement Models

Targeting

Audience

GC / CLOLegal OperationsRisk & Compliance

Strengthens

Defensibility lens

Module Details

Format
Module
Difficulty
Advanced
Pillar
P4
Owner
Head of Legal Operations
Access
Practitioner Membership
Certification
Practitioner

Maturity Bands

IntegratedOptimisedDefensible

Where this Module lives

The Evidence Register is the storage spine underneath the DPS. Every Module that produces a DE-1–DE-5 record writes into the Register, and the Annual Audit (SUS-05) samples from it. The Register itself produces DE-2 (Methodology transparency) and DE-3 (Evidence framework) records. Without it, the DPS is a narrative document over a fragmented evidence base.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.