When a public company restates earnings, regulators don’t ask whether the CFO is talented. They ask to see the workpapers. The spreadsheets, the source documents, the email thread where someone challenged the revenue-recognition assumption and someone else overrode them. The audit trail is the asset. The polished 10-K is downstream of it.
Knowledge work is about to face the same expectation, and most organizations are not ready for it.
For two years the AI conversation inside companies has been about adoption: which tools to license, which workflows to automate, how to measure productivity lift. Reasonable questions — for an earlier phase, the one where the strategic risk was moving too slowly. That phase is closing. The next phase carries a different risk, and it lands hardest on the firms that adopted fastest.
The risk is this. Over the next few years somebody — a regulator, an auditor, a plaintiff’s attorney, an acquirer in diligence, a board member who has been reading — is going to ask a knowledge-work organization to produce the audit trail behind a decision. Not the deck. Not the memo. The trail. Which model produced the underlying analysis, what prompts were used, what alternatives it considered, which sources it drew from, which version of the answer the human accepted, which they rejected, and on what basis. The firms that can produce that record will be in one position. The firms that cannot will be in another.
For most of professional history, no one needed to ask. The work product was sufficient evidence of the work. A good memo proved a good analyst the way a clean audit proved a careful auditor — the artifact carried the proof of the process inside it. That sufficiency is gone. A polished deliverable now tells you almost nothing about the judgment that produced it, because the same deliverable can be the output of expert reasoning or of a junior analyst accepting whatever the model returned. The artifact survived; its evidentiary value did not.
This is not purely hypothetical, and the direction is already visible in the one place that has written the rules down. The EU AI Act, in force since 2024 and now phasing in its high-risk obligations, points squarely this way: for systems it designates high-risk, its regime requires logging sufficient for traceability across the lifecycle (Article 12) and transparency sufficient for deployers to interpret and properly use outputs (Article 13). Those obligations do not reach ordinary knowledge work as such — the Act’s high-risk education and employment triggers are specific uses: evaluating learning outcomes, screening and evaluating job candidates, monitoring worker performance (Annex III). But the expectation underneath them — that consequential AI-assisted decisions need records that can be reconstructed, not merely outputs that can be inspected — is the kind that migrates outward. Supervisory pressure is already moving in this direction, especially around model risk, third-party technology risk, and AI governance. The same question is likely to surface in employment, professional-liability, fiduciary-duty, and diligence contexts. The first major case in which a firm cannot produce the trail behind a consequential AI-assisted decision will reset the standard for everyone.
Most firms could not produce that trail today, because the process and the artifact now live in different places. The final document, the spreadsheet, the strategy deck sit in document-management systems and shared drives. The reasoning that produced them sits in browser chat windows, on individual machines, in personal accounts, scattered across ChatGPT and Claude and Copilot and Gemini and whatever else the analyst happened to open that afternoon. Some of those logs expire under default settings. Some sit in personal accounts outside enterprise control. Some were never retained in any form a legal or compliance team could reconstruct. The provenance of the most consequential work a firm produced last quarter has, in many cases, already evaporated — and no one decided that on purpose.
The reflexive response is governance theater: a policy naming sanctioned tools, a training module everyone clicks through, a quarterly attestation. None of it produces an audit trail. It produces a defensive paper trail about the audit trail — and the difference becomes obvious the first time someone has to produce records under subpoena.
What’s needed is infrastructure: a system that captures, in structured form, how AI was used to produce work, retains it under defensible policy, and makes it queryable when someone asks. This is not a new category. It’s the category of financial audit trails, clinical documentation, legal-discovery preservation — record-keeping in any industry that has been audited before. What’s new is only that knowledge-work firms never needed this layer, because, again, the artifact used to be enough.
That means the problem is not only policy. It is representation: organizations need a common way to describe AI-assisted work before they can retain, audit, compare, or defend it. One emerging answer is a provenance-specification layer: a common way to record who used which AI system, for what task, with what inputs, what output, what human revisions, what final decision. My company works in this area and our team has published an open specification for learning provenance — but the argument doesn’t depend on any one vendor or taxonomy, and it shouldn’t. The conceptual move is identical in every domain: stop trying to certify the artifact; start documenting the process that produced it.
Three implications follow for firms that move now rather than later. Retention is first: default chat-tool settings are not defensible audit-retention policies, and which AI interactions count as records belongs to the same people who answer that for email and Slack. Structure is second: raw chat logs prove an audit trail could have existed; a real one captures who used which tool, on which task, under what authorization, producing what output, revised how by the human, accepted on what basis — a structure designed before the records accumulate, not reverse-engineered from a pile of transcripts after the subpoena lands. And it has to be built with worker consent and at the level of behavioral signal, not keystroke surveillance; a provenance layer that becomes a monitoring apparatus will fail on adoption and deserve to.
The third implication is the one that pays for the first two. Once you can see how AI is used inside the firm, you can see who uses it well and who uses it badly — and the spread is wider than executives assume. The Harvard–BCG field experiment of 758 consultants found that inside AI’s capability frontier, assistance lifted task completion about 12% and quality ratings about 40%; outside that frontier, AI-assisted consultants performed roughly 19 percentage points worse than colleagues working without it (Dell’Acqua et al., Organization Science, 2025). The gap between productive and counterproductive use sat inside the human’s judgment about which task was which — and that judgment, until now, was invisible, hidden inside artifacts that looked the same either way. The compliance case justifies the investment in seeing it. The talent-and-quality case pays for it.
In The Platinum Workforce I argued that professional value would increasingly rest on capabilities like risk aptitude, transdisciplinary synthesis, agentic management, and systems thinking. AI has since sharpened the harder question — not which capabilities matter, but how an organization knows where they actually exist. The finished work product no longer answers that. A defensible record of the process has to.
The firms that navigate the next phase well will not be the ones with the most sophisticated AI strategy. They will be the ones that saw early that AI strategy and records strategy are now the same strategy, and built accordingly. The cost of designing for it now is manageable. The cost of not having it the first time someone asks is not.
The audit trail question is coming. The firms that answer it early won’t just reduce compliance risk. They will know, for the first time, how judgment is actually being produced inside the organization.
Trond Arne Undheim, PhD, is founder of Yegii Inc. and the author of The Platinum Workforce (Anthem Press, 2025).
Disclosure: I am chief business officer at Answer Labs, Inc., whose team authored the open Standard Learning Provenance Taxonomy and develops proprietary provenance infrastructure built on it. I have a financial interest in its adoption.

