Audit is cryptographic. Dashboards are not.
A distinction that sounds pedantic and turns out to be the entire ballgame.
A dashboard shows you what your system did. The data on the dashboard is read from your operational logs, your application database, your event store. The trust anchor is the operator: you trust the system to have logged honestly and to display the logs accurately. For most operational use cases, this is fine. The team needs to know what shipped, what broke, and what the queue depth looks like. A dashboard answers those questions.
Audit is a different question. Audit is what a regulator, an internal investigator, an external counterparty, or a court asks six months after an incident, when the question is not "what did the system do" but "what cannot later be denied that the system did." The trust anchor for that question cannot be the operator, because the operator is the entity under investigation, and asking the operator to demonstrate that they did or did not do something is the inquiry, not the answer.
For audit to be useful, the trail has to be cryptographically anchored to a moment in time, signed in a way that cannot be retroactively rewritten, and verifiable by any third party without the operator's cooperation. None of these properties are produced by a dashboard. All of them are required for an audit trail to survive the proceedings it exists for.
This distinction is going to destroy several AI compliance programs over the next two years. The teams running them have built dashboards. They are calling the dashboards audit. The dashboards are not audit. The first time it matters, the failure will be public.
A dashboard is a trust extension. An audit is a trust replacement. The first asks you to believe the operator. The second makes the operator unnecessary to the question.
What dashboards do, and what they do not
A typical AI deployment dashboard, today, shows: requests per minute, latency percentiles, error rates, top users by volume, top tools invoked, and a feed of recent interactions. The data lands on the dashboard via the operational logging pipeline: application logs are written to a log aggregator, indexed, and queried by the dashboard backend.
This is fine. Operations teams need this. The product manager needs this. The compliance officer, looking at it for compliance purposes, also gets a view that feels comprehensive. They can see what happened. They can drill in. They can export a report.
What they cannot do is answer the regulator's question.
Were these logs modified after they were written? The application code wrote the logs. The application code can rewrite them. The application database holds them in tables that the operator's database administrator can edit. Whether the logs reflect what happened is a property of the operator's good faith and the operator's process discipline, not a property of the data itself.
Were these logs complete? Application logging is opt-in per code path. The code path that did the consequential action might or might not have logged. If it did not log, there is no record. The regulator has no way to confirm completeness without auditing the code itself, which is a much harder review than reading a chain.
Were these logs written at the time of the action, or constructed afterward? Most application logs include a timestamp written by the application. The application can write any timestamp it wants. Without an external time anchor (a cryptographic timestamp from a trusted clock authority), the timestamps prove nothing. They are claims about when something happened, not evidence.
Can a third party verify these logs without the operator's cooperation? No. The logs are in the operator's database. The third party needs the operator's cooperation to read them, and the operator's good faith to believe the read. This is the structure of self-attestation, which courts and regulators have been declining to accept for a hundred years.
These four properties are what cryptographic audit provides and dashboards do not. The properties are not nice-to-haves. They are what makes audit different from observability.
What cryptographic audit looks like
A cryptographic audit chain has four properties.
Each entry is signed at the moment of the event, by a key bound to a verifiable identity. The signature is a commitment by the signer to the contents of the entry. The contents cannot be modified later without breaking the signature. The signer cannot disclaim the signature later without disclaiming the key, which is verifiable separately.
Each entry is hash-linked to the previous entry. Modifying any entry, even one written years ago, breaks the hash chain forward. The chain's integrity is observable end-to-end by anyone who has the chain. There is no point in the chain where an entry could be silently inserted, modified, or removed without detection.
The chain is verifiable without the operator. The verifier reads the chain, checks each signature against the public key, walks the hash links, and produces a result. The verifier does not need the operator's database, the operator's logs, or the operator's cooperation. If the verifier produces "valid," the chain is valid. If "invalid," the chain has been tampered with at some point.
The chain references external time anchors. Each entry includes a timestamp from a clock authority outside the operator's control. The clock authority can be a public timestamping service, a regulator-run service, or a federation of authorities. The timestamp is what makes the entry's claim about its moment in time independent of the operator's claim.
These four properties produce a record that survives the regulator's scrutiny. The operator's good faith is not in the trust path. The court's question becomes "is this chain valid," which is a cryptographic question with a deterministic answer, not a credibility question with a hand-waving answer.
Why VOAF was built this way
VOAF, the Verifiable Output Audit Format, is the spec we wrote for cryptographic audit of AI agent activity. The format implements all four properties above. The reference verifier, vigil-verify, runs locally and produces a deterministic verification result.
We built VOAF this way for one reason. The first time an AI agent compromise is litigated, the question is going to be "what does the audit trail show." Operators that hold their audit trail in application logs are going to have a hard moment, because the logs will be challenged, the operator's process discipline will be challenged, and the operator's relationship to the data will be the entire dispute. Operators that hold their audit in a cryptographic chain will hand the chain to the verifier, the verifier will produce "valid," and the dispute will be about what the chain says, not about whether the chain can be trusted.
The first set of operators is in for a bad time. The second set is not. We want our customers in the second set.
This is also why VOAF is open. A proprietary format that requires Vigil's cooperation to verify is a format that the operator cannot fully escape from us. An open format, with an open verifier, is a format the operator owns. They can verify their own chain. They can hand the chain to a regulator who verifies it independently. They can outlive Vigil, if it comes to that.
The McKinsey lesson, briefly
The McKinsey Lilli post covers the breach in detail. The audit-versus-dashboard angle is worth surfacing here.
The forensic conclusion that emerged from the Lilli incident was that no client data had been accessed by unauthorized parties. The conclusion was published by McKinsey, supported by a third-party forensics firm McKinsey selected, based on the data that McKinsey held.
I have no reason to doubt the conclusion. I also have no way to verify it, and neither does anyone outside of McKinsey's chosen forensics partner. The audit was performed by the operator on the operator's own data. The trust anchor is McKinsey's good faith.
If Lilli had run a cryptographic chain, every configuration change would be recorded with a signed entry at the moment of change. The forensic question would not be whether McKinsey acted in good faith. It would be whether the chain shows any unauthorized configuration change in the affected window. Either it does, or it does not. The answer is observable to any party with access to the chain, not just to the operator.
This is the difference. The current state in enterprise AI is "trust the operator." The state we should be moving toward is "trust the chain, the operator does not need to be in the trust path."
What this means for buyers
A few specific things to ask.
Is your AI platform's audit trail cryptographic? If the answer is "we have application logs," you are buying observability, not audit. The vendor may call it audit. It is not audit.
Can the audit trail be verified without the vendor's cooperation? If the answer is no, the audit is a vendor-trust dependency. Acceptable for low-stakes deployments, unacceptable for regulated ones.
What is the time anchor on the audit entries? If the answer is "the application's local clock," the timestamps are claims, not evidence. A cryptographic timestamp from a third-party service is what produces evidence.
What happens to the audit trail if the vendor goes out of business? If the answer is "we are not sure" or "you would need to migrate," the audit trail is held hostage to the vendor's continued operation. An open format with an open verifier survives the vendor.
These four questions filter the AI platforms that have taken audit seriously from the ones that have not. The unfiltered list is most of the market. The filtered list is small.
The arc
Audit is upstream of compliance. Compliance is upstream of regulatory acceptance. Regulatory acceptance is upstream of the AI deployment scope your enterprise is allowed to operate in. The chain runs through audit. If the audit is observability dressed up, the chain breaks under scrutiny. The deployment scope contracts. The enterprise loses the AI program it invested in.
This sounds dramatic. It is the structure of every adjacent industry that went through compliance maturation in the previous fifty years. AI is on the same arc.
The teams that get this right early have a structural advantage. The teams that mistake dashboards for audit will discover, expensively, that the two are not the same.
The fix is not retroactive. You cannot cryptographically sign log entries that were written without signatures. You can, starting today, write new entries to a chain that holds all four properties above. The earlier you start, the longer your verifiable history is when the question is asked.
We started at v0. The chain is in production. The verifier is open. The format is published.
The bar is set.