What an auditor will ask. What Comply already logs.
A controls review wants three things: did the policy exist at the time, did the system enforce it, and can you prove neither was tampered with after the fact.
What governed this request, who approved it, and what came back?
Identify the caller and authority used.
Show the system, action, endpoint, and fields.
Explain allow, deny, hold, redact, or mask.
Include chain verification results.
Reviewer-ready context with request details, policy outcome, and chain verification.
Did the policy exist at the time?
Every policy carries versioned state. Governance manifests export the policy, role, principle, integration, and classification state that applied during a selected window.
The evidence: a scoped Governance Manifest for the audit window.
Did the system enforce the policy?
Pre-request decisions, post-response decisions, human approvals and denials, classification changes, and consequential policy events write to the audit log with actor, action, target, request details, outcome, policy version, and timestamp.
The evidence: filtered audit log exports for the window under review.
Can you prove the audit log was not rewritten?
The hash chain verifies against persisted audit state. Tamper with a historical entry and verification identifies the chain break.
The evidence: a chain verification result shipped alongside the exported log.
Compliance frameworks the architecture supports
Tamper-evident logging, least-privilege enforcement, role-aware access, human approval for consequential actions, and exportable evidence packets support SOX, HIPAA, GDPR, and SOC 2 controls reviews. Specific contractual commitments belong in executed customer agreements.