Audit-Ready Dossier
A versioned, sign-off-bearing record of an AI system's security review — exportable for auditor or regulator review, structured so each stakeholder can find their part without reading the whole.
An audit-ready dossier is the complete record of an AI system's security review state at a given point in time. 'Audit-ready' means: structured, dated, signed, and queryable. 'Dossier' means: multiple artefacts that together form a single coherent record, rather than one document.
The dossier comprises: the system intake (what was reviewed); the threat register (what risks were identified); the control plan (what controls were specified, with their lifecycle gates and evidence); the evidence pack (the evidence artefacts the control plan references); the disposition memo (the AI Committee's decision); and the re-assessment log (when triggers fired and what changes followed).
Versioning matters. Each disposition is a snapshot. When the system changes or a trigger fires, the next dossier version is produced — the previous version is retained. The retained version chain is itself an evidence trail: it shows that the system was reviewed at each point of change, not just once at launch.
Audit-readiness is about queryability, not format. An auditor asking 'show me the security review that authorised this system into production on 2026-04-12' should be able to find the specific disposition memo version dated that date. An auditor asking 'what controls are in place for OWASP LLM06 sensitive information disclosure' should be able to find every control row tagged to that risk category across systems.
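As an added illustration, not the page's own tooling or code: a minimal Python model of the dossier as an append-only chain of content-hashed versions, answering the two auditor queries above (disposition by date, controls by risk tag across systems). The class and field names, the system names and the dates are constructed for the example.

```python
from dataclasses import dataclass, asdict
from datetime import date
from hashlib import sha256
# Hypothetical model (not the page's own tooling): each dossier version is a frozen,
# content-hashed snapshot, and the registry is append-only so earlier versions are retained.
@dataclass(frozen=True)
class ControlRow:
    control_id: str
    risk_tag: str            # risk category the control addresses, e.g. "OWASP-LLM06"
    evidence: tuple          # ids of artefacts in the evidence pack
@dataclass(frozen=True)
class Disposition:
    decided_on: date
    decision: str            # "authorised" | "rejected" | "conditional"
    signed_by: str
@dataclass(frozen=True)
class DossierVersion:
    system: str
    version: int
    intake: str
    threats: tuple
    controls: tuple
    disposition: Disposition
    reassessment_log: tuple  # (trigger, change) pairs since the previous version
    def digest(self) -> str:  # stable hash of the whole snapshot; the sign-off signs this value
        return sha256(repr(asdict(self)).encode()).hexdigest()
class DossierRegistry:
    def __init__(self):
        self._chain = []     # append-only: a new version never replaces an old one
    def record(self, v: DossierVersion) -> str:
        prior = sum(x.system == v.system for x in self._chain)
        if v.version != prior + 1:
            raise ValueError(f"{v.system}: expected version {prior + 1}, got {v.version}")
        self._chain.append(v)
        return v.digest()
    def authorising_disposition(self, system: str, on: date) -> list:
        return [v for v in self._chain if v.system == system
                and v.disposition.decided_on == on and v.disposition.decision == "authorised"]
    def controls_for_risk(self, risk_tag: str) -> list:
        latest = {v.system: v for v in self._chain}   # last appended per system = current version
        return [(s, c.control_id) for s, v in latest.items() for c in v.controls if c.risk_tag == risk_tag]
def build_sample_registry() -> DossierRegistry:
    reg, c7 = DossierRegistry(), ControlRow("C-7", "OWASP-LLM06", ("EV-12",))   # constructed data
    cond = Disposition(date(2026, 3, 1), "conditional", "committee-chair")
    auth = Disposition(date(2026, 4, 12), "authorised", "committee-chair")
    reg.record(DossierVersion("support-bot", 1, "intake-1", ("T-1",), (c7,), cond, ()))
    reg.record(DossierVersion("support-bot", 2, "intake-1", ("T-1",), (c7,), auth, (("EV-12 supplied", "re-decided"),)))
    reg.record(DossierVersion("doc-search", 1, "intake-2", ("T-4",), (c7,), auth, ()))
    return reg
```

Recording a version out of sequence raises rather than overwriting, which is what keeps the retained chain usable as an evidence trail.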
An audit-ready dossier supports compliance evidence — for ISO 42001 clause 8.5 (operational records) and clause 9.1 (monitoring), for EU AI Act Article 9 risk records and Article 11 technical documentation, for GDPR Article 35 (DPIA) where the AI system processes personal data. It does not certify compliance with any of those frameworks.