Skip to Content
Training AcademyAuditor Track

Auditor Track

Audience: Internal and external auditors, CISO reviewers
Goal: Independently verify AI governance evidence for a regulated enterprise client
Estimated time: ~2 hours across 6 modules

Who can use this
Available to
Auditor
Not available to
AdministratorDeveloperGovernance EngineerCompliance OfficerBusiness Owner

This track is for Auditors accessing a client’s VeriProof instance. If you are an Administrator, see the Administrator Track instead for full platform configuration and management.

Track overview

Independence note. If you are an external auditor reviewing a client’s VeriProof instance, you should be accessing the portal via a guest auditor share link provided by the client — not with a full-access account. This track is designed for that context.

ModuleTitleTime
1The VeriProof governance data model20 min
2Navigating the auditor portal view20 min
3Session review: Time Machine decision replay20 min
4Blockchain verification25 min
5Evidence pack contents and standards20 min
6Governance scoring methodology and limitations15 min

Module 1 — The VeriProof governance data model

Goal: Understand what data VeriProof captures, where it comes from, and what the chain-of-custody looks like from SDK call to blockchain anchor.

Key concepts:

  • Session — a single AI interaction (one user request → response)
  • Step — a sub-event within a session (LLM call, tool call, retrieval, etc.)
  • Governance attribute — structured metadata about the AI decision (classification, oversight required, regulatory scope)
  • Declared vs. inferredGovernanceInferredMask identifies which attributes came from the SDK directly vs. were inferred by the VeriProof platform from other signals. Declared attributes are stronger evidence.
  • Merkle anchoring — a Merkle tree of span hashes is computed each batch cycle and the root is written to Solana as a memo transaction. This makes the data tamper-evident: any modification to a span changes its hash, which cascades to the root.

Self-assessment:

  • I can describe what a VeriProof session contains
  • I understand the difference between declared and inferred governance attributes
  • I understand at a conceptual level how Merkle anchoring proves tamper-evidence

Module 2 — Navigating the auditor portal view

Goal: Become familiar with the portal surfaces available to an auditor guest account and how to navigate them.

Read:

Available in auditor guest view (read-only):

  • Applications list with governance scores
  • Compliance Center with control mapping
  • Session list and Time Machine replay
  • Evidence Packs
  • Blockchain verification panel

Not available in auditor guest view:

  • Alert rule configuration
  • SDK health management
  • User and role management
  • Billing

Self-assessment:

  • I can navigate to the applications list and identify which applications are in scope
  • I can read the governance score and understand what it measures
  • I know where to find the control mapping for a specific framework

Module 3 — Session review: Time Machine decision replay

Goal: Use the Time Machine to reconstruct and verify individual AI decisions.

Read:

What Time Machine provides:

  • Full multi-step trace replay with decision pathway visualization
  • Input/output reconstruction (if content capture was enabled)
  • Governance attribute values at each step (declared vs. inferred)
  • Anomaly flags and rule evaluations
  • Comparison across multiple sessions with similar characteristics

Audit sampling approach:

  1. Use the Sessions page to filter by application, time range, and classification
  2. Apply statistical sampling (random or risk-stratified) to select sessions for review
  3. Open each selected session in Time Machine
  4. For each session: verify classification is appropriate, confirm oversight requirements were met, check for anomaly flags

Self-assessment:

  • I can open a session in Time Machine and understand the decision pathway
  • I can verify whether a session’s classification matches the declared risk level
  • I understand what an anomaly flag means in the context of an audit finding

Module 4 — Blockchain verification

Goal: Independently verify the tamper-evidence of an Evidence Pack using the open-source veriproof-verify CLI.

Read:

Verification steps:

  1. Download the Evidence Pack from the client’s portal (or receive it from the client)
  2. Download veriproof-verify from github.com/veriproof/veriproof-verify 
  3. Run: veriproof-verify <evidence-pack.zip>
  4. The tool will:
    • Recompute the Merkle tree from the included session data
    • Fetch the Merkle root from the Solana transaction ID in the pack
    • Compare the two roots
    • Output: VERIFIED (roots match) or TAMPERED (roots differ) + which spans changed

The tool does not require a VeriProof account or network access to the VeriProof platform. It communicates only with the Solana RPC endpoint to read the memo transaction.

What this proves:

  • The session data included in the Evidence Pack has not been modified since the Merkle root was anchored on Solana
  • The anchoring timestamp on Solana is independently verifiable (Solana is a public blockchain)
  • Important limitation: This proves the data was not modified after anchoring. It does not prove the data was accurate at the time of capture — that requires SDK code review.

Self-assessment:

  • I have run veriproof-verify successfully against a test Evidence Pack
  • I understand what a VERIFIED result means and what it does not mean
  • I know how to interpret a TAMPERED result and what the likely explanations are

Module 5 — Evidence pack contents and standards

Goal: Know exactly what is in an Evidence Pack and how to use it as audit evidence.

Read:

Evidence Pack contents checklist:

SectionWhat it containsAudit use
Signed PDFGovernance score, control mapping, anomaly summary, session statisticsPrimary audit deliverable
JSON-LDMachine-readable linked data with full governance attribute valuesGRC tool ingestion, structured evidence
SPDX manifestList of all session IDs included in this packEvidence scope definition
Merkle rootHash of all included sessionsInput to tamper-evidence verification
Solana TX IDTransaction containing the Merkle root on-chainBlockchain proof reference
Verifier outputOutput of veriproof-verify run at time of pack generationIndependent verification artifact
Control mappingPer-control evidence citationsFramework-specific audit evidence

Self-assessment:

  • I have reviewed all sections of a sample Evidence Pack
  • I can map each Evidence Pack section to the corresponding audit requirement
  • I know which sections to cite in an audit management system vs. which are supplementary

Module 6 — Governance scoring methodology and limitations

Goal: Understand how VeriProof calculates governance scores — and be able to explain the methodology to a skeptical auditor or regulator.

Transparency requirements:

  • Governance scores are a leading indicator, not a compliance certification
  • A governance score of 100 does not mean the AI system is compliant with any specific regulation — it means the data is fully captured and consistently structured
  • Scores can drop if the SDK is misconfigured — a drop does not necessarily mean a compliance violation, but it requires investigation

Score components (simplified):

  1. Attribute completeness — % of sessions with all required governance attributes set
  2. Schema compliance — % of attributes that conform to the declared schema (enum values, data types)
  3. Behavioral consistency — anomaly rate across sessions (high anomaly rates reduce the score)

What the score does NOT measure:

  • Whether the AI system’s outputs are fair, accurate, or unbiased
  • Whether the declared classification matches the actual risk level of the AI system
  • Whether the controls the attributes reference are actually implemented

Self-assessment:

  • I can explain to a regulator what a governance score measures and its limitations
  • I understand that a high score requires developer action to maintain, not just configuration
  • I can identify the three score components and describe what would cause each one to drop

Request your certificate

Once you have completed all 6 module self-assessments, request your Auditor Track completion certificate. This certificate is valid for 12 months.

Last updated on
Business Owner TrackCompletion Certificates