Why Deterministic Evidence Beats Screenshots
Any developer can screenshot a passing test. Auditors know this. Enterprise procurement knows this. Deterministic compliance evidence is reproducible, cryptographically verifiable, and court-defensible — screenshots are not.
Same input → Same output → Same SHA-256 hash. Every time. Provably.
How Most Teams Collect Compliance Evidence (And Why It Fails)
When your enterprise customer, insurance underwriter, or regulator asks for proof, these are the four ways manual evidence lets you down.
Screenshots lie
A screenshot of a passing test is indistinguishable from a doctored screenshot. Auditors know this. Enterprise procurement teams know this. A screenshot proves nothing except that someone knew how to press Print Screen.
Manual evidence can't be reproduced
If your auditor asks "can you run that test again?", the answer for manual evidence is always "we'll have to do the whole thing again manually." That's a red flag. Deterministic evidence can be re-run instantly — same input, same output, same hash.
Spreadsheets aren't audit trails
A compliance spreadsheet that anyone with edit access can modify is not evidence — it's an assertion. SOC 2 Type II and ISO 27001 auditors require evidence of controls operating continuously, not a document saying they do.
Stale evidence expires
AI models change, prompts change, deployments change. Evidence collected six months ago about a system that has since been updated tells auditors nothing about today's risk posture. Continuous deterministic scans produce a timestamped chain of evidence.
What "Deterministic" Actually Means
Four technical properties that make HAIEC evidence trusted by auditors, accepted by legal teams, and defensible in regulatory proceedings.
How it works: Every scan is run with identical engine versions, rule sets, and parameters. The output hash is the same unless the code actually changed.
Why auditors trust it: Auditors can verify a scan was not selectively run to produce favorable results.

How it works: SHA-256 hashing of scan inputs, rule versions, and outputs. Any modification to evidence after creation produces a hash mismatch.
Why auditors trust it: Evidence cannot be backdated or altered without detection. Chain of custody is provable.

How it works: PostgreSQL triggers block UPDATE and DELETE on compliance evidence tables at the database level — no application code can bypass this.
Why auditors trust it: Even a compromised admin account cannot alter past evidence. Auditors value this over application-level controls.

How it works: Every scan output records the exact rule version and engine version used. You can prove what rules existed at any point in time.
Why auditors trust it: Demonstrates continuous testing against known-good rule sets, not ad-hoc one-time checks.
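The hashing and versioning properties above, worked through as an added example (illustrative code written for this page, not HAIEC's implementation): each evidence record binds the scan input hash, the rule set version, the engine version and the output hash, and links to the hash of the previous record. Re-running the same scan reproduces the same output hash; editing any stored field, or replacing one record in the chain, fails verification. All field names, sample inputs, rule versions and findings are constructed for the example.

```python
# Added example: hashing a scan into a deterministic, chained evidence record.
# Illustrative code, not HAIEC's implementation; field names and sample data are constructed.
import hashlib
import json


def canonical_bytes(obj) -> bytes:
    """Serialise as canonical JSON (sorted keys, fixed separators) so equal content always yields equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GENESIS_HASH = "0" * 64  # chain link used by the first record
HASHED_FIELDS = ("engine_version", "rule_set", "input_hash", "output_hash", "recorded_at", "previous_hash")


def build_evidence_record(scan_input, rule_set, engine_version, findings, recorded_at, previous_hash=GENESIS_HASH):
    """Bind inputs, rule version, engine version and outputs into one record chained to the previous one.

    The output hash depends only on the findings, so re-running the same scan with the same rules
    reproduces it exactly; the record hash additionally binds the timestamp and the chain position.
    """
    body = {
        "engine_version": engine_version,
        "rule_set": rule_set,
        "input_hash": sha256_hex(canonical_bytes(scan_input)),
        "output_hash": sha256_hex(canonical_bytes(findings)),
        "recorded_at": recorded_at,
        "previous_hash": previous_hash,
    }
    return {**body, "findings": findings, "record_hash": sha256_hex(canonical_bytes(body))}


def verify_evidence_record(record, scan_input) -> bool:
    """Recompute every hash from the stored fields; any edit to findings, versions, timestamp or link fails."""
    if record["input_hash"] != sha256_hex(canonical_bytes(scan_input)):
        return False
    if record["output_hash"] != sha256_hex(canonical_bytes(record["findings"])):
        return False
    body = {k: record[k] for k in HASHED_FIELDS}
    return sha256_hex(canonical_bytes(body)) == record["record_hash"]


def verify_chain(records, inputs) -> bool:
    """Check each record individually and that each one points at the hash of the record before it."""
    previous = GENESIS_HASH
    for record, scan_input in zip(records, inputs):
        if record["previous_hash"] != previous or not verify_evidence_record(record, scan_input):
            return False
        previous = record["record_hash"]
    return len(records) == len(inputs)


# Constructed sample data (not real scan output).
SAMPLE_INPUT = {"target": "example-chat-service", "files": {"prompt.py": "SYSTEM = 'You are a helpful assistant'\n"}}
SAMPLE_RULES = {"name": "example-static-rules", "version": "2024.1"}
SAMPLE_FINDINGS = [{"rule_id": "EX-001", "severity": "medium", "location": "prompt.py:1"}]
ENGINE_VERSION = "example-engine-1.0.0"


def build_sample_chain():
    """Two chained scans of the same target: a first scan, then a clean re-scan after the finding was fixed."""
    first = build_evidence_record(SAMPLE_INPUT, SAMPLE_RULES, ENGINE_VERSION, SAMPLE_FINDINGS, "2024-01-01T00:00:00Z")
    fixed_input = {**SAMPLE_INPUT, "files": {"prompt.py": "SYSTEM = load_prompt()\n"}}
    second = build_evidence_record(fixed_input, SAMPLE_RULES, ENGINE_VERSION, [], "2024-01-02T00:00:00Z",
                                   previous_hash=first["record_hash"])
    return [first, second], [SAMPLE_INPUT, fixed_input]


if __name__ == "__main__":
    records, inputs = build_sample_chain()
    print("chain valid:", verify_chain(records, inputs))
    tampered = [{**records[0], "findings": []}, records[1]]
    print("after editing findings:", verify_chain(tampered, inputs))
```

The canonical JSON step is what makes the "same input, same hash" property hold in practice: two serialisations of the same findings with different key order or whitespace would otherwise hash differently and look like a change that never happened.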
Who Will Ask for This Evidence
These are real conversations AI companies have. Screenshot-based evidence fails every single one.
"Show us your SOC 2 Type II report with AI-specific controls testing."
→ Reproducible evidence of continuous testing, not one-time scans.
"What proof do you have that your AI system was tested for prompt injection before deployment?"
→ Timestamped, immutable scan records with rule-level detail.
"Provide documentation of all AI security assessments conducted in the past 24 months."
→ Court-defensible audit trail — screenshots rejected.
"Demonstrate that your high-risk AI system was tested for robustness per Article 15."
→ Verifiable testing record with methodology documentation.
HAIEC Proprietary Technology
MARPP — Database-Level Evidence Immutability
Most compliance tools protect evidence at the application layer — a bug or a compromised admin account can still alter records. HAIEC's MARPP protocol (Metadata-Anchored Retention & Proof Protocol) enforces immutability at the PostgreSQL database level using triggers that block UPDATE and DELETE operations on evidence tables. No application code can bypass this. Auditors trust database constraints more than application-level controls.
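The database-level control described above, as an added example (illustrative code written for this page, not HAIEC's MARPP implementation): an evidence table whose triggers reject every UPDATE and DELETE while still accepting INSERT. So that it runs offline, the example uses SQLite from Python's standard library as a stand-in; the page describes PostgreSQL, and the equivalent PostgreSQL trigger DDL is included as an unexecuted string. Table and column names, and the sample rows, are constructed.

```python
# Added example: an append-only evidence table enforced by database triggers.
# Illustrative code, not HAIEC's MARPP implementation. SQLite stands in for PostgreSQL so the example
# runs offline; POSTGRES_EQUIVALENT shows the same control in PostgreSQL syntax (not executed here).
import sqlite3

EVIDENCE_SCHEMA = """
CREATE TABLE compliance_evidence (
    id             INTEGER PRIMARY KEY,
    scan_id        TEXT NOT NULL,
    rule_version   TEXT NOT NULL,
    engine_version TEXT NOT NULL,
    record_hash    TEXT NOT NULL,
    recorded_at    TEXT NOT NULL
);
-- Refuse every UPDATE and DELETE before it happens; INSERT stays allowed, so the table is append-only.
CREATE TRIGGER evidence_no_update BEFORE UPDATE ON compliance_evidence
BEGIN
    SELECT RAISE(ABORT, 'compliance_evidence is append-only: UPDATE rejected');
END;
CREATE TRIGGER evidence_no_delete BEFORE DELETE ON compliance_evidence
BEGIN
    SELECT RAISE(ABORT, 'compliance_evidence is append-only: DELETE rejected');
END;
"""

# The same control in PostgreSQL: one trigger function raising an exception, fired for both statements.
POSTGRES_EQUIVALENT = """
CREATE OR REPLACE FUNCTION reject_evidence_change() RETURNS trigger AS $$
BEGIN
    RAISE EXCEPTION 'compliance_evidence is append-only: % rejected', TG_OP;
END;
$$ LANGUAGE plpgsql;
CREATE TRIGGER evidence_append_only
    BEFORE UPDATE OR DELETE ON compliance_evidence
    FOR EACH ROW EXECUTE FUNCTION reject_evidence_change();
"""


def open_evidence_db(path=":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(EVIDENCE_SCHEMA)
    return conn


def append_evidence(conn, scan_id, rule_version, engine_version, record_hash, recorded_at) -> int:
    """The only write path: insert a new evidence row and return its id."""
    cur = conn.execute(
        "INSERT INTO compliance_evidence (scan_id, rule_version, engine_version, record_hash, recorded_at) "
        "VALUES (?, ?, ?, ?, ?)",
        (scan_id, rule_version, engine_version, record_hash, recorded_at),
    )
    conn.commit()
    return cur.lastrowid


def attempt(conn, sql, params=()) -> str:
    """Run a statement and report 'ok' or 'rejected: <reason>' so the caller can see the database refused it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return "ok"
    except sqlite3.DatabaseError as exc:  # RAISE(ABORT) surfaces as an IntegrityError
        conn.rollback()
        return f"rejected: {exc}"


def fetch_hash(conn, row_id) -> str:
    return conn.execute("SELECT record_hash FROM compliance_evidence WHERE id = ?", (row_id,)).fetchone()[0]


def row_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM compliance_evidence").fetchone()[0]


if __name__ == "__main__":
    db = open_evidence_db()
    rid = append_evidence(db, "scan-0001", "example-rules-2024.1", "example-engine-1.0.0", "a" * 64, "2024-01-01T00:00:00Z")
    print(attempt(db, "UPDATE compliance_evidence SET record_hash = ? WHERE id = ?", ("b" * 64, rid)))
    print(attempt(db, "DELETE FROM compliance_evidence WHERE id = ?", (rid,)))
    print("stored hash unchanged:", fetch_hash(db, rid) == "a" * 64, "rows:", row_count(db))
```

Because the rejection happens inside the database engine, it applies to every client, including direct SQL sessions that never touch the application. One point an auditor will still check: in PostgreSQL a role that owns the table can drop or disable the trigger, so this control is normally paired with restricted DDL rights and with hash verification of the records themselves, which is the second layer the page describes.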
Before and After: Your Next SOC 2 Audit
Without Deterministic Evidence
- Auditor asks to re-run a test → "We'll need several days"
- Evidence collection takes 3-4 weeks of manual work
- Auditor questions screenshot authenticity
- Finding: "Insufficient evidence" for CC7.2 monitoring
- Remediation period extended → audit cost doubles
- Procurement deal stalled — customer waiting on SOC 2
With HAIEC Deterministic Evidence
- Auditor asks to re-run a test → done in 60 seconds
- Evidence package auto-generated from continuous scans
- SHA-256 hash proves evidence hasn't been modified
- CC7.2 covered with timestamped AI monitoring records
- Audit observation period runs without interruption
- Deal closes — SOC 2 delivered within agreed timeline
Common Questions
What is deterministic compliance evidence?
Deterministic means the same scan inputs always produce the same outputs. Given the same code, same rules, and same environment, the scan result is identical and verifiable. This means evidence cannot be cherry-picked — it reflects the true state of the system at that moment.
Why do auditors reject screenshots as compliance evidence?
Screenshots are trivially forgeable and cannot be independently verified. A screenshot of a passing test cannot be distinguished from an edited screenshot. Professional auditors — particularly for SOC 2 Type II and ISO 27001 — require evidence that has a verifiable chain of custody.
How does HAIEC make evidence tamper-proof?
Two layers: (1) SHA-256 hashing of all scan outputs links inputs to outputs — any change breaks the hash. (2) MARPP protocol enforces immutability at the PostgreSQL database level using triggers — not application code that could be bypassed.
Does this work for AI-specific security testing?
Yes — this is specifically designed for AI systems. Our 91-rule static scanner and 22-category runtime tester produce deterministic evidence for prompt injection testing, credential exposure, data leakage, and more. Each finding includes the exact rule version, input payload hash, and result — all immutable.
Is deterministic evidence accepted for EU AI Act compliance?
EU AI Act Article 15 requires high-risk AI systems to be tested for robustness and cybersecurity. Deterministic evidence of adversarial testing (prompt injection, input validation, output integrity) directly satisfies this requirement with verifiable methodology documentation.
Stop Collecting Evidence Manually
Every scan HAIEC runs produces cryptographically verifiable, immutable evidence. Start free — no credit card.