AffixIOAFFIXIO
Contact

Proof not log

Proof not log audit evidence

Audit packs built only from logs struggle under dispute. AffixIO signed allow or deny outcomes with Merkle references give auditors something they can re-check, beside whatever SIEM still collects.

Category Compliance and audit Updated 17 July 2026 Reading ~5 min
PROOF NOT LOGAUDIT PACKMERKLEML-DSA-65ALLOW/DENYSIEM

Definition

Proof not log means treating signed verification outcomes as primary audit evidence, with logs as complementary operational context.

Field note. Log archaeology does not prove a verify decision at the boundary. Issue proofs and attach Merkle refs to the record.

What goes in the pack

Business identifier, AffixIO allow or deny, Merkle reference, timestamp, circuit or policy version. Optional SIEM context for narrative. No document images at the verifier by default.

Use proof-not-log audit pages and the SIEM compare page in stakeholder briefings.

Roles

Security still owns monitoring. Compliance owns evidence standards. Engineering owns instrumentation so refs are always stored. AffixIO supplies the verification primitives.

Practice retrieval quarterly. An unread proof is theatre.

Verifier placement for proof-not-log evidence

Map proof-not-log evidence to a single verify endpoint even if multiple protocols feed the same checkout or tool surface. One permission layer reduces drift between AP2, UCP, and direct REST integrations.

Review deny rates weekly during pilot. Spikes often trace to policy drift or clock skew on expiry, not fraud.

Regulatory pressure

Screenshots and SIEM exports

When the only evidence is a log export, counterparties argue about completeness and authenticity. Signed decisions reduce that argument.

Authenticity doubts

Logs can be edited or selectively exported.

Missing decisions

You see traffic, not policy outcomes.

PII-heavy exports

Teams dump attributes into logs to reconstruct why access was granted.

Slow packs

Analysts spend days assembling weak evidence.

Merkle handoff

Proof-based audit evidence instead of log archaeology

Auditors asking for proof a gate fired should not receive gigabytes of application logs. Verify outcomes with Merkle-linked proofs give replayable evidence without raw log exports.

  1. Define pack schema

    Required AffixIO fields.

  2. Instrument verify paths

    Persist refs.

  3. Train analysts

    Retrieve and re-verify.

  4. Keep SIEM complementary

    Do not drop logging.

Before you commit

Readiness checks for proof-not-log evidence

  • Publish an evidence pack template.
  • Require Merkle refs on gated decisions.
  • Schedule quarterly retrieval drills.
  • Align with /compare/proof-not-log-vs-siem.
  • Remove PII dumps used only for reconstruction.

Quick clarifications

Questions on proof-not-log evidence

Does proof replace SIEM?

No. It complements logging.

Who re-verifies?

Auditors or tooling using Merkle and signature checks.

What if verify was never called?

There is no AffixIO proof. Fix the gate.

Where to read more?

/proof-not-log-audit/

Protocol notes

Pages that support proof-not-log evidence

Replace log exports with proof audit

Run verify with Merkle handoff in sandbox, then give your audit team a replay path without raw logs.