When the auditor asks what your AI did last quarter, "we have a policy" is not an answer. Policies describe intent; audits want evidence. Here's how to generate it as the work happens — not assemble it the week the audit lands.
The real question
Most organisations don't have an AI policy gap — they have an evidence gap. The acceptable-use policy is signed, the tool register exists. Then internal audit asks a specific question: show us the control path for this one AI-drafted email. Which model, whose account, who approved the send? A footnote saying "AI was used" fails that test, and reconstructing it from vendor dashboards and mailbox forensics takes weeks. In one 2026 survey, 78% of executives doubted they could pass an independent AI audit within 90 days. The fix isn't more policy — it's evidence designed in from the start.

How to do it
Log at the platform layer, not in each team's notebook. Route every AI request through one place that records usage, cost, and logs per model, per key, and per endpoint. That one decision turns "what did AI do here?" from an interview exercise into a query.
Then make activity attributable to named people. A log that says a key did something is half an answer — auditors ask who. Carry user identity on the trace, and give everyone a self-service view of their own usage: oversight reads as a shared record, not surveillance.
Finally, require a recorded human approval on consequential outbound actions: who saw the draft, what they approved, when it was sent — with a disclosure footer on the output itself, so the recipient knows too.

What this looks like
In Pebble, this looks like: internal audit picks one AI-drafted customer email and asks for its control path. The administrator opens the Usage and Logs dashboards and pulls the request — which model handled it, under which key, through which endpoint, at what cost, derived from configured pricing. The trace names the account manager; attribution by email or full name is an admin setting, not a forensics project. The email itself was drafted in chat, edited, and sent through the account manager's own Microsoft 365 mailbox only after they approved the send — with the AI-disclosure footer on the message the customer received. One output, one control path, in minutes.
Why this holds up in a regulated business
- Usage and Logs dashboards record usage, cost, and logs per model, key, MCP server, and endpoint, with per-organisation request attribution.
- Traces attribute activity by user email or full name — an admin-configurable setting.
- Every user gets a self-service usage page; logged costs derive from configured pricing.
- AI-drafted email sends only after the user approves the action, through the user's own connected Microsoft 365 mailbox, with the AI-disclosure footer preserved on the message.
- Deployed across US, Europe and Australia.
Two honest limits: observability covers AI model traffic — we don't claim one federated view of every capability's activity — and logs work at model, key, server and endpoint level, not field-level document lineage.
Where to start
Pick one consequential workflow — customer email is the obvious candidate — and run it end to end: request logged, cost attributed, user named, approval recorded, disclosure on the output. Hand that single control path to your internal auditor before they ask. Make your AI auditable from the first request.
Pebble Powered AI.


