The decision trail is becoming law.
Across jurisdictions, one expectation is converging into law: that an organization can produce the trail behind a consequential decision — who decided, on what basis, with what oversight, kept on the record. This brief helps any organization assess its readiness against a common, vendor-neutral reference.
Informational, not legal advice. Obligations vary by jurisdiction, sector, and role; counsel should confirm what applies to a given organization. Regulatory dates move — plan to the direction, not to a single date. Readiness brief v0.1.
A decision is assured when five things are true — and provable.
The trail is the artifact those five properties produce. It is not a binder of policies written afterward; it is the contemporaneous record of the decision itself.
- Complete: Reviewed across every relevant domain — not whichever reviewers were free.
- Consistent: The same standard applied as it would be on any other day.
- Grounded: Each material claim points to evidence a third party could check.
- Governed: The rules that must not break were enforced, not left to vigilance.
- On the record: What was decided, why, what was weighed, and what was rejected — captured at the moment of decision and retained.
The trail is moving from good practice to legal expectation.
The point is not any single statute. It is the direction — uneven, but unmistakable. The most explicit codification is the European Union Artificial Intelligence Act (EU AI Act); alongside it sit the General Data Protection Regulation (GDPR) and United States rules already in force — the Equal Credit Opportunity Act (ECOA) and Regulation B with Consumer Financial Protection Bureau (CFPB) guidance, and supervisory guidance SR 11-7.
| Regime | What it requires | When |
|---|---|---|
| EU AI Act | For high-risk systems: technical documentation (Article 11), automatic event logging (Article 12), human oversight (Article 14), deployer log retention (Article 26). | High-risk (Annex III) duties apply 2 December 2027 under the 2026 Digital Omnibus — deferred from 2 August 2026; provisional until formal adoption. |
| GDPR | Limits on a solely automated decision with significant effect (Article 22); meaningful information about the logic involved (Article 15(1)(h)); the controller must demonstrate compliance (Article 5(2)). | In force. |
| United States — credit | Specific, accurate reasons for an adverse action; a complex or "black-box" model is not an exemption (CFPB Circular 2022-03). | In force. |
| United States — bank models | Model documentation a third party can follow, independent validation, and governance (supervisory guidance SR 11-7). | In force. |
Sources: Council of the European Union (7 May 2026) · EU AI Act · CFPB Circular 2022-03.
Assess readiness with the Decision Assurance Levels.
Not every decision warrants the same rigor. The Decision Assurance Levels (DAL) grade a decision A through E by what happens if it is wrong, and set what the trail must contain at each level.
- Levels rise with consequence and irreversibility — a one-way door warrants more of the trail than a two-way door.
- Where the consequence and a system's earned autonomy disagree, the lower governs; the default is to classify up.
- The level is set by policy before the decision, not negotiated after the outcome is known.
Assessed this way, the question is not a binary "compliant or not." It is where the trail runs thin, and for which decisions that thinness matters most.
What an organization can do now.
Independent of any product or vendor.
- Inventory the consequential decisions — the ones a regulator, a board, or a successor would later ask about.
- Level them by consequence and reversibility, and write the leveling rule down.
- Capture at the moment of decision — the basis, the options, the dissent — because reconstruction from memory is the exact failure mode the law targets.
- Separate outcome from decision — keep an outcome record that calibrates judgment over time without re-grading a sound decision by its luck.
- Make the trail retrievable — a record no one can find in time is, for practical purposes, no record.
Readiness is a capability, not a certificate. No framework or tool makes an organization compliant on its own. The Decision Assurance Levels give a common yardstick; meeting them is the work.
Get ready on the standard, not under a fire drill.
The Decision Assurance Levels are open and freely usable, even in draft. Use them to assess your readiness today, and help shape the specification as it moves toward v1.0.