
Nikhil Jathar: AvanSaber Co-founder, IEEE-USA advocate bridging AI innovation with accountable governance.
Most discussions of "AI auditability" in enterprise software begin with a mistaken assumption: that audit is a downstream exercise, performed on logs after the fact, by people who arrive after the system has already produced its output.
In my own work on ERPClaw, I needed to abandon that framing. An ERP system runs financial workflows. The audit cannot wait until after the AI generates code that touches a general ledger. By that time, the integrity violation has already occurred. So I tried something different. I gave the AI a constitution and a second AI whose only job is to enforce it.
The Downstream Audit Assumption And Where It Breaks
The current AI audit conversation in federal proposals, internal compliance frameworks and third-party tooling mostly assumes auditability is log-based or post hoc. In most enterprise contexts that pattern is fine. The application keeps running on a fixed code path and the AI is bolted onto the side as a recommender, summarizer or chatbot. If the AI hallucinates, the application is unaffected; the audit catches the bad recommendation.
For a small but growing class of enterprise systems, the assumption breaks. Any system with nonnegotiable integrity rules (balanced books in finance, immutable journals in accounting, role-based access boundaries and regulatory-mandated audit trail completeness) cannot run a "wait and review" pattern around an AI that is allowed to modify the system itself. The integrity rules have to hold during the AI's operation, not be reconstructed afterward. ERP is the obvious case. Healthcare records, legal contracts and supply chain provenance face the same constraint.
Encoding The Constitution
The first design choice was what counts as an integrity rule. For ERPClaw, the rules are concrete: Every journal entry must sum to zero across accounts; posted entries cannot be deleted, only reversed by a counter-entry; access to financial data follows role-based boundaries that the system enforces at the database layer rather than in application code; the audit trail captures every state change without gaps; and domain-specific rules apply per ERPClaw industry vertical, such as HIPAA constraints in the HealthClaw module.
Each rule is encoded as a machine-evaluable invariant that runs at code-modification time, not at runtime. The implementation uses an AST-based static analyzer that examines proposed code for any violation of the invariants before the code is allowed into the running system. A developer or AI agent proposing a change that would let a journal entry be soft-deleted gets blocked at the check-in layer. The check is automated and binary.
I chose the term "constitution" deliberately. The invariants are intentionally short, named and hard to amend. Changes to the constitution itself require a separate review process, distinct from regular code changes, and they take precedence over any other rule in the system. The full set of invariants is documented in USPTO Application Number 19/650,218, where the patent language calls them "domain integrity guarantees."
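As an added example (my own code, not ERPClaw's, whose language and internals this piece does not show), here is the shape of such a check-in-time analyzer in Python: two of the invariants above, "posted entries cannot be deleted, only reversed" and "the audit trail captures every state change," are encoded as short, named rules evaluated over the AST of a proposed change. The naming convention (journal data lives in names containing `journal` or `entry`), the soft-delete attribute names and the `record_audit_event` function are assumptions for illustration; the two sample changes at the bottom are constructed.

```python
import ast
import re
from dataclasses import dataclass

# Attribute names treated as soft-delete flags in this illustration (assumption).
SOFT_DELETE_ATTRS = {"is_deleted", "deleted", "soft_deleted"}
# Raw SQL deleting from a journal table bypasses ORM-level rules (assumed table naming).
RAW_DELETE_SQL = re.compile(r"^\s*DELETE\s+FROM\s+\w*journal", re.IGNORECASE)


@dataclass(frozen=True)
class Violation:
    rule: str      # the short, named invariant that was broken
    lineno: int
    detail: str


def _touches_journal(node: ast.AST) -> bool:
    # Name-based heuristic (assumption): does this expression refer to journal data?
    text = ast.unparse(node).lower()
    return "journal" in text or "entry" in text


class ConstitutionVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.violations: list[Violation] = []

    def _flag(self, rule: str, node: ast.AST, detail: str) -> None:
        self.violations.append(Violation(rule, node.lineno, detail))

    def visit_Call(self, node: ast.Call) -> None:
        # session.delete(entry) or entry.delete(): posted entries may only be reversed
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "delete":
            if any(_touches_journal(n) for n in [func.value, *node.args]):
                self._flag("POSTED_ENTRIES_ARE_IMMUTABLE", node,
                           f"delete call on journal data: {ast.unparse(node)}")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # entry.is_deleted = True: a soft-delete flag is still a delete
        for target in node.targets:
            if (isinstance(target, ast.Attribute)
                    and target.attr in SOFT_DELETE_ATTRS
                    and _touches_journal(target.value)):
                self._flag("POSTED_ENTRIES_ARE_IMMUTABLE", node,
                           f"soft-delete flag set: {ast.unparse(node)}")
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        if isinstance(node.value, str) and RAW_DELETE_SQL.search(node.value):
            self._flag("POSTED_ENTRIES_ARE_IMMUTABLE", node,
                       f"raw DELETE against journal table: {node.value.strip()!r}")

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        # A function that writes journal attributes must also emit an audit event
        # (record_audit_event is an assumed name for the audit-trail API).
        mutates = any(isinstance(n, ast.Assign) and any(
            isinstance(t, ast.Attribute) and _touches_journal(t.value) for t in n.targets)
            for n in ast.walk(node))
        logs = any(isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
                   and n.func.id == "record_audit_event" for n in ast.walk(node))
        if mutates and not logs:
            self._flag("AUDIT_TRAIL_COMPLETE", node,
                       f"{node.name} mutates journal data without record_audit_event")
        self.generic_visit(node)


def check_constitution(source: str) -> list[Violation]:
    """Return every violation in the proposed source; an empty list means it may ship."""
    visitor = ConstitutionVisitor()
    visitor.visit(ast.parse(source))
    return visitor.violations


# Constructed sample changes, as a generation agent might propose them.
COMPLIANT_CHANGE = '''
def reverse_entry(session, entry):
    reversal = JournalEntry(lines=[line.negated() for line in entry.lines])
    entry.reversed_by = reversal.id
    session.add(reversal)
    record_audit_event("journal.reversed", entry.id, reversal.id)
    return reversal
'''

VIOLATING_CHANGE = '''
def purge(session, entry):
    entry.is_deleted = True
    session.delete(entry)
    session.execute("DELETE FROM journal_entries WHERE id = :id", {"id": entry.id})
'''
```

The check is binary in the sense described above: an empty list is the only result that lets a change through, and the rule names are the units a constitution amendment would have to touch. The name-matching heuristic is the weak point of this toy; a production analyzer would resolve types rather than match identifiers, since name-based rules have obvious blind spots that only the agentic tier can cover.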
The Adversarial Audit Agent
The second design choice was who enforces the constitution. In a conventional system, a deterministic static analyzer or a CI/CD gate would do it alone. In a system where an AI agent can write or modify code at runtime, the enforcement layer has to wrap those deterministic checks with agentic reasoning.
We modeled the audit as a separate AI agent with one job: Detect violations of the constitution. It uses the AST analyzer to read proposed code, reasons about whether the change violates an invariant and rejects it before deployment. It runs alongside the generation agent and operates on every proposed change.
A key design choice that surprised me: The audit agent does not need to be smarter than the generation agent. It needs to be specialized. The audit agent only knows the integrity rules. It does not know the business logic or the user request. Specialization beats raw capability for this role.
The audit agent is not a peer reviewer that can be talked into approving a marginal change. It is structurally adversarial: Its incentive is to find violations. Generation that survives the audit is the only generation that ships. In production, this means an AI can write or modify code inside a live ERP system without breaking integrity, because integrity is enforced inside the architecture, not as a downstream review.
What This Scales To And Where It Breaks
The pattern scales to enterprise software domains with a small number of nonnegotiable integrity invariants. ERP qualifies. So do healthcare records management, financial reporting systems, legal document automation and supply chain provenance.
The pattern does not scale to domains where "integrity" is contested or evolving. Generative content, marketing automation and customer support are not good fits. The rules are too soft, and the audit agent has nothing crisp to enforce against.
The most honest limitation is that the constitution itself is the bottleneck. If the integrity rules are wrong, incomplete or contradictory, the audit agent enforces the wrong thing precisely. Constitution maintenance is its own engineering practice, with more rigorous review than regular feature changes.
The pattern also adds latency and infrastructure cost. The audit agent runs on every proposed change. For high-throughput AI workflows, the audit cost has to be tiered, with cheap deterministic checks running always and expensive non-deterministic checks running selectively. That is the architectural pattern that TailTest, a separate product we built, formalizes.
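The propose/audit/reject loop from the previous section and the tiered cost model just described, as an added example that is neither ERPClaw's nor TailTest's code. The gate runs every cheap deterministic check on every change and invokes the expensive audit agent only when those pass and the change is either under a risky path or picked by a deterministic hash sample; the generation loop feeds each rejection reason back to the generator and ships only what survives. The risky-path list, the sampling rule and the three stand-in callables (cheap check, audit agent, generator) are constructed for illustration; a real deployment would put an LLM behind the latter two.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

# A check returns a rejection reason, or None when the change is clean.
Check = Callable[[str], Optional[str]]


@dataclass(frozen=True)
class Decision:
    accepted: bool
    tier: str                      # "deterministic", "agent" or "skipped-agent"
    reason: Optional[str] = None


class TieredAuditGate:
    """Cheap deterministic checks run on every change; the expensive audit agent
    runs only for changes under risky paths or a hash-selected sample."""

    def __init__(self, cheap_checks: list[Check], audit_agent: Check,
                 risky_paths: tuple[str, ...] = ("ledger/", "journal/"),
                 sample_percent: int = 10) -> None:
        self.cheap_checks = cheap_checks
        self.audit_agent = audit_agent
        self.risky_paths = risky_paths      # assumed layout of the code base
        self.sample_percent = sample_percent
        self.agent_calls = 0                # lets a caller measure the expensive tier

    def _selected_for_agent(self, path: str, source: str) -> bool:
        if path.startswith(self.risky_paths):
            return True
        # Deterministic sampling: the same change always gets the same verdict.
        digest = hashlib.sha256(f"{path}\n{source}".encode()).hexdigest()
        return int(digest[:8], 16) % 100 < self.sample_percent

    def review(self, path: str, source: str) -> Decision:
        for check in self.cheap_checks:
            reason = check(source)
            if reason:
                return Decision(False, "deterministic", reason)
        if not self._selected_for_agent(path, source):
            return Decision(True, "skipped-agent")
        self.agent_calls += 1
        reason = self.audit_agent(source)
        return Decision(reason is None, "agent", reason)


def generate_until_audited(gate: TieredAuditGate,
                           generator: Callable[[str, Optional[str]], str],
                           path: str, request: str, max_rounds: int = 3):
    """Propose, audit, feed the rejection reason back; only audited code ships.
    Returns (source_or_None, final_decision, rounds_used)."""
    feedback: Optional[str] = None
    decision = Decision(False, "none", "no rounds run")
    for round_no in range(1, max_rounds + 1):
        source = generator(request, feedback)
        decision = gate.review(path, source)
        if decision.accepted:
            return source, decision, round_no
        feedback = decision.reason
    return None, decision, max_rounds


# --- constructed stand-ins; a real deployment puts an LLM behind each ---------
def no_delete_calls(source: str) -> Optional[str]:
    """Cheap tier: a substring rule that costs microseconds."""
    if ".delete(" in source or "DELETE FROM" in source.upper():
        return "posted entries may only be reversed, never deleted"
    return None


def toy_audit_agent(source: str) -> Optional[str]:
    """Expensive tier stand-in: catches the soft delete the cheap rule misses."""
    if "is_deleted" in source:
        return "setting a soft-delete flag on a posted entry is still a delete"
    return None


def toy_generator(request: str, feedback: Optional[str]) -> str:
    """Generation-agent stand-in: first tries a soft delete, then a reversal."""
    if feedback is None:
        return "entry.is_deleted = True\n"
    return "session.add(reverse(entry))\n"
```

The trade-off the tiering makes is visible in the `skipped-agent` decision: a change outside the risky paths that the cheap checks cannot see is accepted without the agent ever looking at it, so the sample rate and the risky-path list are themselves part of the constitution's coverage and deserve the same review discipline.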
Why This Matters Now
AI policy in 2026 is being drafted with a downstream audit assumption baked in. That assumption will set the regulatory baseline for how AI is deployed in enterprise systems for years.
For domains with hard integrity constraints, the regulatory baseline that maps to the architecture needs to be on the record before policy locks in. The constitution-governed pattern is documented in our pending patent, deployed in ERPClaw and described publicly in pieces like this one. Architectural patterns that exist in the public record are easier for regulators and engineers to reach than patterns that live only in proprietary systems.
ERPClaw is open source under the MIT license. Other engineers can build on it, critique it or improve it.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.