The Trajectory Is the Audit Object

Eight days. Two launches. One missing artifact.

On May 6, IBM launched Sovereign Core. Eight days earlier, Atos launched Sovereign Agentic Studios. Two of the world's largest IT firms shipped agentic AI governance offerings inside a single week. Neither produces the evidence object an auditor is about to ask for.

SR 11-7 was written around inputs, outputs, and a model card. An agent run produces something different. The trajectory is the audit object.

The model card was the answer to a different question.

The model card is a static artifact. Inputs, outputs, training data, intended use, known limitations. Twenty years of model risk methodology was built around it. Three lines of defense was built around it.

It is the right artifact for a static model that scores a transaction once and produces a number.

It is the wrong artifact for an agent run that calls a database, reads the result, modifies its own scratchpad, conditionally calls a second tool, branches into a different workflow, then commits a write.

Two different evidentiary objects. The model card is a description. The trajectory is a recording.

What the trajectory actually is.

An agent run produces a trajectory. A multi-step decision graph in which the model invokes tools, modifies its own state, and branches on intermediate results. The trajectory is what an examiner is going to read in three years.

Almost no one is shipping the multi-step record format yet. Most enterprise governance work is still at the integration phase. The closest analogues today are GenAI prompt-and-response logs. Those are flat conversation records, not the decision graph of an agent run.

What goes in the multi-step record format. Hash-chained record of every tool call. State vector before and after. The branch decision and what got rejected at each step. Replay against frozen model weights at the moment of the run.

None of that is in the SR 11-7 dossier today.

Agent assurance. Where the trajectory lives.

The harder problem is organizational. The trajectory cuts across three governance owners and lives nowhere by default.

Model risk owns the model card.
Cyber owns tool-call permissions.
Application teams own workflow logic.

Push tool-call sequence validation into model risk and you get procedural drift. Push it into cyber and the control sits in the wrong place. Push it into the application team and you have one line of defense, not three.

The trajectory needs its own home. Call it agent assurance. A new second-line function adjacent to model risk, with its own validation methodology. The firms that solve this first will probably do it by creating a new artifact owner inside the AI governance function.

None of this breaks three lines of defense. The artifact just needs a place to live.

The order that holds.

Architecture is half the answer. Implementation order is the other half.

The instinct, especially in regulated firms, is to stand up the artifact owner role first. It is the most visible structural change. The risk is that the role gets created before the schema exists, which leaves the artifact owner consuming logs that were never designed to capture trajectories.

The sequence that holds is schema first. Collection infrastructure second. Ownership third. Consumer integrations fourth.

Inverting that order is how most agent governance builds quietly degrade in year two, when the audit asks for evidence and the logs cannot produce it.

Platform intercept. The unsolved fight.

The technical question is where the substrate attaches.

Copilot Studio. Agentforce. Bedrock Agents. watsonx Orchestrate. None of them expose a clean attachment point for an external substrate to plug in. The intercept point is where the runtime governance has to sit, where every tool call has to flow through, where the trajectory has to be observed and signed.

That is where the standardization has to happen. Whether the standard comes from the platforms, from the regulators, or from the substrate vendors who get there first is the open question.

What is not open: the enterprise running Copilot Studio, Agentforce, and watsonx Orchestrate doesn't get to pick three substrates. They need one.

The substrate question.

IBM Sovereign Core runs on IBM stack. Atos Sovereign Agentic Studios runs on Atos stack. Both are vendor substrates tied to vendor cloud.

The thing the regulator needs is portable. The trajectory has to be readable in the regulator's format whether the underlying platform is Microsoft, Salesforce, Amazon, IBM, or none of the above. An audit primitive that lives inside one cloud is not a substrate. It is a feature.

What the top-three banks have built privately, what hyperscalers ship as platform features, what major SIs offer inside their consulting packages will all converge on the same problem in the next eighteen months. The trajectory is the audit object. Whoever owns it inside the bank determines who is on the hook when the examiner asks. Whoever ships it as a portable substrate determines what the rest of the market looks like.

What we are building.

Wayfinder Systems Group is building one answer to the substrate question. A runtime governance layer that sits above the platform and below the model, signs every decision and every learning event onto a tamper-evident chain at the moment it happens, and stays portable across whichever platform stack the enterprise is running. Patents held in The Wayfinder Trust. We call her Velma.