PICTURE THE SCENE

An AI system your organisation deployed eighteen months ago has made a series of decisions that are now under regulatory scrutiny. A senior lawyer asks a straightforward question: can you show us the complete information picture that existed at the moment each of those decisions was made?

Not a summary prepared last week. Not a log assembled from three different systems this morning. The exact information picture: the data inputs, the model state, the risk assessment, the named accountability, as it existed at the precise moment each decision was taken.

Most boards cannot answer that question. Not because they are negligent. Because they have confused documentation with defensibility, and no one has yet told them those are different things.

Documentation Is Not Defensibility

Every organisation that has deployed AI has documentation. Policies. Frameworks. Meeting minutes. Project sign-off emails. Risk registers that were updated at the start of the programme and not revisited since.

That documentation describes intent. It records what people planned to do, what they discussed, what they approved. It is not the same as evidence of what actually happened at the moment a consequential decision was made.

Regulators and litigants do not ask whether you had a policy. They ask whether accountability was present and named at the exact moment the decision occurred. That is a different evidentiary standard. Most governance programmes are not built to meet it.

Documentation is static. Defensibility is temporal. The distinction is the gap that most boards do not know they have.

What Happened This Week

On 25 March 2026, the Harvard Law School Forum on Corporate Governance published a memorandum by Skadden, Arps, Slate, Meagher & Flom on board oversight obligations in the age of AI. The conclusion was precise: "Allowing the deployment of AI systems without adequate governance, testing, or monitoring could constitute a breach of the duty of care, especially if problems were foreseeable and preventable."

The word "foreseeable" carries significant weight. A board that cannot reconstruct what information it had at the moment a decision was made cannot demonstrate that risks were identified in advance. It cannot prove that what happened was not foreseeable. The inability to reconstruct the decision is itself evidence of a governance failure.

This is not a new legal theory. It is existing fiduciary duty applied to a context where most boards have not yet built the infrastructure it requires.

Separately, an industry programme published in the same week framed the regulatory expectation clearly: regulators are no longer asking whether an organisation experimented responsibly. They are asking whether it can demonstrate "sustained control, accountability, and observable system behaviour under real world conditions." The evidence organisations need to satisfy that question is not in their existing documentation. It has to be built before the question arrives, not in response to it.

THE REGULATORY ANCHOR

The EU AI Act is the most precise legislative expression of this standard. Three articles define what it actually requires for high-risk AI systems.

Article 12 requires that high-risk AI systems be designed and developed with capabilities that enable automatic recording of events (logs) throughout the system lifecycle. The logs must be sufficient to enable an assessment of whether the system functioned in accordance with its intended purpose.

Article 13 requires that high-risk AI systems be designed and developed to be sufficiently transparent to enable deployers to interpret a system's output and use it appropriately. Transparency is not optional presentation. It is a design obligation.

Article 19 requires deployers of high-risk AI systems to keep logs of operation to the extent such logs are automatically generated. Where the deployer is a public authority or a financial institution, that obligation is explicit and directly enforceable.

The obligation under Article 19 is not to keep logs in case someone asks. It is to maintain logs as a condition of lawful operation. That distinction matters. An organisation that deploys a high-risk AI system without automatic logging infrastructure is not compliant from the moment of deployment. The compliance failure is not a response to a question. It is the absence of the system that would have allowed the question to be answered.

The August 2026 deadline for high-risk system obligations is five months away. Most organisations with EU-facing operations have not yet mapped which of their AI systems qualify as high-risk under the Act. Of those that have, the majority have not yet specified what logging and retrieval infrastructure is required for each.

The FCA's Senior Managers and Certification Regime adds a parallel obligation in UK financial services. SM&CR requires that accountability for material decisions is named at a senior manager level, with evidence of that accountability capable of surviving regulatory review. As AI systems make or influence more of those material decisions, the question becomes unavoidable: is the senior manager accountability that SM&CR requires documented at the moment of the AI-assisted decision, or reconstructed after the fact?

The FCA has been consistent: reconstruction after the fact is not the standard. The standard is contemporaneous evidence of named accountability.

The Four Elements of a Digital Alibi

For a board to satisfy the evidentiary standard that the EU AI Act, FCA SM&CR, and, as the Harvard Law Forum piece makes clear, basic fiduciary duty now require, four elements must be present at the moment of every material AI-assisted decision.

  1. The information picture. What data did the AI system have access to? What was its state at the moment of the decision? What was included and, critically, what was excluded?

  2. The accountability record. Who was responsible for this decision? Not who approved the programme. Who was named, in writing, as the individual accountable for the consequences of this specific system making this specific type of decision?

  3. The risk assessment. What failure modes were identified before deployment? Who assessed them? Does that assessment survive as contemporaneous evidence, or does it exist only as a general policy document that predates the specific decision in question?

  4. The retrievability guarantee. Can all three of the above be produced on demand, in full, in a form that would satisfy independent forensic review? Not in two weeks. On demand.

Most organisations have partial versions of some of these elements. Almost none have all four in a form that satisfies an independent forensic standard for each material AI-assisted decision.

That is the evidence gap. It is not a technical problem. It is a governance design problem.

Why Infrastructure Built After the Fact Does Not Work

The natural response when a board first encounters this analysis is to commission a retrospective documentation exercise. Map the decisions that have been made. Reconstruct the information picture from system logs. Assign accountability in writing, now, for decisions that were made months ago.

That exercise is useful for understanding the gap. It will not close it. The forensic standard is temporal. A document created today that describes what accountability existed eighteen months ago is a description. It is not evidence. Courts and regulators apply that distinction routinely.

Infrastructure built after the fact does not satisfy the question that arrives before it. The Digital Alibi must be established before the decision is made, not assembled in response to the inquiry that follows.

This is the central proposition. It requires a different kind of governance programme: one designed around the evidentiary standard first and the policy framework second.

What This Means Practically

Three questions that a board should be able to answer before the end of this quarter:

  1. Which AI systems in production today would qualify as high-risk under the EU AI Act? Not which systems you think are probably fine. Which systems have been formally assessed against the Act's risk classification criteria, with that assessment documented and owned by a named individual?

  2. For each of those systems, what automatic logging is in place, and has it been independently tested to confirm that the information produced would satisfy Article 12 and Article 19 requirements under regulatory scrutiny?

  3. For each material AI-assisted decision made in the last twelve months, how long would it take to produce a complete, forensically defensible account of the information picture that existed at the moment of that decision?

If the honest answer to the third question is "we are not certain" or "longer than a few hours", the gap is real and it is live.

The Standard Has Moved

The governance expectation for AI has shifted from stated intent to operational proof. The Skadden memorandum published this week is one data point in a pattern that has been building for eighteen months. Regulators are not asking boards to have good intentions about AI governance. They are asking boards to demonstrate that accountable oversight functioned in practice, at the moment decisions were made, with evidence to support the claim.

Compliance passes the audit. Control survives the incident. The two are not the same thing.

The boards that understand this distinction now will not be the ones trying to reconstruct it under pressure later.

This article represents general analysis and commentary. It does not constitute legal, regulatory, or advisory guidance specific to any organisation. Independent legal and compliance advice should be obtained for any specific situation.

If this raised a question your board has not yet addressed, the next step is a confidential conversation.

The Digital Alibi Assessment is a structured forensic review that establishes whether your organisation can reconstruct the complete information picture behind every material AI-assisted decision. Engagements are scoped to your organisation's specific exposure. Details at otopoetic.com.

The Roche-Review covers AI governance, executive risk, and the evidentiary standards that boards will be held to. If a colleague forwarded this to you, you can subscribe at roche-review.com.
