Three readers, one receipt
| Reader | Question they ask | What the receipt gives them |
|---|---|---|
| Security / compliance | Did governance controls actually run on this request? | The ordered checks list — budget, allowlist, guardrail, PII, upstream outcome — each a pass/fail, signed and chained so a check can’t be edited or deleted after the fact. |
| Finance | What did this request cost, and can I trust the number? | cost_usd, split by regular / cache-write / cache-read tokens, committed atomically against the same budget the request was checked against — not a reconciled export from a separate billing system. |
| Effectiveness | Did this governed spend produce accepted work? | The same request’s actor and session tie it to OUTCOMES — quality-gated accepted-work-per-dollar, sourced from real GitHub PR results, not a raw tokens-saved counter. |
Why regulation makes this demanded, not optional
The EU AI Act’s high-risk obligations (Art 12 — logging, Art 26 — deployer duties, Art 73 — incident reporting) describe artifacts that look like a request-path receipt: proof that a control ran, on a specific request, at a specific time, that can’t have been edited after the fact. A registry or catalog tool can only ask a customer to attest that this happened; a gateway that sits in the path and signs what it enforced already has the artifact as a byproduct of doing its job.Wardin produces audit-grade, Art-12-style runtime records for gateway-routed
traffic — not a compliance certification. No software makes an organization
“compliant”; SOC 2, ISO 27001, and HIPAA are audits Wardin doesn’t hold and can’t
confer on you. Framework-mapped control citations per check (e.g.
eu_ai_act:art_12,
nist_ai_rmf), long-term WORM retention beyond the hot analytics window, and a
one-click auditor export are in active development, not yet available. See
Signed Receipts for exactly what’s verifiable today.Where this shows up in the product
- The Request Path — the six-stage rail is the mechanism: where enforcement, metering, and evidence generation actually happen on every request.
- Signed Receipts — the receipt format, the hash chain, and how to verify one yourself.
- EVIDENCE (rail stage) — chain statistics and a sample verified receipt.
- OUTCOMES (rail stage) — the effectiveness reader’s view: accepted work per dollar.