An audit trail is a record of actions the system takes and the access people have. It helps me trace what happened, when it happened, and who was responsible.
> Data access (who accessed what, when).
> Consent changes (opt-in/opt-out timestamps).
> Model updates (version, date, purpose).
> Output events (flags for risky or unsafe outputs).
> Incident actions (containment, notifications, remedies).
“Governance roles”
Stewardship Owner - Owns the policy and public communication.
Privacy Lead - Approves data minimization, retention, and sharing controls.
Clinical Safety Advisor (if applicable) - Defines escalation thresholds.
Technical Owner - Manages model versioning and monitoring.
Incident Manager - Coordinates response and user notification.
> A summary of what data categories I store.
> A record of consent choices (where feasible).
> An explanation of governance, ownership, and complaint routes.
I publish ownership clearly so accountability doesn’t disappear into “the system.” I assign named roles and document decisions across the AI lifecycle.