⚠️
Demo dossier — synthetic runtime data. These audits are published for demonstration purposes. Runtime traces were synthetically generated to illustrate the behavioral audit methodology. Systems are anonymised. Full production dossiers with live execution evidence are available under NDA — contact@factnotebook.com

🔗 Decision Accountability Record

Linking governance decisions to runtime enforcement evidence

agents-for-openbb · CSVA-20260614-9BE11290 · 2026-06-17 07:47 UTC

⚠️ Accountability Gap — named decision-makers vs runtime reality

Each row names a person who authorised or accepted a high-severity risk whose mitigating controls are proven ineffective at runtime. This is not a control finding — it attaches a named human accountability to a control that did not operate.

| Risk | Severity | Accepted / owned by | Runtime effectiveness |
| --- | --- | --- | --- |
| RISK-FIN-001: Hallucination in financial recommendations | CRITICAL | E. Vandermeer, 2026-03-20 | 0.0% |
| RISK-FIN-002: No human oversight before financial advice delivery | HIGH | E. Vandermeer, 2026-03-20 | 0.0% |
| RISK-FIN-003: Absence of audit trail on data sources used | HIGH | E. Vandermeer, 2026-03-22 | 0.0% |

🔎 Accountability provenance: A1 — Declared in repository — asserted, not independently verified

1. Autonomy Grant — who authorized the autonomy

Authorized by: E. Vandermeer
Role: Chief Risk Officer
Date: 2026-03-15
Scope of automated decisions: Automated market analysis, signal generation and trade recommendation. Order execution excluded from autonomous scope.
Autonomy level granted: supervised

2. Boundary Definition — who defined the boundaries

Policy ID: AI-POL-007
Policy version: 1.3
Effective date: 2026-03-15

3. Risk Acceptance — who accepted the risk

Risk owner: M. Okonkwo
Role: Head of Trading Technology
Residual risk level accepted: MODERATE
Acceptance date: 2026-03-20
Next review date: 2026-05-20

4. Governance → Runtime Enforcement Matrix

Runtime sessions covered: 50 · Observation period: 2026-04-01 → 2026-04-05

⚠️ Risk acceptance review date is overdue

Declared constraint | Domain | Owner | Mapped checkpoint | Control status | Observations & Evidence

Human oversight required on all critical recommendations | oversight | M. Okonkwo | Human Validation
Design: DECLARED
Implementation: NOT DETECTED
Operating effectiveness: NOT EFFECTIVE · 0.0%
Design: E1 · Impl: E3 · Runtime: E5
· 50 sessions evaluated for this control
· 0 passed · 50 failed
· strict pass rate: 0.0%
method: runtime trace analysis (Behavioral Audit process mining)

Low-confidence outputs routed to human review | oversight | M. Okonkwo | Confidence-Based Human Routing
Design: DECLARED
Implementation: DETECTED
Operating effectiveness: PARTIALLY EFFECTIVE · 80.0%
Design: E1 · Impl: E3 · Runtime: E5
· 50 sessions evaluated for this control
· 41 passed · 9 failed
· strict pass rate: 80.0%
method: runtime trace analysis (Behavioral Audit process mining)

Human operators can override or block any automated recommendation | oversight | M. Okonkwo | User Override
Design: DECLARED
Implementation: DETECTED
Operating effectiveness: EFFECTIVE · 100.0%
Design: E1 · Impl: E3 · Runtime: E5
· 50 sessions evaluated for this control
· 50 passed · 0 failed
· strict pass rate: 100.0%
method: runtime trace analysis (Behavioral Audit process mining)

Every automated decision recorded in a tamper-evident audit trail | logging | S. Lindqvist | Audit Trail
Design: DECLARED
Implementation: NOT DETECTED
Operating effectiveness: NOT EFFECTIVE · 0.0%
Design: E1 · Impl: E3 · Runtime: E5
· 50 sessions evaluated for this control
· 0 passed · 50 failed
· strict pass rate: 0.0%
method: runtime trace analysis (Behavioral Audit process mining)

Agent reasoning loop bounded to prevent runaway execution | security | S. Lindqvist | Execution Limits (Guardrails)
Design: DECLARED
Implementation: DETECTED
Operating effectiveness: EFFECTIVE · 98.0%
Design: E1 · Impl: E3 · Runtime: E5
· 50 sessions evaluated for this control
· 49 passed · 1 failed
· strict pass rate: 98.0%
method: runtime trace analysis (Behavioral Audit process mining)

Only secure model serialization formats permitted (no pickle) | security | S. Lindqvist | Secure Format Policy
Design: DECLARED
Implementation: PARTIALLY DETECTED
Operating effectiveness: NOT TESTED (static evidence only)
Design: E1 · Impl: E3 · Runtime:
· no runtime sessions for this checkpoint
· verdict derived from evidence_ledger.json
method: static evidence analysis (Phase B/C ledger)

Personal data masked before any third-party LLM call | data | A. Ferreira | PII Masking Before External Transmission
Design: DECLARED
Implementation: DETECTED
Operating effectiveness: EFFECTIVE · 100.0%
Design: E1 · Impl: E3 · Runtime: E5
· 50 sessions evaluated for this control
· 50 passed · 0 failed
· strict pass rate: 100.0%
method: runtime trace analysis (Behavioral Audit process mining)

Exhaustive registry of data sources, types and flows maintained | data | A. Ferreira | Data Inventory
Design: DECLARED
Implementation: NOT DETECTED
Operating effectiveness: NOT TESTED (static evidence only)
Design: E1 · Impl: E3 · Runtime:
· no runtime sessions for this checkpoint
· verdict derived from evidence_ledger.json
method: static evidence analysis (Phase B/C ledger)

Quarterly model risk committee review of strategy drift | oversight | E. Vandermeer
Design: DECLARED
Implementation: NOT VERIFIABLE
Operating effectiveness: NOT TESTABLE
Design: E1 · Impl: · Runtime:
method: not mapped to checkpoint

5. Per-Risk Accountability — owner, acceptance and enforcement per registered risk

| Risk | Controls | Owner | Residual accepted | Review | Control enforcement |
| --- | --- | --- | --- | --- | --- |
| RISK-FIN-001: Hallucination in financial recommendations | Human Validation; Confidence-Based Human Routing; Audit Trail | M. Okonkwo | E. Vandermeer, 2026-03-20 | 2026-09-20 | OBSERVED NOT EFFECTIVE · 0.0% |
| RISK-FIN-002: No human oversight before financial advice delivery | Human Validation; Human-in-the-Loop Mechanism | M. Okonkwo | E. Vandermeer, 2026-03-20 | 2026-05-20 OVERDUE | OBSERVED NOT EFFECTIVE · 0.0% |
| RISK-FIN-003: Absence of audit trail on data sources used | Audit Trail; Decision Record Structure; Logging Implementation | S. Lindqvist | E. Vandermeer, 2026-03-22 | 2026-09-22 | OBSERVED NOT EFFECTIVE · 0.0% |
| RISK-FIN-004: Agent loops without iteration limit | Execution Limits (Guardrails); Error Handling | M. Okonkwo | E. Vandermeer, 2026-03-22 | 2026-09-22 | OBSERVED EFFECTIVE · 98.0% |
| RISK-FIN-005: Bias in financial recommendations by asset class | Bias Metrics; Continuous Monitoring | S. Lindqvist | E. Vandermeer, 2026-04-02 | 2026-10-02 | NOT IMPLEMENTED — STATIC |
| RISK-FIN-006: Use of stale training data without real-time grounding | Data Quality; Limitations Disclosure | NOT ASSIGNED | NOT ACCEPTED | | NOT IMPLEMENTED — STATIC |
| RISK-FIN-007: Prompt injection via malicious widget data | Input Robustness; Prompt Guardrail / Injection Detection | NOT ASSIGNED | NOT ACCEPTED | | PARTIALLY IMPLEMENTED — STATIC |

6. Reverse Traceability — from runtime failure to accountability

Each control failure is traced back to its risk, owner, and acceptance decision.

| Runtime Failure | Risk | Owner | Acceptance | Status |
| --- | --- | --- | --- | --- |
| Human oversight required on all critical recommendations (Human Validation · 0.0%) | RISK-FIN-001: Hallucination in financial recommendations | M. Okonkwo | E. Vandermeer, 2026-03-20 | NOT_ENFORCED |
| Human oversight required on all critical recommendations (Human Validation · 0.0%) | RISK-FIN-002: No human oversight before financial advice delivery | M. Okonkwo | E. Vandermeer, 2026-03-20 · OVERDUE | NOT_ENFORCED |
| Low-confidence outputs routed to human review (Confidence-Based Human Routing · 80.0%) | RISK-FIN-001: Hallucination in financial recommendations | M. Okonkwo | E. Vandermeer, 2026-03-20 | NOT_ENFORCED |
| Every automated decision recorded in a tamper-evident audit trail (Audit Trail · 0.0%) | RISK-FIN-001: Hallucination in financial recommendations | M. Okonkwo | E. Vandermeer, 2026-03-20 | NOT_ENFORCED |
| Every automated decision recorded in a tamper-evident audit trail (Audit Trail · 0.0%) | RISK-FIN-003: Absence of audit trail on data sources used | S. Lindqvist | E. Vandermeer, 2026-03-22 | NOT_ENFORCED |

Decision Accountability Record · CAMSVA Behavioral Audit · sealed evidence · sha256: 518af45d3c6eff5b…
