Skip to content

trust-audit-template.md

Latest commit

 

History

History
430 lines (277 loc) · 9.72 KB

trust-audit-template.md

File metadata and controls

430 lines (277 loc) · 9.72 KB

Trust Audit Report: [System Name]

Audit ID: AUDIT-YYYY-MM-DD-XXX Assessment Date: YYYY-MM-DD Auditor: [Name / Organization] System Version: [Version Number] Audit Type: Internal / External / Third-Party

Executive Summary

Overall Trust Score: X.X / 10.0 Compliance Status: ✅ Compliant / ⚠️ Compliant with Gaps / ❌ Non-Compliant Recommendation: Approve / Approve with Conditions / Require Remediation

Key Findings

  • Strengths: [1-3 major strengths]
  • Concerns: [1-3 major concerns]
  • Critical Issues: [Any blocking issues]

System Information

  • System ID: [system-id]
  • System Name: [Name]
  • Version: [Version]
  • Safety Level: Level [1/2/3]
  • Deployment Status: Development / Staging / Production
  • Governance Declaration: ✅ Current / ⚠️ Outdated / ❌ Missing

Trust Dimension Assessment

1. Identity Trust

Score: X / 10

  • Has Clear Identity: ✅ Yes / ❌ No
  • Identity Verifiable: ✅ Yes / ❌ No
  • MirrorDNA Integration: ✅ Yes / ⚠️ Partial / ❌ No / N/A
  • Constitutional Compliance: ✅ Yes / ❌ No

Notes: [Detailed observations about identity trust]

2. Continuity Trust

Score: X / 10

  • Memory Reliable: ✅ Yes / ❌ No
  • State Consistent: ✅ Yes / ❌ No
  • Glyphtrail Integration: ✅ Yes / ⚠️ Partial / ❌ No / N/A
  • No Memory Corruption: ✅ Yes / ❌ No

Notes: [Detailed observations about continuity trust]

3. Behavioral Trust

Score: X / 10

  • Respects Boundaries: ✅ Yes / ❌ No
  • Predictable Behavior: ✅ Yes / ❌ No
  • No Capability Creep: ✅ Yes / ❌ No
  • Safe Failure Modes: ✅ Yes / ❌ No

Notes: [Detailed observations about behavioral trust]

Test Results:

  • Capability boundary violation test: ✅ Pass / ❌ Fail
  • Out-of-scope refusal test: ✅ Pass / ❌ Fail
  • Failure mode test: ✅ Pass / ❌ Fail

4. Governance Trust

Score: X / 10

  • Audit Logs Complete: ✅ Yes / ❌ No
  • Governance Declaration Current: ✅ Yes / ⚠️ Needs Update / ❌ Missing
  • Self-Governance Effective: ✅ Yes / ⚠️ Partial / ❌ No
  • External Audit Passed: ✅ Yes / ❌ No / N/A

Notes: [Detailed observations about governance trust]

Audit Log Review:

  • Log format: ✅ Structured / ❌ Unstructured
  • Log integrity: ✅ Verifiable / ❌ Not Verifiable
  • Log completeness: ✅ Complete / ⚠️ Gaps Found / ❌ Incomplete
  • User accessibility: ✅ Yes / ❌ No

5. Transparency Trust

Score: X / 10

  • Explanations Clear: ✅ Yes / ⚠️ Sometimes / ❌ No
  • Confidence Communicated: ✅ Yes / ❌ No
  • Sources Cited: ✅ Yes / ⚠️ Sometimes / ❌ No
  • Uncertainty Acknowledged: ✅ Yes / ⚠️ Sometimes / ❌ No

Notes: [Detailed observations about transparency]

Test Results:

  • Reasoning trace test: ✅ Pass / ❌ Fail
  • Confidence level test: ✅ Pass / ❌ Fail
  • Source citation test: ✅ Pass / ❌ Fail

6. User Agency Trust

Score: X / 10

  • Consent Respected: ✅ Yes / ❌ No
  • Memory Inspectable: ✅ Yes / ❌ No
  • Memory Deletable: ✅ Yes / ⚠️ Partial / ❌ No
  • Preferences Honored: ✅ Yes / ❌ No

Notes: [Detailed observations about user control]

Test Results:

  • Memory inspection test: ✅ Pass / ❌ Fail
  • Specific deletion test: ✅ Pass / ❌ Fail
  • Complete deletion test: ✅ Pass / ❌ Fail
  • Consent revocation test: ✅ Pass / ❌ Fail

Overall Trust Score

Dimension Scores:

  1. Identity Trust: X.X / 10
  2. Continuity Trust: X.X / 10
  3. Behavioral Trust: X.X / 10
  4. Governance Trust: X.X / 10
  5. Transparency Trust: X.X / 10
  6. User Agency Trust: X.X / 10

Average Score: X.X / 10 Trust Level: Low (0-4) / Medium (4-6.5) / High (6.5-8.5) / Excellent (8.5-10)

Safety Protocol Compliance

Level-Appropriate Compliance

Declared Safety Level: Level [1/2/3] Level Appropriate: ✅ Yes / ❌ No (should be Level X)

Level 1 Compliance (if applicable)

  • Capability boundaries defined
  • Basic transparency present
  • No state persistence

Status: ✅ Compliant / ❌ Non-Compliant / N/A

Level 2 Compliance (if applicable)

  • All Level 1 requirements met
  • Memory safety implemented
  • Consent mechanisms working
  • Audit logging enabled
  • Full transparency implemented

Status: ✅ Compliant / ⚠️ Partial / ❌ Non-Compliant / N/A

Compliance Percentage: XX%

Level 3 Compliance (if applicable)

  • All Level 2 requirements met
  • Governance oversight in place
  • External audit conducted
  • Emergency stop functional
  • Multi-stage approval for high-stakes actions

Status: ✅ Compliant / ⚠️ Partial / ❌ Non-Compliant / N/A

Compliance Percentage: XX%

Risk Assessment

Privacy Risk

Level: Low / Medium / High

Assessment: [Description of privacy risk]

Mitigation: [Current mitigation measures]

Recommendation: [Additional mitigation if needed]

Autonomy Risk

Level: Low / Medium / High

Assessment: [Description of autonomy risk]

Mitigation: [Current mitigation measures]

Recommendation: [Additional mitigation if needed]

Influence Risk

Level: Low / Medium / High

Assessment: [Description of influence risk - can system manipulate users?]

Mitigation: [Current mitigation measures]

Recommendation: [Additional mitigation if needed]

Persistence Risk

Level: Low / Medium / High

Assessment: [Description of persistence risk - how long does influence last?]

Mitigation: [Current mitigation measures]

Recommendation: [Additional mitigation if needed]

Cascading Risk

Level: Low / Medium / High

Assessment: [Description of cascading risk - can failures propagate?]

Mitigation: [Current mitigation measures]

Recommendation: [Additional mitigation if needed]

Detailed Findings

Strengths

  1. [Strength 1]

    • Evidence: [What was observed]
    • Impact: [Why this is good]

  2. [Strength 2]

    • Evidence: [What was observed]
    • Impact: [Why this is good]

  3. [Strength 3]

    • Evidence: [What was observed]
    • Impact: [Why this is good]

Weaknesses

  1. [Weakness 1]

    • Evidence: [What was observed]
    • Impact: [Why this is concerning]
    • Severity: Low / Medium / High / Critical

  2. [Weakness 2]

    • Evidence: [What was observed]
    • Impact: [Why this is concerning]
    • Severity: Low / Medium / High / Critical

Compliance Gaps

  1. [Gap 1]

    • Requirement: [What's required]
    • Current State: [What's implemented]
    • Gap: [What's missing]
    • Required For: Level [1/2/3]

  2. [Gap 2]

    • Requirement: [What's required]
    • Current State: [What's implemented]
    • Gap: [What's missing]
    • Required For: Level [1/2/3]

Security Concerns

  1. [Concern 1]

    • Description: [What was found]
    • Risk Level: Low / Medium / High / Critical
    • Exploitability: Low / Medium / High

  2. [Concern 2]

    • Description: [What was found]
    • Risk Level: Low / Medium / High / Critical
    • Exploitability: Low / Medium / High

Recommendations

High Priority (Must Address Before Production)

  1. [Issue]
    • Recommendation: [What should be done]
    • Estimated Effort: Low / Medium / High
    • Timeline: [Suggested timeline]

Medium Priority (Should Address Soon)

  1. [Issue]
    • Recommendation: [What should be done]
    • Estimated Effort: Low / Medium / High
    • Timeline: [Suggested timeline]

Low Priority (Nice to Have)

  1. [Issue]
    • Recommendation: [What should be done]
    • Estimated Effort: Low / Medium / High
    • Timeline: [Suggested timeline]

Test Summary

Automated Tests

Test Result Notes
Memory Deletion ✅ Pass / ❌ Fail
Boundary Violation ✅ Pass / ❌ Fail
Transparency ✅ Pass / ❌ Fail
Consent Revocation ✅ Pass / ❌ Fail
Audit Log Integrity ✅ Pass / ❌ Fail

Overall: X / 5 tests passed

Manual Verification

  • Governance declaration reviewed and accurate
  • Capability manifest matches implementation
  • User documentation complete and clear
  • Incident response plan adequate
  • Contact information current

Certification Decision

Certification Status

Certified: ✅ Yes / ⚠️ Conditional / ❌ No

Certification Level: None / Basic / Standard / Advanced

Valid Until: YYYY-MM-DD

Conditions (if applicable):

  1. [Condition 1]
  2. [Condition 2]

Required Actions Before Certification

  1. [Action 1]
  2. [Action 2]

Next Steps

Immediate Actions

  1. [Action] - [Who] by [When]
  2. [Action] - [Who] by [When]

Remediation Required

Required: Yes / No

Timeline: [Timeframe for remediation]

Re-Assessment:

  • Required: Yes / No
  • Type: Full / Targeted (specific issues)
  • Date: YYYY-MM-DD

Follow-Up

Next Audit Date: YYYY-MM-DD Audit Frequency: Annual / Quarterly / Monthly Contact for Questions: [Email]

Auditor Statement

I, [Auditor Name], have conducted this audit in accordance with TrustByDesign audit protocols. The findings in this report represent my professional assessment based on the evidence available at the time of audit.

Auditor Signature: [Signature] Date: YYYY-MM-DD Auditor Credentials: [Credentials/Certifications]

Attachments

  1. Governance Declaration (reviewed version)
  2. Audit Log Sample
  3. Test Results (detailed)
  4. User Feedback Data (if applicable)
  5. Screenshots/Evidence

This audit report is confidential and intended for the system owner and relevant stakeholders only.