Regulated AI fails its first audit at the retrieval layer — not the model.
A working argument for designing the audit trail before the prompt.
Most regulated-AI projects budget their risk in the wrong place. The model gets the scrutiny — which vendor, which eval, which guardrail — while the part that actually fails the audit ships as an afterthought: how a given output can be reconstructed, six months later, from the inputs that produced it. In regulated workloads that reconstruction is not a nice-to-have. It is the deliverable.
Audits fail at three seams, and they are always the same three. Prompt provenance: which exact prompt, template version, and system context produced this output? Retrieval lineage: which documents were retrieved, at which versions, and why those and not others? Output attestation: can you prove the answer was derived from the retrieved evidence rather than the model's parametric memory? A stack that can't answer all three under examination is not "mostly compliant". It is undocumented.
A better model closes none of those seams. A larger context window makes provenance harder, not easier, because more of the input becomes implicit. An agent with more autonomy makes lineage harder, because the path from question to answer stops being inspectable. The capabilities the field optimizes for — bigger context, more autonomy, more fluency — trade directly against auditability. Which means audit-trail design can't be retrofitted onto a system optimized for the opposite. It has to be a constraint from the first diagram.
The shape that survives an audit is a three-plane topology. A data plane carries the primary flow — ingest, retrieve, infer. A control plane holds orchestration, agent state, and configuration as first-class, versioned objects. A compliance plane runs alongside as a sidecar. An append-only ledger taps the other two planes and records signed, hash-chained events; it never sits inline in the data path. The compliance plane is the only one whose output the auditor reads. Designing it last means designing the system to lie to itself about what happened.
Concretely: a tax-compliance agent that prepares regulated filings runs as a typed-tool loop bounded at a fixed turn ceiling, not an open-ended chain — because an unbounded agent has no audit ceiling. Retrieval is scoped per filing period and the router rejects cross-period hits, because lineage that can pull from anywhere can't be reconstructed. Every emitted number is forced to cite and is re-validated against its source span before it lands, because output attestation is cheaper to enforce at write time than to prove after the fact. The result over eighteen months in production: zero hallucinated numerical fields. Not because the model is incapable of hallucinating — because the architecture never trusts it to.
The discipline transfers. LGPD, BCB 4.893, and the EU AI Act Art. 12 logging mandate all ask the same question in different words: show me how this decision was made, and prove the record wasn't edited after. The systems that answer cleanly are the ones where someone drew the compliance plane before they wrote the first prompt.
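The append-only ledger of signed, hash-chained events described for the compliance plane, and the "prove the record wasn't edited after" question above, as an added sketch (not code from any system this article describes). All names, the event fields and the sample values are constructed; HMAC-SHA256 stands in for the signature, where a production ledger would normally sign with an asymmetric key held outside the data and control planes.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "prev" value of the first entry
FIELDS = ("seq", "kind", "payload", "prev")

def canonical(body):
    # Canonical JSON so an event always serializes to the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

class Ledger:
    """Append-only event log; each entry commits to its predecessor's hash."""
    def __init__(self, key):
        self._key = key
        self.entries = []
    def append(self, kind, payload):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "kind": kind, "payload": payload, "prev": prev}
        raw = canonical(body)
        body["hash"] = hashlib.sha256(raw).hexdigest()
        body["sig"] = hmac.new(self._key, raw, hashlib.sha256).hexdigest()  # HMAC as stand-in signature
        self.entries.append(body)
        return body["hash"]  # head hash, to be anchored outside the ledger

def verify(entries, key, expected_head=None):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        raw = canonical({k: e[k] for k in FIELDS})
        sig = hmac.new(key, raw, hashlib.sha256).hexdigest()
        if (e["seq"] != i or e["prev"] != prev
                or e["hash"] != hashlib.sha256(raw).hexdigest()
                or not hmac.compare_digest(e["sig"], sig)):
            return i
        prev = e["hash"]
    # Dropping tail entries leaves a valid chain; only an external head catches it.
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return -1

def sample_ledger(key):
    # Constructed events covering the three seams for one emitted field.
    led = Ledger(key)
    led.append("prompt", {"template": "filing-prep", "version": "v7"})
    led.append("retrieval", {"period": "2024-Q1", "doc": "ledger-export", "doc_version": 3})
    head = led.append("output", {"field": "tax_due", "value": "1842.10",
                                 "source": {"doc": "ledger-export", "span": [120, 127]}})
    return led, head
```

An edited or removed entry is reported at its index; a truncated tail is only detectable when the head hash was recorded somewhere the ledger's writer cannot reach.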