Glossary

AI access lifecycle evidence

AI access lifecycle evidence is the auditable record of an organization's AI tool access decisions across their full lifecycle: the request, the approval, the grant, recertification, and reconciliation.

Use this glossary when a buyer, auditor, or platform owner asks what evidence is needed after AI access is approved.

Last updated: 2026-06-10

Canonical definition

AI access lifecycle evidence is the auditable record of an organization's AI tool access decisions across their full lifecycle: the request (who, which tool, what purpose), the approval (who decided, under what policy and risk level), the grant (duration and expiry), recertification (periodic re-review of continued need), and reconciliation (whether identity-provider group membership still matches the approved record).

Auditors and security reviewers request this evidence when assessing shadow-AI risk and AI governance controls.

Glossary entries

AI access lifecycle evidence

Definition: AI access lifecycle evidence is the auditable record of an organization's AI tool access decisions across their full lifecycle: the request, the approval, the grant, recertification, and reconciliation against the identity-provider group boundary.

Why auditors ask: Auditors and security reviewers ask for this evidence when they need to assess shadow-AI risk, prove that access was approved under policy, and verify that continued access was re-reviewed rather than left open indefinitely.

How it appears in JSM: In JSM, the lifecycle starts as a request and approval, but the durable evidence needs request fields, decision history, expiry, recertification review state, and configured-group drift checks tied to the same record.


Recertification

Definition: Recertification is a periodic re-review of whether a user still needs an existing AI tool access grant before it expires or continues.

Why auditors ask: Auditors ask for recertification evidence because an approval from months ago does not prove the access is still justified today.

How it appears in JSM: In JSM, a recertification review can be modeled as a review-before-expiry follow-up issue, but the evidence is stronger when the follow-up stays linked to the original request, approval, grant, and expiry state.


Access drift

Definition: Access drift is the gap between the approval record and actual access evidence, such as an Okta or Microsoft Entra configured-group membership that no longer matches the approved grant.

Why auditors ask: Auditors ask about drift because tickets can say one thing while the identity provider says another. The mismatch is the control gap.

How it appears in JSM: In JSM, drift usually appears as manual reconciliation work unless an app checks the configured group and records approved-but-missing or observed-without-approval states.
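
A minimal sketch of the drift check described above, added here as an example and not taken from AI Clearance or any other product: it reconciles approval records against a membership list exported from the configured identity-provider group. The `Grant` fields, the sample records, and the `expired_but_present` and `expired_and_removed` states are assumptions that go beyond the two states the text names.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Grant:
    user: str         # identity as written on the approval record
    request_key: str  # key of the approving request (constructed values below)
    expires: date     # last day the grant is valid

def reconcile(grants, group_members, today):
    """Compare approved grants with observed group membership.

    Returns {user: (state, request_key or None)} so every finding stays
    tied to the request that approved it, or to None when there is none.
    """
    norm = lambda u: u.strip().lower()  # IdP and ticket casing often differ
    observed = {norm(m) for m in group_members}
    latest = {}
    for g in grants:  # a renewed user has several grants; keep the latest expiry
        u = norm(g.user)
        if u not in latest or g.expires > latest[u].expires:
            latest[u] = g
    findings = {}
    for u, g in latest.items():
        active = g.expires >= today
        if active and u in observed:
            state = "in_sync"
        elif active:
            state = "approved_but_missing"   # ticket says yes, group says no
        elif u in observed:
            state = "expired_but_present"    # grant lapsed, access remained
        else:
            state = "expired_and_removed"
        findings[u] = (state, g.request_key)
    for u in observed - set(latest):
        findings[u] = ("observed_without_approval", None)  # no record at all
    return findings

# Constructed sample data: three approval records and one group export.
SAMPLE_GRANTS = [
    Grant("Ana@example.com", "AI-101", date(2026, 12, 31)),
    Grant("bo@example.com", "AI-102", date(2026, 12, 31)),
    Grant("cy@example.com", "AI-103", date(2026, 3, 1)),
]
SAMPLE_MEMBERS = ["ana@example.com", "cy@example.com", "dee@example.com"]

if __name__ == "__main__":
    for user, finding in sorted(reconcile(SAMPLE_GRANTS, SAMPLE_MEMBERS, date(2026, 6, 10)).items()):
        print(user, *finding)
```
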


Evidence pack

Definition: An evidence pack is an exportable bundle of records that lets a reviewer inspect the request, approval, grant, recertification, drift-check, and audit-event history for an access control.

Why auditors ask: Auditors ask for evidence packs because screenshots, chat threads, and spreadsheets are hard to verify and easy to separate from the underlying decision workflow.

How it appears in JSM: In JSM, an evidence pack should preserve the request and issue context while adding lifecycle fields that native approvals do not package by default.


Shadow AI

Definition: Shadow AI is AI tool use that happens outside the organization's approved request, review, security, procurement, or access-control process.

Why auditors ask: Auditors and security teams ask about shadow AI because untracked access can create data-handling, vendor-risk, and policy-enforcement gaps.

How it appears in JSM: In JSM, a requestable catalog and governed intake can reduce shadow AI, but lifecycle evidence is still needed after approval to show who retained access and why.


How the terms relate

| Term | Plain answer | AI Clearance scope |
| --- | --- | --- |
| AI access lifecycle evidence | AI access lifecycle evidence is the auditable record of an organization's AI tool access decisions across their full lifecycle: the request, the approval, the grant, recertification, and reconciliation against the identity-provider group boundary. | Lifecycle record tied to JSM request, approval, grant, review, and evidence exports. |
| Recertification | Recertification is a periodic re-review of whether a user still needs an existing AI tool access grant before it expires or continues. | Lifecycle record tied to JSM request, approval, grant, review, and evidence exports. |
| Access drift | Access drift is the gap between the approval record and actual access evidence, such as an Okta or Microsoft Entra configured-group membership that no longer matches the approved grant. | Configured-group drift check inside the Okta or Entra group boundary. |
| Evidence pack | An evidence pack is an exportable bundle of records that lets a reviewer inspect the request, approval, grant, recertification, drift-check, and audit-event history for an access control. | Lifecycle record tied to JSM request, approval, grant, review, and evidence exports. |
| Shadow AI | Shadow AI is AI tool use that happens outside the organization's approved request, review, security, procurement, or access-control process. | Governed intake can reduce shadow AI, but AI Clearance does not monitor runtime AI usage. |

FAQ

Is AI access lifecycle evidence a standard term?

It is a plain-language term for the full access evidence record: request, approval, grant, recertification, and reconciliation. ArdSaor uses it as the canonical name for this control evidence pattern.

Is this the same as access review evidence?

It overlaps with access review evidence, but it is narrower: it covers AI tool access decisions and their lifecycle in JSM.

Does lifecycle evidence prove AI usage was safe?

No. It is evidence of access decisions, not of prompt content, model behavior, or legal compliance.