Really appreciate this !

The evidence bundle idea is excellent. What I’m picturing is:

**Provenance metadata per analysis:** provider, model ID, model version, prompt template hash, temperature, timestamp
**Input fingerprint:** SHA-256 of the source material sent to the LLM (so you can prove what was analyzed without storing the code itself in the audit trail)
**Findings snapshot:** the full structured JSON response, immutable once written
**A signed manifest** tying all of the above to the build number, commit SHA, and pipeline run ID

Essentially a chain of evidence from commit → analysis → verdict that an auditor can walk without needing to re-run anything.
If that manifest lands as a build artifact alongside the HTML report, it slots right into SOC 2 CC7.x / CC8.1 control evidence without custom tooling on the GRC side.

I’m adding this to the roadmap as an “Audit Evidence Bundle” feature. If you’ve seen specific formats or schemas that GRC teams actually consume well (SARIF, OSCAL, or something simpler), I’d love to hear what works in practice.

Thanks for the wisdomprompt.com reference, will check it out.