
Every compliance team has encountered the same problem. An analyst produces a research memo using an AI tool. The memo looks thorough. It has headers, sections, and confident assertions. Then someone asks: where did this come from? The analyst opens the tool and finds nothing. No sources. No timestamps. No record of what the model saw or ignored. The memo is polished and unverifiable in equal measure.
This is not a failure of the analyst. It is a structural feature of most AI research tools. They are optimized to produce output that reads well, not output that holds up to scrutiny.
The question regulators actually ask
Regulated industries (financial services, healthcare, legal, government contracting) do not ask whether an AI tool is accurate. Accuracy is table stakes and cannot be confirmed without a paper trail anyway. The questions they ask are different:
- Can you show me the sources this conclusion rests on?
- Can you prove the document was not changed after the research was done?
- Can I replicate this methodology independently?
Generic AI chat tools answer none of these questions. They produce text. The text may be correct. It may be useful. But it is epistemically inert: it cannot prove anything about itself.
"The compliance question is not 'is this right?' It is 'can we stand behind this if someone challenges it?'" says Holly Corbett, Chief Strategy Officer at Bricolage AI. "Those are different standards, and most AI tools only address the first one."
Why provenance is a technical problem, not a process problem
The instinct in many organizations is to add process around AI tools: require analysts to manually log their sources, add a citation review step, have a senior person sign off. This works until volume scales. It also introduces a new risk: the provenance record was created after the fact, which means it can be altered after the fact.
Audit-ready research requires provenance captured during the work, not reconstructed afterward. The record needs to be tamper-evident.
"We built Bricolage around a simple constraint: if you can't prove where something came from, it doesn't count," says Chris Connors, Chief Technology Officer at Bricolage AI. "Every claim in a Bricolage output is traced to the source document or URL it came from. Every run is sealed with a cryptographically signed audit receipt. Change a single entry and the signature breaks. That's not a feature, it's the foundation of the whole system."
The cryptographic approach (a Merkle root over the full activity log, signed with an Ed25519 key) means any third party can verify the output independently, against a public key they control. No trust in Bricolage required.
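The construction described above, as an added Go example that is not Bricolage's code or receipt format. SHA-256, the 0x00/0x01 leaf and node prefixes, the handling of an unpaired hash, and the names `merkleRoot`, `sealLog` and `verifyLog` are assumptions; the log entries are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// merkleRoot: leaf = H(0x00||entry), node = H(0x01||left||right); layout is assumed.
func merkleRoot(entries []string) [32]byte {
	if len(entries) == 0 {
		return sha256.Sum256(nil)
	}
	level := make([][32]byte, len(entries))
	for i, e := range entries {
		level[i] = sha256.Sum256(append([]byte{0x00}, e...))
	}
	for len(level) > 1 {
		var next [][32]byte
		for i := 0; i+1 < len(level); i += 2 {
			node := append(append([]byte{0x01}, level[i][:]...), level[i+1][:]...)
			next = append(next, sha256.Sum256(node))
		}
		if len(level)%2 == 1 { // an unpaired hash moves up a level unchanged
			next = append(next, level[len(level)-1])
		}
		level = next
	}
	return level[0]
}

// sealLog signs the Merkle root; the signature stands in for the audit receipt.
func sealLog(priv ed25519.PrivateKey, entries []string) []byte {
	root := merkleRoot(entries)
	return ed25519.Sign(priv, root[:])
}

// verifyLog recomputes the root from the presented log; needs only the public key.
func verifyLog(pub ed25519.PublicKey, entries []string, receipt []byte) bool {
	root := merkleRoot(entries)
	return ed25519.Verify(pub, root[:], receipt)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	log := []string{"fetch https://example.com/a", "cite https://example.com/a#p3"} // constructed
	receipt := sealLog(priv, log)
	fmt.Println(verifyLog(pub, log, receipt), verifyLog(pub, log[:1], receipt))
}
```

Verification only proves the log matches what the key holder signed, so the verifier has to obtain the public key through a channel the log's author cannot rewrite.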
Three things that separate audit-ready AI research from the alternative
1. Inline citations, not appended references. A citation at the bottom of a document does not prove a specific sentence came from that source. Inline citations, where every claim is traceable to the exact passage, do. This is the standard peer review uses and the standard any serious audit should require.
2. A tamper-evident run record. The sources used, the methodology applied, the timestamps: all of it needs to be captured during the research, not reconstructed afterward. A cryptographic seal over the activity log makes the record tamper-evident: if anything changes, the signature no longer verifies.
3. Third-party verifiability. The gold standard is a verification process your auditors or clients can run themselves, against a key they control. This removes the need to trust the vendor's word about what happened.
The cost of getting this wrong
The compliance cost of an unverifiable AI research output is not always immediate. Often it surfaces later, in a client challenge, a regulatory inquiry, or a replication request. By then, the original run is gone, the model version has changed, and the analyst who ran it has moved on.
"We see this pattern consistently," says Holly Corbett. "Organizations adopt AI tools to move faster, and they do move faster, until they need to defend the work. Then the speed advantage disappears in a compliance remediation effort that costs more than the time saved."
The alternative is research that is built to be questioned from the start. That means capturing provenance as the work happens, not scrambling to reconstruct it when someone asks.
What this looks like in practice
A Bricolage research run produces three things alongside the deliverable: a full provenance log of every source examined, a citation layer where every claim in the output is linked to the source it came from, and a signed audit receipt that seals the whole record.
The deliverable can be handed to a client, a board, or a regulator. The audit receipt can be verified by anyone with the public key. The methodology can be replicated by anyone with access to the same sources.
That is the standard audit-ready research has always required. Bricolage is the first AI system designed to meet it at scale.
Bricolage AI delivers autonomous research with cryptographically verifiable audit trails. Learn more at bricolageai.com.
