Requirements and constraints- Functional: capture complete provenance for every automated loan denial: input features, model version + weights hash, preprocessing, feature transformations, decision path (scores, rule hits, SHAP/Counterfactuals), business rules, timestamp, tenant/user IDs, decision owner, downstream actions.- Non‑functional: tamper-evident, queryable for audits, low latency for decisioning, GDPR/right-to-be-forgotten compliance, retention/archival policies, role-based access.High-level architectureDecisioning Service -> Provenance Recorder -> Provenance Store (hot) + Immutable Audit Ledger -> Archive (cold) -> Auditor/UI/Report API- Decisioning Service: orchestrates preprocessing, model inference, and postprocessing. Emits structured provenance events synchronously (for immediate audit) and asynchronously (batch).- Provenance Recorder: lightweight library/microservice that collects event envelope, signs it (HMAC or asymmetric), and writes to hot store and append-only ledger (blockchain-like or cloud object + manifest).- Provenance Store (hot): searchable DB (e.g., document DB like PostgreSQL JSONB or Elasticsearch) for quick queries and UI.- Immutable Audit Ledger: append-only blob store with Merkle-tree manifests (e.g., S3 with object versioning + manifest files; or permissioned ledger like Hyperledger) for tamper-evidence.- Archive: cold storage (S3 Glacier) with index pointers in store.- Access / Governance: IAM, attribute-based access control, audit logs, encryption at rest/in transit.Provenance event schema (example JSON stored in JSONB column)json
{
"decision_id":"uuid",
"applicant_id":"hashed_id",
"timestamp":"2025-01-15T12:34:56Z",
"trigger":"auto_pipeline_v3",
"inputs": {"raw":{"income":"...","ssn_masked":"..."},"ingestion_id":"..."},
"preprocessing": [{"step":"impute_age","params":{...},"code_hash":"sha256:..."}],
"features": {"dti":0.45,"credit_score":620},
"model": {"name":"creditModel","version":"1.4.2","weights_hash":"sha256:...","container_image":"repo/credit:1.4.2"},
"inference": {"score":0.23,"threshold":0.5,"explanation":{"shap":[...],"top_features":[{"f":"dti","v":0.12}]},
"rules": [{"id":"R-12","matched":true,"reason":"recent delinquency"}],
"decision":"deny",
"actor":"automated",
"signed_by":"provenance-service",
"signature":"base64..."
}
Storage schema ideas- PostgreSQL JSONB table decisions_provenance(id UUID PK, decision_time timestamptz, applicant_id_hash text, model_name text, model_version text, decision text, metadata jsonb, ledger_pointer text);- Elasticsearch index for fast filtering by applicant, decision, time, features used.- S3 bucket for full immutable event blobs and model artifacts; manifest files with Merkle root stored in ledger DB.- Ledger: append-only table ledger_entries(seq BIGSERIAL, decision_id UUID, s3_path text, merkle_hash text, signed_by text, timestamp).Retention, archival, and deletion policy- Hot-store retention: keep full provenance in DB + ES for 2 years (configurable per regulation).- Immutable ledger: keep manifests and object versions for legal minimum (e.g., 7 years) in immutable storage (WORM/Compliance mode). Use object versioning and retention locks.- Cold archive: move raw blobs >90 days to Glacier-equivalent; keep index pointers in DB.- Deletion/GDPR: to honor erasure, store only hashed PII in provenance; raw PII kept only in encrypted vault with stricter retention and separate audit. Erasure request triggers: remove PII from hot DB (redact) and write an append-only redaction entry to ledger (retaining evidence of deletion while not revealing PII).- Versioned retention per jurisdiction/tenant: per-tenant policy metadata to implement different retention durations.Explainability and surfacing- Synchronous UI returns human-readable denial rationale: top 3 contributing features, score, which rule triggered, references to model version and policy document links.- Deep audit UI: full provenance JSON, SHAP distributions, counterfactual suggestions (what minimal changes would flip decision), ability to replay decision by loading stored model artifact (weights hash) into sandboxed environment.- API for auditors: /audit/decision/{id} returns signed provenance blob plus ledger proof (Merkle path). Provide downloadable zip with model, preprocessing code hash, and explanation artifacts.- Alerting: detect drift or repeated similar denials and surface to compliance team.Security and integrity- Sign all provenance events (service keys rotated) and store signatures in ledger.- Encrypt PII; store applicant IDs as salted hashes in searchable indexes.- Role-based access and fine-grained logging for any access to provenance data.- Regular integrity checks: recompute Merkle roots and validate ledger signatures; scheduled attestations.Operational considerations and trade-offs- Latency: synchronous writes add latency—use fast writes to hot DB + async append to ledger; but ensure synchronous signing for legal proof.- Storage cost vs query performance: keep denormalized indexes for common queries, archive raw blobs.- Reproducibility: store model artifact, dependencies (container image), and preprocessing code hashes to enable exact replay.- Testing: add end-to-end tests that validate provenance completeness and replayability.This design provides tamper-evident, auditable provenance, human-facing explanations for customers, and full forensic artifacts for regulators while balancing latency and storage costs.