DEV Community

Jason Reeder

Why Compliance Automation Platforms Can't Solve the Decision Audit Problem

Posted on March 1, 2026

Twice now I've written about deterministic decision logs. Twice the response has been the same: silence, then Google ranking, then a trickle of readers.

But one question keeps surfacing—not in emails (there are still none), but in the way people find my articles.

They search for "Vanta audit trails" and find me. They search for "Drata decision logs" and find me. They search for "SOC2 automation transparency" and find me.

The market is looking for something the major platforms don't provide.

Here's why they never will—and why that gap is now a category.

The Difference Between Evidence and Decisions

Every compliance automation platform does one thing well: collect evidence.

  • Vanta connects to your AWS account and pulls configuration snapshots

  • Drata integrates with Okta and logs who has access to what

  • SecureFrame maps your policies to control frameworks

This is valuable. It replaces spreadsheets. It automates the manual work of gathering screenshots and exporting logs.

But evidence is not decisions.

Evidence tells you what existed at a point in time.

Decisions tell you what happened when a control fired.

When an automated rule blocks a privileged access request—that's a decision.

When a CI/CD pipeline approves a deployment—that's a decision.

When a monitoring tool triggers an alert—that's a decision.

None of the major platforms log these. They log the configuration before and after. They don't log the decision itself.

Why They Can't Build This

Not because it's technically difficult. Because it's architecturally outside their model.

  1. They're Built for Infrastructure, Not Logic

Vanta's integrations pull data from sources. They don't intercept decisions. They don't sit in the execution path. They're observers, not participants.

To log a decision, you have to be there when it happens. That means being called by the system making the decision—not polling after the fact.

Compliance platforms poll. Decision logging requires a hook in the execution path: the deciding system calls the logger at decision time, synchronously, so the record exists before the outcome is acted on.

  2. They're Probabilistic by Design

Many security tools use machine learning for anomaly detection. That's fine for threat hunting. It's a poor foundation for audit trails.

Auditors need reproducibility. Same input, same output, every time. A model that gets retrained, a threshold that drifts, or a scoring path that isn't pinned to a version can't guarantee that. Deterministic, versioned rules can.

The platforms are built for detection. You need a system built for verification.

  3. They Sell Features, Not Infrastructure

Vanta's roadmap is about more integrations, more frameworks, more automation of evidence collection. They're adding "Policy Builder" and "vendor risk management".

Notice what's missing: decision audit trails.

Not because they're not valuable. Because they're not features. They're a different layer entirely.

What a Decision Log Actually Looks Like

Here's a real example from our API:

Input:

```json
{
  "scenario_summary": "Privileged access change",
  "observed_signals": ["admin added to production IAM role"],
  "known_context": ["approved change ticket INC-2026-0123"]
}
```

Output (simplified):

```json
{
  "decision_posture": "proceed",
  "confidence": 68,
  "compliance_references": [
    "SOC2 CC6.1 - Logical Access Security",
    "SOC2 CC7.1 - Change Management"
  ],
  "decision_rationale": "The change is supported by both observed signals and documented approval. CC6.1 requires access controls; CC7.1 requires change management. Proceed with standard monitoring."
}
```

This is not evidence. This is proof.

  • Proof that the decision followed policy

  • Proof that specific SOC2 controls were satisfied

  • Proof that the same input would produce the same output tomorrow, provided the record pins the version of the rules that produced it

No compliance platform produces this. None ever will.

The Gap That Became a Category

When I started building this, I assumed someone else had already done it. Vanta has 350+ integrations. Drata has hundreds of employees. Surely they'd thought of this.

They hadn't. Not because they're incompetent. Because they're solving a different problem.

They solve evidence collection.

We solve decision transparency.

Both are necessary. Neither replaces the other.

What Auditors Actually Want

I've never met an auditor who complained about too little evidence. They're drowning in it.

What they can't find is proof of consistency.

  • Did this automated control make the same decision last month?

  • Can you show me the logic that led to this outcome?

  • If I run the same inputs tomorrow, will I get the same result?

Evidence doesn't answer these questions. Decision logs do.
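What answering those three questions mechanically looks like, as an added example that is not the Decision Security Layer API and not the author's rules: a pure, versioned rule function is called by the deciding system at decision time (the hook in the execution path from the "Infrastructure, Not Logic" section), every call appends a hash-chained entry that stores the verbatim input, the rule version and the output, and a verifier replays each entry and checks the chain. The rule logic, the field names, the pinned `RULESET_VERSION` and the second test input are my assumptions. The example cites CC8.1 for change management because that is where the AICPA Trust Services Criteria place it; CC7.1 covers detection and monitoring of configuration changes and vulnerabilities, so the CC7.1 reference in the sample output above is worth double-checking.

```python
import hashlib
import json

# Assumption (not stated in the post): the rule set is versioned and pinned, so a
# replay can say exactly which logic produced a decision instead of silently
# re-evaluating it with whatever rules happen to be current.
RULESET_VERSION = "privileged-access-rules@1.0.0"
GENESIS = "0" * 64

# The input from the post above, reused as the first test case.
POST_INPUT = {
    "scenario_summary": "Privileged access change",
    "observed_signals": ["admin added to production IAM role"],
    "known_context": ["approved change ticket INC-2026-0123"],
}


def canonical(obj) -> bytes:
    """Canonical JSON (sorted keys, fixed separators): equal inputs hash equal
    regardless of key order or whitespace in the caller's serialisation."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()


def decide(decision_input: dict) -> dict:
    """Illustrative rules (mine, not the author's). A pure function of its
    argument: no clock, no randomness, no network, so a replay is exact."""
    signals = [s.lower() for s in decision_input.get("observed_signals", [])]
    context = [c.lower() for c in decision_input.get("known_context", [])]
    privileged = any("production" in s and "role" in s for s in signals)
    approved = any(c.startswith("approved change ticket") for c in context)
    refs = ["SOC2 CC6.1 - Logical and Physical Access Controls"]
    if not privileged:
        return {"decision_posture": "proceed", "compliance_references": refs,
                "decision_rationale": "No privileged change observed; standard monitoring."}
    refs.append("SOC2 CC8.1 - Change Management")
    if approved:
        return {"decision_posture": "proceed", "compliance_references": refs,
                "decision_rationale": "Privileged change backed by an approved ticket."}
    return {"decision_posture": "block", "compliance_references": refs,
            "decision_rationale": "Privileged change with no approved ticket in context."}


def record_decision(log: list, decision_input: dict) -> dict:
    """Called by the deciding system at decision time (the hook in the execution
    path), not by a poller afterwards. Appends a hash-chained log entry."""
    output = decide(decision_input)
    entry = {
        "seq": len(log),
        "ruleset_version": RULESET_VERSION,
        "input": decision_input,            # stored verbatim so it can be replayed
        "input_hash": digest(decision_input),
        "output": output,
        "output_hash": digest(output),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = digest(entry)     # hashed before entry_hash is added
    log.append(entry)
    return entry


def verify_log(log: list) -> list:
    """The auditor's three questions, answered mechanically. Returns a list of
    problems; empty means every entry is intact, correctly chained, and
    replays to the recorded output under the recorded rule version."""
    problems = []
    prev = GENESIS
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if digest(body) != e["entry_hash"]:
            problems.append(f"seq {e['seq']}: entry hash mismatch (record altered)")
        if e["prev_hash"] != prev:
            problems.append(f"seq {e['seq']}: chain broken (entry inserted or removed)")
        if e["ruleset_version"] != RULESET_VERSION:
            problems.append(f"seq {e['seq']}: decided under {e['ruleset_version']}, "
                            "which is not loaded; cannot replay")
        elif digest(decide(e["input"])) != e["output_hash"]:
            problems.append(f"seq {e['seq']}: replay differs from recorded output")
        prev = e["entry_hash"]
    return problems


if __name__ == "__main__":
    log = []
    record_decision(log, POST_INPUT)
    record_decision(log, {**POST_INPUT, "known_context": []})   # constructed: no ticket
    for e in log:
        print(e["seq"], e["output"]["decision_posture"], e["entry_hash"][:12])
    print("verify:", verify_log(log) or "ok")
    log[1]["output"]["decision_posture"] = "proceed"            # an after-the-fact edit
    print("verify after tamper:", verify_log(log))
```

Two design points matter more than the code. The input is hashed in canonical form, so the same request serialised with a different key order yields the same `input_hash` and the same decision, which is what "same input, same output" has to mean in practice. And `verify_log` refuses to replay an entry whose rule version is not the one loaded: replaying last month's decision with this month's rules would answer the auditor's question with the wrong logic and call it consistency.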

The Market Is Waking Up

The search data tells the story. People aren't searching for "better evidence collection."

They're searching for:

  • "automated decision audit trails"

  • "SOC2 decision logging"

  • "Vanta decision transparency"

  • "Drata control verification"

They have the platforms. They have the evidence. What they don't have is trust that their automated decisions are consistent and auditable.

That's the gap. That's the category. That's what we built.

What's Next

The API is live. Free tier: 100 decisions/month. Docs at the link below.

If you're using Vanta, Drata, or SecureFrame and wondering why your automated decisions don't leave audit trails—now you know.

It's not a feature they forgot. It's a layer they don't have.

Founder & CEO, Decision Security Layer

decseclayer@gmail.com

API Docs

Tags: SOC2, compliance, Vanta, Drata, deterministic, auditing
