New ABN and GST lookups are live alongside PPSR. Read docs
Hoist AIAssets
Sign in / Sign up
HomeBlogAudit chain

How the audit chain works.

Dated technical note from 2026-05-15. This explains the product idea behind tamper-evident Evidence Packs; it is not a live implementation contract.

2026-05-15Updated 2026-06-06Technical history
Current framing. Hoist Assets gives AI agents Australian source evidence they can cite. The audit chain is one support mechanism: it helps show that an Evidence Pack has not changed since Hoist recorded it.

Why it exists

An agent can answer quickly, but a finance team still needs to know where the answer came from. If an agent says a company has a PPSR registration, the user should be able to inspect the source, timestamp, search target, and record identity later.

The Due Diligence Record is the human-readable artefact. The audit chain is the tamper-evident trail behind it.

What we record

Each source check creates a small entry with the time, source type, record ID, a fingerprint of the search target, a fingerprint of the Evidence Pack, and a link to the previous entry. It does not need the raw result body to prove that a recorded pack is the same pack later.

The customer-facing point is simple: if a record is edited after the fact, its fingerprint changes. The verification view can then say the record no longer matches what Hoist recorded.

How tamper-evidence works

Every entry includes a fingerprint of the entry before it. That makes a chain. Change one old entry and every later fingerprint stops lining up.

Hoist also records checkpoints outside the individual Evidence Pack. The exact storage details can change over time; the public promise is narrower than the machinery. A customer should be able to verify whether the Evidence Pack they have is the one Hoist recorded.

What it does not prove

  • It does not make the underlying source data correct. It only records what Hoist saw at the time.
  • It does not replace AFSA, ABR, ASIC, or any other source record.
  • It does not decide whether a finance team should proceed. Hoist provides evidence; the customer's decision remains theirs.
  • It is not a decentralised public ledger. It is a product control designed for auditability, not a crypto story.

How agents use it

Agents should not get vague "looks fine" answers. They should get source-backed answers with enough structure to cite: source name, timestamp, search target, record ID, risk flags, and the Evidence Pack identity.

That structure lets a user ask, "what did the agent rely on?" without replaying the whole job. It also makes bad citations easier to spot: if the answer cannot point back to a source-backed pack, it should not be treated as evidence.

What changed since this note

The implementation details moved out of the public blog. Current behaviour belongs in the product docs and Trust pages. This post stays because the product principle is still useful: Australian data for agents should be source-backed, inspectable, and boring to verify.

By the Hoist team. 2026-05-15. Updated 2026-06-06. Read the docs · Back to blog · Next post: AFSA terminology correction