the visibility gapAI didn't just write more code. It erased the trail behind it.
When a developer typed a line, there was a commit, an author, a reviewer, a reason. Vibe coding dissolves that. A prompt produces a feature, you tweak it, an agent merges it, and three weeks later nobody can reconstruct who asked for it, what it was supposed to do, or whether anyone actually checked it. Enterprises now keep legal ownership of code they cannot explain — they own the system but can't demonstrate how responsibility was exercised. That's not a maintenance problem. It's a verifiability problem, and it's the part of vibe coding that turns into a liability the moment a regulator, an auditor or an incident review walks in.
- Prompts aren't logged, iterations aren't captured, merges happen with little visibility into origin.
- AI-generated code enters production faster than any team can govern it.
- 'We own it' is not the same as 'we can show how it got here.'
what an audit trail must holdProvenance, rationale, verification, approval — for every change.
A real audit trail for AI-built software isn't a log of model calls. It has to answer four questions for any change that reached production: what intent triggered it, what the agent actually did, what was checked before it landed, and who let it through. Most setups capture none of these — the code is the only artifact, and the code can't tell you why it exists. The Digital Native Method exists to put that record back. A Product Owner describes the intent on the live product, a Tech Lead encodes the rules once, agents implement inside that structure, and deterministic gates verify everything before it merges. The trail isn't bolted on afterward — it's how the work happens.
- Intent: the described outcome that started the change, attached to it.
- Action: the agent's diff, scoped to one task in an isolated branch.
- Verification: lint, types, tests and security gates — green, or it doesn't land.
- Approval: the Tech Lead's review, recorded before anything reaches prod.
where the record livesYour GitHub is the system of record — not a black box we hold.
Agentation never becomes the place your history lives. Every task an agent does is a branch, a commit with a conventional message, and a pull request in your own GitHub organisation. The intent that triggered it, the gate results, and the review all surface on that PR. That means your audit trail is exactly the trail your engineers, your security team and your auditors already trust — git history, blame, PR reviews, branch protection — not a proprietary dashboard you'd have to export under subpoena. If you leave Agentation tomorrow, the entire record stays, because it was never anywhere else.
- One task → one branch → one commit → one reviewable PR, every time.
- Conventional commits (feat/fix/scope) make history self-describing and greppable.
- Gate results and the originating intent live on the PR, next to the diff.
- Standard git blame answers 'who, what, why, when' for any line AI wrote.
the gates that make it defensibleA trail of unchecked changes isn't governance. The gates are.
Logging that something happened is worthless if nothing stopped the bad thing from happening. That's why the trail and the gates are the same structure. Before any change merges, deterministic checks run with zero AI judgment involved — lint, type-check, tests, secrets scan, lock-file drift. The Tech Lead encodes your architecture, conventions and company rules once, and every agent boots inside them; it cannot ship outside them. So the audit trail doesn't just say 'a change occurred' — it says 'this change passed your standards, here are the receipts.' That's the difference between a record you can defend in front of the EU AI Act or a SOC 2 auditor and a log that only proves you didn't look.
- Deterministic gates (lint, types, tests, security) run before review — no tokens, no opinion.
- Encoded rules mean agents can't merge outside your standards by design.
- The PR shows the proof, not just the change — auditable after the fact.
cocoricoSovereign on the tools, even when the models aren't ours.
Agentation is built by a French team. We're honest about it: nobody in Europe is sovereign on the frontier models yet — Claude and GPT are American. But the model is only the engine. With just a model you don't get much: no record, no gates, no GitHub flow, no governance. The orchestration around it — the tool that turns a raw model into traceable, verified, auditable software — is where sovereignty is actually winnable, and that's the part we own. Your code stays in your GitHub, the platform runs on EU infrastructure (Hetzner, Germany), data sits in the EU (Supabase), and the whole thing is built to be RGPD-compliant. We never see your code; we give you the trail that proves you don't have to take that on faith.
- Audit trail lives in your GitHub org, on your existing AI plan — we never read the code.
- Platform hosted in the EU (Hetzner, Germany); data in the EU (Supabase); RGPD by design.
- Sovereignty on the orchestration layer — the part that actually makes models useful.
FAQWhat is an AI coding audit trail?
It's a complete, reconstructable record of every change AI made to your software: the intent that triggered it, what the agent did, what automated checks ran before it merged, and who approved it. A useful trail answers 'how did this code get here?' for any line in production — not just 'a model was called at some timestamp.'
Doesn't git already give me an audit trail?
Git records commits, but vibe coding bypasses the discipline that made git auditable — prompts aren't logged, AI changes get merged with no recorded intent or review, and authorship blurs. Agentation restores that discipline: every agent task becomes one scoped branch, one conventional commit and one reviewed PR in your own GitHub, with the originating intent and gate results attached. So git becomes a real audit trail again, not a pile of opaque merges.
How does this help with the EU AI Act, SOC 2 or internal audits?
Defensibility needs two things: proof a change happened, and proof it was controlled. Agentation gives both. Deterministic gates (lint, types, tests, secrets) run before any merge, the Tech Lead's encoded rules mean agents can't ship outside your standards, and every approval is recorded on the PR. Auditors get receipts — passed checks and reviews next to the diff — rather than a log that only shows nobody looked.
Where is the audit trail stored — do you keep our history?
No. The record lives in your own GitHub organisation: branches, commits, PRs, reviews and blame. Agentation orchestrates the work but is never the system of record. If you left tomorrow, the entire trail stays with you because it was never anywhere else. The platform runs on EU infrastructure (Hetzner in Germany), data sits in the EU (Supabase), and we never see your code.
Is a French tool really 'sovereign' if it uses Claude or GPT?
We're upfront: Europe isn't sovereign on the frontier models, and we don't pretend to be. But a raw model produces nothing auditable on its own — the orchestration around it (the GitHub flow, the gates, the trail, the governance) is where the real leverage and the real sovereignty live. That layer is French-built, EU-hosted and RGPD-compliant, and it's the part that actually turns a model into software you can trust.