On a gray Tuesday morning, the audit seemed routine. A stack of binders sat on the table, the compliance officer was confident, and the regulator’s tone was cordial. Then came the question that changed everything.
“Can you prove that unauthorized access never occurred?”
The compliance officer smiled, gestured toward the screen, and ran a log search. Nothing appeared. “See? No anomalies.”
The regulator didn’t smile. “Absence of logs isn’t proof of absence.”
The silence that followed wasn’t just uncomfortable. It was existential. In that moment, the organization realized that years of expensive compliance programs had built them dashboards, reports, and controls — but not actual proof. They could demonstrate what happened. They could not prove what didn’t.
This is evidentiary debt: the hidden liability that accumulates when organizations cannot demonstrate, with certainty, that negative events never occurred. Like financial debt, it compounds silently until regulators, litigators, or markets call it in. Three very different sectors have already learned the hard way that evidentiary debt is real.
Erica Curry’s column on “decision debt” published last month rightly highlighted how unresolved choices corrode compliance programs. Evidentiary debt is, arguably, a parallel crisis that deserves equal attention.
Evidentiary debt accumulates when organizations cannot produce reliable proof of what did not happen. Dashboards and closure rates may look polished, but when regulators or courts ask, “Can you demonstrate that a trade never occurred, or that data never crossed a boundary?” the answer is often little more than an assertion. Logs can be incomplete, deletions ambiguous, and attestations self-serving.
About the Author
Charles Thomas, retired military officer and independent researcher, is the author of “The Blind Spot: Home to the Pattern that Shapes Organizations.” His current work focuses on dealing with “evidentiary debt,” the gap between regulatory expectations and what organizations can actually prove.
History offers sobering lessons
The pattern repeats across industries. Merrill Lynch paid millions in fines not for proven wash trades but for surveillance blind spots that made proving their absence impossible. Healthcare organizations face HIPAA breach notifications whenever maintenance windows create logging gaps — uncertainty itself becomes liability. Microsoft acknowledges that certain cloud services escape EU boundaries, leaving customers unable to prove their data residency promises.
In each case, organizations made assertions about what didn’t happen that they couldn’t substantiate. That gap between claim and proof is evidentiary debt. These aren’t isolated incidents; they’re symptoms of a systemic blind spot boards must address.
Speaking the board’s language
When you bring this problem to the boardroom, don’t lead with control frameworks or audit logs. Lead with money and reputation. Those are the currencies boards understand.
Boards will ask: “We spend $20 million a year on compliance — why can’t we prove compliance?” The answer is uncomfortable: most compliance investments track activity, not inactivity. Logs report what happened. They can’t show what never happened.
Regulators are evolving: from controls to proofs
The compliance profession has long been conditioned to “show the controls.” Did you have a policy? A log? A dashboard? That era is ending. Regulators are moving from policy inspection to proof inspection, increasingly demanding evidence that controls were effective and that certain risks did not materialize.
- The EU’s General Data Protection Regulation (GDPR) presumes breach unless firms can demonstrate low risk — often requiring proof that certain data was not compromised
- Food and Drug Administration (FDA) guidance on Artificial Intelligence (AI) in drug research emphasizes bias testing and credible evidence that models are not skewed.
- EU AI Act requires high-risk systems to use high-quality data and prove that protected variables do not introduce bias.
These shifts signal a future where regulators demand proofs of absence, not just controls of presence. While explicit requirements for proofs of absence aren’t yet codified, regulators are asking increasingly uncomfortable questions. “Show us your controls” is becoming “prove your controls worked.”
“We investigated and found nothing,” is facing skepticism.
Every transaction, every data transfer, every algorithmic decision where you cannot definitively prove what didn’t happen represents a potential liability. When something goes wrong—a breach, a discrimination claim, a trading scandal—the inability to prove negatives can transform a manageable incident into catastrophic liability.
Proactive organizations can prepare. Those who wait will face the same silence that fell across that audit table.
The lawyers will decide if some preemptive disclosure acknowledging the evidentiary gaps is the right move before the regulator points them out. The admission may sting, but it builds credibility. At the very least, be prepared to say, “We’ve mapped our blind spots and are working to close them,” rather than to be caught off guard when the question arises.
Monday Morning Questions
How do you start the conversation in practical terms? Ask some questions.
- To your CISO: “How would we prove no data left our jurisdiction last year?”
- To your Legal team: “What evidence would we need to defend against a claim that unauthorized access occurred?”
- To your CFO: “How much are we spending on insurance for risks we can’t actually disprove?”
- To your CCO: “When regulators ask for proof of non-occurrence, what’s our answer?”
- To your CEO: “Are we pricing compliance risk based on what we can prove, or what we claim?”
These are the questions that generate discussion and open the ledger for viewing. The longer they remain unanswered, the more evidentiary debt accrues.
Time for a Task Force?
Smart organizations won’t wait for regulatory mandates. They’ll convene cross-functional task forces now. It wouldn’t be a technology project, but rather a strategic initiative with board visibility.
The task force needs cross-enterprise expertise:
- Compliance – to map regulatory requirements and identify where “proof of absence” expectations are emerging
- Legal – to assess exposure and define what evidence will stand up in court
- Technology – to develop and/or evaluate proof mechanisms
- Finance – to quantify the financial risk and build ROI models for remediation
- Internal Audit – to test if current controls actually produce defensible proof
The committee’s first mandate is to inventory evidentiary debt across the enterprise. Subsequent mandates will be to pilot proof mechanisms in high-risk areas and ultimately build the business case for systematic deployment.
The Heat Map Approach
A heat map makes evidentiary debt visual and visceral. Showing where the organization claims negatives it cannot prove transforms risk into boardroom urgency.
Consider how fictional Acme Bank approached this challenge. Their task force spent three months cataloging every negative assertion the bank made—to regulators, customers, and markets. They classified evidence quality using traffic-light simplicity:
- Green: Mathematical proof exists
- Yellow: Strong circumstantial evidence with minor gaps
- Red: Pure attestation without supporting evidence
Their map bled red. Anti-money laundering controls? Yellow, mostly. Data residency promises? Deep red. Proof that algorithms weren’t discriminating? Red across entire business lines.
But heat maps alone don’t move boards to action. The task force translated evidentiary gaps into financial terms and presented two scenarios to their board:
Status quo (Procedural trust):
- Compliance spend: $20 million/year
- Insurance premiums: $15 million/year
- Average legal costs: $8 million/year
- Incident exposure: Unlimited and unknowable
With proof infrastructure (Verifiable evidence):
- Compliance spend: $26 million/year (+30% for proof systems)
- Insurance premiums: $9 million/year (-40% with demonstrable controls)
- Legal costs: $3.2 million/year (-60% through faster resolution)
- Incident exposure: Bounded and insurable
The numbers told the tale: $6 million in additional compliance investment could save $9.8 million annually, while transforming unlimited exposure into manageable risk. Furthermore, it would enable Acme Bank to win the security-conscious enterprise clients who increasingly demand verifiable compliance.
Acme Bank didn’t attempt enterprise-wide transformation overnight. Their task force recommended three pilot programs in high-risk, high-value areas. Each pilot would test different proof mechanisms, measure cost-effectiveness, and build organizational capability. Only after proving the concept would they scale across the enterprise.
A potential ‘first mover’ advantage
History suggests the rewards favor first movers. When the Sarbanes-Oxley Act (SOX) emerged in 2002, companies that built robust controls early became acquisition platforms. When GDPR arrived, organizations with mature privacy programs won enterprise contracts while others scrambled.
Evidentiary debt will follow the same pattern. Organizations that build proof infrastructures now will:
- Shape regulatory standards
- Negotiate better insurance terms and credit terms
- Win contracts requiring demonstrated compliance
- Acquire competitors drowning in red-coded risk
Emerging technologies: Necessary but Insufficient
Courts have already adapted to novel digital proof — from electronic signatures to blockchain records. Organizations are investing in tamper-evident logging and immutable ledgers, making their records harder to dispute. These advances are valuable for proving what happened. It’s like upgrading from a handwritten diary to a tamper-proof diary — more credible, but still only recording what was written, not what wasn’t.
And they don’t solve the harder problem: proving what didn’t. Even perfect, cryptographically secured logs remain silent on non-events.
The next evolution requires systems that generate provable evidence of absence — showing that certain states never existed, paths were never accessible, or data was irreversibly destroyed. Until then, organizations are building stronger records of presence while evidentiary debt for absence continues to mount — a liability regulators and litigators are beginning to notice.
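The limitation described above can at least be narrowed in practice. The following Python sketch is an added example, not code from the article or its author: it pairs a hash-chained audit log with periodic heartbeat records, so that before the system answers “did X never happen in this window?” it first verifies the chain (catching altered or deleted records) and confirms that logging was continuously running (catching the maintenance-window gaps mentioned earlier). Only when both hold does it return “absent”; otherwise it returns “unknown” rather than a bare assertion. The record format, the 60-second heartbeat interval, the sample events and the simulated maintenance window are all constructed assumptions for this illustration.

```python
"""Added illustration: a hash-chained audit log with heartbeat-based coverage
checks, so an absence question gets 'absent', 'present' or 'unknown'.

Assumed record format (constructed for this example): sequence number,
integer timestamp in seconds, kind, detail, hash of the previous record.
The collector is assumed to write a HEARTBEAT record at least every
HEARTBEAT_INTERVAL seconds, which is what lets silence be distinguished
from a logging outage.
"""
import hashlib
import json

HEARTBEAT_INTERVAL = 60  # seconds; assumed collector setting
GENESIS = "0" * 64        # previous-hash value for the first record


def record_hash(prev_hash, seq, ts, kind, detail):
    payload = json.dumps([prev_hash, seq, ts, kind, detail], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(log, ts, kind, detail=""):
    """Append a record linked to the previous one by sequence number and hash."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = log[-1]["seq"] + 1 if log else 0
    rec = {"seq": seq, "ts": ts, "kind": kind, "detail": detail, "prev": prev}
    rec["hash"] = record_hash(prev, seq, ts, kind, detail)
    log.append(rec)
    return rec


def verify_chain(log):
    """Return None if the chain is intact, else a string naming the first defect."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:  # a deleted record shows up as a sequence gap
            return f"sequence gap: expected seq {i}, found {rec['seq']}"
        if rec["prev"] != prev:
            return f"broken link at seq {rec['seq']}"
        if rec["hash"] != record_hash(prev, rec["seq"], rec["ts"], rec["kind"], rec["detail"]):
            return f"tampered record at seq {rec['seq']}"
        prev = rec["hash"]
    return None


def coverage_gaps(log, start, end):
    """Stretches inside [start, end] longer than HEARTBEAT_INTERVAL with no record at all."""
    gaps = []
    last = start
    for rec in log:
        if rec["ts"] < start:
            continue
        if rec["ts"] > end:
            break
        if rec["ts"] - last > HEARTBEAT_INTERVAL:
            gaps.append((last, rec["ts"]))
        last = rec["ts"]
    if end - last > HEARTBEAT_INTERVAL:
        gaps.append((last, end))
    return gaps


def prove_absence(log, kind, start, end):
    """Answer 'did no record of `kind` occur in [start, end]?' as (verdict, reason)."""
    defect = verify_chain(log)
    if defect:
        return ("unknown", defect)
    gaps = coverage_gaps(log, start, end)
    if gaps:
        return ("unknown", f"logging coverage gaps: {gaps}")
    hits = [r for r in log if r["kind"] == kind and start <= r["ts"] <= end]
    if hits:
        return ("present", f"{len(hits)} matching record(s), first at seq {hits[0]['seq']}")
    return ("absent", "chain intact, coverage continuous, no matching record")


def build_sample_log(events, maintenance=None):
    """Constructed sample: heartbeats every 60 s from t=0 to t=600 plus the given
    (ts, kind, detail) events; a maintenance window (start, end) suppresses all
    records inside it, simulating a collector outage."""
    log = []
    ticks = [(t, "HEARTBEAT", "") for t in range(0, 601, HEARTBEAT_INTERVAL)]
    for ts, kind, detail in sorted(ticks + events):
        if maintenance and maintenance[0] <= ts < maintenance[1]:
            continue
        append(log, ts, kind, detail)
    return log


def demo():
    """Run the four scenarios and return their verdicts keyed by name."""
    healthy = build_sample_log([(125, "login", "alice")])
    outage = build_sample_log([], maintenance=(300, 480))
    deleted = build_sample_log([(125, "login", "alice")])
    del deleted[3]  # someone removes the login record
    altered = build_sample_log([(125, "login", "alice")])
    altered[3]["detail"] = "mallory"  # someone edits it in place
    return {
        "healthy_absent": prove_absence(healthy, "data_export", 0, 600),
        "healthy_present": prove_absence(healthy, "login", 0, 600),
        "outage": prove_absence(outage, "data_export", 0, 600),
        "deleted": prove_absence(deleted, "data_export", 0, 600),
        "altered": prove_absence(altered, "data_export", 0, 600),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The point of the design is in the verdicts: the same “no matching record” query yields “absent” on the healthy log but “unknown” on the log with a 240-second silence, on the log with a deleted record, and on the log with an altered one. That “unknown” is the honest form of the evidentiary gap; mapping it onto the heat map turns a red attestation into a measurable item with a known cause.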
Evidentiary debt already exists on your balance sheet—undenominated but real. Organizations that map it, measure it, and address it will shape the standards others must follow. Those waiting for mandates will pay far more, in money and reputation.
When the regulator asks, “Can you prove it never happened?” the answer cannot be silence.