Audit trail requirements for quantum-derived results
The inspector general's question is always the same: prove this quantum workload ran as approved, on validated hardware, in a known calibration state — and that the results you cite are the results it produced.
Why account API logs fail
IBM Quantum, IonQ, Amazon Braket, Rigetti, and Quantinuum emit account-level API logs — authentication events, job submission timestamps, billing records. They do not produce experiment-level records you can attribute to a named individual with tamper-evident integrity over the full transpile → execute → result chain.
Minimum audit record content
- Submitter identity with cryptographic signature (AU-10 non-repudiation)
- Canonical circuit hash and source format at submission time
- Backend identity, calibration snapshot, transpile chain at execution
- Result hash bound to execution record — not a separate unattested payload
- Append-only ledger pointer — no overwrite operations (AU-9)
Open schema: audit-record-schema.json