The defense attorney will ask. Can you answer?
"Understand this, I mean to arrive at the truth. The truth, however ugly in itself, is always curious and beautiful to seekers after it." — Agatha Christie, The Murder of Roger Ackroyd (Hercule Poirot)
AI-generated reports are now mandatory disclosure. The audit trail that proves compliance is not optional — it is the difference between admissible and inadmissible.
California Penal Code (PC) Section 13663, effective January 1, 2026, requires law enforcement agencies to disclose when AI was used to generate or assist in generating police reports — and to maintain provenance records that document what the system did. Most agencies have a disclosure policy. Almost none have the infrastructure to support it. These are not the same thing.
1. The Compliance Gap
Having a policy is not the same as having evidence.
California PC 13663, effective January 1, 2026, makes AI-assisted police reports a disclosure and provenance problem. Agencies must be prepared to disclose AI use and support that disclosure with records that explain what the system did, how it was used, and who reviewed the result.
Most agencies implemented disclosure policies in advance of the compliance date. Fewer implemented the logging and provenance infrastructure those policies depend on. The gap between the two is where liability accumulates.
When a defense attorney requests the AI audit trail during discovery, a policy document is not a response. The record either exists or it does not.
2. The Regulatory Landscape
No federal standard exists. The most detailed operational requirements are already in effect at the state level.
California SB 524 (PC 13663), signed in October 2025 and effective January 1, 2026, established the most operationally detailed requirements for AI-assisted police reports enacted by any jurisdiction to date. Every AI-assisted report must carry per-page disclosure identifying the specific AI program used. Officers must sign certifying they reviewed the content and attest that the facts are accurate. All AI-generated drafts must be retained for as long as the final report exists. The AI system must maintain an audit trail recording who used the tool, what video or audio footage was used in generation, and who made edits.
No comparable federal operational framework currently exists for AI-assisted police reports. Current federal policy preserves state authority to regulate government use of AI, including law enforcement. California is therefore not waiting for a federal standard before requiring agencies to establish the records needed to support AI-assisted policing.
For agencies in any jurisdiction, the underlying operational question does not change with the regulatory landscape. The question is whether the records exist to reconstruct what the AI did and who reviewed it. A disclosure requirement does not create those records. Only the infrastructure that captures and retains them does.
3. The Chain of Custody Problem
The same standard that applies to physical evidence applies to AI-generated reports.
Chain of custody is a legal concept, not a technology one. For physical evidence, it answers: who had this, when, and what was done to it. For AI-generated reports, it answers: which model produced this, under what configuration, with what inputs, at what time, and who authorized it for submission.
If any link in that chain is missing, the chain does not hold. A report that cannot be reconstructed is a report that can be contested — in suppression hearings, in trials, and on appeal.
The technical infrastructure to establish that chain has to be built before the report is generated. It cannot be reconstructed after the fact.
4. The Courtroom Test
Discovery does not care when you built the infrastructure. It cares whether it exists.
In criminal proceedings, discovery requests for AI-generated reports are no longer hypothetical. Defense attorneys are requesting model versions, prompt logs, configuration snapshots, and reviewer records. Courts are beginning to evaluate what disclosure actually requires.
The agencies that will be in the most defensible position are those with immutable, timestamped records for every AI-assisted report — not because they anticipated litigation, but because they built the infrastructure to support the workflow correctly from the start.
The question in the courtroom will not be whether you followed your policy. It will be whether you can prove what the system did.
The governing doctrine changes. The assurance architecture does not.
Offshore engineering decisions made under DNV-RP-C205 and law enforcement decisions made under California Penal Code § 13663 operate in different domains under different governing frameworks. The assurance requirement is the same class of problem: consequential decisions must be reconstructable, the evidence supporting them must be qualified, and the decision record must withstand independent scrutiny. Nautilus builds this infrastructure for offshore engineering. The same assurance architecture applies here.
5. What Nautilus Provides
The provenance infrastructure layer. Not a checkbox.
Nautilus is not a reporting tool. It is the infrastructure layer beneath the workflow — the system that captures, versions, and retains the artifacts that make each AI-assisted report auditable:
- Model version and configuration at time of generation
- Input data and parameters used
- Timestamped generation and review records
- Reviewer identity and authorization chain
- Immutable audit trail from generation to submission
When the record is requested, it exists. When the trail is questioned, it can be reconstructed. When the decision is reviewed, the evidence is there.
6. Why "Compliance Checkbox" Is Not Enough
PC 13663 requires disclosure. A court requires defensibility. These are different bars.
A disclosure policy satisfies the statute. It does not satisfy the evidentiary standard.
Telling a court that your agency disclosed AI use in the report is the beginning of the inquiry, not the end of it. The follow-on questions — what model, what version, what configuration, what review process — require a record that exists before those questions are asked.
Agencies that treat PC 13663 compliance as a documentation exercise have solved the wrong problem. Compliance is not the outcome. Defensibility is.
7. Why Chiefs and Sheriffs Cannot Operate Without This
Once you understand the exposure, you cannot unsee it.
One contested AI-generated report. One suppression motion granted. One verdict overturned on appeal because the AI audit trail could not be produced in discovery.
The liability does not fall on the vendor. It falls on the agency that deployed the tool and the commander who authorized the workflow. When the record does not exist, the command decision that allowed the gap is the one under review.
Every chief and sheriff who has seen this question framed correctly has had the same response: we need the infrastructure, not the policy.
AI-generated police reports are already in courts. The question is not whether your agency uses AI — it is whether you can reconstruct, under oath, exactly what the system did, what inputs it received, and who reviewed it before submission. Agencies that cannot answer that question are carrying liability they have not yet accounted for. California has established the most operationally detailed provenance requirements for AI-assisted police reports enacted to date. Other jurisdictions are watching.
Bring us one operational workflow whose decisions matter. We'll identify where decision admissibility is lost.
Request an assurance review →