The Core Distinction
Reconstruction
Method
Infer from historical artifacts
Dependence
Requires interpretation
Over time
Degrades as systems evolve
Context
Assumes continuity of system state
Output
Historical approximation
Reproduction
Method
Mechanically reproduce from original inputs
Dependence
Deterministic
Over time
Identical regardless of elapsed time
Context
Frozen authority conditions
Output
Computational fact
The Illusion of Auditability
Most organizations believe they can reconstruct operational decisions because they retain logs.
This belief is understandable. Audit logs record events. They capture timestamps, actors, actions, and outcomes. They create a historical sequence that investigators can examine after the fact. For compliance, incident response, and forensic analysis, logs are indispensable.
But retaining a record of what happened is structurally different from being able to reproduce why a decision was authorized.
Logs depend on the systems that produced them. Those systems change. Workflows evolve. Policy versions rotate. Model providers update. Infrastructure configurations shift. The operational context that existed at the moment of a decision may no longer exist when someone attempts to reconstruct it.
Reconstruction from logs is an act of interpretation — assembling fragments of historical state to infer what likely occurred. It is inherently approximate, inherently dependent on assumptions about the state of systems that may have changed since the event.
This is not a failure of logging. It is a structural limitation of reconstruction as an approach to proof.
Reconstruction vs. Reproduction
The distinction is precise.
Reconstruction infers what happened from historical artifacts. It depends on interpretation, assumes continuity of context, and produces historical approximation. The further in time from the original event, the more assumptions are required. If the underlying systems have changed, reconstruction becomes progressively less reliable. Policies evolve. Models update. Workflows restructure.
Reproduction mechanically produces the identical outcome from the original inputs and conditions. It does not depend on interpretation. It does not assume anything about current system state. The original operational evidence and the original authorization conditions are preserved, and the evaluation is re-executed against them. The result is identical. Not similar. Not approximately equivalent. Computationally identical.
| Reconstruction | Reproduction | |
|---|---|---|
| Method | Infer from historical artifacts | Mechanically reproduce from original inputs |
| Dependence | Requires interpretation | Deterministic |
| Reliability over time | Degrades as systems evolve | Identical regardless of elapsed time |
| Context requirement | Assumes continuity of system state | Frozen authority conditions |
| Output | Historical approximation | Computational fact |
This is not a theoretical distinction. It determines whether an organization can prove that an authorization was valid — or merely argue that it probably was.
Provenance Dependency
The reliability of any post-hoc analysis depends on the integrity of the chain between the original event and the current reconstruction attempt.
In practice, that chain is fragile.
Evidence mutation. The operational data that informed the original decision may have been modified, archived, or deleted. Database migrations, retention policies, and system upgrades routinely alter historical data.
Dependency drift. The systems that produced the original evidence may have changed. API contracts evolve. Service boundaries shift. Data formats transform. The evidence that exists today may not be the evidence that existed at the moment of authorization.
Version discontinuity. The policies, models, and governance rules that governed the original decision may have been superseded. If the current policy version differs from the version active at the time of the decision, reconstruction using current rules produces a different outcome than the original — and there may be no reliable way to recover the original version.
Runtime evolution. The execution environment itself changes. Infrastructure updates, configuration changes, and operational modifications alter the conditions under which the original evaluation occurred.
Each of these dependencies introduces uncertainty into the reconstruction. Individually, each may seem manageable. Collectively, they compound. The further back in time the event occurred, the more dependencies have changed, and the less reliable reconstruction becomes.
Why Replay Changes the Nature of Proof
A replayable authorization is not a historical narrative. It is a reproducible computational fact.
The original operational evidence is preserved. The specific assertions that were evaluated remain intact. The original authorization conditions are preserved. The governing boundary remains intact. The evaluation is mechanically re-executed against those preserved inputs. The result is identical.
Same evidence. Same boundary. Same result.
This is not a stronger form of logging. It is a structurally different approach to proof. Logging records what happened and relies on reconstruction to interpret it later. Replay preserves the complete evaluation and reproduces it identically, independent of how the surrounding systems have evolved.
The distinction matters most precisely when proof is hardest. Time has passed. Systems have changed. The operational context of the original decision no longer exists. Reconstruction degrades as surrounding systems evolve. Replay remains stable because it does not depend on current system state.
Why This Matters Operationally
Consider four scenarios where proof of authorization is required.
Healthcare review. A clinical recommendation was authorized eighteen months ago. The EHR has been upgraded. The clinical decision support model has been replaced. The policy governing imaging authorization has been revised twice. A reviewer must determine whether the original authorization was valid under the conditions that existed at the time. Reconstruction requires recovering the original policy version, the original model output, and the original evidence state. Replay reproduces the evaluation from preserved inputs.
Financial authorization dispute. A high-value payment was authorized during a period that is now under regulatory review. The authorization rules have since been tightened. The question is not whether the payment would be authorized today, it would not, but whether it was authorized under the rules that existed at the time. Reconstruction requires recovering the historical ruleset. Replay evaluates against the preserved boundary.
Cybersecurity containment. An automated containment action was triggered during an incident. Post-incident review must determine whether the containment was authorized — not just whether it was triggered. The SOAR playbook has been updated. The detection rules have been modified. Reconstruction infers authorization from the historical event sequence. Replay reproduces the authorization evaluation.
Infrastructure outage. An automated infrastructure modification was authorized during a scaling event. The modification contributed to a cascading failure. Post-incident analysis must determine whether the modification was properly authorized — not just whether it was executed. The scaling policies have been revised. The operational thresholds have changed. Reconstruction approximates. Replay reproduces.
In each case, the question is the same: was the authorization valid at the time it was produced?
Logging preserves history. Replay preserves provability.