The open decision-record standard
A TDR (Transformation Decision Record) records the organisational judgement that authorised an action: who decided, under what authority, within which limits, accepting which risks, and what evidence must prove the decision remained valid in operation. The format is open. The questions below are the ones we are asked most.
Adjacent records prove adjacent things. None of them proves judgement.
Proves permission was given. It does not record why the organisation believed the action it permits was legitimate.
Prove who or what is acting. A verified actor with a credential is a who, not a may.
Proves what happened. It cannot say why the organisation chose that mandate, threshold or escalation path.
Proves why the organisation believed the action was legitimate, bounded and evidenced, and who accepted the risk.
Consent proves permission. Identity proves the actor. A runtime log proves what happened. A decision record proves why the organisation believed the action was legitimate. You need all four, and they must join.
Is this not just an audit log with extra steps? No. An audit log is assembled by the system after the event and proves execution. A decision record is made by accountable humans before and during the event, and proves judgement: the options considered, what each foreclosed, the limits set, the risks accepted, and the evidence the decision demands of the systems that execute it. Runtime logs become evidence attached to the decision record. They do not replace it.
How is this different from consent and identity standards? They are the substrate, and we build on them, not against them. Consent and claims infrastructure proves what was permitted; identity and federation prove who is acting. The decision record binds that substrate to organisational judgement: which named human delegated the authority, for what purpose, within what limits, revocable how.
Does this slow delivery down? The judgement already happens; it is currently captured in slides and meeting minutes that decay. Recording it as a structured decision at the moment it is made costs minutes. Reconstructing it eighteen months later for a regulator, an auditor or an incident review costs weeks, and sometimes it simply cannot be done.
"Did the agent stay inside its mandate?" stops being one hard question and becomes three checkable ones, run against the same records.
Is this agent authorised at all? Under which mandate, granted by whom, for what purpose, within which limits, until when?
Is each action still inside those limits? Amounts, counterparties, frequency, hours, delegation depth: checked per action, not per quarter.
Did reality match what was authorised? Did the evidence the decision demanded actually get produced, and does any divergence trace back to the decision that owns it?
The connective tissue is an append-only history of decisions and actions: every action carries the mandate that legitimised it, so the after-the-fact question becomes a lookup, not an investigation. None of this works while the mandate lives in plain English. The mandate must be data; the plain-English judgement lives in the decision record that authorised it, and the two are linked.
Proving the design is possible now. Proving the trustworthiness of an implementation is continuous work in production: complete telemetry, deterministic enforcement, resilience, security and scale. Separating those two problems is the point.
The standard is open: the format is given away so the discipline can spread; the value is in the connected memory an institution builds with it.