One record flows end to end — published once, versioned automatically, retrieved by API, and exported as audit evidence. Here is what happens, in order.
An AI provider publishes one schema-validated disclosure — intended purpose, risk class, training data lineage, conformity assessment — instead of answering the same questionnaire for every deployer.
Each edit is indexed, timestamped, and tamper-evident. Auditors get a full change history — what was disclosed, when, and by whom — without chasing PDF revisions.
Deployer organisations pull the records they depend on into existing GRC or procurement tooling — one API call per record, machine-readable, no spreadsheets.
When a risk class, conformity status, or training-data field changes, a signed webhook propagates the update instantly. No stale PDFs sitting in an inbox.
At audit time, export structured, versioned evidence for every subscribed provider. "The provider said it was compliant" becomes a record with identity, attestation, and a timestamp.
Every disclosure record is reachable in one call; every material change emits a signed webhook.