Explainable. Auditable. Accountable.

Share
Explainable. Auditable. Accountable.

Explainable. Auditable. Accountable. They're not the same thing.

Most people use them interchangeably. That's the problem.

I've had this conversation with a lot of organisations lately. They show me their AI system. They point to the dashboard that explains why the model made a decision. They say: we're covered.

They're not covered. They're one-third covered.

Here's the distinction I keep having to make.

Explainable is a property of the model. It can show its working. Here's the feature weighting. Here's why this output and not another. It's built into the system at the point of design. Most modern AI vendors offer this. Some do it well. It matters.

But explainability is about a single moment. It tells you what the system did. It doesn't tell you whether the system behaved consistently over time, whether the boundaries held, whether the exceptions were handled properly.

Auditable is different. It's about evidence. A documented record — test results, validation logs, change history, exception reports — that can be independently reviewed by someone who wasn't involved in building the thing. It proves the system did what it claimed to do, not just once, but across conditions, across time, across edge cases.

Explainable systems are built. Auditable systems are governed. That's the gap most organisations aren't bridging.

And then there's the third one. The one that actually scares people.

Accountable means a named person owns the outcome. Not the algorithm. Not the vendor. Not "the team." A specific human being who, if the system causes harm, stands in front of a regulator and answers for it. Under SMCR in the UK, this isn't hypothetical — it's the direction of travel, and it's coming faster than most organisations have prepared for.

The DPO analogy is useful here. Before GDPR, data protection was everyone's vague responsibility. After GDPR, it belonged to a named individual with defined duties and real exposure. AI governance is on the same trajectory. The custodian role doesn't exist yet, formally. But it will.

The gap between explainable and auditable is where regulatory exposure lives right now. Most organisations haven't crossed it. The gap between auditable and accountable is where the next wave of liability will emerge.

Three words. Three very different things. Worth knowing which one you actually have.