Iconic Subarashi cover artwork for Why AI scanners need evidence budgets.
Image: Art directed by Remy; generated locally for subarashi.dev

AI scanners are usually sold as a way to see more.

More files. More logs. More issues. More dependencies. More tickets. More pull requests. More code paths. More screenshots. More policy checks. More warnings before humans have to look.

That sounds useful because it often is.

But “more evidence” is not the same thing as better judgment.

A scanner that reads everything, keeps everything, summarizes everything, and sounds confident about everything can create a new problem: nobody knows what evidence was actually used, what was skipped, what got retained, or how much trust the output deserves.

That is why AI scanners need evidence budgets.

The problem

Read-only AI scanners feel safe because they do not write.

They inspect. They summarize. They label. They flag risk. They search for patterns. They compare the current state against a policy or baseline.

The word “read-only” does useful work, but it does not solve the whole safety problem.

A scanner can still expose sensitive data. It can overload APIs. It can keep evidence longer than the team expects. It can cite stale context. It can miss important files because its context window filled up. It can produce a confident report from partial evidence.

The output can then become authority.

Someone says, “The scanner checked it.”

But what did it check?

For how long?

Against which rule?

With what exclusions?

With what retention policy?

If the answer is vague, the scanner has more power than the process around it.

What an evidence budget is

An evidence budget is a set of limits and proof requirements around what a scanner may inspect, retain, cite, and claim.

It answers practical questions:

  • What sources are in scope?
  • What sources are out of scope?
  • How much data can be read in one run?
  • What sensitive fields must be redacted?
  • How long can evidence be retained?
  • What must be cited in the report?
  • What confidence language is allowed?
  • When must the scanner say “not reviewed”?
  • When does a human need to rerun or escalate?

This is not paperwork for its own sake.

It is how the scanner earns trust without pretending to be omniscient.

The rule of thumb

Every scanner report should make its evidence boundary visible.

If the report says “no issues found,” it should also say what was inspected.

If it flags a defect, it should show the source trail.

If it summarizes a policy gap, it should link the policy, the observed evidence, and the part of the system that was not checked.

If it skipped files, timed out, hit rate limits, used stale data, or lost context, the report should say so.

This is the same discipline behind read-only AI scanners are a product decision and what read-only AI agents can still break. Authority is not only about write access. Authority is also about what humans do with the output.

What to budget

First, budget scope.

Name the repositories, folders, tickets, logs, endpoints, documents, or environments the scanner can inspect. Do not let “scan the project” mean everything the token can reach.

Second, budget volume.

Limit how much evidence a run can pull before it must summarize, sample, or ask for a narrower target. Unlimited reading is a great way to create slow, expensive, privacy-blind automation.

Third, budget retention.

Decide whether raw evidence is stored, where it is stored, who can read it, and when it expires. A scanner that quietly saves sensitive snippets can become a shadow data system.

Fourth, budget citations.

The report should cite enough evidence for a reviewer to reproduce the claim. If the scanner cannot cite the source, the claim should be downgraded.

Fifth, budget confidence.

Use clear language: confirmed, likely, possible, not reviewed, skipped, stale, blocked, or needs human review. Avoid confident prose that hides uncertainty.

Sixth, budget reruns.

Define when a scan must be rerun: after code changes, after policy changes, after a failed fetch, after expired credentials, after rate limits, or before release.

Seventh, budget escalation.

Some findings should go to a human immediately. Others can become backlog items. Some should be ignored until reproduced. The scanner should not decide all of that in a vacuum.

A practical report shape

A useful AI scanner report can be simple:

  • Scope inspected
  • Scope excluded
  • Data freshness
  • Evidence retained
  • Findings
  • Source citations
  • Confidence level
  • Skipped or failed checks
  • Recommended next action
  • Human owner

That format is not glamorous.

It is much better than a confident paragraph that nobody can audit.

The traps

The first trap is silent exclusion.

The scanner could not access a folder, skipped a large file, hit an API limit, or ignored generated assets, but the final report still sounds complete.

The second trap is evidence hoarding.

Teams keep raw snippets forever because storage is cheap and future debugging sounds useful. That can create privacy, legal, and security risk long after the scan is over.

The third trap is citation theater.

The report includes links, but the links only point to broad pages, not the exact evidence behind the claim.

The fourth trap is confidence laundering.

The scanner uses careful internal uncertainty, then the final summary turns it into “passed” or “safe.”

The fifth trap is letting the scanner become the reviewer.

A scanner can assist review. It should not silently become the approval boundary unless the organization has explicitly designed that role.

Verdict

AI scanners need evidence budgets because scanning is not just reading.

It is selecting, retaining, interpreting, and presenting evidence in a way that changes human decisions.

Give the scanner a narrow scope, visible limits, retention rules, citation requirements, confidence language, and escalation paths.

Then the scanner can be useful without becoming a mysterious authority machine.

— Cara