AI Compliance Audit Trail Requirements
Every major AI compliance framework requires some form of audit trail. The specifics differ, but the core requirement is the same: you must be able to demonstrate what your AI system did, when, and why.
EU AI Act (Article 12)
Article 12 requires that high-risk AI systems "shall technically allow for the automatic recording of events (logs) over the lifetime of the system." The logs must include:
- The period of each use (start/end timestamps)
- The reference database against which input data was checked
- The input data for which the search led to a match
- The identification of natural persons involved in verification of results
For AI agents, this translates to: record every tool call with timestamp, input parameters, output, and the identity of any human reviewer involved. The records must span the system's entire operational life.
SOC 2
SOC 2 Type II audits evaluate security controls over time. Relevant trust service criteria for AI agents include:
- CC6.1: Logical and physical access controls (who accessed what)
- CC7.2: System monitoring (how you detect anomalies)
- CC8.1: Change management (how system changes are tracked)
Audit trails must demonstrate that access controls are enforced consistently, that monitoring is active and alerts are investigated, and that changes to the system are authorized and documented.
ISO 42001
ISO 42001 is the AI management system standard. It requires organizations to maintain records of AI system operation, including decision logs, performance monitoring data, and incident records.
What Your Audit Trail Needs
Across frameworks, the common requirements are:
Completeness. Every significant action must be recorded. For agents: every tool call, every policy evaluation, every approval decision, every error.
Integrity. Records must be tamper-evident. Hash-chained receipts provide this by linking each record cryptographically to the previous one. Any modification breaks the chain.
Accessibility. Records must be retrievable for audit purposes. Indexed by time, agent, user, action type. Exportable in standard formats.
Retention. Records must be kept for the required period. EU AI Act: system lifetime. SOC 2: typically one year minimum. Set your retention policy to the longest applicable requirement.
Immutability. Records should not be modifiable after creation. Use append-only storage, insert-only database permissions (no UPDATE or DELETE on the receipts table), or object storage with deletion protection.
Implementation
A practical audit trail for AI agents:
- Generate a receipt for every action (tool call, policy decision, approval)
- Hash-chain receipts for tamper evidence
- Store in append-only storage with appropriate retention
- Index for query access (by time, agent, user, action type)
- Build verification tools that walk the chain and confirm integrity
- Export capabilities for auditor review
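The hash-chained receipts described above and the verification step that walks the chain, as an added example that is not part of the original article and not Authensor's own code. Receipt field names, the SHA-256 choice and the sample actions are assumptions; the chain is kept as an in-memory list standing in for append-only storage.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first receipt (assumed convention)


def canonical(receipt: dict) -> bytes:
    # Deterministic serialisation: sorted keys, no whitespace, so the same
    # receipt always hashes to the same value regardless of dict order.
    return json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()


def append_receipt(chain, action, agent, params, output, reviewer=None, ts=None):
    """Append one receipt (tool call, policy decision, approval) to the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {
        "seq": len(chain),  # position in the chain; detects removed records
        "timestamp": ts or datetime.now(timezone.utc).isoformat(),
        "agent": agent,
        "action": action,
        "input": params,
        "output": output,
        "reviewer": reviewer,  # identity of any human reviewer involved
        "prev_hash": prev_hash,  # cryptographic link to the previous receipt
    }
    body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
    chain.append(body)
    return body


def verify_chain(chain):
    """Walk the chain; return (True, None) or (False, index of first bad receipt)."""
    prev = GENESIS
    for i, r in enumerate(chain):
        body = {k: v for k, v in r.items() if k != "hash"}
        if r["prev_hash"] != prev or body["seq"] != i:
            return False, i  # broken link or missing/reordered record
        if hashlib.sha256(canonical(body)).hexdigest() != r["hash"]:
            return False, i  # record contents modified after creation
        prev = r["hash"]
    return True, None


if __name__ == "__main__":
    # Constructed sample: one tool call, one policy decision with a reviewer.
    chain = []
    append_receipt(chain, "tool_call", "agent-1", {"query": "SELECT 1"}, {"rows": 1})
    append_receipt(chain, "policy_decision", "agent-1", {"tool": "db"}, "allow", reviewer="alice")
    print(verify_chain(chain))  # (True, None)
    chain[0]["output"] = {"rows": 999}  # simulate tampering with a stored record
    print(verify_chain(chain))  # (False, 0)
```

The chain only proves that nothing between the genesis record and the current head was altered; to detect a rewrite of the whole chain or silent removal of the newest receipts, periodically anchor the head hash somewhere the storage owner cannot change (a signed checkpoint, a separate system, or the auditor's own copy).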
Authensor generates hash-chained receipts automatically for every policy evaluation. The control plane stores receipts in PostgreSQL with configurable retention and exports receipts in standard formats for compliance reporting.
Do not wait until an audit to build this. Retroactive log generation is not possible and attempting it is a compliance violation in itself.