15 Research Lab -Adversarial Safety Evaluation of Frontier AI Systems

John Kearney

MCP Server Audit Logging: Receipt Chains and Compliance

February 1, 202615 Research Lab

mcp-safetycompliancetools

Every tool call an AI agent makes should produce an audit record. For MCP deployments, this means logging the full lifecycle of each interaction: what tool was called, with what parameters, by which agent and user, what was returned, and what happened next.

What to Log

Each audit record should capture:

Timestamp in UTC with millisecond precision
Agent identity which agent initiated the call
User identity on whose behalf the agent is acting
Tool name and server the specific tool and MCP server involved
Parameters the full parameter payload sent to the tool
Policy evaluation result whether the call was allowed, denied, or sent for approval
Approval decision if human review was triggered, who approved/denied and when
Tool response what the server returned
Outcome what the agent did with the response

Receipt Chains

A receipt chain links audit records cryptographically. Each receipt includes the SHA-256 hash of the previous receipt, creating an append-only chain where tampering with any record invalidates all subsequent records.

Receipt N:
  action: "call tool search_files"
  params: { pattern: "*.csv" }
  decision: "allow"
  prev_hash: "a4f2c8..." (hash of Receipt N-1)
  hash: "7b3d1e..." (hash of this receipt)

If anyone modifies Receipt N, its hash changes, and Receipt N+1's prev_hash no longer matches. The chain breaks at the point of tampering.

This is not blockchain. It is a simple hash chain that provides tamper evidence without consensus mechanisms, mining, or distributed ledgers. It runs in a single process with microsecond overhead.

Authensor generates receipt chains automatically for every action that passes through its policy engine.

Compliance Applications

EU AI Act Article 12 requires logging for high-risk AI systems. Hash-chained receipts meet the record-keeping requirements with a verifiable integrity guarantee.

SOC 2 audit requirements include evidence of access controls and change management. Receipt chains provide cryptographic proof that the audit trail has not been modified.

Internal governance benefits from receipts during incident investigation. When an agent does something unexpected, you can trace the exact sequence of tool calls, policy decisions, and approval outcomes.

Storage and Retention

Store receipts in an append-only data store. PostgreSQL with write-only permissions works. Object storage (S3, GCS) with versioning enabled works. The key property is that records cannot be modified or deleted by the application.

Retention periods depend on your compliance requirements. EU AI Act suggests keeping records for the lifetime of the system. SOC 2 typically requires one year minimum. Set your retention policy before going to production.

Querying Receipts

Receipt chains are optimized for integrity verification, not querying. Build indexes alongside the chain for operational queries: by agent, by user, by tool, by time range, by decision outcome. The chain provides integrity. The indexes provide usability.