Compliance Guide

AI Audit Trails

Implementing compliant logging for AI systems.


Audit trails are essential for AI compliance, incident investigation, and demonstrating due diligence to regulators.

What to Log

  • Timestamp: When the interaction occurred
  • Identity: User, session, or API key
  • Model: Which model and version
  • Input/Output: The prompt and response content, or secure hashes of them where the data is sensitive
  • Classifications: Risk scores and detection results
  • Actions: Any guardrail triggers or blocks

Retention Requirements

  • HIPAA: 6 years minimum
  • Finance: 5-7 years typically
  • SOC2: 1 year minimum
  • GDPR: As long as necessary, with deletion rights

Immutability

Audit logs must be tamper-proof:

  • Append-only storage
  • Cryptographic hashing
  • Access controls
  • Regular integrity verification
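The following is an added example (not code from the original guide or from any vendor it describes) covering both the "What to Log" fields and the immutability properties above: an append-only, hash-chained audit log. Each record carries the listed fields, stores keyed hashes of the prompt and response instead of the raw text, and commits to the hash of the previous record, so editing, deleting or reordering any entry is detected by the integrity check. Names such as `AuditLog`, `content_digest` and `CONTENT_KEY` are assumptions for illustration; the entries are kept in memory here, whereas a real deployment would write them to append-only storage.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Hypothetical key for pseudonymising sensitive content with HMAC. A bare
# SHA-256 of a short prompt can be brute-forced from a guess list; a keyed
# hash cannot be reversed without the key, which should live in a KMS.
CONTENT_KEY = b"example-hmac-key-replace-and-rotate-in-production"


def content_digest(text: str) -> str:
    """Keyed hash of user content, so the log never stores the raw text."""
    return hmac.new(CONTENT_KEY, text.encode("utf-8"), hashlib.sha256).hexdigest()


def canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding so an identical record always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditLog:
    """Append-only, hash-chained audit log (assumed class name).

    entry_hash = SHA-256(canonical(record including prev_hash)); prev_hash of
    the first entry is a fixed genesis value, so the chain is tamper-evident.
    """

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list = []

    def append(self, *, identity: str, model: str, model_version: str,
               prompt: str, response: str, risk_score: float,
               detections: list, actions: list,
               timestamp: Optional[str] = None) -> dict:
        """Append one interaction record with the fields a compliant trail needs."""
        record = {
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "identity": identity,                      # user, session or API key id
            "model": model,
            "model_version": model_version,
            "input_hash": content_digest(prompt),      # hash, not the sensitive text
            "output_hash": content_digest(response),
            "classifications": {"risk_score": risk_score,
                                "detections": list(detections)},
            "actions": list(actions),                  # guardrail triggers / blocks
        }
        record["prev_hash"] = (self.entries[-1]["entry_hash"]
                               if self.entries else self.GENESIS)
        record["entry_hash"] = hashlib.sha256(canonical(record)).hexdigest()
        self.entries.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Recompute the whole chain; return the index of the first bad entry, or None if intact."""
        prev_hash = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry.get("prev_hash") != prev_hash:
                return i                               # deleted/reordered/inserted entry
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if hashlib.sha256(canonical(body)).hexdigest() != entry.get("entry_hash"):
                return i                               # modified entry
            prev_hash = entry["entry_hash"]
        return None


if __name__ == "__main__":
    # Constructed sample interactions, not real log data.
    log = AuditLog()
    log.append(identity="api-key-7f3a", model="chat-model", model_version="2024-06",
               prompt="Summarise my medical record", response="[blocked]",
               risk_score=0.92, detections=["phi"], actions=["block"])
    log.append(identity="api-key-7f3a", model="chat-model", model_version="2024-06",
               prompt="What is the capital of France?", response="Paris.",
               risk_score=0.01, detections=[], actions=[])
    print("intact:", log.verify() is None)
    log.entries[0]["actions"].clear()                  # simulate a tampered record
    print("first bad entry after tampering:", log.verify())
```

The chain only proves that entries are consistent with each other: someone who can rewrite the whole store could rebuild the chain from scratch. Regular integrity verification therefore needs an external anchor, for example periodically exporting the latest `entry_hash` to a separate, more tightly controlled location (or a timestamping service) and checking the store against it.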

What should audit trails include?

Key elements: timestamp, user/session ID, model used, input (or hash), output, classification results, any guardrail actions, latency, and token usage. For compliance, ensure immutability and appropriate retention.

How long to retain logs?

Depends on your industry. Healthcare (HIPAA): 6 years. Finance: 5-7 years. General SOC2: typically 1 year minimum. Check your specific regulatory requirements and err on the side of longer retention.
