AI Audit Trail

An AI audit trail is a structured, tamper-resistant log that captures what a user asked, what sources the system retrieved, what reasoning the model applied, and what response was generated — for every interaction, at production scale, in a format that compliance and legal teams can interrogate.

What an audit trail captures

A complete AI audit trail records the full chain of events for each interaction: the user identity and role, the input query, the retrieval results and the sources they came from, the model and configuration used, the output generated, and the timestamp. For workflow pipelines, it also records every step in the pipeline — what triggered it, what each stage processed, where human review occurred, and what the final outcome was.

This is categorically different from a basic application log. An application log tells you that something happened. An audit trail tells you what happened, who was involved, what data was accessed, and what decision was made — in a format that supports a compliance review or a dispute investigation.

Why it matters in regulated industries

Regulators in financial services, healthcare, and the public sector increasingly require that AI decisions be explainable and auditable. "The AI said so" is not a defensible answer to a compliance inquiry. An audit trail provides the evidence layer: this user, at this time, asked this question, the system retrieved these sources, and produced this response.

For organisations under GDPR, the audit trail also supports responses to data subject access requests: if an employee or customer asks what data was used to produce a decision that affected them, the audit trail provides the answer.

What governance-grade audit trails require

Not all logging is audit-grade. Governance-grade audit trails require immutability (records cannot be altered after the fact), completeness (every interaction is recorded, not sampled), retrievability (the records can be queried and surfaced for a specific user, date range, or interaction type), and retention (records are kept for the required duration under applicable regulation).

They also require that the audit trail be tied to the access control layer — so that the record of what a user accessed is connected to what that user was authorised to access. A discrepancy between the two is the signal that something requires investigation.
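A minimal illustration of two of these requirements, added here as an example and not GenOS code: a hash-chained (tamper-evident) record carrying the fields listed above, plus the cross-check between sources retrieved and sources the user was entitled to. The user names, roles, source ids, entitlements and model name are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry in the chain

def record_hash(record: dict, prev_hash: str) -> str:
    """Hash the canonical JSON of a record together with the previous entry's hash."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_record(chain: list, record: dict) -> dict:
    """Append one interaction record, chaining it to the entry before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev_hash": prev, "hash": record_hash(record, prev)}
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> bool:
    """Recompute every hash; an edited, dropped or reordered entry breaks the chain."""
    prev = GENESIS
    for entry in chain:
        if entry["prev_hash"] != prev or entry["hash"] != record_hash(entry["record"], prev):
            return False
        prev = entry["hash"]
    return True

def access_discrepancies(chain: list, entitlements: dict) -> list:
    """(user, source) pairs where a retrieved source lay outside the user's entitlement."""
    findings = []
    for entry in chain:
        rec = entry["record"]
        allowed = entitlements.get(rec["user"], set())
        findings.extend((rec["user"], s) for s in rec["sources"] if s not in allowed)
    return findings

# Constructed sample data (hypothetical users, sources, entitlements and model name).
SAMPLE_ENTITLEMENTS = {"alice": {"hr-policy", "benefits-faq"}, "bob": {"sales-playbook"}}

def build_sample_chain() -> list:
    """Two constructed interactions carrying the fields the page lists."""
    chain = []
    append_record(chain, {"ts": "2024-05-01T09:00:00Z", "user": "alice", "role": "hr-analyst",
                          "query": "What is the parental leave policy?", "model": "llm-x@v3",
                          "sources": ["hr-policy", "benefits-faq"], "output": "16 weeks..."})
    append_record(chain, {"ts": "2024-05-01T09:05:00Z", "user": "bob", "role": "sales-rep",
                          "query": "Summarise leave entitlements.", "model": "llm-x@v3",
                          "sources": ["sales-playbook", "hr-policy"], "output": "Leave is..."})
    return chain
```

Hash chaining makes alteration evident rather than impossible, so the head hash must be anchored in write-once storage and the entries themselves kept append-only. The second record above is the kind of discrepancy the text describes: a sales user whose retrieval reached an HR source outside their entitlement.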

Next step

See how GenOS puts this into production for enterprise teams.