Your Audit Trail Is Your Compliance Evidence
When a regulator inspects a high-risk AI system, they will ask for records of what the system did, when, what data it processed, what decisions it made, and who oversaw it. That evidence is your audit trail. Under the EU AI Act, producing it is not optional.
What the EU AI Act Requires
Article 12: Automatic Logging
High-risk AI systems must technically allow automatic recording of events (logs) over their lifetime. To give traceability of the system's functioning appropriate to its intended purpose, the logging capability must record events relevant to:
- Identifying situations that may result in the system presenting a risk (Article 79(1)) or in a substantial modification
- Facilitating post-market monitoring (Article 72)
- Monitoring of the system's operation by deployers (Article 26(5))
For remote biometric identification systems (Annex III, point 1(a)), Article 12(3) additionally requires at minimum: the period of each use (start and end date and time), the reference database the input was checked against, the input data that led to a match, and the identity of the natural persons who verified the results under Article 14(5).
Article 19 and Article 26(6): Log Retention
Providers must keep the logs their high-risk AI systems generate automatically, to the extent those logs are under their control, for a period appropriate to the system's intended purpose and in any case at least six months, unless Union or national law provides otherwise (Article 19). Deployers are under the same minimum for logs under their control (Article 26(6)).
What Regulators Actually Look For
1. Completeness
Can you trace any AI decision back to its inputs, processing, and human oversight? Gaps undermine the entire audit.
2. Integrity
Can you prove logs have not been altered after the fact? An editable database table or a spreadsheet gives no such assurance, because anyone with write access can rewrite history and leave no trace. Regulators expect tamper-evident logging: append-only storage where an entry cannot be modified, or the history shortened, without the change being detectable.
3. Accessibility
Can you produce logs when requested? Logs buried in application logs or requiring engineering effort to extract fail this test.
4. Retention
Are logs retained for the legally required period? Six months is the floor, not the ceiling.
What to Log
For each AI decision or action, capture:
- Timestamp: ISO 8601, UTC
- Event type: Decision made, input received, output generated, human intervention, config change
- Input data reference: Data processed or hash/reference
- Output/decision: What the system produced
- Confidence score: System confidence level
- Human oversight: Who oversaw, whether they intervened
- System version: Which model version produced the output
- Context: Environmental factors
Tamper-Evident Architecture
The gold standard is hash-chain integrity: each entry stores the SHA-256 hash of the previous entry and its own hash covers that link, so altering any stored entry breaks every hash after it and the verifier reports exactly where the chain broke. Two caveats a practitioner should design for: an attacker who can rewrite the whole store can also recompute the whole chain, and simply deleting the newest entries leaves a shorter chain that still verifies. Both are caught by periodically anchoring the chain head (entry count plus latest hash) somewhere the log's administrators cannot reach, for example as a keyed MAC or signature, or a copy written to immutable storage.
Implementation approaches:
- Append-only databases: revoke UPDATE, DELETE and TRUNCATE on audit tables, or use a store that exposes no such operations
- Hash-chain logging: cryptographic chain linking entries, with the chain head anchored outside the store
- Immutable (WORM) storage: AWS S3 Object Lock, Azure immutable blob storage
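The following is an added illustration of the architecture above, not code from the original page or from any product it mentions. It records the fields listed under "What to Log", chains entries with SHA-256, and anchors the chain head with an HMAC checkpoint. All names are hypothetical; the checkpoint key and the sample credit-scoring events are constructed for the demo, and the key is assumed to live outside the log store (a KMS, or a WORM bucket in a separate account).

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def canonical(obj) -> bytes:
    # Fixed key order and separators so a record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def input_reference(raw_input: bytes) -> str:
    # Log a digest of the input, not the input itself: the decision stays
    # traceable without copying personal data into the audit store.
    return hashlib.sha256(raw_input).hexdigest()


class AuditLog:
    def __init__(self, checkpoint_key: bytes):
        self.entries = []            # append-only: no update/delete method exists
        self._key = checkpoint_key   # assumption: held in a KMS, not in the log DB

    def append(self, event_type, input_ref, output, confidence,
               model_version, overseer, intervened, context=None):
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        record = {
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),  # ISO 8601, UTC
            "event_type": event_type,
            "input_ref": input_ref,
            "output": output,
            "confidence": confidence,
            "model_version": model_version,
            "oversight": {"user": overseer, "intervened": intervened},
            "context": context or {},
            "prev_hash": prev_hash,
        }
        record["entry_hash"] = hashlib.sha256(canonical(record)).hexdigest()
        self.entries.append(record)
        return record["entry_hash"]

    def checkpoint(self):
        # Keyed commitment to (length, head). Stored where the log's DBA cannot
        # reach it, it exposes a full chain rewrite and truncation of the tail.
        head = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        msg = f"{len(self.entries)}:{head}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"length": len(self.entries), "head": head, "mac": mac}

    def verify(self, checkpoint=None):
        """Return (ok, index): index is the first bad entry, -1 for a bad
        checkpoint MAC, or the current length when entries have been removed."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev:
                return False, i
            if hashlib.sha256(canonical(body)).hexdigest() != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        if checkpoint is not None:
            msg = f"{checkpoint['length']}:{checkpoint['head']}".encode()
            expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, checkpoint["mac"]):
                return False, -1
            n = checkpoint["length"]
            if len(self.entries) < n or (n and self.entries[n - 1]["entry_hash"] != checkpoint["head"]):
                return False, len(self.entries)
        return True, None


def build_sample_log():
    # Constructed sample: an automated decision, then a human override.
    log = AuditLog(checkpoint_key=b"demo-key-held-in-kms")
    ref = input_reference(b"applicant-4711 application form (constructed)")
    log.append("decision", ref, "reject", 0.87, "credit-scoring-v3.2", "analyst.a", False)
    log.append("human_intervention", ref, "approve", None, "credit-scoring-v3.2",
               "analyst.a", True, {"reason": "manual review"})
    return log, log.checkpoint()


def demo_edit_detected():
    # A DBA with UPDATE rights changes a stored decision behind the API's back.
    log, cp = build_sample_log()
    before = log.verify(cp)
    log.entries[0]["output"] = "approve"
    return before, log.verify(cp)          # -> ((True, None), (False, 0))


def demo_truncation_needs_checkpoint():
    # Dropping the newest entry leaves a shorter chain that still verifies;
    # only the anchored checkpoint reveals the deletion.
    log, cp = build_sample_log()
    log.entries.pop()
    return log.verify(), log.verify(cp)    # -> ((True, None), (False, 1))
```

The second demo is the point most teams miss: the chain alone says nothing about how long the log should be, so the checkpoint (or a copy of the head in Object Lock storage) is what turns "append-only" into evidence. In production the entries would live in a table with UPDATE and DELETE revoked and the checkpoint would be written by a separate principal on a schedule, with verification run before every regulatory export.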
Audit Trail vs Application Logging
| Aspect | Application Logs | Compliance Audit Trail |
|---|---|---|
| Purpose | Debugging, performance | Regulatory evidence |
| Mutability | Often rotated/overwritten | Append-only, immutable |
| Retention | Days to weeks | At least six months; longer where sector law requires |
| Integrity | No tamper evidence | Hash-chain or equivalent |
| Access | Engineering teams | Compliance and legal |
| Content | Technical events | Decision-relevant events |
Common Mistakes
- Logging too little: Recording decisions but not inputs, confidence, or oversight context
- Logging too much: Copying raw personal data into the audit store instead of a hash or reference to it, which turns the audit trail into a second GDPR liability
- Mutable storage: Standard tables where logs can be edited or deleted
- No integrity verification: Logs without tamper-evidence mechanisms
- Inaccessible logs: Requiring engineering to extract compliance data
- Short retention: Purging before minimum retention period
Implementation Checklist
- Define events to log for each high-risk AI system
- Implement append-only storage with hash-chain integrity and a chain head anchored outside the store
- Configure retention of at least six months (longer where sector rules require it) with archival
- Ensure compliance team accessibility without engineering support
- Separate audit logs from application logs
- Test integrity verification procedures
- Document architecture as part of Annex IV documentation
- Establish procedures for producing logs on regulatory request
Build your audit trail right from the start, and inspections become demonstrations of competence rather than crises.
Start your compliance interview with AI Comply Help — classify your AI systems and generate compliance documents in a single conversation.
AI Comply Help supports compliance operations and is not a substitute for legal advice.