Audit trail
A queryable record of every AI-driven decision - inputs, outputs, model version, tool calls, policy evaluations, timestamps - indexed for regulator-level review.
An audit trail is the evidentiary record of what the system did, when, and on whose behalf. It is what lets you answer, on day 180 of a production deployment, what the system did with a specific customer's request on day 7 - and prove it.
What it records
- Inputs and outputs - the full prompt, the full response, with PII handled per the PII redaction policy.
- Model metadata - which model version, which prompt template version, which tools were available.
- Tool calls - for agent-based systems, every tool invocation with its input and output.
- Policy evaluations - which rules fired, which passed, which blocked.
- Timing and cost - latency, token counts, cost per invocation.
- Human approvers - who, if anyone, reviewed the output before it shipped.
How it should be queryable
Indexed by customer / case / transaction ID. Retained for the compliance period - typically seven years in finance, variable by jurisdiction in healthcare and public sector. Readable by someone who doesn't write Python.
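One way to store and query the fields listed above, as an added example that is not part of the original page. The SQLite schema, the column and function names, and the sample record are all assumptions made for illustration.

```python
import json
import sqlite3
SCHEMA = """
CREATE TABLE audit_event (             -- hypothetical schema: one row per AI-driven decision
    event_id INTEGER PRIMARY KEY,
    case_id TEXT NOT NULL,             -- customer / case / transaction ID
    recorded_at TEXT NOT NULL,         -- ISO 8601 UTC timestamp
    model_version TEXT NOT NULL, template_version TEXT NOT NULL,
    tools_available TEXT NOT NULL,     -- JSON array
    prompt TEXT NOT NULL, response TEXT NOT NULL,  -- stored after PII redaction
    tool_calls TEXT NOT NULL,          -- JSON array of {tool, input, output}
    policy_evaluations TEXT NOT NULL,  -- JSON array of {rule, result}
    latency_ms INTEGER NOT NULL, tokens INTEGER NOT NULL, cost_usd REAL NOT NULL,
    approver TEXT                      -- NULL if no human reviewed the output
);
CREATE INDEX idx_case_time ON audit_event (case_id, recorded_at);
"""
JSON_FIELDS = ("tools_available", "tool_calls", "policy_evaluations")
COLUMNS = ("case_id", "recorded_at", "model_version", "template_version", "tools_available",
           "prompt", "response", "tool_calls", "policy_evaluations", "latency_ms", "tokens",
           "cost_usd", "approver")

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    return db

def record(db, event):
    """Insert one decision; column names come from COLUMNS, never from input."""
    row = {c: event.get(c) for c in COLUMNS}
    row.update({c: json.dumps(row[c]) for c in JSON_FIELDS})
    db.execute(f"INSERT INTO audit_event ({', '.join(COLUMNS)}) "
               f"VALUES ({', '.join(':' + c for c in COLUMNS)})", row)
    db.commit()

def decisions_for_case(db, case_id, day):
    """What did the system do with this case on this date (YYYY-MM-DD)?"""
    rows = db.execute("SELECT * FROM audit_event WHERE case_id = ? AND "
                      "substr(recorded_at, 1, 10) = ? ORDER BY recorded_at",
                      (case_id, day)).fetchall()
    return [{k: json.loads(r[k]) if k in JSON_FIELDS else r[k] for k in r.keys()}
            for r in rows]

SAMPLE = dict(  # constructed record, every value invented for illustration
    case_id="CASE-0007", recorded_at="2024-01-07T09:15:02Z", model_version="model-v1",
    template_version="tmpl-3", tools_available=["kb_search"], prompt="[NAME] asks about fees",
    response="Fee schedule sent.", latency_ms=840, tokens=512, cost_usd=0.004, approver=None,
    tool_calls=[{"tool": "kb_search", "input": "fees", "output": "doc-12"}],
    policy_evaluations=[{"rule": "no_financial_advice", "result": "passed"}])
```

Because the record lives in an ordinary SQL table, a reviewer can run the same SELECT from any SQL client without touching the Python.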
Why it's a design input, not a logging afterthought
Retrofitting an audit trail onto a live system is painful and expensive. A system designed without audit from day one usually has to be partly rewritten to produce the evidence a regulator will accept. Build the audit trail alongside the first feature, not in phase two.