
Audit Trail & Compliance

Every agent action to an immutable log — mandatory for GDPR/KVKK/SOC2/HIPAA.

2 hours

For regulatory compliance:

  • What — what the agent did (tool, params, result)
  • When — timestamp (ms precision)
  • Who — user_id, session_id, model version, prompt hash
  • Why — model's rationale (thinking block)
  • Result — success/fail, output snapshot

Immutable storage: append-only log (S3 + Object Lock, AWS QLDB, Postgres with no-update trigger).

Retention: 3-7 years by sector. If PII, hash + encrypt.
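
As an added example (not part of the original page), the sketch below writes one agent action with the what/when/who/why/result fields into an append-only table. It uses SQLite triggers as a local stand-in for the Postgres no-update trigger and an HMAC with a constructed demo key for the PII hashing step. Encryption is not shown, and the table name, function names and key are assumptions for illustration.

```python
import hashlib, hmac, json, sqlite3, time

PII_KEY = b"constructed-demo-key"  # assumption: a real key comes from a KMS or secret store

def pseudonymize(value: str) -> str:
    """Keyed hash so the raw identifier never reaches the log."""
    return hmac.new(PII_KEY, value.encode(), hashlib.sha256).hexdigest()

def open_log(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE audit_log (id INTEGER PRIMARY KEY AUTOINCREMENT,
                                ts_ms INTEGER NOT NULL, record TEXT NOT NULL);
        CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
        BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
        CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
        BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
    """)
    return db

def log_action(db, *, tool, params, result, ok, user_id, session_id,
               model_version, prompt, rationale):
    """Append one record; returns the new row id."""
    record = {
        "what": {"tool": tool, "params": params},
        "who": {"user_id": pseudonymize(user_id), "session_id": session_id,
                "model_version": model_version,
                "prompt_hash": hashlib.sha256(prompt.encode()).hexdigest()},
        "why": rationale,
        "result": {"status": "success" if ok else "fail", "output": result},
    }
    ts_ms = time.time_ns() // 1_000_000  # "when", millisecond precision
    cur = db.execute("INSERT INTO audit_log (ts_ms, record) VALUES (?, ?)",
                     (ts_ms, json.dumps(record, sort_keys=True)))
    db.commit()
    return cur.lastrowid

def try_tamper(db, row_id):
    """Attempt an in-place edit; returns True if the store rejected it."""
    try:
        db.execute("UPDATE audit_log SET record = '{}' WHERE id = ?", (row_id,))
        return False
    except sqlite3.DatabaseError:
        db.rollback()
        return True
```

A trigger only stops changes made through SQL; an account that can drop the trigger or edit the database file can still alter history, so the database role that writes the log should not own the table.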

Use case: EU AI Act mandates post-incident audit for high-risk systems — without these logs you're not compliant.