Audit trails turn AI from a black box into an accountable process. Regulators, customers, and your own teams ask: what was sent, on what basis, and who approved it?
Minimum log fields
| Field | Why it matters |
|---|---|
| Workflow ID + version | Reproduce behavior after changes |
| User / service identity | Accountability |
| Input snapshot or hash | Evidence of what the model saw |
| Context sources retrieved | Explainability |
| Model + parameters | Regression when vendors update |
| Raw model output | Compare to what was sent |
| Human override flag | Prove review happened |
| Timestamp (UTC) | Ordering across systems |
Retention
- Align with existing records policy—do not invent a shorter window for “AI only.”
- Separate debug logs (verbose) from compliance logs (durable, immutable where possible).
Review cadence
- Monthly sample of high-risk cases for process owners.
- After every prompt or context pack change, spot-check 10 cases from evaluation hooks.