Audit trails for AI agents: what auditors ask for
When an agent changes a record, can you say who, what, and who approved it — months later? An audit trail for agents, and what a compliance review will ask.
By Dmitrii SelikhovFounderReviewed by Planoda
Key takeaways
- An agent's actions need the same forensic record as a person's — who acted, what changed, when, and who approved it — or the agent becomes an accountability black hole nobody can answer for later.
- Agent actions belong in the same immutable log as human actions, not a separate, weaker side-log that's easy to overlook and easy for an auditor to distrust.
- Record the proposal and the decision, not just the change: an audit that shows what happened but not who approved it can't answer the question that actually matters in a post-mortem.
- Immutability is the point — an audit trail you can quietly edit proves nothing, because tamper-evidence is exactly what an auditor is checking for.
- Design for the queries a review will actually run: reconstruct any consequential change, name the agent and the approver, and show the blast radius of what a single action touched.
Here's the 2 a.m. question that decides whether your AI governance is real: a record changed overnight, and you need to know what changed it, and who said yes. If the honest answer is 'an agent did something, we're not totally sure what, and there was no approval step,' you don't have governance — you have an accountability black hole with good intentions around it. An audit trail built for agents is what turns that question into a lookup.
Agents need a person-grade paper trail
When a person changes a record, a decent system records who, what, and when. An agent deserves exactly the same treatment plus one more field: who approved it. The temptation is to hold agents to a looser standard because they're 'just automation,' but that's backwards — an agent can act faster and at larger scale than any human, so the case for a rigorous record is stronger, not weaker. Every consequential agent action should be reconstructable to who-what-when-and-who-signed-off. This is the accountability half of the propose-and-approve model working as intended.
One log, not a side-log
A frequent mistake is to route agent activity into its own separate log, off to the side, weaker than the one that records human actions. Auditors distrust side-logs on sight, and for good reason: a separate trail is easy to overlook, easy to disable, and easy to argue with. Agent actions should land in the same immutable audit trail as everything else, so 'what touched this record' has one answer covering people and agents alike. The unified log is exactly the evidence layer the governance frameworks assume.
Record the proposal and the decision
A change record that shows only the change is half a story. The question that actually comes up in a review is not just 'what happened' but 'who approved that it should.' So the trail has to capture both halves: the agent's proposal — the intent, the scope, the rows it wanted to touch — and the human decision to accept or reject it. Together they answer the accountability question completely; either alone leaves a gap. This is why governed agent autonomy records the accept, not just the effect.
Immutability or it's theater
An agent audit log you can quietly edit is worse than none, because it offers false confidence. The entire value of the trail is that it's tamper-evident: an auditor needs to trust that what it says happened is what happened, and that nobody rewrote the record after the fact. Append-only, tamper-evident storage isn't a nice-to-have here — it's the property that makes the log admissible as evidence rather than as a story you're telling about yourself.
Design for the auditor's questions
Build the trail around the queries a review will actually run, because those are predictable. Can you reconstruct any consequential change end to end? Can you name both the agent that proposed it and the human who approved it? Can you show the blast radius — every record a single action touched? A trail that answers those three cleanly will survive a compliance review; one that can't will fail it regardless of how good your policy PDF reads. When the questionnaire arrives, this is the difference between a calm afternoon and a scramble — the same relief covered in security without the questionnaire dread. Start from the security pillar.
Sources
- EU AI Act — EU AI Act explorer
- AI Risk Management Framework — NIST