Audit Trails That Survive Discovery, Append-Only by Design

Pull-quote: “The test of an audit trail is not whether you can write to it. It is whether, eighteen months later, someone you have never met can prove nobody edited it.”
Why this matters
Every regulated AI deployment eventually receives the same request, months after the fact: show us what the AI contributed to this decision, who approved it, and what they saw at the time. The requester may be a regulator, an auditor, or opposing counsel in discovery, and the request is not answered by intent; it is answered by records. Ordinary logs fail this moment reliably. They expire on retention schedules set by storage budgets. They are mutable by anyone with write access, which is exactly what a challenge will point out. They scatter context across systems, and they carry no proof of their own integrity. A log that cannot demonstrate it was never edited is testimony. Regulators want evidence.
Evidence-grade properties
| Property | Requirement | Why it matters under challenge |
|---|---|---|
| Append-only | No update or delete path, in schema and permissions | The absence of an edit path is the first question asked |
| Hash-chained | Each record commits to its predecessor’s hash | Tampering breaks the chain verifiably, not deniably |
| Attributable | Human identity, model ID, prompt and context versions on every record | “Who knew what, and when” becomes answerable |
| Complete per decision | Inputs, retrieved context, output, confidence, approvals, overrides | The decision reconstructs without hunting other systems |
| Time-anchored | Trusted, monotonic timestamps | Ordering disputes end instead of beginning |
| Independently retained | Retention set by regulation, stored apart from ops | Survives log rotation, platform migrations, and budget cuts |
Separate the trail from the telemetry
Observability and evidence answer different questions on different clocks, and merging them ruins both. Traces are for engineers: verbose, sampled, mutable in practice, and expired by TTL, all of which is correct for debugging. The audit trail is for the record: one canonical entry per decision, minimal and complete, written synchronously on the decision’s write path rather than reconstructed later from telemetry, because reconstruction is where completeness goes to die. Store references and redacted forms where data minimization applies; a trail you cannot lawfully retain for years is a trail you will be forced to delete. In practice the record captures AI provenance per decision: which model, what contribution, which human approved it, written to an append-only, hash-chained trail, with dual review where the domain demands it. The same posture serves quantitative research, where an append-only log means a strategy’s history is reviewable as it was recorded, not as it is remembered.
Verify the chain, or it is decoration
A hash chain nobody walks is a promise nobody checks. Run a scheduled verification job that re-walks the chain and alerts on the first broken link, and treat a break as a security incident, not a data quality ticket. Build the export before it is requested: an auditor-readable bundle, the records for a decision, the chain proof around them, and the version manifest, deliverable without granting anyone access to production. The regulatory direction is not subtle. Record-keeping and traceability obligations attached to the EU AI Act’s high-risk categories assume exactly this capability, and the difference between a good week and a bad quarter is whether the capability was designed in or improvised after the letter arrived.
decision event: agent output + human approval
│ synchronous write, same transaction
▼
audit record N: inputs · context refs · model +
prompt versions · output · approver · timestamp
│
hash(N) written into record N+1 ──► chain
│
├─► scheduled job: re-walk chain,
│ alert on first broken link
└─► export bundle: records + chain
proof + version manifest
Closing
Write the audit record on the decision’s write path, append-only and hash-chained, with every version pinned and every approval attributed. Retain it on the regulation’s clock, not the storage budget’s. Verify the chain on a schedule and rehearse the export. Observability tells you what the system did last week. Evidence proves what it did eighteen months ago, to someone who does not trust you, and regulated AI needs both, kept separate.
