AI Decision Audit Logs
What This Requires
Log all AI system decisions with sufficient context for audit: timestamp, user ID, input summary, output, model version, confidence score, and override flag (if human intervened). Retain logs per compliance requirements (7 years for regulated industries).
Why It Matters
Audit trails enable accountability, debugging, and compliance. Without logs, you can't investigate bias complaints, security incidents, or regulatory audits.
How To Implement
Define Log Schema
Capture: timestamp, requestID, userID, sessionID, input hash (not full text if sensitive), output, modelVersion, confidenceScore, latency, error (if any), humanOverride (boolean).
Implement Logging
Instrument the AI service to emit structured logs (JSON) and ship them to centralized logging (CloudWatch, Splunk, Elasticsearch). Ensure logging doesn't introduce excessive latency (<10ms overhead); log failed calls as well, since an unlogged error is an audit gap.
Retention & Access
Retain logs per compliance: 7 years (financial, healthcare), 3 years (general GDPR). Store in tamper-proof storage (S3 with object lock, WORM storage). Grant read access only to audit/compliance teams.
Query & Reporting
Build queries for common audit scenarios: all decisions for user X, all decisions by model version Y, all low-confidence outputs. Schedule monthly spot-checks.
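The four implementation steps above, carried through as one added example (not code from the original page): a record type matching the schema, a keyed hash for the input so sensitive prompts never land in the log store, a wrapper that times the model call and emits one JSON object per decision, and the three audit queries named under Query & Reporting. The in-memory `sink` list stands in for the centralized log pipeline, the `model` callable is hypothetical, and the HMAC key is a placeholder that would come from a secrets manager in practice.

```python
"""Added example: structured AI decision audit logging (not from the original page)."""
import hashlib
import hmac
import json
import time
import uuid
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

# Assumption: the key lives in a secrets manager, not beside the logs.
# A keyed hash (HMAC) means someone who can read the audit logs cannot
# recover short, low-entropy inputs by guessing, which plain SHA-256 allows.
INPUT_HASH_KEY = b"placeholder-key-from-secrets-manager"


@dataclass
class DecisionRecord:
    """One audited decision; field names follow the schema in the text."""
    timestamp: str
    requestID: str
    userID: str
    sessionID: str
    inputHash: str
    output: str
    modelVersion: str
    confidenceScore: float
    latencyMs: float
    error: Optional[str]
    humanOverride: bool

    def to_json(self) -> str:
        # One compact JSON object per line, the shape log shippers ingest.
        return json.dumps(asdict(self), separators=(",", ":"), sort_keys=True)


def hash_input(text: str) -> str:
    """Keyed SHA-256 of the raw input; stored instead of the input itself."""
    return hmac.new(INPUT_HASH_KEY, text.encode("utf-8"), hashlib.sha256).hexdigest()


def record_decision(
    sink: List[DecisionRecord],
    user_id: str,
    session_id: str,
    input_text: str,
    model_version: str,
    model: Callable[[str], Tuple[str, float]],
    human_override: bool = False,
) -> DecisionRecord:
    """Call the (hypothetical) model, then log the decision with audit context.

    Failures are logged too: the record carries the error and empty output.
    """
    started = time.perf_counter()
    output, confidence, error = "", 0.0, None
    try:
        output, confidence = model(input_text)
    except Exception as exc:  # an unlogged failure is an audit gap
        error = f"{type(exc).__name__}: {exc}"
    latency_ms = (time.perf_counter() - started) * 1000.0
    rec = DecisionRecord(
        timestamp=datetime.now(timezone.utc).isoformat(),
        requestID=str(uuid.uuid4()),
        userID=user_id,
        sessionID=session_id,
        inputHash=hash_input(input_text),
        output=output,
        modelVersion=model_version,
        confidenceScore=float(confidence),
        latencyMs=round(latency_ms, 3),
        error=error,
        humanOverride=human_override,
    )
    sink.append(rec)  # in production: emit rec.to_json() to the log pipeline
    return rec


# Audit queries from the Query & Reporting step, run over the collected records.
def decisions_for_user(logs: List[DecisionRecord], user_id: str) -> List[DecisionRecord]:
    return [r for r in logs if r.userID == user_id]


def decisions_by_model(logs: List[DecisionRecord], version: str) -> List[DecisionRecord]:
    return [r for r in logs if r.modelVersion == version]


def low_confidence(logs: List[DecisionRecord], threshold: float = 0.6) -> List[DecisionRecord]:
    # Errored calls carry a placeholder score of 0.0, so they are excluded here.
    return [r for r in logs if r.error is None and r.confidenceScore < threshold]


def overridden(logs: List[DecisionRecord]) -> List[DecisionRecord]:
    return [r for r in logs if r.humanOverride]


if __name__ == "__main__":
    # Constructed sample traffic for a stand-alone run.
    sink: List[DecisionRecord] = []
    record_decision(sink, "u1", "s1", "loan application 123", "v2.1", lambda t: ("approve", 0.92))
    record_decision(sink, "u2", "s2", "loan application 456", "v2.0", lambda t: ("deny", 0.41), True)
    for rec in sink:
        print(rec.to_json())
```

Each record is written as one JSON line so the same document can be indexed by Splunk or Elasticsearch and also archived unchanged to immutable storage for the retention period; the queries above are the ones a spot-check would start from.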
Evidence & Audit
- Logging schema documentation
- Log samples showing all required fields
- Retention policy and storage configuration
- Access control policies for audit logs
- Query examples and monthly spot-check reports