Agent Audit Trail

Definition

An agent audit trail is a tamper-evident record of every governance decision and action an AI agent took — what it attempted, which policy decided the outcome, who approved it, and what resulted — kept for compliance, forensics, and accountability.

What a good audit trail records

For agents, logs are not enough; auditors and incident responders need a defensible record. A strong audit trail captures each action's intent, the policy decision applied (ALLOW, DENY, REQUIRE_APPROVAL, ALLOW_WITH_CONSTRAINTS), any human approval and who gave it, and the result — including whether output was redacted or quarantined. The question it must answer is precise: which policy allowed this agent to take this action, and can you prove the record has not been altered?

Tamper-evidence and export

Cordum keeps an append-only, hash-chained audit log per tenant: each event carries a sequence number, its own hash, and the previous event's hash, so any insertion, deletion, or reordering is detectable. A verification endpoint walks the chain and reports gaps, and a SIEM exporter streams events to webhook, syslog, Datadog, or CloudWatch backends. Legal hold can exempt a time range from retention trimming. Together these make the audit trail not just a log but admissible evidence.

Frequently asked questions

Related reading

• The Run Audit Trail
• AI Agent Audit Trails: Compliance Guide
• Agent Observability
• Human-in-the-Loop