Guide
An agent that can act on your business needs a record of what it did. The hard part is not writing the record. It is being able to prove, later, that the record was not changed. This guide covers what to capture, the design choices that decide whether a log is evidence or just a story, and what the EU AI Act's logging rules require, on a high-risk timeline that now reaches into 2027.
An AI agent audit trail is a record of every action an agent took: which tool it called, with what inputs and outputs, on whose behalf, when, and whether the action was allowed or blocked. A chat transcript tells you what was said. An audit trail is built to answer a harder question: who told the agent to do that, and can you prove the record itself was not edited afterward.
That second clause is the whole topic. Most teams discover it the first time someone asks them to demonstrate, not assert, that an agent did only what they claim. We build Pinchy, a self-hosted AI agent platform whose audit trail is one of its core features, so we have a stake here. The design discussion below stands on its own either way, and the parts where the answer is genuinely contested are marked as such.
Every backend already writes logs. The instinct is to point an agent at the same pipeline and call it done. Three things make that insufficient.
The log is the evidence, and ordinary logs are editable. As one analysis of the EU AI Act's logging mandate put it, application logs "live on infrastructure someone controls. They can be edited or replaced without anyone noticing," and "if your logs can be silently altered and you can't show otherwise, their evidentiary value is zero" (Help Net Security). A log you can quietly rewrite proves nothing about an autonomous system that took actions on your behalf.
Agents are non-deterministic. The same prompt can produce a different sequence of tool calls on two different runs. Observability stacks built for deterministic services assume a request maps to a predictable path. An agent does not, which is exactly why the per-run record of what it actually chose to do matters more, not less.
The interesting events are tool calls, not page views. An agent reads a customer record, drafts an email, updates an invoice, hands off to a sub-agent. The audit-worthy moments are these actions and the decisions around them: which tool, which user asked, what was returned, what was refused. A request-and-response log of the chat endpoint captures almost none of it.
Working back from "could you reconstruct and defend this later," an agent audit entry needs at least:
This maps onto what regulators are starting to demand. EU AI Act Article 12 frames logging around recording the events needed to identify risk situations, support post-market monitoring, and monitor operation, and it expects traceability across inputs, outputs, and the people involved. A common gap, even in mature setups, is that the log captures the action but not the decision context: the system prompt, accumulated history, and tool results that shaped the agent's choice. Without that context you can show what the agent did but not why, which is often the question being asked.
Capturing the right fields is the easy half. The half that separates an audit trail from a diary is whether anyone, including an administrator, can change an entry after the fact without it showing. Access controls help, but access controls protect the living system; they say nothing about whether last quarter's log was rewritten last night. For that you need the record to carry its own proof.
There is a small design space here, and the choice has real consequences.
| Approach | Tamper-evident? | Survives lawful deletion? | Verify outside the system? |
|---|---|---|---|
| Access-controlled log file | No (editable by anyone with access) | Yes | No |
| Hash chain | Yes (a change breaks the chain) | No (deletion breaks the chain) | Yes, if the chain is exported |
| Merkle tree | Yes | Partial, with extra machinery | Yes, with proofs |
| WORM storage | Yes (write once) | No (cannot delete by design) | Depends on the vendor |
| Per-row signature | Yes (a change breaks that row's signature) | Yes (rows are independent) | Yes, if signatures are exported |
A hash chain is the approach most teams reach for first, and you can watch it happen in the open: agent projects file issues asking for a "SHA-256 hash-chained action log for tamper-proof agent accountability" (a real example lives in the hermes-agent issue tracker). Each entry includes a hash of its own data combined with the previous entry's hash, so altering one entry changes its hash and breaks verification for every entry after it. It is elegant, and for an append-only system that never has to remove anything, it is a fine answer.
The trouble is that real systems do have to remove things. GDPR's right to erasure can require you to delete a specific person's data on request. If your audit trail is a hash chain, deleting one entry breaks the hash of every entry recorded after it, and your tamper-evidence collapses into "this log has been altered" for the entire remainder of the chain. You are forced to choose between honouring a lawful deletion and keeping a verifiable log. That is not a trade-off most compliance teams will accept, and it is rarely surfaced in the tutorials that recommend chaining.
A per-row signature avoids the collision. Each entry is signed independently, typically with an HMAC (a hash keyed by a secret) or a digital signature. Tampering with any single entry breaks that entry's signature and only that one, so verification still points at the exact altered row. Because the entries are not linked, you can delete or redact a single entry to satisfy an erasure request, and every other entry still verifies on its own. You give up the "this entry came after that one" ordering guarantee that a chain provides, but you keep the property that actually matters for compliance: each record can be proven unaltered, and lawful deletion does not destroy the rest of the log.
This is the reasoning behind Pinchy's choice of per-row HMAC signatures rather than a chain. It was a deliberate decision to keep tamper-evidence and the right to be forgotten from fighting each other.
Verification is mechanical once the design is right. For a per-row signed log:
The test of a real audit trail is that last point. If the only thing that can tell you the log is intact is the same application that could have edited it, you have a claim, not evidence.
The driver behind most of this work in 2026 is regulatory. EU AI Act Article 12 requires high-risk AI systems to "technically allow for the automatic recording of events (logs) over the lifetime of the system." Two words carry weight: automatic means the system generates the logs itself, not a person writing notes, and lifetime means from deployment to decommissioning. Related provisions set a minimum retention of six months, and the article expects logs detailed enough to identify risk situations and to support both post-market monitoring and operational oversight. Its high-risk obligations are phasing in on a timeline that has already shifted once: the 2026 Omnibus package moved the use-based high-risk deadline to 2 December 2027.
Worth knowing: there is not yet a finalised technical standard for how to satisfy this. Two are in draft (prEN 18229-1 and ISO/IEC DIS 24970), which means the specifics are still moving. The safe reading is to build for the property the law is reaching for, an automatic and trustworthy record, rather than to a checkbox. The same per-entry integrity and external verifiability also map cleanly onto SOC 2 and onto GDPR's expectation of accountability, so the work is not single-use.
Whether you are building one or assessing a vendor's, these are the questions that separate evidence from decoration:
This is the part where we describe our own product, so read it as such. Pinchy records every agent action in an audit trail where each entry is individually signed with an HMAC-SHA256 over its canonically serialised fields. Tampering with an entry breaks that entry's signature and points at the exact row. The design is deliberately per-row rather than a chain, so a lawful deletion removes one entry without invalidating the rest, and the entries can be exported to CSV with their signatures so the integrity check can run independently of Pinchy. Pinchy can recompute the signatures and report any rows that no longer match.
The audit trail sits behind the rest of the model: an allow-list of tools per agent so the log records actions the agent was actually permitted to take, and a self-hosted deployment so the records, and the data they describe, never leave your infrastructure. If you build your own layer instead, the design above is what we would build toward, and if you try Pinchy and something here does not hold up, that is an issue report we want.
FAQ
An AI agent audit trail is a record of every action an AI agent took: which tool it called, with what inputs and outputs, on whose behalf, when, and whether the action was allowed or blocked. Unlike a chat transcript, it is meant to answer 'who told the agent to do that, and can you prove the record was not altered afterward.'
Standard application logs live on infrastructure someone controls and can be edited or replaced without anyone noticing, so their evidentiary value is low. Agents also behave non-deterministically (the same prompt can produce different tool calls on different runs) and act through tool calls and sub-agents, so the log has to capture which user asked, which tool ran, and what was allowed, not just request and response lines.
A hash chain links each entry to the one before it, so altering any entry breaks every entry after it. That makes tampering obvious, but it also means lawfully deleting a single entry (for example to honour a GDPR erasure request) breaks the chain for everything that followed. A per-row signature signs each entry independently, so a single entry can be removed or redacted without invalidating the verification of the rest.
EU AI Act Article 12 requires high-risk AI systems to technically allow the automatic recording of events (logs) over the lifetime of the system, sufficient to identify risk situations, support post-market monitoring, and monitor operation. Related provisions require keeping those logs for at least six months. The high-risk timeline for these obligations has shifted: the 2026 Omnibus changes moved the use-based high-risk deadline to 2 December 2027, so treat the requirement as firmer than any single date.
You recompute each entry's signature from the entry's own data and compare it to the signature stored with the entry. If they do not match, that specific entry was altered. For this to be meaningful the data has to be serialised in a canonical form (for example with sorted keys) before signing, and the signatures should be exportable so the check can run outside the system that produced the log.
Pinchy records every agent action with a per-row signature you can export and check independently. Open source, self-hosted, free to run.
Or email us: info@heypinchy.com