Audit Log Integrity

An audit log is only as good as the guarantees you can make about it under adversarial review. "We log every query" is a starting point; "we can prove these records were written in order and have not been modified or deleted since" is the standard a compliance auditor or opposing counsel will actually apply. The techniques below — append-only storage, hash-chained entries, independent signing, and external notarization — turn logs from a convenient debug artifact into evidence.

1. What an Audit Log Must Record

For an AI document pipeline, each event should capture:

Actor identity (user, service, tenant).
Matter / document IDs touched.
Action (query, retrieve, re-identify, export, delete).
Prompt hash and response hash (not raw contents, to avoid duplicating sensitive data into the log).
Model route (provider, region, tier) and attestation fingerprint if TEE.
Policy decisions taken (which routing rule fired, which access check passed or failed).
Timestamp from a trusted clock source, plus a monotonic sequence number.

2. Append-Only Storage

Object-lock / WORM — S3 Object Lock in Compliance mode, Azure immutable blob storage, GCS bucket lock. Once written, rows cannot be modified or deleted for the retention window, even by the account root.
Append-only DB schemas — revoke UPDATE and DELETE on the audit table for all roles including DBA; writes go through a restricted INSERT-only service account.
Separate storage account — audit logs live outside the application's production account, so a compromise of the app plane does not compromise the log.

3. Hash-Chained Entries

Each log entry includes the hash of the previous entry, so tampering with any record invalidates every subsequent hash. A verifier can walk the chain and detect any insertion, deletion, or modification.

Missing entries are detectable because the chain breaks.
Reordering is detectable for the same reason.
Silent deletion of trailing records is the one attack a pure hash chain does not detect — mitigated by external notarization (section 5).

4. Example: Signed Hash Chain

import json, hashlib, hmac, time
from dataclasses import dataclass, asdict


@dataclass
class AuditEntry:
    seq: int
    ts: float
    actor: str
    action: str
    subject: dict
    prev_hash: str
    mac: str = ""


def _canonical(e: AuditEntry) -> bytes:
    d = asdict(e); d.pop("mac")
    return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


def append(prev: AuditEntry | None, actor: str, action: str,
           subject: dict, sign_key: bytes) -> AuditEntry:
    entry = AuditEntry(
        seq=(prev.seq + 1) if prev else 1,
        ts=time.time(),
        actor=actor,
        action=action,
        subject=subject,
        prev_hash=hashlib.sha256(_canonical(prev)).hexdigest() if prev else "GENESIS",
    )
    entry.mac = hmac.new(sign_key, _canonical(entry), hashlib.sha256).hexdigest()
    return entry


def verify_chain(entries: list[AuditEntry], sign_key: bytes) -> bool:
    prev = None
    for e in entries:
        expected_prev = (hashlib.sha256(_canonical(prev)).hexdigest()
                         if prev else "GENESIS")
        if e.prev_hash != expected_prev:
            return False
        mac = hmac.new(sign_key, _canonical(e), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, e.mac):
            return False
        prev = e
    return True

For production, replace HMAC with an asymmetric signature (Ed25519, ECDSA P-256) whose private key lives in a KMS HSM. The HMAC version is illustrative; asymmetric signing lets an auditor verify without holding the signing key.

5. External Notarization

To defend against silent truncation, periodically publish the chain's current head hash to an external, append-only medium:

Trusted third party — a timestamping authority per RFC 3161, or a public transparency log (Sigstore Rekor, Google Trillian).
Cross-account witness — write the head hash to a different cloud account or a different provider.
Blockchain anchor — occasionally useful for legal defensibility; cost and complexity usually do not justify it over simpler options.

Cadence is a trade-off: anchor every minute and the head can only slide a minute before detection, but cost rises; anchor daily and the detection window is a day.

6. Access Controls & Retention

Read access is privileged — the audit log is itself sensitive. Grant read only to auditors and compliance; applications can write but never read.
Retention aligned to regulation — HIPAA 6 years, SOX 7 years, state bar requirements vary. Encode retention per log category, not globally.
Legal hold overrides retention — when litigation or regulatory inquiry is foreseeable, suspend deletion for affected scopes; annotate the hold in the log itself so its provenance survives.
Destruction is itself auditable — when retention expires and logs are deleted, record the deletion in a secondary retention log that lives longer.