Audit Logging: Complete Traceability for AI Compliance
Citai Team
March 17, 2026 · 10 min read
Why Do You Need Audit Logging?
In enterprise environments, knowing who did what, when, and from where isn’t a luxury — it’s a requirement. Regulations like GDPR, SOC 2, HIPAA, and ISO 27001 demand complete traceability of actions in systems handling sensitive data.
What Does Citai Log?
Citai records over 15 event types, covering the entire platform lifecycle:
| Category | Events | Example |
|---|---|---|
| Authentication | Login, logout, 2FA activated, password reset | “[email protected] logged in from 190.x.x.x” |
| Users | Create, edit, delete, role change | “admin assigned tenant_admin role to [email protected]” |
| Knowledge Bases | Create, edit, delete KB | “Created KB ‘Technical Support’” |
| Documents | Upload, reprocess, delete | “Uploaded ‘manual-v2.pdf’ to KB ‘Product’” |
| FAQs | Create, edit, delete, bulk operations | “Created 15 FAQs via bulk import” |
| Configuration | RAG config changes, plan, settings | “Changed chunk_size from 512 to 768 in KB ‘Support’” |
| API Keys | Create, regenerate, delete | “Generated new API key for KB ‘Product’” |
| Widget | Widget config, CORS | “Updated widget config: primary_color, welcome_message” |
| Data | Export, bulk delete, purge | “Exported last month’s conversations (JSON)” |
Anatomy of an Audit Event
Each event contains structured JSON metadata:
- event_type: Event type (e.g.,
user.login,kb.create,document.upload) - user_id: Who executed the action
- tenant_id: Which tenant it occurred in
- timestamp: Exactly when (UTC)
- ip_address: From which IP
- metadata: Event-specific details in JSON (previous values, new values, affected IDs)
Retention and Purge
- Recommended minimum: 1 year to comply with most regulations
- GDPR: Retain audit logs as long as necessary to demonstrate compliance, but no longer
- SOC 2: Minimum 1 year mandatory retention
- Purge by range: Citai allows purging logs by date range, keeping the most recent ones
- Automation: Configure automatic retention policies to avoid unnecessary accumulation
Citai’s retention policies allow:
- Configurable retention per tenant — each organization defines its period
- Purge by date range — delete old logs without affecting recent ones
- Export before purge — download logs in JSON/CSV before deleting them
- Purge logs — even log deletion is recorded (meta-auditing)
Query and Filtering
Audit logs are queryable with advanced filters:
- By event type: View only logins, only configuration changes, etc.
- By user: Track all actions of a specific user
- By date range: Investigate a specific period
- By tenant: In super_admin mode, filter by organization
- Export: Download filtered results in JSON or CSV
Why It Matters for Enterprise
Audit logs aren’t just for regulations. They’re operational tools:
- Incident investigation: Who deleted that KB? When was the configuration changed?
- Team onboarding: Verify that new members are following correct processes
- Optimization: Identify usage patterns (which KBs are edited most, which configs change frequently)
- Security: Detect suspicious access or unauthorized changes
Specific Compliance Frameworks
SOC 2 (Type II)
Requires controls over security, availability, processing integrity, confidentiality, and privacy. Audit logs must demonstrate access control, change management, continuous monitoring, and minimum 1-year retention.
ISO 27001
Requires event logging (A.12.4), system access control (A.9.4), and incident management (A.16.1) where logs are key evidence.
HIPAA (healthcare)
If your chatbot handles protected health information: PHI access logging, minimum 6-year retention, and logs to determine breach scope.
GDPR
Article 30 (records of processing activities), Article 33 (breach notification within 72 hours), and documentation of personal data deletion.
Audit Log Schema Design
{
"id": "uuid-v4",
"event_type": "kb.document.upload",
"severity": "info",
"user_id": "usr_abc123",
"tenant_id": "tnt_xyz789",
"timestamp": "2026-03-15T14:30:00Z",
"ip_address": "190.123.45.67",
"resource_type": "document",
"resource_id": "doc_456",
"metadata": {
"file_name": "manual-v2.pdf",
"kb_name": "Technical Support",
"file_size_bytes": 2048576
}
}
Design Principles
- Immutability: Logs are never edited, only appended
- Granularity: Enough detail to reconstruct the complete action
- Normalization: Consistent, predictable event types
- Separation: Audit logs stored separately from application logs
Real-Time Alerting
| Pattern | Alert | Action |
|---|---|---|
| 3+ failed logins | Possible brute force | Temporarily block IP |
| Bulk document deletion | Error or malicious action | Notify admin |
| Role change to super_admin | Privilege escalation | Require secondary approval |
| Export > 1000 records | Possible exfiltration | Detailed log + notification |
| Off-hours access | Suspicious activity | Flag for review |
Audit Dashboard Design
An effective dashboard includes:
- Activity timeline: Events filtered by type, user, or severity
- Access statistics: Active users, peak hours, frequent IPs
- Detected anomalies: Events deviating from normal patterns
- Compliance by framework: SOC 2 / ISO 27001 checklist with current status
Conclusion
Citai’s audit logging transforms your chatbot from a black box to a fully traceable system. Every action is documented with rich, queryable, and exportable metadata — exactly what you need for enterprise compliance and operational peace of mind.
Complete traceability for your AI chatbot. Discover Citai →
Try Citai for free
Create your intelligent knowledge base in minutes. No credit card required.
Create free accountRelated articles
AI Chatbot Security: 2FA, OAuth, Headers and More
Complete security guide for AI assistants: multi-factor authentication, OAuth, HTTP headers, API key hashing, and rate limiting.
Read article → Practical GuideGDPR and Privacy in AI Assistants: A Practical Guide
How to comply with GDPR when deploying AI chatbots: data portability, right to erasure, retention, and auditing.
Read article → TechnologyMulti-Tenancy in SaaS: Data Isolation with PostgreSQL
How we implement real multi-tenancy with complete data isolation, hierarchical roles, anti-fraud plan enforcement, and enterprise security.
Read article →