TechnologyMarch 17, 2026·10 min read

Audit Logging: Complete Traceability for AI Compliance

Citai Team

March 17, 2026 · 10 min read

Why Do You Need Audit Logging?

In enterprise environments, knowing who did what, when, and from where isn’t a luxury — it’s a requirement. Regulations like GDPR, SOC 2, HIPAA, and ISO 27001 demand complete traceability of actions in systems handling sensitive data.

What is an audit log? An immutable record of events documenting every significant action on the platform. Unlike application logs (debug), audit logs are designed for compliance, investigation, and accountability.

What Does Citai Log?

Citai records over 15 event types, covering the entire platform lifecycle:

Category Events Example
Authentication Login, logout, 2FA activated, password reset [email protected] logged in from 190.x.x.x”
Users Create, edit, delete, role change “admin assigned tenant_admin role to [email protected]
Knowledge Bases Create, edit, delete KB “Created KB ‘Technical Support’”
Documents Upload, reprocess, delete “Uploaded ‘manual-v2.pdf’ to KB ‘Product’”
FAQs Create, edit, delete, bulk operations “Created 15 FAQs via bulk import”
Configuration RAG config changes, plan, settings “Changed chunk_size from 512 to 768 in KB ‘Support’”
API Keys Create, regenerate, delete “Generated new API key for KB ‘Product’”
Widget Widget config, CORS “Updated widget config: primary_color, welcome_message”
Data Export, bulk delete, purge “Exported last month’s conversations (JSON)”

Anatomy of an Audit Event

Each event contains structured JSON metadata:

  • event_type: Event type (e.g., user.login, kb.create, document.upload)
  • user_id: Who executed the action
  • tenant_id: Which tenant it occurred in
  • timestamp: Exactly when (UTC)
  • ip_address: From which IP
  • metadata: Event-specific details in JSON (previous values, new values, affected IDs)

Retention and Purge

Retention best practices:
  • Recommended minimum: 1 year to comply with most regulations
  • GDPR: Retain audit logs as long as necessary to demonstrate compliance, but no longer
  • SOC 2: Minimum 1 year mandatory retention
  • Purge by range: Citai allows purging logs by date range, keeping the most recent ones
  • Automation: Configure automatic retention policies to avoid unnecessary accumulation

Citai’s retention policies allow:

  • Configurable retention per tenant — each organization defines its period
  • Purge by date range — delete old logs without affecting recent ones
  • Export before purge — download logs in JSON/CSV before deleting them
  • Purge logs — even log deletion is recorded (meta-auditing)

Query and Filtering

Audit logs are queryable with advanced filters:

  • By event type: View only logins, only configuration changes, etc.
  • By user: Track all actions of a specific user
  • By date range: Investigate a specific period
  • By tenant: In super_admin mode, filter by organization
  • Export: Download filtered results in JSON or CSV

Why It Matters for Enterprise

Audit logs aren’t just for regulations. They’re operational tools:

  • Incident investigation: Who deleted that KB? When was the configuration changed?
  • Team onboarding: Verify that new members are following correct processes
  • Optimization: Identify usage patterns (which KBs are edited most, which configs change frequently)
  • Security: Detect suspicious access or unauthorized changes

Specific Compliance Frameworks

SOC 2 (Type II)

Requires controls over security, availability, processing integrity, confidentiality, and privacy. Audit logs must demonstrate access control, change management, continuous monitoring, and minimum 1-year retention.

ISO 27001

Requires event logging (A.12.4), system access control (A.9.4), and incident management (A.16.1) where logs are key evidence.

HIPAA (healthcare)

If your chatbot handles protected health information: PHI access logging, minimum 6-year retention, and logs to determine breach scope.

GDPR

Article 30 (records of processing activities), Article 33 (breach notification within 72 hours), and documentation of personal data deletion.

Audit Log Schema Design

{
  "id": "uuid-v4",
  "event_type": "kb.document.upload",
  "severity": "info",
  "user_id": "usr_abc123",
  "tenant_id": "tnt_xyz789",
  "timestamp": "2026-03-15T14:30:00Z",
  "ip_address": "190.123.45.67",
  "resource_type": "document",
  "resource_id": "doc_456",
  "metadata": {
    "file_name": "manual-v2.pdf",
    "kb_name": "Technical Support",
    "file_size_bytes": 2048576
  }
}

Design Principles

  • Immutability: Logs are never edited, only appended
  • Granularity: Enough detail to reconstruct the complete action
  • Normalization: Consistent, predictable event types
  • Separation: Audit logs stored separately from application logs

Real-Time Alerting

Pattern Alert Action
3+ failed logins Possible brute force Temporarily block IP
Bulk document deletion Error or malicious action Notify admin
Role change to super_admin Privilege escalation Require secondary approval
Export > 1000 records Possible exfiltration Detailed log + notification
Off-hours access Suspicious activity Flag for review

Audit Dashboard Design

An effective dashboard includes:

  • Activity timeline: Events filtered by type, user, or severity
  • Access statistics: Active users, peak hours, frequent IPs
  • Detected anomalies: Events deviating from normal patterns
  • Compliance by framework: SOC 2 / ISO 27001 checklist with current status
Export for external audits: Export filtered logs by period and type in CSV to demonstrate traceability without granting direct system access.

Conclusion

Citai’s audit logging transforms your chatbot from a black box to a fully traceable system. Every action is documented with rich, queryable, and exportable metadata — exactly what you need for enterprise compliance and operational peace of mind.


Complete traceability for your AI chatbot. Discover Citai →

Try Citai for free

Create your intelligent knowledge base in minutes. No credit card required.

Create free account