Article 12 of the EU AI Act, in force since August 2024, requires high-risk AI systems to maintain "automatic recording of events (logs) over the duration of the lifetime of the system." The U.S. equivalent, NIST AI RMF 1.0 (January 2023), articulates the same expectation across its four functions (Map, Measure, Manage, Govern). SOC 2 Type II controls CC7.2 and CC7.3 — applicable to any vendor handling customer data through an AI feature — require evidence that audit records exist and are tamper-evident.
The pattern is identical to what financial systems went through after Sarbanes-Oxley in 2002: regulators stop accepting "we have it in our logs somewhere" and start requiring cryptographically verifiable trails. The mechanism financial systems converged on is a hash chain — each log entry includes the SHA-256 of the previous entry, so any tampering breaks the chain instantly and verifiably. The same construction underlies Bitcoin's block validation and Certificate Transparency's Merkle log.
For AI systems, the unit of record is not the inference; it is the change to the data the inference depends on. Every fragment added, modified, or removed from a vector store. Every embedding-model migration. Every quarantine action on a row flagged as PII. Each of these is a state change a regulator can — and increasingly will — ask you to reconstruct.
The implementation is straightforward: write each event as `{prev_hash, actor, action, target, payload, timestamp, hash = SHA256(prev_hash || canonical_json(rest))}`. Replicate to write-once storage (S3 Object Lock, Azure Blob Immutable, GCS Bucket Lock) on a daily cadence. Verify the chain end-to-end before any export. That is the entire mechanism — and it is what differentiates a log from evidence.
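As an added example (not code from this article, nor from any product it names), the record layout above as a minimal Python hash chain with the end-to-end verifier the text calls for; the all-zero genesis anchor, plain string concatenation for `||`, and the sample vector-store events are assumptions chosen for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumption: the first entry chains to an all-zero anchor instead of a real predecessor.
GENESIS_HASH = "0" * 64

def canonical_json(obj):
    # Sorted keys, no whitespace, ASCII-only: the same dict always yields the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True)

def compute_hash(prev_hash, rest):
    # hash = SHA256(prev_hash || canonical_json(rest)); '||' is string concatenation here.
    return hashlib.sha256((prev_hash + canonical_json(rest)).encode("utf-8")).hexdigest()

def append_event(chain, actor, action, target, payload, timestamp=None):
    """Append one state-change record to the in-memory chain and return it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    rest = {
        "actor": actor, "action": action, "target": target, "payload": payload,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
    }
    entry = {"prev_hash": prev_hash, **rest, "hash": compute_hash(prev_hash, rest)}
    chain.append(entry)
    return entry

def verify_chain(chain):
    """Walk the chain from genesis. Returns (True, None) or (False, index of first bad entry).
    Detects edited fields, forged hashes, and deleted or reordered entries."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        rest = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != expected_prev:
            return False, i  # link to the predecessor is broken (deletion/reorder)
        if compute_hash(entry["prev_hash"], rest) != entry["hash"]:
            return False, i  # entry content was altered after it was written
        expected_prev = entry["hash"]
    return True, None

if __name__ == "__main__":
    # Constructed sample events covering the three record types named in the article.
    chain = []
    append_event(chain, "svc-ingest", "add_fragment", "vs:docs/42", {"fragment_id": "f-1"})
    append_event(chain, "dlp-scanner", "quarantine", "vs:docs/42/f-1", {"reason": "PII"})
    append_event(chain, "admin", "embedding_model_migrate", "vs:docs", {"from": "m1", "to": "m2"})
    print("intact:", verify_chain(chain))
    chain[1]["payload"] = {"reason": "false positive"}  # simulate an after-the-fact edit
    print("tampered:", verify_chain(chain))
```

Run the verifier over the export before it leaves your custody; the index it returns is the first entry an auditor would reject.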
The hard part is not the cryptography. It is the surface coverage. An audit trail with gaps — the bulk-delete script that ran outside the platform, the manual SQL update during the incident, the embedding-model swap nobody recorded — is worse than no audit trail, because it implies systematic record-keeping that does not actually exist.
Whether you build the chain in-house, lean on a managed compliance platform (Vanta, Drata, Secureframe handle the SOC 2 wrapper but not the AI-specific events), or use a vertical tool like Buzo that records the vector-store layer specifically, the test is the same: hand the export to your auditor and let them verify the hashes themselves. If they cannot, you do not have evidence — you have a story.
