January 10, 2026 • Marcus Chen, Head of Security Research
A log file in the same directory as the application it monitors is not an audit trail. An attacker who compromises the application can delete or modify the log before anyone reads it. Tamper-evident logging requires that the logs be written to a system the agent cannot reach, using a mechanism that makes any modification detectable. For AI agents, which can execute arbitrary code within their permissions, this distinction matters more than it does for traditional services.
Application logs capture errors and debug information. An audit log captures decisions and their context. For AI agents, every entry should answer six questions: who acted (agent identity), what it did, when, against which resource, why (the task context), and how the entry can be verified (the signature).
Most logging systems capture who, when, and what. Few capture why (the task context) and fewer still sign the entries. Without the task context, an audit log tells you that agent A read customer record 4892 at 14:32:07, but not whether it was doing so as part of a legitimate support task or as part of an enumeration attack. Without entry signatures, an attacker who gains write access to the log store can backfill plausible-looking entries to cover their tracks.
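Entry signing can be sketched with nothing more than the standard library. This is a minimal illustration, not a prescribed design: the key name and entry fields are assumptions, and in practice the signing key would live with the sidecar or a KMS, outside the agent's reach.

```python
import hashlib
import hmac
import json

# Hypothetical signing key; in a real deployment this is held by the
# sidecar or a KMS, never by the agent whose actions are being logged.
SIGNING_KEY = b"sidecar-only-secret"

def sign_entry(entry: dict) -> dict:
    """Attach an HMAC computed over the canonical JSON form of the entry."""
    payload = json.dumps(entry, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return {**entry, "sig": sig}

def verify_entry(signed: dict) -> bool:
    """Recompute the HMAC; a backfilled or altered entry fails the check."""
    body = {k: v for k, v in signed.items() if k != "sig"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])
```

An attacker with write access to the log store but no access to the key can append entries, but cannot produce valid signatures for them, which is exactly the backfilling attack described above.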
S3 Object Lock is a popular choice for immutable log storage, and it is better than nothing. But it provides immutability at the object level, not the entry level. An attacker with S3 write access can create new log objects and, if they control timing, replace recent objects before the lock period activates.
Stronger approaches use append-only log structures where each entry includes a hash of the previous entry, forming a chain. Any modification to an earlier entry changes its hash, which breaks the chain from that point forward. Verifying chain integrity is a linear scan that takes seconds for millions of entries. AWS CloudTrail Lake and Google Cloud Audit Logs both use this approach internally.
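The hash chain itself is a few lines of code. A minimal sketch (the link structure and field names are illustrative):

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed predecessor hash for the first link

def entry_hash(entry: dict, prev_hash: str) -> str:
    """Hash the canonical entry together with the previous link's hash."""
    payload = json.dumps(entry, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()

def append(chain: list, entry: dict) -> None:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"entry": entry, "prev": prev, "hash": entry_hash(entry, prev)})

def verify(chain: list) -> bool:
    """Linear scan: modifying any entry breaks every link from it onward."""
    prev = GENESIS
    for link in chain:
        if link["prev"] != prev or link["hash"] != entry_hash(link["entry"], prev):
            return False
        prev = link["hash"]
    return True
```

Because each link commits to its predecessor, an attacker who rewrites one entry must also rewrite every subsequent hash, which is detectable as long as any later hash has been witnessed elsewhere (e.g. periodically published or anchored).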
For teams building their own log pipeline, a simpler approach is to stream audit events to a SIEM (Splunk, Datadog, Elastic) over an authenticated TLS connection, with the agent's sidecar doing the streaming rather than the agent itself. The agent cannot write to the SIEM directly, and cannot modify entries after they are written. The sidecar — which operates under a separate identity with write-only SIEM access — is the only component that touches the audit stream.
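The sidecar's forwarding loop reduces to "serialize each event, ship it over the authenticated connection." In this sketch the transport is injected as a callable so the shape is clear without committing to a particular SIEM API; in a real sidecar, `send` would wrap an authenticated TLS POST to the SIEM's ingestion endpoint.

```python
import json
from typing import Callable, Iterable

def forward_events(events: Iterable[dict], send: Callable[[bytes], None]) -> int:
    """Serialize each audit event as one NDJSON line and hand it to the
    transport. Returns the number of events forwarded."""
    count = 0
    for event in events:
        send(json.dumps(event, sort_keys=True).encode() + b"\n")
        count += 1
    return count
```

Keeping the transport behind a separate identity with write-only access is what makes this arrangement tamper-evident: the agent never holds SIEM credentials, so compromising the agent does not grant the ability to alter or suppress entries already streamed.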
An audit trail is only valuable if investigators can query it efficiently during an incident. The most common forensic queries on AI agent systems are: what did a given agent do during a time window, which agents touched a given resource, what actions were taken under a given task, and which sessions show anomalous call volumes.
Each of these requires that the audit log includes indexed fields for agent identity, resource, task context, and call count per session. Log systems that store entries as unstructured text make forensic queries slow and error-prone. Structured log formats (JSON with consistent field names) stored in a queryable backend are the baseline requirement for useful forensics.
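A minimal sketch of such an entry, with one possible set of field names (the names themselves are an assumption; what matters is that the schema is consistent and the indexed fields are present):

```python
import json
from dataclasses import asdict, dataclass

@dataclass
class AuditEntry:
    # Illustrative field names; pick one schema and keep it consistent.
    agent_id: str     # who
    action: str       # what
    resource: str     # against which resource
    task_id: str      # why: the task context
    timestamp: str    # when (ISO 8601, UTC)
    session_seq: int  # call count within the session

    def to_json(self) -> str:
        """Canonical JSON form, suitable for indexing and hashing."""
        return json.dumps(asdict(self), sort_keys=True)
```

Indexing `agent_id`, `resource`, `task_id`, and `session_seq` in the backend makes each of the queries above a single filtered lookup rather than a full-text scan.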
SOC 2 requires one year of audit log retention. FedRAMP requires three years. GDPR complicates both by requiring that personal data not be retained longer than necessary. For AI agent audit logs, the practical answer is: retain the full structured entry for one year, then archive with personally identifiable fields redacted for the required compliance period. The cryptographic chain integrity can be preserved through the redaction by hashing the redacted fields rather than removing them entirely, keeping the chain verifiable while reducing the personal data footprint.
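The redaction-preserving trick works by hashing PII fields before they enter the chain hash, so swapping plaintext for its digest later does not change any link. A sketch under assumed field names:

```python
import hashlib
import json

PII_FIELDS = {"customer_name", "email"}  # illustrative choice of PII fields

def _pii_digest(value) -> str:
    return "sha256:" + hashlib.sha256(str(value).encode()).hexdigest()

def _canonical(entry: dict) -> bytes:
    """PII values are hashed before the chain hash is computed, so
    redacting them later leaves every chain hash intact."""
    c = dict(entry)
    for f in PII_FIELDS & c.keys():
        if not str(c[f]).startswith("sha256:"):
            c[f] = _pii_digest(c[f])
    return json.dumps(c, sort_keys=True).encode()

def chain_hash(entry: dict, prev: str) -> str:
    return hashlib.sha256(_canonical(entry) + prev.encode()).hexdigest()

def redact(entry: dict) -> dict:
    """Replace PII plaintext with its digest; chain verification still passes."""
    c = dict(entry)
    for f in PII_FIELDS & c.keys():
        if not str(c[f]).startswith("sha256:"):
            c[f] = _pii_digest(c[f])
    return c
```

The archived entry no longer contains the personal data, but because the chain always committed to the digests rather than the plaintext, the redacted log verifies against the same hashes as the original.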
Marcus Chen leads security research at Riptides. Questions: hello@riptidesio.com