Audit Log Integrity

An audit log is only as good as the guarantees you can make about it under adversarial review. "We log every query" is a starting point; "we can prove these records were written in order and have not been modified or deleted since" is the standard a compliance auditor or opposing counsel will actually apply. The techniques below — append-only storage, hash-chained entries, independent signing, and external notarization — turn logs from a convenient debug artifact into evidence.

---

---

1. What an Audit Log Must Record

For an AI document pipeline, each event should capture:

• Actor identity (user, service, tenant).
• Matter / document IDs touched.
• Action (query, retrieve, re-identify, export, delete).
• Prompt hash and response hash (not raw contents, to avoid duplicating sensitive data into the log).
• Model route (provider, region, tier) and attestation fingerprint if TEE.
• Policy decisions taken (which routing rule fired, which access check passed or failed).
• Timestamp from a trusted clock source, plus a monotonic sequence number.

---

2. Append-Only Storage

• Object-lock / WORM — S3 Object Lock in Compliance mode, Azure immutable blob storage, GCS bucket lock. Once written, rows cannot be modified or deleted for the retention window, even by the account root.
• Append-only DB schemas — revoke UPDATE and DELETE on the audit table for all roles including DBA; writes go through a restricted INSERT-only service account.
• Separate storage account — audit logs live outside the application's production account, so a compromise of the app plane does not compromise the log.

---

3. Hash-Chained Entries

Each log entry includes the hash of the previous entry, so tampering with any record invalidates every subsequent hash. A verifier can walk the chain and detect any insertion, deletion, or modification.

• Missing entries are detectable because the chain breaks.
• Reordering is detectable for the same reason.
• Silent deletion of trailing records is the one attack a pure hash chain does not detect — mitigated by external notarization (section 5).

---

4. Example: Signed Hash Chain

import json, hashlib, hmac, time
from dataclasses import dataclass, asdict


@dataclass
class AuditEntry:
    seq: int
    ts: float
    actor: str
    action: str
    subject: dict
    prev_hash: str
    mac: str = ""


def _canonical(e: AuditEntry) -> bytes:
    d = asdict(e); d.pop("mac")
    return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


def append(prev: AuditEntry | None, actor: str, action: str,
           subject: dict, sign_key: bytes) -> AuditEntry:
    entry = AuditEntry(
        seq=(prev.seq + 1) if prev else 1,
        ts=time.time(),
        actor=actor,
        action=action,
        subject=subject,
        prev_hash=hashlib.sha256(_canonical(prev)).hexdigest() if prev else "GENESIS",
    )
    entry.mac = hmac.new(sign_key, _canonical(entry), hashlib.sha256).hexdigest()
    return entry


def verify_chain(entries: list[AuditEntry], sign_key: bytes) -> bool:
    prev = None
    for e in entries:
        expected_prev = (hashlib.sha256(_canonical(prev)).hexdigest()
                         if prev else "GENESIS")
        if e.prev_hash != expected_prev:
            return False
        mac = hmac.new(sign_key, _canonical(e), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, e.mac):
            return False
        prev = e
    return True

For production, replace HMAC with an asymmetric signature (Ed25519, ECDSA P-256) whose private key lives in a KMS HSM. The HMAC version is illustrative; asymmetric signing lets an auditor verify without holding the signing key.

---

5. External Notarization

To defend against silent truncation, periodically publish the chain's current head hash to an external, append-only medium:

• Trusted third party — a timestamping authority per RFC 3161, or a public transparency log (Sigstore Rekor, Google Trillian).
• Cross-account witness — write the head hash to a different cloud account or a different provider.
• Blockchain anchor — occasionally useful for legal defensibility; cost and complexity usually do not justify it over simpler options.

Cadence is a trade-off: anchor every minute and the head can only slide a minute before detection, but cost rises; anchor daily and the detection window is a day.

---

6. Access Controls & Retention

• Read access is privileged — the audit log is itself sensitive. Grant read only to auditors and compliance; applications can write but never read.
• Retention aligned to regulation — HIPAA 6 years, SOX 7 years, state bar requirements vary. Encode retention per log category, not globally.
• Legal hold overrides retention — when litigation or regulatory inquiry is foreseeable, suspend deletion for affected scopes; annotate the hold in the log itself so its provenance survives.
• Destruction is itself auditable — when retention expires and logs are deleted, record the deletion in a secondary retention log that lives longer.

---

↑ Back to Top