What audit trail should AI agents maintain?

Answer

Every agent action should produce an immutable audit record containing:

1. Who — org_id, user_id, agent_id, API key used.
2. What — action_type, action_name, resource_type, input summary, output summary.
3. When — timestamp with timezone, duration_ms.
4. Why — which rules were evaluated, which passed or failed, the compliance decision.
5. Context — risk score at time of action, applicable regulations, feature flags in effect.
6. Integrity — hash chain linking each record to its predecessor, SHA-512 verification hashes on aggregated reports.