Audit Logging for AI

Recording every model invocation — the requesting user, the input, the retrieved context, the model's output, and the tools it called — in a tamper-evident log.

Audit logging for AI is the practice of recording every interaction with a model so that, after the fact, you can answer the questions an auditor or breach investigator will ask: who used the AI, what data did it see, what did it produce, what actions did it take, and was any of that outside policy?

A complete AI audit log captures the requesting user identity (carried through from the application layer, not invented at the model layer), the prompt or input including any retrieved context, the model identifier and version, the full output, any tool calls and their results, the latency and token usage, and a stable correlation ID that ties the AI invocation back to the application-layer request.

In healthcare, the log itself is sensitive — it contains PHI. Treat it the same way you treat the rest of your PHI data path: encrypted at rest, access-controlled, retained for the regulatory window (six years for HIPAA), and never exported to systems lacking BAA coverage.

The practical engineering challenge is volume and structure. Naïve approaches log full prompts and outputs as free text. Production systems use structured logs (JSON with consistent fields), separate the metadata layer (queryable, frequent access) from the body layer (object storage, compressed, retrieved on demand), and stream to a log sink that supports immutability or write-once semantics.
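As an added illustration (not code from the glossary or any particular product), the sketch below shows the metadata/body split and a hash-chained metadata record in Python: the body (prompt, retrieved context, output) is referenced by content address rather than inlined, and each record commits to its predecessor so that edits or deletions inside the chain are detectable. Field names, the model identifier and the sample invocation are assumptions constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

def canonical_digest(obj) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def make_record(prev_hash, correlation_id, user_id, model, body, tool_calls, usage, ts=None):
    """Metadata-layer record for one model invocation.
    `body` (prompt, retrieved context, output) is written to object storage and is
    referenced here by content address only, so PHI stays out of the queryable index.
    Each record embeds the hash of its predecessor, forming a hash chain."""
    record = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "correlation_id": correlation_id,  # ties back to the app-layer request
        "user_id": user_id,                # carried through from the app layer
        "model": model,                    # identifier and version
        "body_ref": "sha256:" + canonical_digest(body),
        "tool_calls": [{"name": t["name"], "result_ref": "sha256:" + canonical_digest(t["result"])}
                       for t in tool_calls],
        "usage": usage,                    # token counts, latency, etc.
        "prev_hash": prev_hash,
    }
    record["hash"] = canonical_digest(record)
    return record

def verify_chain(records, genesis="0" * 64):
    """Recompute every hash and link. Returns the index of the first record that
    fails, or -1 if the chain is intact. This catches edits and deletions inside
    the chain; truncation at the tail is only caught if the newest hash is also
    anchored outside the log (for example in the write-once sink)."""
    prev = genesis
    for i, rec in enumerate(records):
        unsigned = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or canonical_digest(unsigned) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

# Constructed sample body (hypothetical, not real patient data).
SAMPLE_BODY = {"prompt": "Summarize today's labs for patient 42",
               "context": ["lab report text (constructed)"],
               "output": "Summary text (constructed)"}
```

The metadata record is what lands in the queryable index; `body_ref` is the key under which the encrypted body is stored and fetched on demand.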