Audit Logging and Provenance for AI Workflows (AWS and MongoDB Patterns)

Shawn Wilborne
August 27, 2025

Key Takeaways

  • Audit logs are a product feature for regulated workflows.
  • Capture hashes and versions so outputs are defensible.
  • Use S3 versioning and append only logs.
  • Store review actions and approvals as explicit events.

If an AI system affects legal, financial, or compliance outcomes, you need to answer: what happened, when, why, and who approved it. This post outlines audit logging and provenance patterns for AWS plus MongoDB based systems.

What to capture in an audit log

At minimum:

  • Actor (system, user, service)
  • Timestamp
  • Action (state transition)
  • Input pointers and hashes
  • Output pointers
  • Model or ruleset version

Append only, never overwrite

An audit log should be append only. If something changes, you write a new event.

This reduces risk and simplifies investigations.
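
The fields listed above and the append-only rule, as an added example that is not part of the original post: each event records a SHA-256 of its input, and an approval is written as a new event instead of an edit. It goes one step beyond the text by linking each event to the previous event's hash so edits and deletions are detectable; the `AuditLog` class, the field names and the `GENESIS` value are assumptions, and an in-memory list stands in for the real store.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first event (assumed convention)

def _digest(body: dict) -> str:
    # Canonical JSON so the same event always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

class AuditLog:
    """In-memory stand-in for an insert-only store (hypothetical class)."""
    def __init__(self):
        self._events = []

    def append(self, actor, action, input_ptr, input_bytes, output_ptr,
               version, ts=None):
        event = {
            "seq": len(self._events),
            "actor": actor,
            "timestamp": ts or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "input": {"pointer": input_ptr,
                      "sha256": hashlib.sha256(input_bytes).hexdigest()},
            "output": {"pointer": output_ptr},
            "version": version,  # model or ruleset version
            "prev_hash": self._events[-1]["event_hash"] if self._events else GENESIS,
        }
        event["event_hash"] = _digest(event)  # hashed before the key is added
        self._events.append(event)
        return copy.deepcopy(event)

    def export(self):
        # Callers get copies; there is no update or delete method.
        return copy.deepcopy(self._events)

def first_broken_event(events):
    """Return the index of the first event that fails verification, or None."""
    prev = GENESIS
    for i, e in enumerate(events):
        body = {k: v for k, v in e.items() if k != "event_hash"}
        if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e.get("event_hash"):
            return i
        prev = e["event_hash"]
    return None
```

Run `first_broken_event(log.export())` during an investigation or on a schedule; a non-`None` result points at the earliest event whose content, order or predecessor no longer matches.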

AWS storage patterns

  • Store raw documents in S3 with versioning
  • Store logs in CloudWatch and export if needed

MongoDB patterns

MongoDB can store:

  • Audit events (append only)
  • Workflow state per document
  • Review and approval actions

Useful features:

  • Change streams for downstream consumers

Compliance baselines

Map controls early.

FAQs

Q: How long should we retain audit logs? Retention depends on your domain and policy. Design for configurable retention with legal hold capability.

Q: How do we handle privacy requests? Keep personal data minimized in logs, store pointers where possible, and implement deletion workflows that respect legal requirements.

Q: Should we log model prompts and responses? Sometimes yes, but treat them as sensitive. Apply encryption and access controls, and consider redaction.

Q: What should we link to internally? A: Link to relevant solution pages like Computer Vision or Document Intelligence, and only link to published blog URLs on the main domain. Avoid staging links.

Written By
Shawn Wilborne
AI Builder