Explainables
Created with the help of AI
Category — Govern

Audit Trail & Logging

provenanceaudience adaptation
User question

What is the complete record of this decision?

Consulting signal

Surfaces when a client faces a regulatory inquiry or legal challenge and discovers their logs were built for debugging, not accountability: missing data states, no actor attribution, or records that can't be reconstructed in sequence.

Overview

Why this pattern exists

A decision gets challenged. Someone asks: what data was used, what did the model score, did a human review it, when exactly was it decided? The answer turns out to be scattered across three systems, partially missing, and impossible to reconstruct in sequence. The problem is not malice. It is that logging was built for engineers, added late, and never organized for the question "can we account for what happened here?"

This is the gap audit trail design addresses. The other governance patterns, contestability, human oversight, and transparency cards, all depend on it. You cannot review what wasn't logged. You cannot contest a decision whose data state wasn't captured. You cannot audit a process that has no sequence record. Audit trail and logging is the infrastructure that makes every other accountability mechanism real rather than nominal.

The design challenge is not technical: most systems can log events. The challenge is that logging designed for debugging is not the same as logging designed for accountability. The fields are different, the retention requirements are different, the audiences are different, and the level of human-readable structure required is different. Designing for audit means deciding, before deployment, what questions might need to be answered later, and capturing the evidence to answer them.

Design goal

Capture a comprehensive, tamper-evident, and accessible record of AI decisions, including inputs, outputs, model versions, human interventions, and data states, sufficient to support retrospective audit, regulatory review, and the exercise of user rights.

Usage guidance

When to use

  • The system makes or influences consequential decisions about people
  • Regulatory requirements mandate logging (EU AI Act, GDPR, sector-specific rules)
  • Decisions may be challenged, appealed, or subject to regulatory review
  • Multiple actors contribute to decisions (AI system, caseworkers, supervisors)
  • The organization needs to monitor system performance and detect degradation or bias over time

When not to use

  • The system handles information that cannot legally be retained (e.g. certain medical or financial records with mandatory deletion schedules): in this case, minimum viable logging must be designed within legal constraints
  • Logging would itself create a privacy risk: capture what is needed, not everything

Design

UI primitives

Content Block / Log

Case audit log (internal view)

The complete event log for a specific case, accessible to authorized internal users: - Timestamp for every event - Event type (model scored, human reviewed, override, document uploaded, decision issued, appeal received) - Actor (system version, caseworker ID, applicant ID) - Data state snapshot (inputs used at the time of the decision) - Model version reference
Navigation & Flow / Filter

Audit log search and filter

For compliance teams reviewing large numbers of cases: filtering by date range, event type, actor, outcome, model version, or flag status.
Inline Signal / Indicator

Tamper evidence

Technical and design indicators that the audit log has not been modified: cryptographic logging, display of log integrity status, immutability by design.
Content Block / Record

User-accessible decision record

A simplified version of the audit trail available to the affected person upon request: their right to access under GDPR. Not the full technical log, but the substantive record: what data was used, what the system recommended, who made the final decision.
Content Block / Schedule

Retention and deletion schedule display

A visible indication of how long audit records are retained, and when they will be deleted. Users who want to access their records need to know the window within which they can do so.
Navigation & Flow / Export

Export for regulatory review

A standardized export format for providing audit records to regulators on request: structured data (JSON, CSV) alongside a human-readable summary.

How to use

Log the data state, not just the decision.

A log entry that records only "decision: approved" is not auditable. An auditable log records: the data inputs at the time of the decision, the model version used, the score generated, any human review notes, and the final decision. If any of these change, you need to know which state produced which outcome.

Log human interventions explicitly.

Every override, deferral, flag, and review must be logged with actor, timestamp, and reason. The audit trail must reflect the full human-AI decision chain, not just the automated steps.

Design for the subpoena scenario.

In high-stakes domains (lending, benefits, employment), audit logs may be requested by regulators or required as evidence in legal proceedings. Design the log format, retention period, and access controls with this in mind.

Separate the audit data layer from the display layer.

The raw audit log and the user-facing decision timeline are different things with different audiences. Design them separately: the audit log for legal and compliance use, the timeline for user understanding.

Establish retention periods deliberately.

Logs retained indefinitely create privacy risks. Logs deleted too quickly prevent audit. Set retention periods based on the legal requirements and the realistic window for challenges and regulatory review. Document the retention policy.

Use cases

flow a

Compliance team investigating a systemic issue

  1. 1. Compliance team receives a complaint pattern: multiple similar applicants received adverse decisions in a short period.
  2. 2. Team searches audit logs: filter by date range, outcome (decline), and demographic attribute [group].
  3. 3. Audit log reveals that all decisions were made using a model version that was later found to have a calibration error.
  4. 4. Team uses the log to identify affected cases and initiate a review.
flow b

Regulatory inspection

  1. 1. Regulator requests audit records for a sample of decisions made in Q3.
  2. 2. System exports structured audit records in the required format.
  3. 3. Regulator reviews: data inputs, model versions, decision outcomes, override rates, and documentation quality.
  4. 4. Regulator finds that a significant proportion of overrides lack documented reasons: a compliance finding.
flow c

Applicant exercising GDPR access rights

  1. 1. Applicant submits a Subject Access Request.
  2. 2. Organization provides the user-accessible decision record: data used, recommendation, human reviewer role, final decision, date.
  3. 3. Applicant reviews and identifies that an outdated address was used: submits a correction and a challenge.

Design trade-offs

Completeness vs. privacy

A comprehensive audit log may contain personal data that creates privacy obligations. Log what is necessary for accountability, not everything that is technically possible to capture.

Retention vs. right to erasure

GDPR includes a right to erasure. Audit logs for regulatory compliance may need to be retained even when a user requests deletion. These tensions must be resolved in policy before they can be resolved in design, but the design must reflect the policy.

Accessibility vs. confidentiality

The full audit log may contain commercially sensitive details or third-party data. The user-accessible version of the record must be carefully scoped to what the affected person has a right to see.

Connections

Relation to other patterns

Govern

Decision Timeline

What happened and when?

Provide a clear, chronological view of the key events in a decision's lifecycle, including data collection, model assessment, human review, overrides, and communications, in a form that supports both user understanding and audit.

The decision timeline is the user-facing presentation layer; the audit trail is the underlying data. They are different tools for different audiences reading from the same underlying record.

Act

Human-in-the-Loop

Who can review or override this decision?

Provide authorized users with clear, accessible mechanisms to review, modify, and override AI recommendations, and ensure that all interventions are documented in a way that supports accountability and audit.

Override events are the most important human-generated entries in the audit trail. HITL without documented logging is not accountable oversight.

Act

Contestability & Appeal

How can I challenge this decision?

Provide a clear, accessible, and functional mechanism through which the person affected by an AI-influenced decision can formally challenge it: with confidence that the challenge will be received, reviewed by a human, and result in a documented response.

The audit trail provides the evidence base for contestability reviews. Without it, challenges cannot be properly evaluated.

Act

Feedback Loops

How can I correct the system?

Provide a low-friction mechanism for users to report errors, provide corrections, and signal disagreement with AI outputs, and close the loop by communicating that feedback was received and, where appropriate, how it was used.

Feedback submissions are audit events. Systematic analysis of the audit log for feedback patterns is a key governance tool.

Sources

Raji et al. (2020) — Closing the AI Accountability Gap

argues that closing the accountability gap requires systematic auditing infrastructure, not just documentation. Establishes audit trails as the technical foundation for accountability

Kroll et al. (2017) — Accountable Algorithms

proposes that algorithmic accountability requires process transparency implemented through logging and audit, not just outcome disclosure

European Union (2024) — EU AI Act, Article 12

requires high-risk AI systems to have logging capabilities that allow post-market monitoring and retrospective audit

European Union (2016) — GDPR, Articles 13, 15, 22

the right of access (Article 15) and the right not to be subject to solely automated decision-making (Article 22) both require that decision records be retained and accessible

Explainables
Created as a side project by Christian Laesser & AI