← Blog

Agentic AI Audit Trail: Reconstructing a Multi-Step Agent Run From the Record

An agent run is not one request. It is a chain: a plan, a sequence of tool calls, retrieved context, and model calls whose inputs were produced by earlier steps in the same chain. An audit trail that records only the final model call cannot reconstruct any of it. This walks the fields an agentic audit trail has to carry, the correlation identifier that makes a chain reconstructible, and why the record has to be written outside the agent that produced it.

ByParminder Singh· Founder & CEO, DeepInspect Inc.
Problem-Awareagentic-aiforensic-auditauditai-complianceidentity-and-authorizationai-security
Agentic AI Audit Trail: Reconstructing a Multi-Step Agent Run From the Record

A single-turn LLM call produces one request and one response, and an audit record with a timestamp, an identity, and a prompt hash tells you most of what happened. An agent run produces a plan, then a tool call, then a model call whose prompt contains the output of that tool call, then another tool call chosen because of what the model just said, and so on for anywhere from three to forty steps.

Record only the last model call and you have captured the least informative moment in the chain. The question an investigator asks about an agent is never "what was the final prompt." It is "why did it do that," and the answer lives in the steps.

What an investigator actually needs to reconstruct

Take a concrete failure. A procurement agent issued a purchase order to a supplier that should have been blocked. Four weeks later, a compliance officer asks what happened.

Answering that requires reconstructing: which human or service initiated the run, what authority was delegated to the agent for this run, what the agent was asked to do, which tools it called and with what arguments, what each tool returned, which of those returns entered a model prompt, what the model produced at each step, which policy evaluated each model call, and what each policy decided. Nine facts, at every step, correlated into one chain.

NIST's AI agent identity and authorization framework names the three pillars this decomposes into: agent identity, delegated authority, and action lineage (NIST NCCoE). Action lineage is the audit trail. It is a structured record of who authorized this, under which policy, at what moment, with what outcome, and it is a different artifact from an application log.

The correlation identifier is the load-bearing field

Everything in an agent audit trail hangs on one field: a chain identifier that is issued at the start of the run and carried by every subsequent call in that run.

Without it, an investigator holds a pile of individually correct records with no way to know which belong to the same decision. With it, the run is queryable as a unit. The identifier has to be generated at the initiating boundary, propagated into every tool invocation and every model call, and survive the agent's own retries and sub-agent spawns.

[@portabletext/react] Unknown block type "code", specify a component for it in the `components.types` prop

Note the sources array. It records which earlier step produced the content now sitting in this prompt. That field is what lets an investigator trace a bad output back to the tool return that poisoned it, which is the single most common root cause in agent incidents.

Delegated authority has to be in the record, not just in the config

An agent's permissions are usually defined once, in a config file, and never appear in the run record. This is a mistake that surfaces the moment anyone asks what the agent was allowed to do at the time rather than what it is allowed to do now.

Policy changes. Roles change. Scope grants get widened during an incident and never narrowed. A record that omits the delegated scopes in force at the moment of the call is a record that requires an archaeological dig through configuration history to interpret, and configuration history is rarely versioned with the fidelity an audit demands.

Write the delegated scopes into every step. The redundancy costs bytes and buys the ability to answer the question directly. I go deeper on the scoping model in AI agent tool scoping and delegated authority in AI agent authorization.

Why the agent cannot write its own audit trail

If the agent that took the action also writes the record of the action, the record is self-attestation. In every regulated domain, the system under audit does not author the audit evidence. The CFO does not sign the audit of the financial statements they prepared.

Agent-written trails fail three specific ways.

Selective recording. The agent logs the steps its instrumentation anticipated. The step where it did something unanticipated is exactly the step most likely to be missing.

Suppression. A compromised agent process can modify or drop records it has not yet flushed. If the agent is the thing under investigation, its testimony about itself is worth nothing.

Loss on crash. The agent calls a tool, the tool executes a real-world side effect, the agent crashes before the log write commits. Action taken, evidence gone. This is the worst case, because the record's absence is indistinguishable from the action never happening.

The fix is write-path independence. The record is committed by an enforcement point in the request path, before the response returns to the agent, so the agent never has custody of the write. I argued the general form of this in tamper-evident audit logs for AI.

What regulators are already asking for

The EU AI Act's Article 12 requires automatic recording of events over the lifetime of the system to ensure traceability, including period of use, input data, and identification of the natural persons involved (Practical AI Act). For a high-risk system implemented as an agent, "input data" means the prompt at every step, and "natural persons involved" means the human on whose behalf the agent acted. Penalties under Article 99 reach €15 million or 3% of global annual turnover, whichever is higher (EU AI Act Article 99).

An agent trail that captures only the final call satisfies neither clause.

DeepInspect

This is the gap DeepInspect closes. DeepInspect sits at the AI request boundary as a stateless proxy between agents and the model endpoints they call. Every model call an agent makes transits the proxy, carrying the identity of the agent, the principal it acts on behalf of, and the scopes delegated for the run.

For each call, DeepInspect evaluates policy against that identity and the classification of the prompt content, then commits a signed, per-decision record before the response returns to the agent. The chain identifier ties the records of a single run together, so a forty-step agent run reconstructs as one queryable lineage rather than forty unrelated log lines. Because the record is written by the proxy, a compromised or crashed agent cannot suppress it.

If you are deploying agents into a regulated environment and need the action lineage before the auditor does, book an AI readiness assessment.

Frequently asked questions

What is an agentic AI audit trail?

It is a structured, per-step record of an autonomous agent's execution: the identity that initiated the run, the authority delegated to the agent, every tool call and its arguments and returns, every model call and the classification of its prompt, the policy that evaluated each call, and the decision that policy reached. All steps share a chain identifier so the run reconstructs as one lineage. NIST calls this action lineage, the third pillar of its AI agent identity and authorization framework. It differs from an application log because it records authorization decisions rather than program events, and because it is written outside the agent's custody.

What fields must an agentic audit record contain?

At minimum: a chain identifier and step number, the parent step (agents branch), the principal (the agent identity plus the human or service it acts on behalf of), the delegated scopes in force at that moment, the action type and target endpoint, the classification of the prompt content and a hash of it, the identifiers of earlier steps whose output entered this prompt, the policy identifier and version, the decision outcome, any redactions applied, and a signed timestamp. The scopes and the source-step references are the two fields most often omitted and the two that most often matter in an investigation.

Why can't the agent framework write the audit trail itself?

Because that is self-attestation. The system that took the action would be authoring the evidence about the action, which fails the independence requirement every other regulated audit regime imposes. Concretely, an agent-written trail is subject to selective recording (the unanticipated step is the one that goes unlogged), suppression (a compromised agent can drop records before flush), and loss on crash (the tool executes a real side effect, the process dies, the log write never commits). An enforcement point in the request path commits the record before the response returns, which removes all three failure modes.

How does an agent audit trail support EU AI Act compliance?

Article 12 requires automatic recording of events over the system's lifetime to ensure traceability, covering the period of use, the input data, and the identification of the natural persons involved. For an agentic system, satisfying that clause means recording the prompt at every model call in the chain, the timestamps of each, and the human principal the agent acted for. A trail that captures only the final model call records neither the intermediate inputs nor the delegation chain back to a person, so it fails the traceability test that Article 12 sets and that Article 99 penalties enforce.

How long should agentic audit records be retained?

Retention follows the regime, not the technology. Under the EU AI Act, logs for high-risk systems are retained for a period appropriate to the system's purpose and at least six months unless other Union or national law specifies longer. Sector rules frequently push further: financial-services record-keeping regularly runs five to seven years, and healthcare retention is set by state and national law. Set retention by the strictest regime the AI system touches, keep the records in a store the producing application cannot write to, and preserve the signature chain so the record's integrity is demonstrable years later.