Product · AI Audit Trail

Every prompt, every redaction, every decision — logged, signed, and SIEM-exportable.

PortEden's AI audit trail is the chain-of-custody record for AI activity. Tamper-evident, cryptographically chained, and streamed in real time to Splunk, Datadog, Elastic, or S3. One vendor-neutral timeline across Claude, ChatGPT, Copilot, and MCP servers — produces the per-request evidence SOC 2 CC7.2, HIPAA §164.312(b), and GDPR Art. 30 auditors typically request.


Free tier · No credit card · Works with any AI client

Mapped to the frameworks your auditor reads

SOC 2 CC7.2 · HIPAA §164.312(b) · GDPR Art. 30 · PCI-DSS Req. 10 · ISO 27001 A.8.15 · CMMC AU.L2 · GLBA

The problem

AI activity is invisible to your SIEM, your DLP, and your auditor.

Browser tabs bypass network egress. AI vendor consoles surface summary data, not per-request evidence. Each tool — Claude, ChatGPT, Copilot, MCP — keeps its own log silo, if it keeps one at all. When the auditor asks "what client data has touched OpenAI in 2026?", you have nothing to point at. The audit trail layer is missing.

An auditor asks what client data has touched OpenAI in 2026

You're reconstructing from screenshots, Slack threads, and OAuth grant lists. There is no single timeline, no per-request evidence, and no way to prove what was redacted before it left.

A user pastes a customer thread into ChatGPT

There's no record of it. It never reaches your DLP because the browser tab bypassed the network egress controls. Your SIEM has nothing on it. The leak is invisible to incident response.

Compliance review can't reconstruct who saw what, when

Every AI tool has its own siloed log, if it has one at all — Claude, ChatGPT, Copilot, MCP servers. None of them speaks SIEM. Stitching them together for an audit takes weeks and is never complete.

The audit trail in action

One feed, every AI client, every event.

A representative slice of the live audit feed. Every authorization, redaction, and filter is a record — actor, AI client, integration, decision, and detail — cryptographically chained and streamed to your SIEM.

audit.live · last 20 seconds · streaming

time          actor                    AI client / integration  decision  detail
14:22:08.412  jamie@yourcompany.com    Claude / Gmail           ALLOW     Read 14 messages · last-30-days window · 0 redactions
14:22:09.118  jamie@yourcompany.com    Claude / Gmail           REDACT    Stripped 3 SSNs and 1 PAN before egress
14:22:11.804  alex@yourcompany.com     ChatGPT / Drive          FILTER    Excluded /Legal Hold/ folder · account-scope
14:22:14.227  agent-research-01        MCP / Notion             DENY      Action: page.delete · blocked by action-limits
14:22:18.065  morgan@yourcompany.com   Copilot / Outlook        ALLOW     Free/busy mode · 7 events · 2 attendees masked
14:22:20.991  morgan@yourcompany.com   Copilot / Outlook        REDACT    Stripped 2 customer email addresses on egress
14:22:23.500  sam@yourcompany.com      ChatGPT / Slack          FILTER    DM channel hidden · contact-rules · #leadership masked
14:22:26.713  agent-research-01        MCP / Jira               ALLOW     Read 22 issues · project=ENG · matter-tag=2026-114

Each row chained · prev-hash verified
Streaming to Splunk · 2.4 s median
Signed export ready for auditor

Coverage

Six event categories, one timeline.

Every event PortEden captures fits one of six categories. Each carries the same shared fields — actor, AI client, integration, policy version, evidence hash — so cross-category investigation is one query, not six.

Authentication & session

Who logged in from where, with what factor, on which AI client.

  • User sign-in / sign-out with IdP outcome
  • MFA challenge issued / passed / failed
  • AI client OAuth grant / revoke / re-consent
  • Session start / refresh / expiry
  • Impossible-travel and anomaly flags
  • Service-account and machine-identity logins
  • Break-glass admin elevations

Authorization decisions

Per-layer policy outcome for every request that crossed the boundary.

  • Visibility layer outcome (free/busy, filename-only, full)
  • Contact-rules layer outcome (allowed / excluded / overridden)
  • Action-limits outcome (read / write / send / delete)
  • Time-window outcome (in-window / out-of-window scoped)
  • Account-scope outcome (which workspaces / mailboxes / drives)
  • Data-reduction outcome (which fields masked)
  • Final allowed-payload size and shape

Redaction events

Which rules fired, with category counts and reversible placeholders.

  • PHI rule fires (count by sub-category — names, MRN, DOB)
  • PCI rule fires (PAN, CVV, expiry detection)
  • Secrets rule fires (API key, token, certificate, password)
  • Custom regex / dictionary rule fires
  • ML classifier confidence and category
  • Reversible placeholder issued / consumed
  • Original-vs-redacted hash pair for evidence

Data access

What resources were read, by whom, on behalf of which AI client.

  • Resource type and identifier (message, file, event, ticket)
  • AI client identity (Claude, ChatGPT, Copilot, MCP)
  • Integration (Gmail, Drive, Calendar, Slack, Jira)
  • Payload size in / out (bytes, token-equivalent)
  • Source IP and geo for the AI client
  • Custom tags (matter ID, patient panel, project code)
  • Cache hit / miss for repeated requests

Admin & policy change

Who changed what, with a diff, an approver, and a replayable version.

  • Policy create / edit / delete with full diff
  • Role assignment / removal per user or group
  • Integration connect / disconnect / re-auth
  • Retention setting changes
  • SIEM destination configuration changes
  • Approver decisions on change-control workflows
  • Tenant settings (region, isolation flags, retention)

System & integration

Sync runs, integration health, errors — the operational ground truth.

  • Integration sync start / success / failure
  • Rate-limit hit / backoff event from upstream
  • Token refresh outcomes (success, refused, revoked)
  • Schema change detection on a connected source
  • Background-job durations and queue depth
  • Internal error with stack-fingerprint hash
  • Health-check transitions (green / yellow / red)

How it works

Capture. Sign. Stream. Query.

1. Capture

Every event is captured at the integration boundary — auth, authorization, redaction, data access, admin, system. The same enforcement point that filters the data also writes the evidence, so there is no gap between what happened and what's logged.

2. Sign

Each record is cryptographically signed and chained — the hash of every event includes the previous hash. Daily anchors land in append-only storage. Any insertion, deletion, or edit breaks the chain and is detectable on verification.

3. Stream

Events ship to your SIEM in real time — Splunk, Datadog, Elastic, Sentinel, Chronicle, S3. Median end-to-end latency is 2–4 seconds. SIEM is the source of truth for long-term retention; PortEden holds the hot tier for investigation.

4. Query

An ad-hoc investigation UI lets compliance and DFIR teams pivot across actor, AI client, integration, and tag without touching the SIEM. Any filtered view exports as a signed CSV bundle that an auditor can verify independently.
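The chaining in step 2 and the verification in step 4, as an added Python example that is not PortEden's code (the page does not publish its record format or signing scheme). It assumes SHA-256 over the previous hash plus a canonical JSON encoding of the record, an all-zero genesis hash, and a daily anchor that is simply the expected final hash; the sample events are constructed from the live-feed rows above, and the per-record signature is left out to show only the chain.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first record in an empty chain

# Constructed sample events, modelled on the live-feed rows shown on the page.
SAMPLE_EVENTS = [
    {"timestamp": "2026-04-22T14:22:08.412Z", "actor": "jamie@yourcompany.com",
     "ai_client": "Claude", "integration": "Gmail", "decision": "ALLOW",
     "detail": "Read 14 messages · last-30-days window · 0 redactions"},
    {"timestamp": "2026-04-22T14:22:09.118Z", "actor": "jamie@yourcompany.com",
     "ai_client": "Claude", "integration": "Gmail", "decision": "REDACT",
     "detail": "Stripped 3 SSNs and 1 PAN before egress"},
    {"timestamp": "2026-04-22T14:22:14.227Z", "actor": "agent-research-01",
     "ai_client": "MCP", "integration": "Notion", "decision": "DENY",
     "detail": "Action: page.delete · blocked by action-limits"},
]
CHAIN_FIELDS = ("prev_hash", "evidence_hash")  # added by the chain, not hashed


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so the same event always hashes the same way."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def event_hash(prev_hash: str, fields: dict) -> str:
    """Chaining step: SHA-256 over the previous hash followed by this event."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(canonical(fields))
    return h.hexdigest()


def build_chain(events: list) -> list:
    """Return copies of the events with prev_hash and evidence_hash appended."""
    records, prev = [], GENESIS
    for fields in events:
        rec = dict(fields, prev_hash=prev, evidence_hash=event_hash(prev, fields))
        records.append(rec)
        prev = rec["evidence_hash"]
    return records


def verify_chain(records: list, anchor=None) -> tuple:
    """Return (ok, index): index is the first bad record, or len(records).

    Each record must link to its predecessor and its stored evidence_hash must
    match a recomputation over its own fields, so an edit, an insertion or a
    deletion anywhere is caught at the first record after the damage. A chain
    cut short at the tail is internally consistent; it is caught only when the
    expected final hash (the page's daily anchor) is passed as `anchor`.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        fields = {k: v for k, v in rec.items() if k not in CHAIN_FIELDS}
        if rec.get("prev_hash") != prev or rec.get("evidence_hash") != event_hash(prev, fields):
            return False, i
        prev = rec["evidence_hash"]
    if anchor is not None and prev != anchor:
        return False, len(records)
    return True, len(records)
```

Without the anchor a truncated tail verifies clean, which is why the page pairs per-record chaining with daily anchors in append-only storage.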

See it in action

One audit entry, everything an auditor needs.

Click any row in the live feed and you see the full breakdown. Actor, AI client, integration, policy version, per-layer outcome, redactions applied, payload sizes, and a chained evidence hash. Operational detail without engineer-speak.

Entry overview
14:22:08.412 · 2026-04-22

Calendar.events.list — allowed (filtered)

Jamie asked Claude desktop to summarize meetings from the last six months. PortEden allowed the request, narrowed the time window, blocked the delete action, and recorded each layer outcome.

ALLOW · FILTER · DENY
Chained to prev event · integrity verified
SIEM-mirrored at 14:22:10.7 (Splunk HEC)
Included in next signed evidence pack
Full record
request_id · req_01HX7JN3…
request_id · req_01HX7JN3P9YQ8K4ZBM2F5VAEDC
timestamp · 2026-04-22T14:22:08.412Z
user · jamie@yourcompany.com
ai_client · Claude desktop · 2.4.1
integration · Google Calendar
requested_resources · calendar.events.list (range: -180d → +30d)
policy_version · policy_2026_q2_v17
visibility · free_busy_only
contact_rules · passed (1 contact masked: legal@…)
time_window · filtered to last 30 days · 4 events excluded
action_limits · blocked: calendar.events.delete
account_scope · work calendar only · personal excluded
data_reduction · passed · 0 fields masked
redactions_applied · PHI: 0 · PCI: 0 · secrets: 0 · custom: 0
payload_size_in · 186 bytes (prompt + headers)
payload_size_out · 1,924 bytes (filtered response)
evidence_hash · 0x7b3a…91ec (chain ok)

What this entry proves
Per-request evidence, no reconstruction needed

On 22 April 2026 at 14:22:08 UTC, Jamie asked Claude to read calendar events. Policy policy_2026_q2_v17 was live. Visibility was narrowed to free/busy. The personal calendar was excluded. The 6-month window was scoped to 30 days. The delete action was blocked. No PHI, PCI, or secrets were present. Every claim above is independently verifiable from the chained evidence hash.

With and without an AI audit trail

The same incident, two very different outcomes.

Auditor asks for AI activity reconstruction during a SOC 2 review
Without: Screenshot drag-and-drop from each AI vendor's console, OAuth grants from your IdP, and Slack threads. The reconstruction takes weeks, is incomplete, and proves only what you remember.
With: One signed export covers every AI client and integration in the audit window. Per-request evidence with policy version, layer outcome, and redaction count. Independently verifiable.

Incident response — "did the assistant exfiltrate the M&A folder?"
Without: DFIR queries OAuth scope grants and asks the user what the AI did. There's no per-request log; the AI vendor's logs are summary-level and don't list the resources touched.
With: Filter to actor + integration + time window. Every read on the M&A folder appears with payload size, AI client, and what redactions fired. Forensics-grade timeline in minutes.

Breach disclosure under GDPR Art. 33 (72-hour notification)
Without: You can't enumerate what personal data was processed by the AI in the disclosure window. The notification has to over-disclose to be safe — reputational damage scales accordingly.
With: Subject-access scoped query lists exactly which records, fields, and AI clients touched the affected data. Notification is precise, defensible, and meets the 72-hour window with hours to spare.

Producing audit evidence for a HIPAA review
Without: A spreadsheet of OAuth grants and a screenshot of the access-control settings page. Auditor asks for §164.312(b) audit-control evidence; you don't have it in machine-readable form.
With: Per-request audit log with chain-integrity attestation, configurable retention, exportable as a signed PDF evidence pack. Maps to the evidence §164.312(b) and §164.308(a)(1)(ii)(D) auditors typically request.

SOC 2 Type II evidence collection across the audit period
Without: Manual sampling from each AI vendor's console once a quarter. Sampling gaps. Your auditor wants population testing on access events and you can't produce it.
With: CC7.2 monitoring evidence is continuous, signed, and SIEM-mirrored. Population testing runs against the SIEM with a single saved query. Audit fieldwork shrinks from weeks to days.

Regulator subpoena — "produce all AI access to records X, Y, Z"
Without: Frantic outreach to OpenAI, Anthropic, Microsoft, and Google for vendor logs. Most vendors don't surface per-request logs to enterprise customers. You miss the response window.
With: Filter the audit trail by resource identifier, export as a signed bundle, hand it over. Vendor-neutral, auditor-readable, with chain-integrity attestation that defeats spoliation arguments.

Auditor-readable

Citations, not vague reassurances.

The audit trail maps directly to the clauses your auditor is reading. Evidence is exportable as a signed CSV bundle or a PDF evidence pack — independently verifiable with the published PortEden public key.

Framework · Citation · PortEden control

SOC 2 · CC7.2 — System monitoring
The entity monitors system components and the operation of those components for anomalies. PortEden streams every authorization, redaction, and access event with policy-version evidence.

SOC 2 · CC4.1 — COSO Monitoring
Ongoing and separate evaluations to ascertain whether internal controls are present and functioning. Saved investigation views and SIEM correlation rules deliver continuous monitoring.

HIPAA · §164.312(b) Audit controls
Hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI. Full per-request audit with actor, resource, redaction count, and chain integrity.

HIPAA · §164.308(a)(1)(ii)(D)
Information system activity review. Saved investigation views and anomaly flags surface unusual AI access patterns. Evidence-pack export supports the periodic-review obligation auditors examine.

GDPR · Art. 30 — Records of processing
Each controller maintains a record of processing activities. Per-AI-client logs cover purposes, categories of data, recipients (AI vendors), and transfers — exportable on demand.

GDPR · Art. 33 — Breach notification
Notification within 72 hours including categories and approximate number of data subjects concerned. Subject-access scoped queries enumerate exact records touched in the breach window.

PCI-DSS v4.0 · Req. 10 — Log and monitor access
Log and monitor all access to system components and cardholder data. Card-data redaction events plus access events form the §10.2 record set with §10.5 chain-integrity protection.

ISO 27001 · A.8.15 / A.8.16
Logging (A.8.15) and monitoring activities (A.8.16) of the 2022 revision. Tamper-evident chaining and SIEM streaming; evidence packs to support certification audits run by your assessor.

Where the audit trail runs

Every source the AI tries to reach into.

Gmail · Outlook · Google Calendar · Google Drive · Entra ID · Slack · Microsoft Teams · Jira · Confluence · Notion · Asana · Linear

Architecture

Evidence at the boundary, not stitched after the fact.

Vendor consoles surface summary data. PortEden writes the evidence at the same enforcement point that filters the data — so the log is the ground truth, not a reconstruction. One timeline, every AI client, cryptographically chained.

Tamper-evident chain

Each event hash includes the previous hash. Daily anchors land in append-only storage. Gaps and edits are detectable on verification — even by a fully compromised tenant.

Streamed in real time

Events leave PortEden in seconds, not nightly batches. SIEM is the source of truth for long-term retention; PortEden's UI is the hot tier for ad-hoc investigation.

One timeline, every AI client

Claude, ChatGPT, Copilot, Gemini, MCP servers — all surface in the same audit view. No per-vendor consoles to stitch together. Vendor-neutral by design.

Available in: Pro, Business, Enterprise tiers · See pricing

Audit trail questions

What is an AI audit trail and why do I need one?
An AI audit trail is the chain-of-custody record for everything an AI client touched: every authorization decision, every redaction event, every prompt and response, every admin action. Without one, you cannot answer "what client data has touched OpenAI in 2026?" or reconstruct an incident. Auditors for SOC 2, HIPAA, and ISO 27001 expect this; regulators under GDPR Art. 30 require it. PortEden captures it at the integration boundary so a single timeline covers Claude, ChatGPT, Copilot, Gemini, and any MCP server uniformly — no per-vendor log-stitching.
What gets logged exactly?
Six event categories. Authentication and session events (logins, token issuance, MFA outcomes). Authorization decisions (the per-layer outcome of every request — visibility, contact rules, action limits, time window, account scope, data reduction). Redaction events (which rules fired, count by category, original-vs-redacted hash). Data access events (resources read, AI client, integration, payload size in/out). Admin and policy-change events (who changed what, with diff and approver). System and integration events (sync runs, errors, integration health). Each event carries a timestamp, request_id, actor identity, AI client, integration, policy version, and a chained evidence hash.
Is the audit log tamper-evident?
Yes. Every record is cryptographically signed and each event hash includes the previous event's hash, so the log forms a chain. Any insertion, deletion, or edit breaks the chain and is detectable on verification. Daily anchors are written to an append-only store (S3 Object Lock or equivalent) so even a fully compromised tenant cannot retroactively rewrite history. The verification UI shows chain integrity at a glance and produces a signed report you can hand to an auditor or DFIR team during an investigation.
Does it integrate with Splunk, Datadog, Elastic, and S3?
Yes. PortEden streams events in real time to Splunk (HEC), Datadog (Logs API), Elastic (Elasticsearch / OpenSearch), Sumo Logic, Microsoft Sentinel, Chronicle, and any S3-compatible bucket. CEF, JSON, and OCSF formats are supported out of the box. SIEM is the source of truth for long-term retention; PortEden's UI is for ad-hoc investigation and live tailing. Custom destinations (Kafka, Kinesis, webhook) are available on the Enterprise tier. Streams are at-least-once with deduplication keys so your SIEM correlation rules never see double-counts.
Can I export signed CSVs for auditors?
Yes. Any filtered query in the audit UI exports as a signed CSV bundle: the data file, a manifest with row counts and time bounds, the chain anchors that cover the export window, and a detached signature you can verify with the published PortEden public key. Auditors love this format — it travels via email or portal upload, requires no SIEM access, and is independently verifiable. PDF evidence packs (with screenshots and chain-integrity attestation) are also available for SOC 2 and HIPAA audit-evidence collection.
How long are events retained?
PortEden retains hot-queryable events for 90 days on Pro, 1 year on Business, and configurable up to 7 years on Enterprise. SIEM streaming runs in parallel from day one, so your own retention policy in Splunk, Datadog, S3, or Sentinel can extend beyond what PortEden holds. WORM-mode S3 archival with chain anchors is a common Enterprise-tier setup for HIPAA, FINRA, and SOX programs that need 6–7 year horizons. Retention can also be set per event category if you need shorter holds for high-volume access events.
Can I redact PII inside the audit log itself?
Yes — and the audit redaction is itself audited. By default, audit-log payloads use the same redaction profile as the runtime data path, so SSNs, PHI, and secrets never sit in the log in plaintext. Admins can choose to view originals through a break-glass workflow that requires a second admin's approval and writes its own audit event. This means a stolen audit export does not become a PII leak, while compliance teams retain enough fidelity to investigate. The audit log is GDPR-aware: subject-access requests can extract or erase a single user's records.
Does it cover MCP servers and autonomous agents?
Yes. The audit trail captures every request that crosses the integration boundary, regardless of whether the caller is Claude desktop, ChatGPT, Microsoft 365 Copilot, GitHub Copilot, an autonomous agent built on the Claude or OpenAI APIs, or an MCP server. Each event records the AI client identity, so you can filter the timeline to "everything the autonomous research agent did last Tuesday" or "every request from MCP server X this quarter." This is a single, vendor-neutral timeline — the same shape as you'd get from a network IDS, but for AI.
What evidence does this produce for HIPAA §164.312(b) auditors?
HIPAA §164.312(b) (audit controls) directs covered entities to implement "hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI." PortEden's audit trail records every AI access to ePHI-bearing systems (Gmail, Drive, EHR-connected sources) with actor identity, timestamp, resources accessed, redactions applied, and the policy version that was live. The saved investigation views surface anomalous patterns — the kind of evidence §164.308(a)(1)(ii)(D) (information system activity review) auditors typically request. Evidence packs covering both clauses are exportable as signed PDFs. Compliance with HIPAA remains your responsibility — PortEden provides the technical control, you operate the program around it.
What's the latency to SIEM?
Median end-to-end latency from event capture to SIEM ingestion is 2–4 seconds. PortEden batches events on sub-second windows and ships them via the destination's streaming API; there is no nightly batch job that creates evidence gaps. The streaming pipeline is at-least-once delivery with exponential backoff and a durable queue, so a SIEM outage does not lose events — it adds replay latency. For incident response, near-real-time SIEM means your detection rules fire on AI activity at the same speed they fire on network and endpoint events.
Can I tag events with custom metadata?
Yes. Every event accepts custom tags — matter ID for legal, patient panel for healthcare, project code for agencies, ticket reference for engineering — set at the policy level or injected per-request. Tags are first-class search dimensions in the UI and propagate to your SIEM, so you can pivot from "all activity for matter 2026-114" to a single timeline across Claude, ChatGPT, and Copilot in one query. Tags are also useful for evidence segmentation: per-client audit isolation for agencies and managed-service providers becomes a tag filter, not a separate tenant.
What pricing tier includes audit trail?
Basic event logging with 90-day retention is included on the Pro tier. Business adds 1-year retention and Splunk / Datadog / Elastic streaming. Enterprise adds tamper-evident chaining, signed CSV exports, S3 Object Lock archival, SSO/SAML, SCIM, custom SIEM destinations (Kafka, Sentinel, Chronicle), per-AI-client audit isolation, and retention configurable up to 7 years. See pricing for the full breakdown.

When your auditor asks "who let ChatGPT see this?" — have the answer in one query.

Five minutes to install. Every prompt, every redaction, every authorization decision is signed and SIEM-ready from the first request — so the timeline already exists when the question lands. Free tier for solo users; Enterprise adds tamper-evident chaining, signed CSV exports, S3 archival, and 7-year retention.
