Field notes

What an Immutable Audit Trail Actually Means — and Why Your SIEM Is Not One

The difference between logging and compliance-grade audit trails for AI agent activity.

Every security tool generates logs. Your SIEM collects those logs. You have dashboards. You have alerts. You have retention policies. You might reasonably conclude that you have an audit trail for the AI agents your team is deploying.

You probably do not. Here is why.

Logs vs. Audit Trails

A log is a record that something happened. An audit trail is a record that something happened, that the record has not been altered since it was created, that the record contains sufficient context to reconstruct exactly what happened and why, and that the record will be there when an auditor asks to see it two years from now.

A log that says “agent ran at 14:32” is not an audit trail. An audit trail says “agent invoked contain_host on host ID WKSTN-4421 at 14:32:17 UTC, action was evaluated against policy rule P-042, risk score was 73, action was escalated to reviewer, reviewer approved at 14:34:51, action executed, host isolation confirmed at 14:35:03, audit entry written to append-only storage.”

That is the difference.

Most logging systems allow log modification and deletion. Compliance-grade audit trails require append-only storage where no entry can ever be modified or deleted.

Why Your SIEM Is Not Enough

SIEMs are designed for detection, investigation, and response. They are excellent at aggregating logs, correlating events, and surfacing anomalies. They are not designed for compliance-grade immutable audit trails of autonomous agent activity.

The key word is immutable. Most logging systems allow log modification and deletion — by administrators, by retention policies, by accident. This is a different architectural requirement from what a SIEM provides.

Additionally, SIEM logs capture what your security tools reported. They do not capture the agent’s decision-making context — what policies were evaluated, what risk score was computed, what human approvals were requested and granted.

What ARX Captures

ARX’s audit trail captures every agent invocation with: the specific action requested, the connector and endpoint called, the inputs and outputs (hashed, never raw), the policy evaluation result and risk score, the human reviewer identity and decision if escalated, the final action result, and a timestamp for every step. Every entry is written to append-only storage. No entry can be modified or deleted — including by administrators.

The audit trail exports to your SIEM, to S3, or to any storage you choose. You have both: the compliance-grade immutable record and the SIEM integration you already rely on.


See what Arx looks like on your agents.

30-minute demo. We'll load one of your Python agents into a sandbox workspace and walk your review board through what they'd see.