Audit Readiness
Minimum Logging and Tracing Before You Pay for an Audit
A production AI audit fails for one reason more than any other: you don't have enough observable evidence to diagnose what's actually breaking. Without the right logs and traces, every audit becomes a guessing game.
To understand what you keep after the audit, read AI System Audit Deliverables. For an Audit Readiness Check, see our AI System Audit service.
What it means
Audit readiness is not "we have logs"
It means you can reliably answer, for a representative set of production requests:
What happened? (inputs → retrieval → tools → output)
Where did it fail? (retrieval vs generation vs tools vs policy)
Why did it fail? (root causes you can see in evidence)
What did it cost and how long did it take? (per stage)
What changed? (prompt/model/routing/version)
If you can't answer those, a vendor can still help—but the engagement will shift from "audit" to "instrumentation project."
The audit packet
Minimum logging/tracing schema (5 layers)
Each request produces an audit packet. You don't need to log everything—just the right things consistently.
Request metadata
Compare versions, enable cohort-based analysis
Retrieval evidence
Identify recall vs ranking vs context construction failure
Generation evidence
Cost decomposition, quality signals, regression detection
Tool / agent evidence
Separate LLM slowness from tool timeouts; detect loop storms
Timing + cost breakdown
Find hidden spenders, explain P95 spikes
Privacy & compliance
"Safe logging" modes
Audit readiness must not create a compliance nightmare. Choose one:
Full-fidelity
Raw prompts + text. Internal only, strict access + retention.
Token-safe + reference
Prompt hash, chunk IDs + scores, redacted response. 80% diagnostic power, far less risk.
Proof-only
IDs + scores + validation + metrics. No raw text. Slower debugging.
Starting from zero
The minimum 10 things
If you only implement 10 things, implement these:
- request_id + timestamps
- prompt/model/routing versions (hashes)
- cohort labels (intent/lang/tenant)
- retrieval candidate IDs + scores
- final selected chunk IDs
- tool call logs (name, latency, status, retries)
- stage latency breakdown
- token counts (in/out)
- validation signals (schema/citation/policy)
- retry/timeout counts
With these, an audit can reliably produce: baseline scorecard, failure taxonomy, cost + latency teardown, root-cause attribution and roadmap.
Avoid these
Common mistakes
- Logging only the final answer—can't diagnose retrieval vs generation vs tools
- No versioning for prompts and routing—can't attribute regressions
- No cohort labels—everything averages out, real failures hide
- Logging too much then turning it off—trends disappear
- No retention/access policy—auditors blocked or compliance blocks everything
Implementation
Quick and practical (7 days)
A practical week-long implementation guide.
Instrumentation
- request_id propagation
- stage timers
- token counts + versions
Retrieval + tools
- candidate chunk IDs + scores
- selected chunks
- tool call details
Storage + privacy
- Choose mode (A/B/C)
- redaction + retention
- RBAC
First baseline
- Sample 200–500 requests
- compute baseline
- tag top 10 failures
FAQ
Common questions
What if we don't have any logging yet?
Start with the minimum 10. Day 1–2: request_id, stage timers, token counts. Day 3–4: retrieval + tool logs. Day 5: storage + privacy. Day 6–7: first baseline sample.
Which safe logging mode should we use?
Mode B (token-safe + reference) gives 80% diagnostic power with far less risk. Many teams run Mode B in production and temporarily enable full-fidelity during incident windows.
Can we do an audit without this schema?
Yes, but the engagement shifts from 'audit' to 'instrumentation project.' You'll spend time building observability before you can produce a baseline and failure taxonomy.
What's an Audit Readiness Check?
We review your anonymized traces and pipeline diagram, then tell you what schema fields you're missing, what to instrument first for biggest ROI, and how to keep it privacy-safe.
Share a few anonymized traces and your pipeline diagram. We'll tell you what schema fields you're missing. See our AI System Audit service to request an Audit Readiness Check.