Trustworthy Document AI
Audit trail for document AI
Updated June 2026 · 2 min read
An audit trail for document AI records who, what, and when for every extraction, correction, and access — plus the model version and the source evidence behind each output — in an immutable, queryable log. It is what lets you answer an auditor’s "how was this decision made?" months later, and it is increasingly a procurement requirement, not a nice-to-have.
What an audit trail must capture
A defensible audit trail for document AI records, for every event:
- Who — the user, service, or agent that acted (extraction, correction, acceptance, access, export).
- What — the entity and the before/after diff of any change.
- When — a trustworthy timestamp and correlation ID linking related events.
- Which model — the model and prompt version that produced the output.
- On what evidence — the source document and span the output was grounded in.
Why immutability matters
An audit log you can quietly edit is not evidence. For the trail to be useful to an auditor or in a dispute, entries must be append-only and tamper-evident, with retention you can configure to your regulatory obligations. Immutability is what turns a log file into a record you can stand behind.
Provenance and model cards
An audit trail answers "what happened"; provenance answers "by what." Pair the event log with model cards that capture each model’s lineage, version, and attestation, so you can tie any historical output to the exact model that produced it. Together they let you reconstruct and defend a decision long after it was made.
The regulatory drivers
Audit trails are moving from best practice to requirement. SOC 2 expects logging and change tracking; GDPR requires you to account for processing of personal data; and the EU AI Act mandates automatic record-keeping (logging) for high-risk systems. A single immutable trail that records actions, model versions, and evidence covers the common core of all three.
How IntelliMento implements the audit trail
IntelliMento logs every mutation to an immutable, month-partitioned audit store with entity diffs, user context, and correlation IDs, alongside model cards that capture provenance and attestation — and every output is grounded in the source span it came from. The result is an audit trail that ties who, what, when, which model, and on what evidence into a single defensible record.
Frequently asked questions
What should a document-AI audit trail include?
For every extraction, correction, and access: the actor (who), the entity and before/after diff (what), a timestamp and correlation ID (when), the model and prompt version that produced the output, and the source document and span it was grounded in — stored immutably with configurable retention.
Does the EU AI Act require logging for document AI?
For high-risk AI systems, the EU AI Act requires automatic record-keeping (logging) over the system’s lifetime. Document extraction used for consequential decisions can fall in scope, so an immutable audit trail recording actions, model versions, and evidence is a practical way to meet the obligation.
How long should audit logs be retained?
Retention should match your regulatory and contractual obligations — often several years for financial, insurance, healthcare, and government records. The audit store should let you configure retention and residency rather than imposing a fixed window.
Related guides
See it on your documents
IntelliMento extracts, connects, and answers — with every answer traced to the source. Start free, no templates, no credit card.