Quick Answer
BoundrixAI logs 100% of LLM inference requests with tamper-proof audit trails that satisfy SOC2 CC7, ISO 27001 Annex A.12.4, and DPDP's data processing records requirements in a single unified log. Most AI teams build three separate logging systems for three compliance frameworks, costing 6–8 weeks of engineering time. Here's what each standard actually requires and how to build it once.
Frameworks covered: SOC2+ISO+DPDP
Engineering time saved: 6–8 weeks
Log retention (SOC2): 1 year minimum
BoundrixAI log fields: 22
SOC2 Audit Trail Requirements for AI Systems
SOC2 Trust Services Criteria CC7 (System Operations) requires logging of: all privileged access to systems, all data access events, all system configuration changes, and security incidents.
For AI-specific logging, SOC2 auditors increasingly expect: model inference requests (who requested, what prompt, what response), model configuration changes (model version, system prompt changes, parameter changes), and data flows (what data entered the AI pipeline, where it was stored, when it was deleted).
Retention: SOC2 requires logs to be retained for the period covered by the report (minimum 6 months for Type I, 12 months for Type II). Tamper-evidence is required: logs must be write-once or have integrity checking.
ISO 27001 Logging Requirements for AI
ISO 27001 Annex A.12.4 (Logging and Monitoring) requires: event logs recording user activities, exceptions, faults, and information security events; protection of log information; administrator and operator logs; clock synchronisation.
ISO adds a risk-based requirement: your logs must cover all assets identified as high-risk in your risk assessment. For an AI product, your LLM inference pipeline is almost certainly high-risk, meaning every inference must be logged.
ISO 27001 certification auditors look for: log aggregation in a SIEM, alerting on anomalous patterns, regular log review procedures, and evidence that logs are reviewed (not just collected).
DPDP Audit Trail Requirements
India's DPDP Act 2023 requires Data Fiduciaries to maintain records of: processing activities and purposes, consent records with timestamps, data principal rights requests and responses, and data breach records.
For AI products, this translates to: logging every instance where personal data enters an AI model, logging the purpose for which it was processed, logging the consent ID that authorised the processing, and maintaining a record of any AI-generated output that influenced a decision about a data principal.
The unified log schema that satisfies all three: timestamp (ISO 8601), event_type, user_id, session_id, model_id, model_version, prompt_hash (not plaintext for privacy), response_hash, personal_data_present (boolean), consent_id, processing_purpose, outcome, retention_expiry.
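As an added illustration of the schema above and of the write-once or integrity-checked requirement from the SOC2 section, this Python sketch (example code, not BoundrixAI's implementation; the SHA-256 hash chain and the sample ids are assumptions) writes each record with the listed fields, stores prompt and response only as hashes, and chains records so that an edit, deletion or reordering is detectable on verification:

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Field set from the unified schema; prev_hash/entry_hash are added here for a
# SHA-256 hash chain (one integrity-checking technique, an assumption of this example).
SCHEMA = ("timestamp", "event_type", "user_id", "session_id", "model_id",
          "model_version", "prompt_hash", "response_hash", "personal_data_present",
          "consent_id", "processing_purpose", "outcome", "retention_expiry")
GENESIS = "0" * 64  # prev_hash of the first record in the chain

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def _canonical(entry):
    # Sorted keys, no whitespace: the hash must not depend on serialisation details.
    payload = {k: entry[k] for k in SCHEMA + ("prev_hash",)}
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))

def make_entry(prompt, response, prev_hash, now=None, retention_days=365, **fields):
    """Record one inference: hashes only for prompt/response, all schema fields required."""
    now = now or datetime.now(timezone.utc)
    entry = {"timestamp": now.isoformat(), "prompt_hash": sha256_hex(prompt),
             "response_hash": sha256_hex(response),
             "retention_expiry": (now + timedelta(days=retention_days)).isoformat(),
             **fields}
    missing = [f for f in SCHEMA if f not in entry]
    if missing:
        raise ValueError(f"missing schema fields: {missing}")
    entry["prev_hash"] = prev_hash                       # link to the previous record
    entry["entry_hash"] = sha256_hex(_canonical(entry))  # covers all fields plus the link
    return entry

def verify_chain(log):
    """Return the index of the first altered, removed or reordered record, else -1."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or e["entry_hash"] != sha256_hex(_canonical(e)):
            return i
        prev = e["entry_hash"]
    return -1

def build_sample_log():
    # Constructed sample records (hypothetical ids, not real data).
    common = dict(event_type="llm_inference", user_id="u-123", session_id="s-9",
                  model_id="chat-model", model_version="2024-06", consent_id="c-77",
                  processing_purpose="support_ticket_triage", outcome="success")
    t0 = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    first = make_entry("Summarise my order history", "You ordered 3 items", GENESIS,
                       now=t0, personal_data_present=True, **common)
    second = make_entry("What is 2+2?", "4", first["entry_hash"], now=t0,
                        personal_data_present=False, **common)
    return [first, second]
```

In production the chain head (or a periodic signed checkpoint) would be stored separately from the log itself, so that an attacker who can rewrite the log cannot also rewrite the value the verifier compares against.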
Frequently Asked Questions
Should we log the full prompt and response text?
What does tamper-proof logging actually mean?