Satisfying EU AI Act Article 26: Immutable Audit Trails
When the regulator asks for six months of high-risk AI logs — mapped to named humans, with cryptographic proof the data has not been tampered with — your OpenAI billing dashboard will not save you. Article 26(6) is not a recommendation. It is a core enforcement pillar, and the gap between “usage receipts” and “compliance records” is exactly where €15M fines live.
Most enterprises only discover the difference when it is too late. Standard LLM dashboards show token counts. Regulators want forensic traceability: who, what, when, with whose data, and proof that none of it has been edited.
“Receipts” vs. “Compliance Records”
Most LLM providers offer usage dashboards focused on resource consumption. Useful for finance. Legally insufficient for an audit:
- No identity mapping. They show which API key was used, not which human.
- No content context. They do not log the data processed — making it impossible to prove redaction or policy enforcement.
- Mutable data. Standard logs sit in environments where they can be purged or modified.
Operating a high-risk system (HR screening, financial decisions) without an Article 26(6)-compliant log can result in fines of up to €15 million or 3% of global annual turnover. The same risks apply to Shadow AI tools you have not yet inventoried.
Identity-Mapped Infrastructure
NordClaw sits in the traffic path as a transparent proxy. It does not just record that a request happened — it captures the full context required for legal defence.
Immutable audit logs
Every AI interaction is written to an append-only audit_logs table on our Dedicated PostgreSQL 15 Cluster in Frankfurt. The pipeline is fully asynchronous and decoupled from the critical path:

```text
Edge Proxy (Frankfurt)
 └─ fire-and-forget → message queue
     └─ HTTP push → Audit Worker
         └─ swap-buffer bulk INSERT → Immutable Ledger
```

Records are inserted with `ON CONFLICT (request_id) DO NOTHING`, so a message redelivered by the queue never produces a duplicate row. The application role holds INSERT only, with no UPDATE or DELETE privilege, so no request path can alter or remove a record once it is written. That makes the log tamper-resistant at the application layer; a database superuser sits outside that boundary, which is why the log's integrity also depends on restricting and monitoring cluster-level access.
Precision metadata capture
Each log entry captures:
- User identity. Resolved via Enterprise Identity Federation (OIDC SSO) to a named human. A blocking auth function injects the `tenant_id` claim into every JWT at sign-in, so the tenant is bound to the token rather than supplied by the client.
- Departmental context. Which department (Legal, HR, Finance) the requester belongs to, carried as a JWT claim so every request maps back to the org chart.
- PII detection results. Which entity categories were detected and which policy was applied, logged as `pii_categories` (e.g., `{"EMAIL": 2, "PERSON": 1}`). The full PII pipeline is described in our cross-border GDPR audit.
- Cryptographic evidence. A SHA-256 `token_map_hash` for every interaction, giving tamper-evident proof of the integrity of that request's token map without storing the original PII values. Because the hash is written into the same INSERT-only table as the rest of the record, the application cannot recompute it after the fact.
Row-level security for the CISO dashboard
Audit logs are exposed to compliance officers through our Secure GraphQL API. Tenant isolation is declared on the query itself with an @auth directive that compares the `tenant_id` claim of the verified JWT with the tenant being requested. The directive is evaluated by the API layer before the query reaches the database; the same rule is applied as a row-level security policy inside PostgreSQL, so a request that bypasses the API still sees only its own tenant:

```graphql
query ListAuditLogs($tenantId: String!)
  @auth(expr: "auth.token.tenant_id == vars.tenantId") {
  audit_logs(
    where: { tenant_id: { eq: $tenantId } }
    orderBy: { created_at: DESC }
    limit: 100
  ) {
    request_id
    model
    pii_count
    pii_categories
    token_map_hash
    created_at
  }
}
```

The expression pins the client-supplied `$tenantId` variable (`vars.tenantId`) to the claim in the token, so a CISO who edits the query variable still gets only their own organisation's records, and the database-level policy enforces the same restriction inside PostgreSQL itself.
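The append-only table and INSERT-only role described under Immutable audit logs, together with the tenant isolation described in this section, expressed as PostgreSQL DDL. This is an added example written for this page, not NordClaw's schema or migrations: the column list, the `audit_writer` and `audit_reader` roles, the `app.tenant_id` session setting and the sample rows are all assumptions, and the token map that is hashed is a constructed sample. It goes one step beyond the text by adding a trigger and a `FORCE ROW LEVEL SECURITY` clause as defence in depth.

```sql
-- Added example, not NordClaw's schema. A minimal audit_logs table that is
-- append-only for the application and tenant-isolated for readers.
-- Role names, column names and the app.tenant_id setting are assumptions.

CREATE TABLE audit_logs (
    request_id      uuid        PRIMARY KEY,
    tenant_id       text        NOT NULL,
    user_sub        text        NOT NULL,   -- OIDC subject of the named human
    department      text        NOT NULL,   -- from the JWT department claim
    model           text        NOT NULL,
    pii_count       integer     NOT NULL DEFAULT 0,
    pii_categories  jsonb       NOT NULL DEFAULT '{}'::jsonb,
    token_map_hash  char(64)    NOT NULL,   -- hex SHA-256; the PII itself is never stored
    created_at      timestamptz NOT NULL DEFAULT now()
);

-- 1. Privilege boundary: the pipeline role can only append, readers can only read.
--    The table must be owned by a separate admin role: an owner bypasses its own
--    grants and could drop the trigger below.
CREATE ROLE audit_writer NOLOGIN;
CREATE ROLE audit_reader NOLOGIN;
REVOKE ALL ON audit_logs FROM PUBLIC;
GRANT INSERT ON audit_logs TO audit_writer;
GRANT SELECT ON audit_logs TO audit_reader;

-- 2. Defence in depth: refuse rewrites even if a grant is ever mis-applied.
CREATE FUNCTION audit_logs_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_logs is append-only: % on % refused', TG_OP, OLD.request_id;
END;
$$;
CREATE TRIGGER audit_logs_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_logs
    FOR EACH ROW EXECUTE FUNCTION audit_logs_immutable();

-- 3. Row-level security: PostgreSQL itself enforces tenant isolation, so a bug
--    in the GraphQL layer cannot leak another organisation's rows. The policy
--    reads the tenant from a session setting that the API layer must populate
--    from the verified JWT; if it is unset, current_setting() returns NULL and
--    the policy admits no rows at all.
ALTER TABLE audit_logs ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_logs FORCE ROW LEVEL SECURITY;   -- binds the table owner too
CREATE POLICY reader_tenant_isolation ON audit_logs
    FOR SELECT TO audit_reader
    USING (tenant_id = current_setting('app.tenant_id', true));
-- Once RLS is on, a role with no matching policy gets nothing. The bulk writer
-- handles every tenant in one batch, so it needs an unconditional INSERT policy.
CREATE POLICY writer_append ON audit_logs
    FOR INSERT TO audit_writer
    WITH CHECK (true);

-- 4. Idempotent append as the audit worker would issue it. The token map is a
--    constructed sample; only its digest reaches the table.
SET ROLE audit_writer;
INSERT INTO audit_logs (request_id, tenant_id, user_sub, department, model,
                        pii_count, pii_categories, token_map_hash)
VALUES
  ('3f9a1b2c-4d5e-4f60-8a71-82b3c4d5e6f7', 'acme-eu',   'oidc|alice', 'HR',
   'gpt-4o', 3, '{"EMAIL": 2, "PERSON": 1}',
   encode(sha256(convert_to('{"[EMAIL_1]":"a@example.com","[EMAIL_2]":"b@example.com","[PERSON_1]":"Alice Example"}', 'UTF8')), 'hex')),
  ('9c8b7a6f-5e4d-4c3b-a2a1-0f9e8d7c6b5a', 'globex-eu', 'oidc|bob',   'Legal',
   'gpt-4o', 0, '{}',
   encode(sha256(convert_to('{}', 'UTF8')), 'hex'))
ON CONFLICT (request_id) DO NOTHING;

-- A redelivered queue message carries the same request_id: the row is skipped,
-- not duplicated and not overwritten.
INSERT INTO audit_logs (request_id, tenant_id, user_sub, department, model,
                        pii_count, pii_categories, token_map_hash)
VALUES
  ('3f9a1b2c-4d5e-4f60-8a71-82b3c4d5e6f7', 'acme-eu', 'oidc|alice', 'HR',
   'gpt-4o', 3, '{"EMAIL": 2, "PERSON": 1}',
   encode(sha256(convert_to('{"[EMAIL_1]":"a@example.com","[EMAIL_2]":"b@example.com","[PERSON_1]":"Alice Example"}', 'UTF8')), 'hex'))
ON CONFLICT (request_id) DO NOTHING;
RESET ROLE;

-- 5. Reader path, per request: the API sets the tenant from the verified JWT,
--    scoped to the transaction with SET LOCAL so it cannot leak to the next
--    request on a pooled connection. No WHERE clause is needed for isolation;
--    the policy filters the globex-eu row out.
BEGIN;
SET LOCAL app.tenant_id = 'acme-eu';
SET LOCAL ROLE audit_reader;
SELECT request_id, model, pii_count, pii_categories, token_map_hash, created_at
  FROM audit_logs
 ORDER BY created_at DESC
 LIMIT 100;
COMMIT;
```

Two checks worth running after applying this: `SET ROLE audit_writer; DELETE FROM audit_logs WHERE request_id = '3f9a1b2c-4d5e-4f60-8a71-82b3c4d5e6f7';` must fail with a permission error (the grant is the first line of defence; the trigger only matters if a grant is ever mis-applied), and a reader session that omits `SET LOCAL app.tenant_id` must return zero rows. Enabling RLS without the `writer_append` policy silently breaks the worker, which is the usual surprise when RLS is added to an existing table.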
Value to Compliance & Legal
One-click regulator export
Responding to a regulator’s request for an audit trail can take weeks of forensic reconstruction. NordClaw provides a Compliance Export button that generates a full Article 26 trail as a PDF or CSV in seconds.
Solving the erasure paradox
By redacting PII before a prompt leaves the EU, NordClaw keeps personal data out of the model provider's hands, and the audit trail documents that the LLM never received it. Erasure under GDPR Article 17 is then handled in your own logs rather than by attempting to delete data from a model's weights. Because each audit row holds entity categories and a hash rather than the personal data itself, the six-month retention that Article 26(6) requires does not conflict with an erasure request.
Automated forensic readiness
In the event of a suspected breach or “hallucination” incident, the NordClaw log is the single source of truth. It answers the three questions every regulator asks: what AI was used, by whom, with what data?
NordClaw vs. Standard LLM Logs
| Compliance field | Standard LLM provider | NordClaw infrastructure |
|---|---|---|
| Identity | API key only | Named human via OIDC SSO |
| Department | Not available | Mapped to org chart (JWT claim) |
| Immutability | Not guaranteed | Append-only ledger (INSERT-only perms) |
| Data residency | Contractual (US exposure) | Sovereign Frankfurt jurisdiction |
| PII proof | No context | pii_categories + SHA-256 token_map_hash |
| Audit readiness | Manual extraction | One-click PDF / CSV export |
Early access · MVP cohort
Be audit-ready before August 2, 2026.
NordClaw is onboarding a limited cohort of enterprise partners ahead of the EU AI Act enforcement deadline. Reserve your seat and shape the compliance infrastructure your DPO, CISO, and CFO will rely on.
Sign up for early access →
Technical Enforcement
Documentation is a claim. An immutable log is a proof. As the August 2026 deadline approaches, paper controls and token receipts will no longer suffice for high-risk AI operations in the EU.
NordClaw automates the Article 26(6) obligation so that every AI interaction is documented, governed, and ready for inspection from day one. A single line of configuration. The infrastructure does the rest.