
Satisfying EU AI Act Article 26: Immutable Audit Trails

3 June 2026


Audience: Chief Privacy and Information Officer (CPIO), Legal Counsel, and Data Protection Officers
Subject: Satisfying the EU AI Act's Six-Month Immutable Logging Requirement

1. Executive Summary: The Audit Trail Mandate

Under the EU Artificial Intelligence Act, specifically Article 26(6), deployers of high-risk AI systems are legally mandated to retain automatically generated logs for at least six months. This is not a mere recommendation — it is a core enforcement pillar designed to ensure accountability and forensic traceability in the event of an incident.

The compliance gap is severe: most standard AI platforms provide only "receipts" — aggregate token counts and billing summaries — which are legally insufficient for a regulatory audit. NordClaw provides the necessary compliance infrastructure to transform these basic usage metrics into an immutable, identity-mapped audit trail built on sovereign EU infrastructure.


2. The Problem: "Receipts" vs. "Compliance Records"

2.1 The Failure of Standard LLM Dashboards

Most LLM providers (e.g., OpenAI, Anthropic) offer usage dashboards focused on resource consumption. While useful for finance teams tracking costs, they fall short of the oversight regulators expect for three reasons:

  • Lack of Identity Mapping: They show which API key was used, not which human being or department sent the prompt.
  • No Content Context: They do not log the data processed, making it impossible to prove that personal data was redacted or that high-risk policies were followed.
  • Mutable Data: Standard logs are often stored in environments where they can be purged or modified, failing the immutability requirement.

2.2 The Regulatory Penalty

Operating a high-risk AI system (such as for HR screening or financial decisions) without an Article 26(6)-compliant log can result in fines of up to €15 million or 3% of global annual turnover.


3. The NordClaw Solution: Identity-Mapped Infrastructure

NordClaw sits in the traffic path as a transparent proxy. It does not just record that a request happened — it captures the full context required for legal defence.

3.1 Immutable Cloud SQL Audit Logs

Every AI interaction is written to an append-only audit_logs table in a Google Cloud SQL for PostgreSQL 15 instance hosted in europe-west3 (Frankfurt, Germany). The pipeline is fully asynchronous and decoupled from the critical path:

Edge Proxy (Cloud Run, europe-west3)
  └─ fire-and-forget → GCP Pub/Sub topic
       └─ HTTP push → Audit Worker (Cloud Run)
            └─ swap-buffer bulk INSERT → Cloud SQL PostgreSQL

Records in this database are inserted with ON CONFLICT (request_id) DO NOTHING idempotency guarantees. The application layer has no UPDATE or DELETE permissions, ensuring the log is tamper-proof by design.
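The two properties described above, idempotent bulk inserts keyed on request_id and a worker role that cannot UPDATE or DELETE, can be exercised end to end in a few lines. The following is an added example written for this page, not NordClaw's own worker code. It assumes a SQLite in-memory database as a stand-in for the Cloud SQL PostgreSQL instance; the two triggers emulate the missing UPDATE/DELETE privileges of the worker's database role (in PostgreSQL you would simply not grant those privileges), and the sample records and their field values are constructed.

```python
import sqlite3

# Constructed sample batch, standing in for a swapped-out buffer of Pub/Sub
# messages. Column names follow the audit_logs fields named on the page.
SAMPLE_RECORDS = [
    {"request_id": "req-0001", "tenant_id": "acme-eu", "user_id": "alice@acme.example",
     "model": "example-model", "pii_count": 3, "pii_categories": '{"EMAIL": 2, "PERSON": 1}',
     "token_map_hash": "0" * 64},
    {"request_id": "req-0002", "tenant_id": "acme-eu", "user_id": "bob@acme.example",
     "model": "example-model", "pii_count": 0, "pii_categories": "{}",
     "token_map_hash": "1" * 64},
]

INSERT_SQL = """
    INSERT INTO audit_logs
        (request_id, tenant_id, user_id, model, pii_count, pii_categories, token_map_hash)
    VALUES (:request_id, :tenant_id, :user_id, :model, :pii_count, :pii_categories, :token_map_hash)
    ON CONFLICT(request_id) DO NOTHING
"""


def new_audit_store() -> sqlite3.Connection:
    """Create the append-only audit_logs table (SQLite stand-in, assumption).

    request_id is the primary key so ON CONFLICT(request_id) has a unique
    index to act on. The two triggers reject any UPDATE or DELETE, which is
    what an INSERT/SELECT-only role achieves in PostgreSQL.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE audit_logs (
            request_id     TEXT PRIMARY KEY,   -- idempotency key
            tenant_id      TEXT NOT NULL,
            user_id        TEXT NOT NULL,
            model          TEXT NOT NULL,
            pii_count      INTEGER NOT NULL,
            pii_categories TEXT NOT NULL,      -- JSON, e.g. {"EMAIL": 2}
            token_map_hash TEXT NOT NULL,      -- hex SHA-256
            created_at     TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
        );
        CREATE TRIGGER audit_logs_no_update BEFORE UPDATE ON audit_logs
        BEGIN SELECT RAISE(ABORT, 'audit_logs is append-only'); END;
        CREATE TRIGGER audit_logs_no_delete BEFORE DELETE ON audit_logs
        BEGIN SELECT RAISE(ABORT, 'audit_logs is append-only'); END;
    """)
    return conn


def insert_audit_records(conn: sqlite3.Connection, records) -> int:
    """Bulk-insert one buffer. Returns the number of rows actually written.

    A redelivered Pub/Sub message carries a request_id that is already
    logged; DO NOTHING drops it without raising, so at-least-once delivery
    never produces duplicate audit rows.
    """
    before = conn.total_changes
    conn.executemany(INSERT_SQL, records)
    conn.commit()
    return conn.total_changes - before


def tenant_records(conn: sqlite3.Connection, tenant_id: str):
    """Rows for one tenant, newest first (the dashboard's read path)."""
    return conn.execute(
        "SELECT request_id, user_id, model, pii_count, pii_categories, token_map_hash "
        "FROM audit_logs WHERE tenant_id = ? ORDER BY created_at DESC",
        (tenant_id,),
    ).fetchall()


def tamper_attempt_blocked(conn: sqlite3.Connection, request_id: str) -> bool:
    """Control check: an UPDATE and a DELETE through the worker's own
    connection must both be rejected and the row must survive unchanged."""
    blocked = 0
    for sql in ("UPDATE audit_logs SET pii_count = 0 WHERE request_id = ?",
                "DELETE FROM audit_logs WHERE request_id = ?"):
        try:
            conn.execute(sql, (request_id,))
            conn.commit()
        except sqlite3.DatabaseError:
            conn.rollback()
            blocked += 1
    row = conn.execute(
        "SELECT pii_count FROM audit_logs WHERE request_id = ?", (request_id,)
    ).fetchone()
    return blocked == 2 and row is not None and row[0] == 3


if __name__ == "__main__":
    store = new_audit_store()
    print("first delivery wrote", insert_audit_records(store, SAMPLE_RECORDS), "rows")
    print("redelivery wrote", insert_audit_records(store, SAMPLE_RECORDS), "rows")
    print("tamper attempts blocked:", tamper_attempt_blocked(store, "req-0001"))
```

One caveat worth stating plainly: revoking UPDATE and DELETE from the application role protects the log against the application and against a compromised worker, not against a database superuser or anyone who can alter the role's grants, so the guarantee is "append-only for the application path" and should be paired with database audit logging of privilege changes.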

3.2 Precision Metadata Capture

Unlike standard "receipts," each log entry captures:

  • User Identity: Resolved via SSO (Microsoft Entra ID / Google Workspace) to a named human. A Firebase Auth blocking function injects the tenant_id into every JWT at sign-in, binding every request to an authenticated identity.
  • Departmental Context: Precisely who in Legal, HR, or Finance triggered the request.
  • PII Detection Results: Proof of which entity categories were detected and the policy applied — logged as pii_categories (e.g., {"EMAIL": 2, "PERSON": 1}).
  • Cryptographic Evidence: A SHA-256 token_map_hash for every interaction, providing tamper-evident proof of data integrity without storing the original PII values.
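To make the last two bullets concrete, here is an added example (not NordClaw's code) of how a proxy can produce the pii_categories counts and a SHA-256 token_map_hash while storing no PII values in the log. The PII detector is a toy regex stand-in for EMAIL and PHONE (NordClaw's real detector is not shown on the page), the placeholder format and the canonical-JSON hashing are this example's own choices, and the prompt text is constructed.

```python
import hashlib
import hmac
import json
import re
from collections import Counter

# Toy detectors (assumption: stand-in for the real PII engine).
DETECTORS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"\+\d{2}[\s\d]{8,14}\d"),
}

# Constructed prompt: two e-mail addresses and one phone number.
SAMPLE_PROMPT = ("Please draft a reply to anna.berg@example.com and cc "
                 "j.smith@example.org; her number is +49 30 1234 5678.")


def redact(text: str):
    """Replace each detected value with a placeholder such as <EMAIL_1>.

    Returns (redacted_text, token_map); token_map maps placeholder -> original
    value and is what the proxy keeps in memory to re-inflate the response.
    It is never written to the audit log.
    """
    token_map = {}
    counters = Counter()
    for category, pattern in DETECTORS.items():
        def _sub(match, category=category):
            counters[category] += 1
            placeholder = f"<{category}_{counters[category]}>"
            token_map[placeholder] = match.group(0)
            return placeholder
        text = pattern.sub(_sub, text)
    return text, token_map


def pii_categories(token_map) -> dict:
    """The pii_categories column: occurrence counts per category, no values."""
    return dict(Counter(ph[1:].split("_")[0] for ph in token_map))


def token_map_hash(token_map) -> str:
    """SHA-256 over the canonical JSON serialisation of the token map.

    Only the hex digest is logged; an auditor who is later shown a token map
    can re-hash it and check it against the log without the log itself
    ever having held the personal data.
    """
    canonical = json.dumps(token_map, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=True).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def build_audit_entry(request_id, tenant_id, user_id, model, prompt):
    """Redact the prompt and assemble the metadata row the worker would insert."""
    redacted, token_map = redact(prompt)
    entry = {
        "request_id": request_id,
        "tenant_id": tenant_id,
        "user_id": user_id,
        "model": model,
        "pii_count": len(token_map),
        "pii_categories": pii_categories(token_map),
        "token_map_hash": token_map_hash(token_map),
    }
    return redacted, entry


def verify_token_map(entry, token_map) -> bool:
    """Constant-time comparison of a presented token map against the logged digest."""
    return hmac.compare_digest(token_map_hash(token_map), entry["token_map_hash"])


if __name__ == "__main__":
    redacted, entry = build_audit_entry("req-0001", "acme-eu", "alice@acme.example",
                                        "example-model", SAMPLE_PROMPT)
    print(redacted)
    print(json.dumps(entry, indent=2))
```

Two design points. Canonical serialisation (sorted keys, fixed separators) matters because the same map must always hash to the same digest, otherwise verification fails spuriously. And because a token map for a single request is low-entropy (one e-mail address is easy to guess), a plain SHA-256 digest can be confirmed by anyone who can guess the values; if the digest must not leak that, a keyed HMAC-SHA-256 with a per-tenant key held outside the log is the stronger choice.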

3.3 Row-Level Security for the CISO Dashboard

Audit logs are exposed to compliance officers through the Firebase Data Connect GraphQL API. Row-level security is enforced directly at the database layer — not in application code — using @auth directives:

query ListAuditLogs($tenantId: String!)
  @auth(expr: "auth.token.tenant_id == tenant_id") {
  audit_logs(
    where: { tenant_id: { eq: $tenantId } }
    orderBy: { created_at: DESC }
    limit: 100
  ) {
    request_id
    model
    pii_count
    pii_categories
    token_map_hash
    created_at
  }
}

This guarantees each CISO sees only their own organisation's records, enforced at the PostgreSQL layer.


4. Value to Compliance & Legal Teams

4.1 One-Click Regulator Export

In a manual compliance environment, responding to a regulator's request for an audit trail can take weeks of forensic reconstruction. NordClaw provides a Compliance Export button on the dashboard that generates a full Article 26 audit trail as a PDF or CSV in seconds.

4.2 Solving the Erasure Paradox

By redacting PII before it leaves the EU, NordClaw satisfies GDPR Article 17 (Right to Erasure). The audit trail documents that the LLM never received personal data. The "erasure" obligation is satisfied simply by managing your own NordClaw logs — rather than attempting the technically impossible task of deleting data from a trained model's weights.

4.3 Automated Forensic Readiness

In the event of a suspected data breach or AI "hallucination" incident, the NordClaw log serves as the single source of truth. It allows the CPIO to answer the three critical questions every regulator will ask: What AI was used? By whom? With what data?


5. Comparison: NordClaw vs. Standard LLM Logs

Compliance field | Standard LLM provider     | NordClaw infrastructure
-----------------|---------------------------|------------------------------------------
Identity         | API key only              | Named human via Firebase SSO
Department       | Not available             | Mapped to org chart (JWT claim)
Immutability     | Not guaranteed            | Append-only Cloud SQL (INSERT-only perms)
Data residency   | Contractual (US exposure) | Sovereign GCP europe-west3 (Frankfurt)
PII proof        | No context                | pii_categories + SHA-256 token_map_hash
Audit readiness  | Manual extraction         | One-click PDF / CSV export

6. Conclusion: Moving to Technical Enforcement

Documentation is a claim; an immutable log is a proof. As the August 2026 deadline approaches, "paper controls" and token receipts will no longer suffice for high-risk AI operations in the EU.

By implementing NordClaw, your organisation gains a technical enforcement layer that automates the Article 26(6) logging obligation, ensuring that every AI interaction is documented, governed, and ready for regulatory inspection from day one. The risk of non-compliance is significant. NordClaw provides the infrastructure to mitigate that risk with a single line of configuration.