Your auditor is going to ask where the agent's decisions are logged. Do you have an answer?
Before an AI agent goes anywhere near production, someone will ask for the record of what it decided and did. If that record lives in a vendor's system, you get whatever they choose to give you. Here's why the audit trail has to be yours.
The demo always goes well. The agent answers, looks things up, takes an action, and the room nods along. Then the conversation moves one floor up, and the question changes:
“When this thing makes a decision in production, where is that written down — and can we get to it without asking a vendor?”
For most agent setups, the honest answer is some version of “there’s a log somewhere in the platform, and we can probably export it.” For anything that touches customers, money, or records, probably is where the rollout stalls. An audit trail you can’t produce on demand isn’t an audit trail — it’s a support ticket.
This is the first post in a series on the parts of the enterprise conversation that decide whether an agent ever ships: audit, regulation, and privacy. It builds directly on how FlowDrop works — the model proposes an action and FlowDrop is what actually runs it. That split is exactly what makes a real audit trail possible.
Why most agents can’t produce a real audit trail
When the AI model calls its own tools, deciding and acting happen in the same breath. There’s no seam between “the agent chose to do this” and “the agent did it” — so there’s nothing to record except, after the fact, that something happened. You can scrape the model’s chat transcript, but a transcript of what the model said is not a record of what your system actually did, who approved it, or which rule let it through.
And when the whole thing runs inside a vendor’s platform, the record — such as it is — lives there too. That puts three things you’ll need outside your reach:
- Completeness. You get the fields the vendor decided to log, at the granularity they chose. If your auditor wants something they didn’t capture, it doesn’t exist.
- Availability. Evidence collection becomes an export request on someone else’s timeline, in someone else’s format.
- Integrity. “Trust our dashboard” is a hard sell to a risk team that wants to know the record couldn’t have been quietly changed.
None of these are exotic asks. They’re the ordinary questions of a SOC 2 or ISO 27001 review — and the first place an agent rollout meets a control owner who isn’t impressed by the demo.
What the propose-then-run split gives you
Because the model in FlowDrop only proposes a tool call and FlowDrop runs it, every turn passes through points where there’s something concrete to write down — and you’re the one holding the pen:
- The proposal. What action the agent wanted to take, and the reason it gave. Captured before anything happens.
- The policy decision. Which guardrail ran, and whether it passed or blocked — on both sides of the call.
- The human step. For actions gated on approval, who approved or declined, and when.
- The outcome. What the action returned, and the result.
That’s not a chat log. It’s the decision record of a system, and it falls out of how the workflow is built rather than something you bolt on afterward.
An audit trail isn’t a feature you turn on. It’s a property of running the action yourself instead of letting the model do it for you.
“Our database” is the whole point
Here’s what changes when the record lives in your own store, next to the conversation data you already own:
- “Show me everything this agent did on June 18th” is a query — not a ticket to a vendor.
- Evidence collection is a report you generate, in your format, on your schedule, scoped to exactly what the auditor asked for.
- Retention and integrity follow your existing controls — the same backups, access rules, and tamper-evidence you already apply to the rest of your data.
- It joins to everything else. The agent’s actions sit in the same database as the customer, the ticket, the transaction — so you can reconstruct a full sequence of events, not just the agent’s slice of it.
You’re not adopting a new system of record for one of the most scrutinized things you run. You’re putting the agent’s decisions where the rest of your auditable data already lives.
When the incident review comes
Every agent that does real work eventually has a bad day — a wrong action, a customer complaint, a “how did this happen.” That review is the moment the audit trail earns its keep.
With a rented black box, you’re assembling a story from exports and screenshots and hoping the gaps don’t matter. With the record in your own database, you reconstruct exactly what happened: what the agent proposed, which rule cleared it, who approved it, what it did, and when — each line answerable with a query.
The question after an incident is never “what did the model say?” It’s “what did the system do, and can you prove it?” Own the record, and you can.
Need an audit trail your control owners will accept?
FlowDrop is open source and yours to self-host, so the record of what your agent did lives in your own database. When you need a managed platform, custom integrations, or enterprise support, the team behind it — Factorial.io — can build and run it with you.
Talk to us about enterprise →Series — Building agents that pass compliance:
- Your auditor is going to ask where the agent’s decisions are logged (you’re here)
- The EU AI Act says you need human oversight — a system prompt isn’t it
- GDPR for AI agents: can you delete data you don’t control?
Next in this series → The EU AI Act says you need human oversight — a system prompt isn’t it.