Every organisation deploying AI in production has logs. Most believe that having logs is equivalent to having an audit trail. The difference between the two determines whether AI accountability is real or performative, and it is a distinction that regulators, courts, and boards are beginning to understand in ways that many technology teams have not yet caught up with.

A log records what happened. A timestamp, an input, an output, an error code. This is useful for debugging. It is useful for operational monitoring. It is not, by itself, sufficient for accountability, because accountability requires more than knowing what happened. It requires the ability to reconstruct why a decision was made, who or what had authority to make it, what information was available at the time, and what the downstream consequences were.

What Logs Actually Contain

Operational logs for AI systems typically record: the timestamp of the inference call, the input provided to the model, the output returned, latency and resource consumption, and any errors encountered. This information serves the purposes it was designed for. It tells you the system was running, it tells you what it processed, and it tells you where it broke.

What it does not tell you is whether the output was appropriate for the input in the context in which it was used. It does not tell you which version of the model was deployed at that time, whether the training data for that model version was appropriate for this use case, or whether there was a policy requirement that the model's output was supposed to implement and whether the output did so. These are the questions that governance requires, and they are systematically not answered by standard operational logging.

Accountability requires more than knowing what happened. It requires the ability to reconstruct why a decision was made, who had authority to make it, and what the downstream consequences were.

The Challenge of Probabilistic Systems

Rules-based systems have deterministic audit trails. Given the rule, the input, and the output, you can verify that the output followed from the rule applied to the input. The audit is straightforward.

Probabilistic models do not. The same input will not always produce the same output. The output is a sample from a distribution shaped by training, by the model architecture, by the specific runtime conditions, and by any sampling parameters applied to the generation process. Auditing a specific output requires understanding not just that the model produced it, but that it was within the expected distribution for that class of input under those conditions. This is a substantially harder problem, and most audit trail infrastructure is not designed to address it.

The practical consequence is that for most language model deployments, it is currently impossible to answer, with documentary evidence, the question: "Was this AI output within the bounds of what the model was approved to produce?" The output happened. The log records it. Whether it was appropriate is not determinable from the log.

Technical and Regulatory Audit Trails Are Different Artefacts

Technical audit trails are optimised for the needs of the engineering team: debugging production incidents, identifying performance regressions, tracing the sequence of events that led to a failure. They are dense, technical, and typically queried by people with the background to interpret them in context.

Regulatory audit trails need to support queries from people who are not engineers, who may be looking at the records months or years after the fact, and who need to understand what happened in terms that allow them to assess whether appropriate governance was in place. These are not the same requirements, and optimising for one does not give you the other.

This distinction is increasingly consequential as regulators and courts develop more specific requirements for AI decision documentation. An organisation that has comprehensive technical logging and no regulatory audit trail has evidence that the system was running, but no evidence that it was governed. These are different things, and the absence of the second is becoming a compliance risk in its own right.

Building for Reconstruction

Building an inference audit trail that supports genuine accountability requires working backwards from the reconstruction requirement. The first question is not "what do we log?" It is "what would a regulator, court, or internal governance review need to see to assess whether this AI decision was appropriate?" The answer to that question defines the data architecture of the audit trail.

For most production AI systems, the reconstruction requirement includes: the model version and training data version at the time of inference; the policy or governance requirements the model was approved to implement; the input context, including any relevant prior context in the case of conversational or agentic systems; the output, with enough context to assess whether it was within the expected distribution; and the downstream action or decision that followed from the output.

Capturing this information requires treating audit trail infrastructure as a first-class architectural concern from the beginning of system design, not as a logging configuration to be revisited if a regulatory question arises. Organisations that are currently deploying AI in production without this infrastructure are accumulating a governance debt that will become due when the first serious accountability question arrives.

A Practical Starting Point

For organisations that are not currently building to this standard, the starting point is to define the decisions that need to be reconstructable before building the system that makes them. The reconstruction requirement shapes the data architecture. If you cannot describe what a complete audit of an AI decision would require, you are not ready to make the decision about what to log.

The organisations that will handle regulatory scrutiny of their AI deployments most effectively are the ones that built their audit trail infrastructure with that scrutiny in mind, not the ones that built comprehensive technical logging and then tried to retrofit governance documentation onto it. The sequence matters as much as the content.