Cryptographic Audit Trails: How to Make AI Agent Actions Compliance-Ready

Vorim AI Team
March 1, 2026 · 6 min read

The Compliance Clock Is Ticking

The EU AI Act is in force. NIST's AI Risk Management Framework is becoming the de facto US standard. Financial regulators (SEC, FCA, MAS) are issuing guidance on autonomous systems. The common thread: if your AI agent takes an action, you must be able to prove what it did, when, and why.

Traditional logging ("we wrote it to a file") doesn't meet this bar. Logs can be edited, deleted, or corrupted. For compliance, you need cryptographic proof that your audit data hasn't been tampered with.

What Makes an Audit Trail Tamper-Proof?

Three properties, all of which Vorim AI provides out of the box:

1. Event Chaining

Each audit event includes a hash of the previous event. This creates a hash chain (the same linking idea used in Merkle trees and blockchains) where any modification to any event invalidates the hashes of every event that follows it.

Event N:
  data: { agent: "order-bot", action: "transact", amount: 499.00 }
  hash: sha256(data + Event[N-1].hash)
  → "a3f8c1..."

Event N+1:
  data: { agent: "order-bot", action: "write", target: "orders" }
  hash: sha256(data + "a3f8c1...")
  → "b7d2e4..."

If someone modifies Event N, its hash changes, which means Event N+1's hash is now wrong — and so on for every subsequent event. Tampering is immediately detectable.

2. Signed Bundles

Periodically (hourly, daily, or on-demand), Vorim AI generates a signed audit bundle. This bundle contains:
  • All events in the time window
  • A SHA-256 manifest listing every event hash
  • A digital signature over the manifest
  • Metadata: time range, agent IDs, event count

The signature proves that the bundle was created by Vorim AI at a specific point in time. The manifest proves that no events have been added, removed, or modified since the bundle was created.

3. Immutable Storage

Audit events are stored in TimescaleDB with append-only semantics. The database schema uses:
  • No UPDATE or DELETE permissions on audit tables
  • Continuous aggregates for efficient querying
  • Automated compression for long-term retention
  • Replication for durability

Practical Implementation

Here's how to build compliance-ready audit trails with the Vorim AI SDK:

Emitting Events

import { createVorimSDK } from '@vorim/sdk';

const vorim = createVorimSDK({
  baseUrl: 'https://api.your-vorim.ai/v1',
  // Server-side secret key: load it from the environment, never ship it in client code
  apiKey: 'agid_sk_live_...',
});

// `agent` is the registration result for the agent whose action is being recorded
// (returned when the agent was registered; that step is not shown in this post)

// Emit a structured audit event
await vorim.emitAuditEvent({
  agent_id: agent.agent.agent_id,   // attribute the action to a specific agent identity
  event_type: 'tool_call',
  action: 'process_payment',
  resource: 'orders/ord_12345',     // the object acted on
  result: 'success',
  metadata: {                       // free-form context that auditors will want later
    amount: 499.00,
    currency: 'USD',
    customer_id: 'cust_789',
    latency_ms: 145,
  },
});

Exporting for Compliance

Vorim AI's audit export endpoint generates signed bundles that can be submitted directly to compliance teams or regulators:

# Export signed audit bundle for a date range
curl -H "Authorization: Bearer <jwt>" \
  "https://api.your-vorim.ai/v1/audit/export?from=2026-03-01&to=2026-03-31"

The response includes:
  • events — array of all audit events
  • manifest — SHA-256 hash of the event array
  • signature — cryptographic signature over the manifest
  • metadata — export timestamp, event count, agent IDs

Verification

Anyone with the bundle can verify its integrity:
  1. Recompute the SHA-256 hash of the events array
  2. Compare with the manifest hash — must match exactly
  3. Verify the signature against Vorim AI's public key
  4. If all checks pass, the bundle is authentic and untampered

What Compliance Teams Want to See

Based on conversations with compliance officers across fintech, healthcare, and enterprise AI teams, here's what they consistently ask for:

  • Complete attribution. Every action linked to a specific agent identity (not just an API key or service account)
  • Temporal accuracy. Timestamps with millisecond precision, synchronized to NTP
  • Chain of custody. The ability to prove that audit data hasn't been modified since creation
  • Export flexibility. JSON for programmatic analysis, CSV for spreadsheets, PDF for reports
  • Retention policies. Configurable retention with proof of deletion when required

Vorim AI's free plan includes 30-day audit retention and JSON export. Starter adds 90-day retention. Growth provides unlimited retention with CSV, PDF, and signed bundle exports.

Start Now, Not When the Auditor Calls

The worst time to implement audit trails is during an audit. The second worst time is the day before one. The best time is now — before your agents are in production, before the regulations are enforced, before an incident forces your hand.

Every day of audit data you don't capture is a day you can't account for later. Start with the free plan and upgrade as your compliance needs grow.

Ready to build with agent identity?

Free plan: 3 agents, 10K auth events/month, full SDK access. No credit card.