Building Compliance Infrastructure for AI
Regulated organizations must demonstrate that AI usage is governed, auditable, and compliant. Keeptrusts provides the infrastructure to collect evidence, enforce retention, and map controls to compliance frameworks.
Use this page when
- You need to configure audit log retention periods for regulatory requirements (SOC 2, HIPAA, GDPR)
- You are setting up automated evidence collection and scheduled export jobs
- You want to map Keeptrusts capabilities to SOC 2, GDPR, EU AI Act, or HIPAA controls
Primary audience
- Primary: Technical Engineers
- Secondary: AI Agents, Technical Leaders
Audit Log Architecture
Every action in the Keeptrusts platform generates an audit event:
| Event Source | Examples | Storage |
|---|---|---|
| Gateway | Policy evaluation, block, redaction, escalation | events table via /v1/events |
| API | Auth, config changes, user management, secret operations | audit_log table |
| Console | BFF route access, session creation | Server-side logs |
| Workers | Export jobs, retention runs, config sync | Structured logs |
Event Schema
Gateway decision events include:
- Timestamp — UTC with microsecond precision
- Request metadata — model, provider, token counts
- Policy results — each policy evaluation with pass/block/escalate outcome
- Redaction details — what was redacted and why
- Cost data — estimated and settled cost
- Identity — user, team, and organization context
Audit Log Retention
Configuring Retention
Set retention periods based on regulatory requirements:
```bash
# Set retention to 7 years (SOC 2, financial regulations): 7 * 365 * 24 hours
export KEEPTRUSTS_EVENT_RETENTION_HOURS=61320

# Set retention to 3 years (general compliance): 3 * 365 * 24 hours
export KEEPTRUSTS_EVENT_RETENTION_HOURS=26280
```
The worker_lifecycle binary prunes events older than the retention period using advisory locks to prevent concurrent cleanup races.
Retention by Category
For organizations with mixed retention requirements, configure per-category retention:
| Category | Retention | Rationale |
|---|---|---|
| Policy violations (blocks) | 7 years | Regulatory evidence |
| Escalations | 7 years | Incident documentation |
| Normal requests | 1 year | Operational analysis |
| Cost events | 5 years | Financial audit trail |
| Auth events | 3 years | Access review compliance |
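The per-category schedule above and the lock-protected pruning that worker_lifecycle performs, as an added example (not Keeptrusts code): a SQLite table stands in for the events table, a POSIX file lock stands in for the database advisory lock, and the category identifiers, column names and lock path are assumptions made for the example. Each category gets its own cutoff, anything without a row in the table falls back to KEEPTRUSTS_EVENT_RETENTION_HOURS, and a run that cannot take the lock returns without deleting anything instead of racing the pruner that holds it.

```python
"""Per-category audit-event retention pruning.

Added example, not Keeptrusts code: a SQLite table stands in for the
gateway's events table, and a POSIX file lock stands in for the database
advisory lock that worker_lifecycle takes so only one pruner runs at a time.
Category names, column names and the lock path are assumptions.
"""
import fcntl
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Fallback for categories without their own row in the retention table:
# the page's KEEPTRUSTS_EVENT_RETENTION_HOURS (61320 h = 7 years).
DEFAULT_RETENTION_HOURS = int(os.environ.get("KEEPTRUSTS_EVENT_RETENTION_HOURS", "61320"))

# Per-category retention in hours, following the page's table
# (category identifiers are constructed for this example).
RETENTION_HOURS = {
    "block": 7 * 365 * 24,       # policy violations: regulatory evidence
    "escalation": 7 * 365 * 24,  # incident documentation
    "request": 1 * 365 * 24,     # normal requests: operational analysis
    "cost": 5 * 365 * 24,        # financial audit trail
    "auth": 3 * 365 * 24,        # access review compliance
}


def cutoff_for(category, now, default_hours=DEFAULT_RETENTION_HOURS):
    """Oldest timestamp that is still retained for this category."""
    hours = RETENTION_HOURS.get(category, default_hours)
    return now - timedelta(hours=hours)


def prune_events(conn, now, lock_path, default_hours=DEFAULT_RETENTION_HOURS):
    """Delete events older than their category's cutoff under an exclusive lock.

    Returns {category: rows_deleted}, or None when another pruner already
    holds the lock; the caller simply retries on its next scheduled run
    instead of racing the concurrent cleanup.
    """
    lock_file = open(lock_path, "a")
    try:
        fcntl.flock(lock_file, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError:
        lock_file.close()
        return None
    try:
        deleted = {}
        categories = [row[0] for row in conn.execute("SELECT DISTINCT category FROM events")]
        for category in categories:
            # ISO-8601 UTC strings compare correctly as text when every row shares the format.
            cutoff = cutoff_for(category, now, default_hours).isoformat()
            cur = conn.execute("DELETE FROM events WHERE category = ? AND ts < ?", (category, cutoff))
            deleted[category] = cur.rowcount
        conn.commit()
        return deleted
    finally:
        fcntl.flock(lock_file, fcntl.LOCK_UN)
        lock_file.close()


def build_sample_db(now):
    """Constructed events: for each category, one row past its cutoff and (mostly) one inside it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, category TEXT NOT NULL, ts TEXT NOT NULL)")
    ages_in_days = [
        ("block", 8 * 365), ("block", 6 * 365),
        ("escalation", 8 * 365),
        ("request", 400), ("request", 30),
        ("cost", 6 * 365), ("cost", 4 * 365),
        ("auth", 4 * 365), ("auth", 2 * 365),
    ]
    conn.executemany(
        "INSERT INTO events (category, ts) VALUES (?, ?)",
        [(cat, (now - timedelta(days=age)).isoformat()) for cat, age in ages_in_days],
    )
    conn.commit()
    return conn


def run_demo():
    """Prune the sample table once, then show a second pruner backing off while the lock is held."""
    now = datetime(2026, 4, 1, tzinfo=timezone.utc)
    lock_path = os.path.join(tempfile.mkdtemp(), "prune.lock")
    conn = build_sample_db(now)
    deleted = prune_events(conn, now, lock_path)
    remaining = conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    # A concurrent pruner holding the lock: this run must return None, not delete.
    holder = open(lock_path, "a")
    fcntl.flock(holder, fcntl.LOCK_EX | fcntl.LOCK_NB)
    skipped = prune_events(conn, now, lock_path) is None
    fcntl.flock(holder, fcntl.LOCK_UN)
    holder.close()
    return {"deleted": deleted, "remaining": remaining, "skipped_while_locked": skipped}


if __name__ == "__main__":
    print(run_demo())
```

Running it deletes exactly one row per category and leaves four, and the second call made while the lock is held returns None. In production the same shape applies with the database's own advisory lock in place of the file lock, and the cutoffs should be computed from the category table rather than a single global value whenever regulators impose different hold periods on different event types.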
Event Export Automation
Scheduled Exports
Automate evidence collection with scheduled export jobs:
```bash
# Create a recurring export job
curl -X POST https://api.example.com/v1/exports \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "weekly-compliance-export",
    "format": "csv",
    "schedule": "0 0 * * 0",
    "filters": {
      "categories": ["block", "escalation", "redaction"],
      "date_range": "last_7_days"
    },
    "destination": {
      "type": "s3",
      "bucket": "keeptrusts-compliance-evidence",
      "prefix": "weekly/"
    }
  }'
```
The worker_export binary processes export jobs in the background. S3 destinations use presigned URLs for secure download.
Export Formats
| Format | Use Case | Contents |
|---|---|---|
| CSV | Spreadsheet analysis, auditor review | Flat tabular data |
| JSON | Programmatic processing, SIEM ingestion | Full event payloads |
| PDF | Executive summaries, board reports | Formatted reports |
Evidence Collection CLI
The kt CLI provides commands for on-demand evidence collection:
Export Events
```bash
# Export all policy violations for a date range
kt events export \
  --from 2026-01-01 \
  --to 2026-03-31 \
  --filter 'result=block OR result=escalate' \
  --format csv \
  --output q1-violations.csv

# Export with full request/response context
kt events export \
  --from 2026-01-01 \
  --to 2026-03-31 \
  --include-context \
  --format json \
  --output q1-full-evidence.json
```
Tail Live Events
Monitor compliance events in real time during audits:
```bash
# Stream policy violations as they occur
kt events tail --filter 'result=block' --format json

# Stream escalation events
kt events tail --filter 'category=escalation'
```
Configuration Snapshots
Capture the current policy configuration as audit evidence:
```bash
# Export current gateway config
kt config export --output policy-snapshot-$(date +%Y%m%d).yaml

# Export with version history
kt config history --format json --output config-history.json
```
SOC 2 Control Mapping
Map Keeptrusts capabilities to SOC 2 Trust Services Criteria:
CC6 — Logical and Physical Access Controls
| Control | Keeptrusts Implementation | Evidence |
|---|---|---|
| CC6.1 — Logical access security | Bearer tokens, JWT sessions, RBAC | Auth event audit log |
| CC6.2 — User authentication | POST /v1/auth/login, JWT with kid rotation | Session creation events |
| CC6.3 — Authorization | Team-scoped access, gateway key filtering | Token scope configuration |
| CC6.6 — Access review | Access key and gateway key management console | Key listing and rotation logs |
CC7 — System Operations
| Control | Keeptrusts Implementation | Evidence |
|---|---|---|
| CC7.1 — Infrastructure monitoring | Health endpoints, Prometheus metrics | Dashboard screenshots, alert history |
| CC7.2 — Anomaly detection | Policy evaluation metrics, block rate monitoring | Alert rules, incident logs |
| CC7.3 — Incident response | Escalation workflows, PagerDuty integration | Escalation event export |
| CC7.4 — Change management | Git-backed config, migration versioning | Git history, migration log |
CC8 — Change Management
| Control | Keeptrusts Implementation | Evidence |
|---|---|---|
| CC8.1 — Change authorization | Config variable access controls, admin-only mutations | Audit log of config changes |
A1 — Availability
| Control | Keeptrusts Implementation | Evidence |
|---|---|---|
| A1.1 — Capacity management | Wallet quotas, resource limits | Capacity configuration export |
| A1.2 — Recovery procedures | Stateless gateway recovery, DB backup | DR test results |
Continuous Compliance Workflows
Automated Evidence Collection Pipeline
```bash
#!/bin/bash
# collect-compliance-evidence.sh
set -euo pipefail

QUARTER=$1   # e.g., "2026-Q1"
OUTPUT_DIR="compliance-evidence/${QUARTER}"
mkdir -p "$OUTPUT_DIR"

# Fail early if the admin token is missing rather than writing an empty inventory
: "${ADMIN_TOKEN:?ADMIN_TOKEN must be set}"

# Derive the quarter's date range from the QUARTER argument
YEAR="${QUARTER%-Q*}"
case "${QUARTER#*-Q}" in
  1) QUARTER_START="${YEAR}-01-01"; QUARTER_END="${YEAR}-03-31" ;;
  2) QUARTER_START="${YEAR}-04-01"; QUARTER_END="${YEAR}-06-30" ;;
  3) QUARTER_START="${YEAR}-07-01"; QUARTER_END="${YEAR}-09-30" ;;
  4) QUARTER_START="${YEAR}-10-01"; QUARTER_END="${YEAR}-12-31" ;;
  *) echo "usage: $0 YYYY-Qn (e.g., 2026-Q1)" >&2; exit 1 ;;
esac

# Export policy violation events
kt events export \
  --from "${QUARTER_START}" \
  --to "${QUARTER_END}" \
  --filter 'result=block OR result=escalate' \
  --format csv \
  --output "${OUTPUT_DIR}/policy-violations.csv"

# Export escalation events
kt events export \
  --from "${QUARTER_START}" \
  --to "${QUARTER_END}" \
  --filter 'category=escalation' \
  --format json \
  --output "${OUTPUT_DIR}/escalations.json"

# Snapshot current configuration
kt config export --output "${OUTPUT_DIR}/policy-config-snapshot.yaml"

# Export access key inventory (wrapped in an array so the file is one valid JSON document;
# -f makes curl fail on HTTP errors so pipefail stops the script instead of saving an error body)
curl -sf https://api.example.com/v1/tokens \
  -H "Authorization: Bearer $ADMIN_TOKEN" | \
  jq '[.tokens[] | {id, name, token_type, created_at, last_used_at}]' \
  > "${OUTPUT_DIR}/access-key-inventory.json"

echo "Evidence collection complete: ${OUTPUT_DIR}"
```
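Once the script has filled compliance-evidence/&lt;QUARTER&gt;/, an auditor will want to know the exports were not edited between collection and review. The following is an added example, not part of Keeptrusts or of the page's script: it writes a SHA-256 manifest beside the evidence files and later reports any file that was modified, removed, or added after the manifest was produced. The manifest file name and the sample bundle contents are constructed for the example.

```python
"""Tamper-evident manifest for a quarterly evidence bundle.

Added example, not part of Keeptrusts or the page's script: after
collect-compliance-evidence.sh fills compliance-evidence/<QUARTER>/, this
writes a SHA-256 manifest beside the exports so an auditor can confirm
none of them changed afterwards. The manifest name is an assumption.
"""
import hashlib
import os
import tempfile

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path):
    """Stream the file through SHA-256 so large JSON exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(bundle_dir):
    """Hash every file in the bundle (except the manifest itself) and write 'digest  name' lines."""
    entries = {}
    for root, _dirs, files in os.walk(bundle_dir):
        for name in sorted(files):
            if root == bundle_dir and name == MANIFEST_NAME:
                continue
            path = os.path.join(root, name)
            entries[os.path.relpath(path, bundle_dir)] = sha256_file(path)
    with open(os.path.join(bundle_dir, MANIFEST_NAME), "w") as m:
        for rel, digest in sorted(entries.items()):
            m.write(f"{digest}  {rel}\n")  # the two-space layout sha256sum -c accepts
    return entries


def verify_manifest(bundle_dir):
    """Return sorted problem strings: modified files, missing files, and files not in the manifest."""
    recorded = {}
    with open(os.path.join(bundle_dir, MANIFEST_NAME)) as m:
        for line in m:
            digest, rel = line.rstrip("\n").split("  ", 1)
            recorded[rel] = digest
    present = set()
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), bundle_dir)
            if rel != MANIFEST_NAME:
                present.add(rel)
    problems = []
    for rel, digest in recorded.items():
        path = os.path.join(bundle_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"modified: {rel}")
    for rel in present - recorded.keys():
        problems.append(f"unlisted: {rel}")
    return sorted(problems)


def run_demo():
    """Constructed bundle: write the manifest, verify it clean, then alter one export and re-verify."""
    bundle = tempfile.mkdtemp()
    with open(os.path.join(bundle, "policy-violations.csv"), "w") as f:
        f.write("ts,result,policy\n2026-01-15T10:00:00Z,block,pii-redaction\n")
    with open(os.path.join(bundle, "escalations.json"), "w") as f:
        f.write('[{"ts": "2026-02-02T08:30:00Z", "category": "escalation"}]\n')
    write_manifest(bundle)
    clean = verify_manifest(bundle)
    # Simulate an after-the-fact edit to one export plus a file added later.
    with open(os.path.join(bundle, "policy-violations.csv"), "a") as f:
        f.write("2026-03-01T00:00:00Z,block,edited-later\n")
    with open(os.path.join(bundle, "notes.txt"), "w") as f:
        f.write("added after manifest\n")
    tampered = verify_manifest(bundle)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(run_demo())
```

Run write_manifest as the last step of the quarterly collection and store the manifest (or just its own hash) somewhere the evidence directory's writers cannot reach, such as a ticket or a write-once bucket; verify_manifest at audit time then shows whether the bundle being reviewed is the one that was collected.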
Compliance Dashboard Metrics
Track continuous compliance health:
```promql
# Policy enforcement coverage (percentage of requests evaluated)
sum(rate(keeptrusts_gateway_policy_evaluations_total[24h]))
  / sum(rate(keeptrusts_gateway_requests_total[24h]))

# Audit log completeness (events ingested vs. requests processed)
sum(increase(keeptrusts_api_events_ingested_total[24h]))
  / sum(increase(keeptrusts_gateway_requests_total[24h]))

# Escalation response time (median)
histogram_quantile(0.5, sum(rate(keeptrusts_escalation_response_seconds_bucket[7d])) by (le))
```
Regulatory Framework Mapping
Extend the SOC 2 mapping to other frameworks:
| Framework | Key Controls | Keeptrusts Coverage |
|---|---|---|
| SOC 2 Type II | CC6, CC7, CC8, A1 | Full coverage via audit log and policy enforcement |
| GDPR | Art. 35 (DPIA), Art. 22 (automated decisions) | PII redaction, data residency policies |
| EU AI Act | Art. 14 (human oversight), Art. 12 (transparency) | Escalation workflows, decision audit trail |
| HIPAA | 164.312 (access controls), 164.312 (audit controls) | Auth, encryption at rest, event retention |
| SOX | IT General Controls | Change management via Git config, access reviews |
Next steps
- Configure Secret Management for encrypting compliance evidence
- Set up Monitoring & Alerting for compliance metric dashboards
- Review Multi-Region for data residency compliance in distributed deployments
For AI systems
- Canonical terms: audit log, event retention, evidence collection, export jobs, SOC 2 mapping, continuous compliance, worker_lifecycle, worker_export
- Key config: KEEPTRUSTS_EVENT_RETENTION_HOURS, scheduled export jobs via POST /v1/exports
- CLI commands: kt events export, kt events tail, kt config export, kt config history
- Export formats: CSV, JSON, PDF
- Related pages: Secret Management, Monitoring & Alerting, Multi-Region
For engineers
- Set KEEPTRUSTS_EVENT_RETENTION_HOURS based on regulatory requirements (61320 for 7 years, 26280 for 3 years)
- The worker_lifecycle binary handles event pruning with advisory locks — deploy one instance only
- Create recurring export jobs with POST /v1/exports using cron-style schedules and S3 destinations
- Use kt events export --filter 'result=block OR result=escalate' for on-demand auditor evidence
- Run the collect-compliance-evidence.sh script quarterly to produce a complete evidence bundle
- Validate: confirm worker_export processes jobs by checking export artifact creation in the console
For leaders
- Audit log retention must align with regulatory hold periods — 7 years for financial, 6 years for HIPAA
- Automated evidence collection replaces manual auditor data requests, reducing audit preparation time
- SOC 2 control mapping (CC6, CC7, CC8, A1) provides ready-made responses for auditors
- Continuous compliance dashboards track policy enforcement coverage and audit log completeness in real time
- Multi-framework mapping (SOC 2, GDPR, EU AI Act, HIPAA, SOX) avoids duplicating compliance work