Pass AI Compliance Audits with Confidence

When auditors ask "How do you govern AI?", you need more than policies on paper. You need timestamped evidence that policies were enforced, decisions were logged, and controls were active on every request. Keeptrusts generates that evidence automatically.

Use this page when

You are preparing for a compliance audit (SOC 2, HIPAA, EU AI Act, ISO 27001) and need to demonstrate AI governance controls.
You need immutable audit logs, one-click evidence exports, and policy version history to satisfy auditor requests.
You want to understand the four pillars of audit readiness: logging, export, versioning, and escalation records.

Primary audience

Primary: Technical Leaders
Secondary: Technical Engineers, AI Agents

What you'll achieve

Immutable audit trail of every AI request, policy decision, and escalation
One-click evidence export for auditors in multiple formats
Policy version history showing exactly which controls were active at any point in time
Pre-built compliance templates for EU AI Act, HIPAA, SOC 2, and financial regulation
Escalation records proving human oversight was exercised when required

The four pillars of audit readiness

1. Immutable event logging

Every request through the Keeptrusts gateway generates an event record that includes:

Request and response metadata
Which policies were evaluated and their outcomes
Redaction decisions and categories
Provider selection and routing decisions
Timestamps, request IDs, and config version

policies:
  chain:
    - pii-detector
    - prompt-injection
    - audit-logger

policy:
  audit-logger:
    immutable: true
    retention_days: 2555
    include_request_metadata: true
    include_policy_outcomes: true

Setting immutable: true ensures that event records cannot be modified or deleted within the retention window — a requirement for SOC 2 Type II and HIPAA audit controls.

2. Evidence export

The console Exports page lets you generate evidence packages on demand or on a schedule.

Export formats:

Format	Use case
CSV	Spreadsheet analysis, auditor handoff
JSON	Programmatic analysis, SIEM ingestion
PDF summary	Executive review, board reporting

Export scopes:

Time range — export events from a specific period (e.g., Q1 2026)
Policy type — export only PII detection events or only escalations
Team — scope exports to a specific team's activity
Gateway — export events from a specific gateway instance

# Create an export job via CLI
kt export create \
  --format csv \
  --from "2026-01-01T00:00:00Z" \
  --to "2026-03-31T23:59:59Z" \
  --filter "policy_type=pii-detector"

See Exports for the full export workflow.

3. Policy version history

Keeptrusts tracks every version of your policy configuration with:

Version number and timestamp
Diff view showing exactly what changed between versions
Active/inactive status across gateways
Author attribution when using git-backed configs

This means you can answer auditor questions like:

"When was PII redaction first enabled?" — check the version history
"Was the HIPAA policy active during Q2?" — verify the active config for that period
"Who approved the policy change?" — check the version history and audit trail

See Configurations for details.

4. Escalation and human oversight records

When policies escalate decisions for human review, the full lifecycle is recorded:

Escalation created — timestamp, reason, request ID, policy that triggered it
Claimed by reviewer — who took ownership and when
Resolution — what decision was made and the reviewer's notes
Resolution timestamp — proving timely response

policies:
  chain:
    - human-oversight
    - audit-logger

policy:
  human-oversight:
    escalate_on:
      - high_risk_classification
      - low_quality_score
    require_resolution_within_hours: 24

See Escalations for the reviewer workflow.

Pre-built compliance templates

Keeptrusts ships templates that map directly to regulatory frameworks:

Template	Regulation	Key controls
Healthcare HIPAA	HIPAA	PHI detection, Safe Harbor redaction, audit controls, retention
EU AI Act	EU AI Act	Human oversight, bias monitoring, quality scoring, risk classification
Finance	SOX, MiFID II	MNPI detection, financial compliance, audit logging
Defense	ITAR/EAR	Export control filters, entity screening, CJIS mode

Deploy a template with the CLI:

export OPENAI_API_KEY="sk-your-openai-key"

kt policy lint --file healthcare-hipaa.yaml
kt gateway run \
  --listen 0.0.0.0:41002 \
  --policy-config healthcare-hipaa.yaml

Keep the provider target inside the template config and inject the credential through secret_key_ref or a managed secret_key_ref.

Building an audit evidence package

When an auditor requests evidence, follow this workflow:

Define the scope — time range, teams, policy types
Create the export — use the console Exports page or kt export create
Include escalation records — export resolved escalations for the same period
Attach the active policy config — show which controls were in force
Add version history — demonstrate policy changes were tracked and authorized

Audit checklist

Auditor question	Keeptrusts evidence
"Are AI requests logged?"	Events page, export with `include_request_metadata`
"Is sensitive data protected?"	PII/PHI redaction events, redaction statistics
"Who reviews flagged content?"	Escalation records with reviewer attribution
"Are policies versioned?"	Configuration version history with diffs
"Can logs be tampered with?"	`immutable: true` audit logger, retention policy
"How quickly are issues resolved?"	Escalation time-to-resolution metrics
"Is there human oversight?"	Human-oversight policy config + escalation queue

Quick wins

Enable audit-logger with immutable: true — this is the foundation for any audit
Create your first export — verify the export workflow works before an auditor asks
Deploy a compliance template — start with the one closest to your regulatory context
Review escalation resolution times — ensure your team can meet SLA commitments
Enable git-backed configs — get author attribution on every policy change

For AI systems

Canonical terms: audit-logger (immutable), evidence export, policy version history, escalation records, compliance template.
Config keys: policy.audit-logger.immutable, policy.audit-logger.retention_days, policy.audit-logger.include_policy_outcomes.
CLI commands: kt export create --format csv --from --to --filter, kt events list.
Export formats: CSV (auditor handoff), JSON (SIEM ingestion), PDF summary (executive review).
Best next pages: Exports, Meet EU AI Act, Secure Healthcare AI.

For engineers

Prerequisites: audit-logger in the policy chain with immutable: true.
Set retention_days: 2555 (7 years) for SOC 2 Type II and HIPAA requirements.
Create scheduled exports for recurring audit windows via the console Exports page or CLI.
Validate: confirm event records cannot be modified or deleted within the retention window.
Policy version history: each configuration change is timestamped — verify in Configurations page.

For leaders

Audit preparation drops from weeks of manual log aggregation to one-click evidence export.
Immutable logging means records cannot be tampered with — satisfying SOC 2 and HIPAA integrity requirements.
Policy version history provides exact point-in-time proof of which controls were active during any period.
Pre-built compliance templates (HIPAA, EU AI Act, Finance) reduce initial compliance setup from months to hours.

Next steps

Meet EU AI Act Requirements — specific EU AI Act controls
Secure Healthcare AI — HIPAA-specific audit readiness
Protect Financial Data — financial regulation compliance
Export Evidence for a Review — step-by-step export workflow
Audit Log — console audit log features

Use this page when​

Primary audience​

What you'll achieve​

The four pillars of audit readiness​

1. Immutable event logging​

2. Evidence export​

3. Policy version history​

4. Escalation and human oversight records​

Pre-built compliance templates​

Building an audit evidence package​

Audit checklist​

Quick wins​

For AI systems​

For engineers​

For leaders​

Next steps​