AISC-03

Do you provide logging for your solution's AI feature(s) that includes user, date, and action taken?

Explanation

This question is asking whether your AI solution maintains detailed logs of user activities, specifically capturing who used the AI features (user identification), when they used them (date/timestamp), and what specific actions they performed (action taken).

Why this matters in security assessments:

1. Audit Trail: Comprehensive logging creates an audit trail that helps organizations track how AI systems are being used, especially when processing sensitive or regulated data.
2. Incident Response: If there's a security incident or data breach, logs are crucial for determining what happened, when it happened, and who was involved.
3. Regulatory Compliance: Many regulations (GDPR, HIPAA, etc.) require organizations to maintain records of data processing activities, including AI-based processing.
4. Accountability: Logs help establish accountability by clearly showing who initiated specific AI operations.

The guidance specifically mentions regulated data audits and incident response, highlighting that the assessor is concerned about scenarios where an organization might need to investigate how AI features were used with regulated data.

When answering this question, you should:

- Be specific about what user information is logged (usernames, IDs, roles)
- Detail the timestamp precision (date only, or date and time with timezone)
- Describe what actions are logged (queries, model selections, data inputs, outputs)
- Mention how long logs are retained
- Note any log protection measures (tamper-proofing, encryption)
- Explain how logs can be accessed for audit purposes

Guidance

Looking for the ability to audit AI feature(s) for a regulated data audit or incident response.

Example Responses

Example Response 1

Yes, our AI solution implements comprehensive logging for all AI features. Each log entry includes the authenticated user's unique ID and username, a precise timestamp with date and time (ISO 8601 format with timezone), and detailed action information. Actions logged include model selection, prompt submissions, generated outputs, feedback provided, and any configuration changes. Logs are stored in an immutable format for a minimum of 12 months and can be exported in common formats (CSV, JSON) for audit purposes. For regulated environments, we offer extended retention options up to 7 years. All logs are encrypted at rest and in transit, with access controls limiting log visibility to authorized security and compliance personnel.

Example Response 2

Yes, our platform maintains detailed audit logs for all AI interactions. Each log record contains: 1) user identity (full name, employee ID, and department), 2) a complete timestamp (YYYY-MM-DD HH:MM:SS with UTC offset), and 3) comprehensive action details including input prompts, the AI model version used, the output generated, data sources accessed, and any modifications made to outputs. Our logging system is integrated with our centralized SIEM solution, allowing security teams to correlate AI activities with other system events. Logs are retained for 24 months by default and are digitally signed to prevent tampering. We provide a self-service audit portal for compliance officers to review or export logs based on date ranges, users, or action types.

Example Response 3

No, our current AI solution has limited logging capabilities. While we do track basic system-level events, we don't currently capture user-specific information or detailed actions within the AI features. Our logs primarily focus on system performance metrics and error conditions rather than user interactions. We recognize this limitation for organizations requiring detailed audit trails for compliance purposes and have added comprehensive user activity logging to our product roadmap for the next major release (expected Q3 2023). In the interim, we recommend customers implement additional monitoring at the application or network level if detailed AI interaction logs are required for their compliance needs.
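The Explanation above lists the three fields an assessor expects (user, timestamp, action), and the example responses add tamper-proofing, filtering by user/date/action type, and CSV/JSON export. The following is an added example of how such a log can be built, written for this page; it is not ResponseHub's code nor any vendor's logging system. The signing key, user IDs, model names, action names and timestamps are constructed for the demo. Tamper evidence is provided by HMAC-chaining each entry to the previous one, so an edited, deleted or reordered record fails verification.

```python
import csv
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In a real deployment the key lives in a KMS/HSM and is
# never checked into source; anyone holding it could forge entries.
DEMO_SIGNING_KEY = b"demo-audit-signing-key-not-for-production"
GENESIS_MAC = "0" * 64  # chain anchor used as prev_mac for the first entry
DEMO_START = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)  # constructed


class AIAuditLog:
    """Append-only audit log for AI feature usage.

    Each entry records who (user_id, username), when (ISO 8601 UTC timestamp)
    and what (action plus details), and is HMAC-chained to the previous entry
    so that editing, deleting or reordering records is detectable by verify().
    """

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._entries: List[Dict] = []

    @property
    def entries(self) -> List[Dict]:
        return self._entries

    @staticmethod
    def _canonical(entry: Dict) -> bytes:
        # Deterministic serialisation so the MAC covers identical bytes on verify.
        body = {k: v for k, v in entry.items() if k != "mac"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def _mac(self, entry: Dict) -> str:
        return hmac.new(self._key, self._canonical(entry), hashlib.sha256).hexdigest()

    def record(self, user_id: str, username: str, action: str, details: Dict,
               when: Optional[datetime] = None) -> Dict:
        ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
        entry = {
            "seq": len(self._entries),
            "timestamp": ts.isoformat(timespec="seconds"),  # 2024-01-15T09:30:00+00:00
            "user_id": user_id,
            "username": username,
            "action": action,
            "details": details,
            "prev_mac": self._entries[-1]["mac"] if self._entries else GENESIS_MAC,
        }
        entry["mac"] = self._mac(entry)
        self._entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, first bad seq)."""
        prev_mac = GENESIS_MAC
        for i, e in enumerate(self._entries):
            if (e["seq"] != i or e["prev_mac"] != prev_mac
                    or not hmac.compare_digest(self._mac(e), e["mac"])):
                return False, i
            prev_mac = e["mac"]
        return True, None

    def query(self, user_id: Optional[str] = None, action: Optional[str] = None,
              start: Optional[datetime] = None, end: Optional[datetime] = None) -> List[Dict]:
        """Filter by user, action type and inclusive time window, as an audit portal would."""
        hits = []
        for e in self._entries:
            ts = datetime.fromisoformat(e["timestamp"])
            if user_id is not None and e["user_id"] != user_id:
                continue
            if action is not None and e["action"] != action:
                continue
            if start is not None and ts < start:
                continue
            if end is not None and ts > end:
                continue
            hits.append(e)
        return hits

    def export_json(self) -> str:
        return json.dumps(self._entries, indent=2, sort_keys=True)

    def export_csv(self) -> str:
        # Nested details are flattened to a JSON string so each record stays one row.
        cols = ["seq", "timestamp", "user_id", "username", "action", "details", "prev_mac", "mac"]
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=cols)
        writer.writeheader()
        for e in self._entries:
            writer.writerow({**e, "details": json.dumps(e["details"], sort_keys=True)})
        return buf.getvalue()


def build_demo_log() -> AIAuditLog:
    """Constructed sample activity: two users, three action types, fixed timestamps."""
    log = AIAuditLog(DEMO_SIGNING_KEY)
    prompt = "Summarise patient record 4711"  # constructed; only its hash is logged
    prompt_hash = hashlib.sha256(prompt.encode()).hexdigest()
    log.record("u-1001", "alice", "prompt_submitted",
               {"model": "demo-model-v2", "prompt_sha256": prompt_hash}, when=DEMO_START)
    log.record("u-1001", "alice", "output_generated",
               {"model": "demo-model-v2", "output_chars": 812}, when=DEMO_START.replace(minute=31))
    log.record("u-2002", "bob", "model_selected",
               {"model": "demo-model-v1"}, when=DEMO_START.replace(hour=14))
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("chain intact:", demo.verify())
    print(demo.export_csv())
```

Two design points worth noting. The demo logs a hash of the prompt rather than its text: a log that stores full prompts and outputs for a feature processing regulated data becomes a second copy of that data and inherits the same retention, encryption and access-control obligations, which is why the example responses above pair content logging with encryption at rest and restricted log access. The HMAC chain only proves integrity to whoever holds the key, so the key must be kept out of the application's own write path (KMS/HSM, or forward entries to a SIEM that signs them on receipt) or an attacker who compromises the application can re-sign the chain.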

Context

Tab: AI
Category: AI Data Security

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub