Compliance Audit Policy Template
Maintain a complete, tamper-evident audit trail for every AI agent interaction. Log every request, response, policy decision, approval, and budget event with timestamps and agent identity. Essential for SOC 2, GDPR Article 30, HIPAA, and EU AI Act compliance requirements. All logs are stored on your infrastructure with configurable retention.
What this prevents
During a SOC 2 audit, a fintech company was asked to demonstrate full traceability of their AI agent's actions over the past six months. The auditor wanted to see every prompt sent to the LLM, every response received, every policy decision made, and every budget threshold crossed — with tamper-evident integrity verification. Without centralized audit logging, the company had to reconstruct the trail from scattered application logs, OpenAI usage exports, and deployment records. With Govyn's compliance audit policy, every interaction is logged in a chain-hashed, tamper-evident format with one-click export.
Policy template
Copy this into your govyn.yaml and adjust the values to match your requirements.
```yaml
global:
  logging:
    replay: true
    level: full
    include:
      - request_body
      - response_body
      - policy_decisions
      - budget_events
      - approval_events
      - error_events
    redact_pii: true
    format: json
    retention_days: 365
    storage:
      path: /var/log/govyn/audit/
      rotate: daily
      compress: true
    integrity:
      hash_algorithm: sha256
      chain: true

agents:
  regulated_agent:
    logging:
      level: full
      export:
        destination: s3://compliance-bucket/govyn/
        schedule: daily
```
How it works
Every agent interaction is captured
Govyn logs the complete request body, response body, selected model, token counts, costs, and timing for every API call that passes through the proxy.
Policy decisions are recorded
Every policy evaluation is logged: which rules were checked, whether the request was allowed or denied, what budget was consumed, and whether approval was required.
PII is redacted before storage
When redact_pii is enabled, personally identifiable information is stripped from logs before they're written to disk — giving you a complete audit trail without storing sensitive data.
Logs are integrity-protected
Each log entry is SHA-256 hashed and chained to the previous entry, creating a tamper-evident log. Any modification to historical logs breaks the hash chain and is immediately detectable.
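To make the chaining concrete, here is an added example (not Govyn's code; the event fields and the all-zero genesis value are assumptions) that links each JSON entry to the previous entry's SHA-256 hash, verifies the chain, and shows that a retroactive edit of a historical entry is caught even if the editor recomputes that entry's own hash:

```python
import hashlib
import json

# Constructed sample events shaped like the event types the template logs.
# Field names are illustrative assumptions, not Govyn's real log schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "agent": "regulated_agent", "event": "request_body", "model": "gpt-4o", "tokens": 120},
    {"ts": "2024-05-01T10:00:01Z", "agent": "regulated_agent", "event": "policy_decision", "rule": "model_allowlist", "result": "allow"},
    {"ts": "2024-05-01T10:00:02Z", "agent": "regulated_agent", "event": "budget_event", "cost_usd": 0.0042, "daily_remaining": 9.98},
]
GENESIS = "0" * 64  # assumed prev_hash of the first entry in a fresh chain

def canonical(body: dict) -> bytes:
    # Deterministic serialisation so the same entry always hashes the same.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_entry(chain: list, event: dict) -> None:
    """Append one event, binding it to the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"prev_hash": prev_hash, **event}
    chain.append({**body, "hash": hashlib.sha256(canonical(body)).hexdigest()})

def verify_chain(chain: list) -> tuple:
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev_hash") != expected_prev:
            return False, i  # link to the predecessor is broken
        if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
            return False, i  # entry content changed after it was hashed
        expected_prev = entry["hash"]
    return True, None

def build_chain(events=SAMPLE_EVENTS) -> list:
    chain: list = []
    for ev in events:
        append_entry(chain, ev)
    return chain

def tamper_demo(rehash: bool = False) -> tuple:
    """Retroactively flip a logged policy decision; with rehash=True the edited
    entry's own hash is recomputed as a cover-up. Verification fails either way."""
    chain = build_chain()
    chain[1]["result"] = "deny"
    if rehash:
        body = {k: v for k, v in chain[1].items() if k != "hash"}
        chain[1]["hash"] = hashlib.sha256(canonical(body)).hexdigest()
    return verify_chain(chain)
```

Without the rehash the edited entry itself fails; with it, the next entry fails because its stored prev_hash no longer matches, which is why an auditor only needs the final hash of a day's file to check everything before it.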
Automated export and retention
Logs are rotated daily, compressed, and optionally exported to S3 or other storage. Retention policies automatically clean up logs older than the configured retention period.
Configuration options
| Option | Description | Example |
|---|---|---|
| logging.level | Detail level: minimal, standard, or full | full |
| logging.include | Specific event types to log | [request_body, response_body, policy_decisions] |
| logging.retention_days | How many days to retain logs locally | 365 |
| logging.integrity.chain | Enable hash-chained tamper-evident logging | true |
| logging.export.destination | Remote storage for log exports | s3://compliance-bucket/govyn/ |
Add this policy to your config
Start Govyn with this policy in under 5 minutes. No code changes needed.