Layer 4: Trust Ledgers

How do I audit log every AI agent tool call?

Enterprise-grade audit logging for AI agents requires capturing the agent identity, proposed action, policy decision, business state, and cryptographic chain — not just prompts and tokens. Standard observability tools (LangSmith, Helicone, Arize) capture model-layer telemetry. They miss the execution-layer evidence that auditors and regulators require.

What a compliant audit trail must capture:

  • Agent identity: Which specific agent (not just which service account) performed the action
  • User delegation: Which human user authorized the agent's session
  • Proposed action: The exact tool call, parameters, and target system
  • Policy decision: Which rule allowed/blocked the action and why
  • Business state: The relevant system state at evaluation time (state hash)
  • Outcome: Whether the action was executed, blocked, or escalated
  • Cryptographic chain: Tamper-proof linking between sequential audit records

Compliance frameworks (SOC 2, GDPR, EU AI Act, HIPAA) all require evidence that links an action to a specific intent and authorization. "Traditional logging is insufficient. Auditors expect evidence that links an action to a specific intent and authorization."

Exogram's Trust Ledgers automatically capture all seven elements for every agent tool call. Records are cryptographically chained (SHA-256) so they cannot be modified post-hoc. PII is detected and scrubbed before storage. The result is an audit trail that satisfies SOC 2, GDPR, and EU AI Act requirements — generated automatically as a byproduct of governance, not as a separate logging system.
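An added sketch (not Exogram's code or API) of how a SHA-256 chained record covering the seven elements listed above can be built and verified. The field names, the all-zero genesis value and the canonical-JSON encoding are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel used as prev_hash of the first record

def digest(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def append_record(ledger, *, agent_id, delegated_by, action, policy,
                  state, outcome):
    """Append one record covering the seven elements; return the record."""
    body = {
        "seq": len(ledger),
        "agent_id": agent_id,           # agent identity
        "delegated_by": delegated_by,   # user delegation
        "action": action,               # tool, parameters, target system
        "policy": policy,               # rule and decision
        "state_hash": digest(state),    # business state at evaluation time
        "outcome": outcome,             # executed | blocked | escalated
        "prev_hash": ledger[-1]["record_hash"] if ledger else GENESIS,
    }
    record = dict(body, record_hash=digest(body))
    ledger.append(record)
    return record

def verify_chain(ledger):
    """Return the index of the first invalid record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if (rec["seq"] != i or rec["prev_hash"] != prev
                or digest(body) != rec["record_hash"]):
            return i
        prev = rec["record_hash"]
    return None

def demo():
    # Constructed sample data, not real agent traffic.
    ledger, state = [], {"invoice_42": "unpaid", "balance": 1200}
    for amount, decision, outcome in [(50, "allow", "executed"), (5000, "block", "blocked")]:
        append_record(ledger, agent_id="billing-agent-7", delegated_by="user:alice",
            action={"tool": "refund", "params": {"amount": amount}, "target": "payments"},
            policy={"rule": "refund-under-100", "decision": decision},
            state=state, outcome=outcome)
    intact = verify_chain(ledger)
    ledger[0]["action"]["params"]["amount"] = 5  # post-hoc edit of record 0
    return intact, verify_chain(ledger)
```

Verification only detects edits relative to a trusted head: the latest `record_hash` should be stored or published where the ledger's writer cannot rewrite it, since a chain recomputed from the edited record forward would otherwise verify.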
