Building an AI Security Logging Baseline
Most AI incidents are hard to investigate because telemetry is fragmented. Teams log prompts but not retrieval IDs, or they store tool outputs without caller identity. After an event, there is no complete chain of evidence.
A baseline logging schema should answer four questions fast: who asked, what context was retrieved, what actions were attempted, and what was returned.
Context
Problem: Incomplete AI telemetry prevents reliable detection and incident response.
Approach: Standardize logging for prompts, retrieval, tool calls, policy decisions, and outputs.
Outcome: Security teams can reconstruct model-assisted actions end to end.
Threat model and failure modes
- Missing user/session identity in model requests.
- No traceability from answer text to retrieved documents.
- Tool invocations without policy decision logs.
- Retention gaps that erase critical evidence within days.
Control design
- Generate immutable correlation IDs across prompt, retrieval, and action layers.
- Log document IDs, versions, and tenant scope for every retrieval hit.
- Store policy allow/deny outcomes for each tool invocation.
- Apply PII-aware redaction before persisting prompt content.
- Retain high-risk audit fields longer than general application logs.
Implementation pattern
Keep raw event granularity high and generate summarized views downstream. Investigation quality drops quickly when you only log aggregated metrics.
{
"trace_id": "6bfa2b0d",
"user": "analyst@corp",
"prompt_hash": "sha256:...",
"retrieval_docs": ["kb-4431@v12", "runbook-12@v4"],
"tool_call": "create_ticket",
"policy": "allow",
"response_risk": "low"
}
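As an added example that is not part of the original post, the following Python sketch assembles an event in the shape of the JSON above: it hashes the raw prompt, applies redaction before the prompt text is persisted, carries a caller-supplied trace_id across retries so the evidence chain stays linked, and reports missing critical fields so they can be alerted on. The redaction patterns, the tenant and prompt_redacted fields, and the function names are assumptions, not part of the schema shown above.

```python
import hashlib
import re
import uuid

# Fields an investigator needs to reconstruct one model-assisted action.
# "tenant" is assumed here; the page's sample event does not carry it.
REQUIRED_FIELDS = ("trace_id", "user", "tenant", "prompt_hash",
                   "retrieval_docs", "tool_call", "policy")

# Constructed redaction rules: e-mail addresses and 16-digit card-like numbers.
REDACTION_RULES = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "<email>"),
    (re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"), "<card>"),
]


def redact(text: str) -> str:
    """Apply PII-aware redaction before prompt content is persisted."""
    for pattern, token in REDACTION_RULES:
        text = pattern.sub(token, text)
    return text


def build_event(user, tenant, prompt, retrieval_docs, tool_call, policy,
                trace_id=None):
    """Build one raw-granularity audit event.

    Pass the same trace_id on retries and fallback paths so every layer
    (prompt, retrieval, action) shares one correlation ID.
    """
    trace_id = trace_id or uuid.uuid4().hex[:8]
    # Hash the raw prompt for integrity; only the redacted text is stored.
    prompt_hash = "sha256:" + hashlib.sha256(prompt.encode()).hexdigest()
    return {
        "trace_id": trace_id,
        "user": user,
        "tenant": tenant,
        "prompt_hash": prompt_hash,
        "prompt_redacted": redact(prompt),
        "retrieval_docs": list(retrieval_docs),  # doc_id@version per hit
        "tool_call": tool_call,
        "policy": policy,  # allow/deny outcome for this tool invocation
    }


def missing_fields(event: dict) -> list:
    """Return critical fields that are absent or empty; alert on any hit."""
    return [f for f in REQUIRED_FIELDS if not event.get(f)]
```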
Research and standards
These controls align well with guidance from the OWASP Top 10 for LLM Applications, the NIST AI RMF, and the adversarial behavior patterns catalogued in MITRE ATLAS.
Validation checklist
- Run a tabletop and verify investigators can reconstruct each AI-assisted decision.
- Check redaction quality on sampled prompt logs.
- Validate trace IDs survive retries and fallback paths.
- Alert on missing critical fields such as user or tenant.
- Test retention rules by querying 30+ day incidents.
Takeaways
Without logging discipline, AI safety controls are impossible to prove. Baseline telemetry is foundational security engineering, not optional observability work.