AS-301i · Module 3

Pre-Incident Logging Architecture

3 min read

Forensic readiness means the logging infrastructure is in place before the incident occurs. You cannot retroactively enable logging for an event that has already happened. The logs that will reconstruct the incident must exist at the time of the incident. Pre-incident logging architecture ensures that every AI-specific evidence type is captured as a routine operational practice.

  1. Interaction Logging: Log every model interaction (input, output, context composition, system prompt version, and model configuration) with timestamps and session identifiers. Interaction logs are the primary evidence source for most AI incidents. Without them, the incident is a gap in the record.
  2. Tool and Action Logging: Log every tool invocation, API call, database query, and file operation performed by or on behalf of an AI agent. Include the requesting agent identity, the authorization result, the parameters, and the response. Action logs trace what the model did, not just what it said.
  3. Retention and Storage: Define retention periods by log type: interaction logs retained for one year, tool logs retained for two years, guardrail events retained indefinitely for trend analysis. Store logs in tamper-evident storage with access controls and audit trails. The logs that prove the incident must themselves be provably unmodified. [RECOMMEND]: Use append-only storage systems for forensic log retention.
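The three items above describe one logging pipeline: interaction and tool events written with session identifiers, kept for a per-type retention period, in storage that makes modification detectable. The following is an added example, not code from the AS-301i course material, showing the minimal shape of such a pipeline in Python: a hash-chained, append-only event log where each record carries the hash of its predecessor, a retention table using the periods the module states, and a verification routine that reports the first record whose chain link no longer checks out. The class, field names, and sample events are assumptions constructed for illustration.

```python
"""Added example (not part of the AS-301i course material): a hash-chained,
append-only log for AI interaction, tool and guardrail events with per-type
retention and an integrity check. All names and sample values are assumed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Retention periods by log type, as stated in the module text.
# None means retain indefinitely (guardrail events, for trend analysis).
RETENTION = {
    "interaction": timedelta(days=365),
    "tool": timedelta(days=730),
    "guardrail": None,
}


class AppendOnlyLog:
    """Each record stores the SHA-256 of the previous record, so editing,
    reordering or deleting an earlier record breaks every later link."""

    GENESIS = "0" * 64  # prev_hash of the first record

    def __init__(self):
        self._records = []

    @staticmethod
    def _digest(record):
        # Hash a canonical JSON form of every field except the hash itself.
        body = {k: v for k, v in record.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def append(self, log_type, session_id, payload, ts=None):
        """Append one event; returns the new record's hash (the chain head)."""
        if log_type not in RETENTION:
            raise ValueError(f"unknown log type {log_type!r}")
        prev = self._records[-1]["hash"] if self._records else self.GENESIS
        record = {
            "seq": len(self._records),
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "type": log_type,
            "session_id": session_id,
            "payload": payload,
            "prev_hash": prev,
        }
        record["hash"] = self._digest(record)
        self._records.append(record)
        return record["hash"]

    def verify(self):
        """Recompute every hash and chain link. Returns (ok, first_bad_seq)."""
        prev = self.GENESIS
        for rec in self._records:
            if rec["prev_hash"] != prev or rec["hash"] != self._digest(rec):
                return False, rec["seq"]
            prev = rec["hash"]
        return True, None

    def expired(self, now):
        """Seq numbers past their retention period at time `now`. These are
        candidates for archival to cold storage; deleting them in place would
        break the chain, so the chain head must be checkpointed first."""
        out = []
        for rec in self._records:
            period = RETENTION[rec["type"]]
            if period is None:
                continue
            if now - datetime.fromisoformat(rec["ts"]) > period:
                out.append(rec["seq"])
        return out


def build_sample_log():
    """Constructed sample events: one interaction, one tool call, one
    guardrail event, all in the same session and at the same timestamp."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log = AppendOnlyLog()
    log.append("interaction", "sess-0001", {
        "system_prompt_version": "v3", "model_config": {"model": "demo-model",
        "temperature": 0.2}, "input": "summarise ticket 42",
        "output": "Ticket 42: ...",
    }, ts=t0)
    log.append("tool", "sess-0001", {
        "agent_id": "agent-support", "tool": "db.query", "authorized": True,
        "params": {"ticket_id": 42}, "response_bytes": 512,
    }, ts=t0)
    log.append("guardrail", "sess-0001", {"rule": "pii-in-output",
                                          "action": "redact"}, ts=t0)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("expired after 400 days:",
          log.expired(datetime(2024, 1, 1, tzinfo=timezone.utc)
                      + timedelta(days=400)))
```

The chain makes modification detectable, not impossible: anyone with write access to the whole store can rewrite every record and recompute every hash. That is why the module pairs tamper-evident storage with access controls and audit trails; in practice the current chain head is also anchored somewhere the logging system cannot write (a separate WORM bucket or a signed daily checkpoint), so a wholesale rewrite is detectable against that external record.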