
Audit logs

Every action, every decision, every read — Delphi audit-logs them all to Cloud Logging with PII redaction.

Every decision your agents make, every action they propose or execute, and every sensitive read they perform is recorded in Delphi’s append-only audit trail. You get a complete, timestamped record of who did what, when, and why — without lifting a finger. Personal data is automatically stripped from metadata before anything is written, so your audit log is defensible by default rather than a new liability.

What gets logged

Delphi captures three classes of events automatically. Actions cover the full governed-execution lifecycle: proposed, approved, rejected, executed, and failed — each with the actor, the target system, and the policy that allowed the action through. Decisions cover agentic work: alert evaluations, scenario runs, recommendations, and human verifications on AI suggestions. Reads cover access to sensitive data — org graph snapshots, confidential documents, compliance dashboards, and exports of classified data.

Each entry carries the actor’s user ID, the command center it touched, the specific action name, structured metadata about the event, and a server-generated timestamp. Nothing is client-supplied — timestamps and actor identity come from verified sessions on the server side, so they cannot be spoofed after the fact.

PII redaction

Audit records describe what happened, not the underlying personnel data. Before any entry is written, Delphi runs the metadata through an automatic PII filter that strips email addresses, phone numbers, government identifiers, and free-text fields that commonly leak personal information. The action name and actor are preserved; the sensitive payload around them is not.

This matters for two reasons. First, your audit log itself does not become a secondary data store of regulated information: auditors can review the trail without inheriting a data protection impact assessment (DPIA). Second, audit retention policies can be longer than data retention policies without creating a compliance conflict. If you need the full un-redacted context of a specific event, that lives in the source system the action touched, gated by its own access controls.
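The redact-before-write step described above, as an added sketch that is not Delphi's implementation: the field names, the free-text key list, the regex patterns and the `[REDACTED:…]` marker format are all assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Assumed patterns, most specific first so an ID is not mislabelled as a phone.
PATTERNS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("gov_id", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),      # US SSN shape
    ("gov_id", re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")),     # UK NINO shape
    ("phone", re.compile(r"\+?\d[\d\s().-]{7,}\d")),
]
FREE_TEXT_KEYS = {"comment", "notes", "reason", "description"}  # hypothetical

def redact(value, key=None):
    """Recursively strip PII from metadata; structure and safe values survive."""
    if key in FREE_TEXT_KEYS:
        return "[REDACTED:free_text]"  # dropped whole: free text leaks names
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, key) for v in value]
    if isinstance(value, str):
        for label, pattern in PATTERNS:
            value = pattern.sub(f"[REDACTED:{label}]", value)
    return value

def build_entry(session_user_id, command_center, action, metadata):
    """Actor and timestamp come from the server, never from the request body."""
    return {
        "actor": session_user_id,
        "command_center": command_center,
        "action": action,
        "metadata": redact(metadata),
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }

# Constructed sample metadata, not real data.
SAMPLE = {
    "target_system": "hris",
    "policy": "offboarding-v2",
    "subject": "Contact jane.doe@example.com or +44 20 7946 0958",
    "national_id": "QQ123456C",
    "reason": "Jane asked to leave early due to illness",
    "approvers": ["u_17", "bob@example.org"],
}

if __name__ == "__main__":
    print(build_entry("u_42", "cc_uk_people", "action.approved", SAMPLE))
```

The phone pattern is deliberately loose and will also redact long numeric strings such as order numbers, which errs on the side of over-redaction.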

Where logs go

Audit entries are written to a dedicated, append-only log stream separate from application logs. They are immutable from Delphi’s side — there is no user-facing API to edit or delete an entry, and writes are tagged so they can be exported to your own SIEM, data warehouse, or long-term archive on a schedule you control.

For customers on sovereign or regulated deployments, audit logs respect the same data residency boundary as the rest of the tenant. A UK-resident command center’s audit stream never leaves the UK region. See Compliance and Trust Score for how the audit trail feeds ISO 42001 control evidence automatically.

Auditor access

Delphi ships with a dedicated Auditor role designed exactly for this job. Auditors can read the full audit trail, compliance dashboard, and all public, internal, and confidential data across the command centers they are assigned to — but they cannot mutate records, approve actions, or configure agents. It is a read-plus-investigate role, not an operator role.

Assign the auditor role the same way you assign any other scope, from the Permissions tab on a command center. See Roles and permissions for the full scope hierarchy and what each role can and cannot do. For external auditors on time-bounded engagements, pair the role with an expiring invite so access falls off automatically at the end of the engagement.
