Audit Archive & Reporting
Highflame's audit and reporting capabilities give organizations durable records of AI activity, structured summaries for stakeholders, and the access controls needed to govern who can do what across the platform.
Audit Archive
What it captures
When Audit Archive is enabled on a route, Highflame records every request and response that flows through that route — including:
Model inputs (prompt, conversation history, system prompt)
Model outputs (full response)
Tool call arguments and tool responses
Shield evaluation results: detector scores, Cedar policy decisions, determining policies, enforcement action taken
Cryptographic agent identity: the full ZeroID JWT claims, namely sub (SPIFFE URI of the acting agent), act.sub (delegating principal or human user), trust_level, identity_type, sub_type, delegation_depth, scopes, and grant_type
Token usage and cost attribution
Timestamp and end-to-end latency
Because identity claims come from cryptographically-signed ZeroID tokens — validated by the Gateway before the request is processed — archive records carry verifiable attribution, not just logged metadata. See Agent Identity & Audit Trail for how identity claims are structured and how to verify them independently.
Records are immutable once written. They cannot be modified or selectively deleted, which satisfies the non-repudiation requirements of most audit frameworks.
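As an added illustration (not Highflame code), the following script checks exported archive records for complete identity attribution using the claim names listed above. The JSON-lines layout with `id` and `identity` fields, the rule that a delegated request must carry act.sub, and all sample values are assumptions made for this example.

```python
import json
from urllib.parse import urlparse

# Claim names as listed on this page; the record layout around them is assumed.
REQUIRED = ("sub", "trust_level", "identity_type", "sub_type",
            "delegation_depth", "scopes", "grant_type")

def attribution_gaps(record):
    """Return the reasons a record's identity attribution is incomplete."""
    claims = record.get("identity") or {}
    gaps = [f"missing claim: {name}" for name in REQUIRED if name not in claims]
    if "sub" in claims:
        uri = urlparse(str(claims["sub"]))
        if uri.scheme != "spiffe" or not uri.netloc or not uri.path.strip("/"):
            gaps.append("sub is not a SPIFFE URI")
    depth = claims.get("delegation_depth")
    if "delegation_depth" in claims and (type(depth) is not int or depth < 0):
        gaps.append("delegation_depth is not a non-negative integer")
    # Assumption: a delegated request (depth > 0) must name its principal in act.sub.
    elif type(depth) is int and depth > 0 and not (claims.get("act") or {}).get("sub"):
        gaps.append("delegated request without act.sub")
    return gaps

def review(lines):
    """Map record id (or line number) to gaps, for records that fail the check."""
    findings = {}
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
            gaps = attribution_gaps(record)
        except (ValueError, AttributeError, TypeError):  # bad JSON or wrong shape
            record, gaps = {}, ["unparseable record"]
        if gaps:
            findings[record.get("id", f"line {n}")] = gaps
    return findings

# Constructed sample export; every value below is a placeholder.
BASE = {"sub": "spiffe://example.org/agents/billing-bot", "trust_level": "sample",
        "identity_type": "sample", "sub_type": "sample", "delegation_depth": 0,
        "scopes": ["sample:read"], "grant_type": "sample"}
def _rec(rid, drop=(), **over):
    claims = {k: v for k, v in {**BASE, **over}.items() if k not in drop}
    return json.dumps({"id": rid, "identity": claims})
SAMPLE = [
    _rec("rec-001"), _rec("rec-002", delegation_depth=1, act={"sub": "user:alice@example.org"}),
    _rec("rec-003", delegation_depth=2), _rec("rec-004", drop=("trust_level",), sub="billing-bot"),
    '{"id": "rec-005", "identity": {"sub": "spiffe://exa',  # truncated line
]
if __name__ == "__main__":
    print(json.dumps(review(SAMPLE), indent=2))
```

This checks only that the recorded claims are present and well-formed; it does not verify the token signature, which the Gateway validates before the request is processed.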
Route-level enablement
Archiving is configured at the route level rather than globally. This allows teams to:
Enable archiving only for regulated workflows or sensitive applications, avoiding unnecessary data retention costs elsewhere
Apply different retention periods to different route classes (e.g., longer retention for financial or healthcare routes)
Satisfy data residency requirements by routing regulated traffic through region-specific routes with archiving enabled
To enable archiving on a route, navigate to Highflame Studio → Gateway → Routes → [route name] → Audit Archive.
Data retention
Standard Observatory data is retained on a rolling basis:
Detection events (threats): 90 days
Distributed traces: 30 days
Audit Archive records: Configurable (90 days–7 years)
Audit Archive retention periods are set per route and can be extended to meet regulatory requirements (e.g., 7 years for SOC 2 or HIPAA). Contact your account team to configure extended retention.
Reporting
Highflame generates structured reports that transform raw observability and audit data into summaries consumable by both technical and non-technical stakeholders.
What reports cover
Reports are built around three dimensions:
Usage — How AI resources are being consumed across the organization:
Request volume per application, route, and model over time
Token consumption and cost attribution broken down by agent, user, and application
Top tools and MCP servers by invocation count
Active sessions and their lifecycle metrics
Security posture — The state of policy enforcement across your deployments:
Block, alert, and monitor rates by threat category and enforcement action
Policy coverage — which routes have guardrails enabled vs. running unprotected
Threat trend analysis: which attack categories are increasing or decreasing
Top-targeted agents, users, and applications
Compliance — Evidence of responsible AI operation for audits and reviews:
Policy change history: when policies were modified, by whom, and what changed
Guardrail failure rate and availability — periods where evaluation may have been incomplete
Framework coverage: what percentage of OWASP / NIST controls are actively enforced
Who reports are for
Reports are designed for multiple audiences:
Security teams: Threat trend analysis, coverage gaps, incident volume
Compliance & legal: Evidence of controls for audits and regulatory inquiries
Platform teams: Cost attribution, model usage, route utilization
Leadership: Summary posture view, risk trends, policy change oversight
Reports are accessible in Highflame Studio → Governance → Reports.
Access Controls
Role-based access control
Highflame supports role-based access control (RBAC) across all platform resources. Roles determine who can read, create, modify, or delete:
Routes — model endpoints and their policy assignments
Policies — Cedar policies and profile assignments
Providers — LLM provider registrations and credentials
MCP Registries — registered tool servers and enabled tools
Audit Archive — archive records and export configuration
Roles are assigned to users and service accounts at the project level. Fine-grained permissions prevent lower-trust team members from modifying production guardrails or accessing sensitive credential configuration.
Secrets Vault
Provider credentials (API keys, tokens, private keys) are stored in the Secrets Vault, backed by AWS Secrets Manager with KMS encryption at rest. Applications reference a named route; the Gateway retrieves credentials from the vault at request time. Applications never handle raw credentials.
This means:
A compromised agent or application cannot leak the underlying model API key
Rotating a provider key requires updating it in one place (the vault), not across every application
Credential access is logged and auditable
Routing controls
Route configuration determines which models and capabilities are accessible to each application. Administrators can restrict access to high-risk models, specific capability sets, or expensive model tiers — ensuring that only explicitly authorized workloads can invoke them. These restrictions are enforced by the Gateway before any request is forwarded.
Related
Compliance Framework Coverage — how Highflame maps to OWASP, MITRE, NIST, and regulatory frameworks
Observatory Overview — investigation surfaces for threat events, sessions, and traces
Integrated Guardrails — route-level guardrail configuration
Alerts — streaming governance events to Slack, Splunk, or webhooks