# Audit Archive & Reporting Highflame's audit and reporting capabilities give organizations durable records of AI activity, structured summaries for stakeholders, and the access controls needed to govern who can do what across the platform. *** ## Audit Archive ### What it captures When Audit Archive is enabled on a route, Highflame records every request and response that flows through that route — including: * Model inputs (prompt, conversation history, system prompt) * Model outputs (full response) * Tool call arguments and tool responses * Shield evaluation results: detector scores, Cedar policy decisions, determining policies, enforcement action taken * **Cryptographic agent identity**: the full ZeroID JWT claims — `sub` (SPIFFE URI of the acting agent), `act.sub` (delegating principal or human user), `trust_level`, `identity_type`, `sub_type`, `delegation_depth`, `scopes`, and `grant_type` * Token usage and cost attribution * Timestamp and end-to-end latency Because identity claims come from cryptographically-signed ZeroID tokens — validated by the Gateway before the request is processed — archive records carry verifiable attribution, not just logged metadata. See [Agent Identity & Audit Trail](/governance-and-reporting/agent-identity-audit.md) for how identity claims are structured and how to verify them independently. Records are immutable once written. They cannot be modified or selectively deleted, which satisfies the non-repudiation requirements of most audit frameworks. ### Route-level enablement Archiving is configured at the route level rather than globally. This allows teams to: * Enable archiving only for regulated workflows or sensitive applications, avoiding unnecessary data retention costs elsewhere * Apply different retention periods to different route classes (e.g., longer retention for financial or healthcare routes) * Satisfy data residency requirements by routing regulated traffic through region-specific routes with archiving enabled To enable archiving on a route, navigate to **Highflame Studio → Gateway → Routes → \[route name] → Audit Archive**. ### Data retention Standard Observatory data is retained on a rolling basis: | Data type | Default retention | | -------------------------- | ------------------------------ | | Detection events (threats) | 90 days | | Distributed traces | 30 days | | Audit Archive records | Configurable (90 days–7 years) | Audit Archive retention periods are set per route and can be extended to meet regulatory requirements (e.g., 7 years for SOC 2 or HIPAA). Contact your account team to configure extended retention. *** ## Reporting Highflame generates structured reports that transform raw observability and audit data into summaries consumable by both technical and non-technical stakeholders. ### What reports cover Reports are built around three dimensions: **Usage** — How AI resources are being consumed across the organization: * Request volume per application, route, and model over time * Token consumption and cost attribution broken down by agent, user, and application * Top tools and MCP servers by invocation count * Active sessions and their lifecycle metrics **Security posture** — The state of policy enforcement across your deployments: * Block, alert, and monitor rates by threat category and enforcement action * Policy coverage — which routes have guardrails enabled vs. running unprotected * Threat trend analysis: which attack categories are increasing or decreasing * Top-targeted agents, users, and applications **Compliance** — Evidence of responsible AI operation for audits and reviews: * Policy change history: when policies were modified, by whom, and what changed * Guardrail failure rate and availability — periods where evaluation may have been incomplete * Framework coverage: what percentage of OWASP / NIST controls are actively enforced ### Who reports are for Reports are designed for multiple audiences: | Audience | Primary use | | ---------------------- | ---------------------------------------------------------- | | **Security teams** | Threat trend analysis, coverage gaps, incident volume | | **Compliance & legal** | Evidence of controls for audits and regulatory inquiries | | **Platform teams** | Cost attribution, model usage, route utilization | | **Leadership** | Summary posture view, risk trends, policy change oversight | Reports are accessible in **Highflame Studio → Governance → Reports**. *** ## Access Controls ### Role-based access control Highflame supports role-based access control (RBAC) across all platform resources. Roles determine who can read, create, modify, or delete: * **Routes** — model endpoints and their policy assignments * **Policies** — Cedar policies and profile assignments * **Providers** — LLM provider registrations and credentials * **MCP Registries** — registered tool servers and enabled tools * **Audit Archive** — archive records and export configuration Roles are assigned to users and service accounts at the project level. Fine-grained permissions prevent lower-trust team members from modifying production guardrails or accessing sensitive credential configuration. ### Secrets Vault Provider credentials (API keys, tokens, private keys) are stored in the **Secrets Vault**, backed by AWS Secrets Manager with KMS encryption at rest. Applications reference a named route; the Gateway retrieves credentials from the vault at request time. Applications never handle raw credentials. This means: * A compromised agent or application cannot leak the underlying model API key * Rotating a provider key requires updating it in one place (the vault), not across every application * Credential access is logged and auditable ### Routing controls Route configuration determines which models and capabilities are accessible to each application. Administrators can restrict access to high-risk models, specific capability sets, or expensive model tiers — ensuring that only explicitly authorized workloads can invoke them. These restrictions are enforced by the Gateway before any request is forwarded. *** ## Related * [Compliance Framework Coverage](/governance-and-reporting/compliance-frameworks.md) — how Highflame maps to OWASP, MITRE, NIST, and regulatory frameworks * [Observatory Overview](/observatory/observatory.md) — investigation surfaces for threat events, sessions, and traces * [Integrated Guardrails](/agent-gateway/agent-gateway.md) — route-level guardrail configuration * [Alerts](/integrations/alerts.md) — streaming governance events to Slack, Splunk, or webhooks --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.highflame.ai/governance-and-reporting/audit-archive.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.