Audit trail
Cognify captures every data, configuration, and evaluation artifact from your fine-tuning run in an immutable audit log. This guide covers how that log is structured, how to export it, and which compliance frameworks each export format targets.
Immutability guarantees
Once a run completes and is sealed, its audit record cannot be modified. Cognify enforces immutability at two levels:
- Application-level seal: Calling cognify.export_audit() or clicking "Seal run" in the dashboard transitions the run to AUDIT_SEALED status. Sealed runs are read-only in the API and UI.
- Storage-level WORM: On Enterprise plans, sealed run objects are stored on write-once object storage (AWS S3 Object Lock or GCS Object Retention). Physical deletion requires support escalation.
You can verify the seal integrity at any time by computing the SHA-256 hash of the exported package and comparing it against the package_hash returned by the export API.
Lineage graph schema
The lineage graph is a directed acyclic graph (DAG) stored as JSON. Every node has a type, id, hash, and timestamp:
{
  "run_id": "run_20250912_143022_a7f3c",
  "status": "AUDIT_SEALED",
  "sealed_at": "2025-09-12T16:45:00Z",
  "nodes": [
    {
      "type": "dataset",
      "id": "ds_patient_notes_v3",
      "hash": "sha256:8f4a2c...",
      "record_count": 142000,
      "schema_version": "3"
    },
    {
      "type": "config",
      "id": "cfg_llama3_8b_lora_r16",
      "hash": "sha256:3b9d1e..."
    },
    {
      "type": "checkpoint",
      "id": "ckpt_step_2500",
      "hash": "sha256:c7f9a4...",
      "step": 2500
    }
  ],
  "edges": [
    { "from": "ds_patient_notes_v3", "to": "ckpt_step_2500" },
    { "from": "cfg_llama3_8b_lora_r16", "to": "ckpt_step_2500" }
  ]
}
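The package hash comparison described under "Immutability guarantees" and a structural check of the lineage graph above, as an added example that is not Cognify's own code. It assumes package_hash uses the same sha256:<hex> form as the node hashes and that the exported package is available as bytes; package_hash_matches, lineage_problems and SAMPLE are hypothetical names.

```python
import hashlib
import re

HASH_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def package_hash_matches(package: bytes, package_hash: str) -> bool:
    # Assumption: package_hash uses the same "sha256:<hex>" form as node hashes.
    digest = "sha256:" + hashlib.sha256(package).hexdigest()
    return digest == package_hash.strip().lower()

def lineage_problems(graph: dict) -> list:
    """Return structural problems in a lineage graph; empty list means none found."""
    nodes = {n["id"]: n for n in graph["nodes"]}
    problems = [] if graph.get("status") == "AUDIT_SEALED" else ["run is not sealed"]
    for node_id, node in nodes.items():
        # A truncated or absent hash cannot be checked against the artifact.
        if not HASH_RE.match(node.get("hash", "")):
            problems.append(f"{node_id}: missing or malformed hash")
    indegree = dict.fromkeys(nodes, 0)
    children = {node_id: [] for node_id in nodes}
    for edge in graph["edges"]:
        src, dst = edge["from"], edge["to"]
        if src not in nodes or dst not in nodes:
            problems.append(f"edge {src} -> {dst}: unknown node")
            continue
        children[src].append(dst)
        indegree[dst] += 1
    # Kahn's algorithm: nodes that never reach in-degree 0 sit on a cycle.
    ready = [n for n, d in indegree.items() if d == 0]
    visited = 0
    while ready:
        visited += 1
        for child in children[ready.pop()]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if visited != len(nodes):
        problems.append("lineage graph contains a cycle")
    return problems

# Constructed sample (not real Cognify output); ids and hashes are placeholders.
SAMPLE = {
    "status": "AUDIT_SEALED",
    "nodes": [{"type": "dataset", "id": "ds", "hash": "sha256:" + "a" * 64},
              {"type": "config", "id": "cfg", "hash": "sha256:" + "b" * 64},
              {"type": "checkpoint", "id": "ckpt", "hash": "sha256:" + "c" * 64}],
    "edges": [{"from": "ds", "to": "ckpt"}, {"from": "cfg", "to": "ckpt"}],
}
```

An empty list from lineage_problems means only that the graph is well-formed; each node hash still has to be compared against the artifact it names.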
Export formats
| Format | Use case | Contents |
|---|---|---|
| pdf | Auditor handoff, regulatory submission | Narrated run summary, dataset provenance, hyperparameter table, eval results, seal certificate |
| json | Programmatic ingestion, GRC tools (ServiceNow, Vanta) | Full lineage graph + all hashes in machine-readable JSON |
| xlsx | Compliance spreadsheets, SOC 2 evidence collection | Tabular view: datasets, configs, checkpoints, eval metrics, one sheet per type |
The template parameter of cognify.export_audit() selects compliance-specific report templates. See below for details.
EU AI Act model card template
Pass template="eu_ai_act" to generate a model card aligned with EU AI Act Article 11 technical documentation requirements. The template populates:
- Model identification (architecture, parameter count, fine-tuning method)
- Training data description (dataset hashes, record counts, data source categories)
- Performance on standard benchmarks (populated from cognify.eval() data)
- Known limitations and failure modes section (populated from run notes)
- Deployment restrictions and acceptable use policy (supplied by your organization)
HIPAA documentation package
Pass template="hipaa" for a package aligned with HIPAA Security Rule technical safeguard documentation. This template includes:
- PHI data handling attestation (no PHI in training data, or PHI de-identification method)
- Access control log for the training run (who ran it, when, from which IP)
- Encryption-at-rest attestation for checkpoint storage
- Incident response cross-reference (links to your workspace's incident policy URL)
Note: Cognify's HIPAA template covers ML pipeline documentation only. It does not replace your organization's broader HIPAA compliance program or BAA obligations.
Retention and export APIs
Retention settings are configurable via the REST API:
PATCH /v2/workspaces/{workspace_id}/retention
Content-Type: application/json
{
  "retention_years": 7,
  "archive_after_days": 90,
  "auto_export_on_seal": true,
  "auto_export_format": "json"
}
When auto_export_on_seal is true, Cognify automatically exports an audit package to your configured storage integration (S3, GCS, or Azure Blob) each time a run is sealed.