Logging of prompts + outputs to SIEM
Demonstrate that all generative AI prompt and output pairs are logged with sufficient metadata and reliably forwarded to the organization's SIEM for security monitoring, incident response, and compliance purposes.
Description
What this control does
This control requires that all prompts submitted to generative AI systems and their corresponding outputs be logged and forwarded to a centralized Security Information and Event Management (SIEM) platform in near real-time. Logs must include metadata such as user identity, timestamp, session identifier, model version, token count, and any content filtering flags. This enables security teams to detect data exfiltration attempts, prompt injection attacks, policy violations, and unauthorized use patterns. The control is critical for maintaining audit trails and enabling retrospective investigation of AI-related security incidents.
Control objective
What auditing this proves
Demonstrate that all generative AI prompt and output pairs are logged with sufficient metadata and reliably forwarded to the organization's SIEM for security monitoring, incident response, and compliance purposes.
Associated risks
Risks this control addresses
- Unauthorized users exfiltrate sensitive data by embedding it in prompts or extracting it through crafted queries without detection
- Prompt injection attacks manipulate AI behavior to bypass security controls or generate harmful content, leaving no forensic trail
- Employees submit proprietary code, trade secrets, or regulated data to external AI services without organizational visibility
- Adversaries use compromised accounts to perform reconnaissance or generate malicious content undetected over extended periods
- Lack of audit trail prevents investigation of compliance violations, policy breaches, or misuse incidents involving AI systems
- Data loss or intellectual property theft occurs through AI interactions but cannot be attributed to specific users or sessions
- Insider threats leverage AI tools to automate social engineering attacks or generate phishing content without triggering alerts
Testing procedure
How an auditor verifies this control
- Inventory all generative AI systems in use across the organization, including both sanctioned enterprise tools and shadow IT identified through network monitoring or user surveys.
- Review the logging configuration for each AI system to confirm that both user prompts and system outputs are captured with required metadata fields (user ID, timestamp, session ID, model version, token counts, content flags).
- Verify SIEM integration by tracing the log forwarding pipeline from AI systems to the SIEM, documenting transport protocols, authentication methods, and forwarding frequency.
- Select a stratified sample of 20-30 AI interaction sessions spanning different users, models, and time periods, then locate corresponding log entries in the SIEM.
- Compare sampled log entries against source system records to validate completeness, checking that no prompts or outputs are truncated and metadata is accurate.
- Test log retention by querying the SIEM for AI interaction logs from the oldest required retention period and confirming records are intact and searchable.
- Simulate a test prompt injection scenario (coordinated with IT) and verify that the prompt, output, and any triggered content filtering alerts appear in the SIEM within the defined time threshold.
- Review SIEM alerting rules to confirm that detection use cases exist for high-risk patterns such as sensitive data patterns in prompts, excessive token usage, after-hours access, or repeated content policy violations.
Where this control is tested