What is Log Retention?


Log retention refers to policies governing how long audit logs of AI agent tool calls are stored. Different regulations require different retention periods — from one year for PCI DSS to seven years for certain financial data — and organisations must define clear retention rules.

WHY IT MATTERS

Every audit log takes up storage, and storage costs money. But deleting logs too early can be far more expensive. If a regulator requests evidence of agent activity from 18 months ago and you only retain logs for 12 months, you have a compliance gap. If a security incident is discovered months after it occurred and the relevant logs have been purged, you cannot investigate or demonstrate that your controls were operating.

Log retention requirements vary significantly by regulation. PCI DSS requires at least one year of audit trail history, with a minimum of three months immediately available for analysis. HIPAA requires six years for security-related documentation. Financial regulations like those governing broker-dealers may require seven years. SOC 2 doesn't specify a duration but requires that logs cover the audit period — typically 6 to 12 months.

For AI agents, log volume can be substantial. An active agent might make dozens of MCP tool calls per task, and each call generates a decision log entry. Multiply by the number of agents and tasks, and organisations can accumulate millions of log entries per month. Retention policies must balance compliance requirements against storage costs — often using tiered storage (hot/warm/cold) to keep recent logs readily accessible while archiving older logs to cheaper storage.

HOW POLICYLAYER USES THIS

Intercept generates structured decision logs that can be forwarded to external storage with configurable retention. Because logs are emitted as structured events (JSON), they integrate with standard log lifecycle management — hot storage in Elasticsearch for recent logs, warm storage in S3 for intermediate retention, and cold storage in Glacier or equivalent for long-term compliance archives. Organisations configure retention at the storage layer rather than in Intercept itself, allowing different retention periods for different log types or compliance requirements.

FREQUENTLY ASKED QUESTIONS

What happens if I delete logs before the retention period expires?
Premature deletion is a compliance violation. Auditors and regulators expect logs to be available for the required period. If logs are missing, it can result in audit findings, regulatory penalties, or the inability to investigate security incidents. Automate retention with lifecycle policies to avoid accidental deletion.
Can I retain logs longer than required?
Yes, but be careful. Longer retention means more data to protect, more storage costs, and potential conflicts with data minimisation requirements (e.g. GDPR). Define a clear retention schedule that meets your most stringent requirement without keeping data indefinitely.
How do I handle different retention requirements for different regulations?
Apply the longest applicable retention period as your default, or tag logs by category and apply different retention policies. For example, logs involving health data might have a 6-year retention (HIPAA) while general access logs have a 1-year retention (PCI DSS).
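The following is an added worked example of the category-tagged, tiered retention scheme described in the paragraphs above and in the Intercept section; it is illustrative code written for this page, not code from Intercept or PolicyLayer. It assumes a hypothetical `categories` list on each JSON decision-log event, a `retention` object tag stamped on each log object when it is written to S3, and S3 lifecycle rules keyed on that tag. The category names, the one-year warm-to-cold transition point and the sample events are all assumptions; only the retention periods are the ones the page cites.

```python
import json

# Minimum retention periods the page cites, in days, keyed by a hypothetical
# category tag that the log forwarder is assumed to attach to each event.
RETENTION_DAYS = {
    "general": 365,            # PCI DSS: at least one year of audit trail history
    "phi": 6 * 365,            # HIPAA: six years for security-related documentation
    "broker-dealer": 7 * 365,  # certain financial records: seven years
}
WARM_TO_COLD_DAYS = 365  # assumption: move from S3 Standard to Glacier after one year


def retention_days(categories):
    """Longest applicable period wins when an event matches several regimes.
    An unknown category is an error rather than a silent default."""
    unknown = set(categories) - set(RETENTION_DAYS)
    if unknown:
        raise ValueError(f"no retention rule for categories: {sorted(unknown)}")
    return max((RETENTION_DAYS[c] for c in categories),
               default=RETENTION_DAYS["general"])


def retention_tag(event_json):
    """Return the S3 object tag value to stamp on one structured decision-log
    event. The event is assumed to carry a hypothetical 'categories' list."""
    event = json.loads(event_json)
    return f"retain-{retention_days(event.get('categories', []))}d"


def lifecycle_configuration():
    """Build an S3 bucket lifecycle configuration with one rule per distinct
    retention tag value (the shape boto3's put_bucket_lifecycle_configuration
    expects as LifecycleConfiguration)."""
    rules = []
    for days in sorted(set(RETENTION_DAYS.values())):
        rule = {
            "ID": f"decision-logs-retain-{days}d",
            "Filter": {"Tag": {"Key": "retention", "Value": f"retain-{days}d"}},
            "Status": "Enabled",
            "Expiration": {"Days": days},
        }
        # S3 rejects a transition on or after the expiration day, so one-year
        # logs never move to cold storage; they simply expire from warm.
        if days > WARM_TO_COLD_DAYS:
            rule["Transitions"] = [
                {"Days": WARM_TO_COLD_DAYS, "StorageClass": "DEEP_ARCHIVE"}
            ]
        rules.append(rule)
    return {"Rules": rules}


def validate(config):
    """Checks worth running before applying the configuration: every rule
    expires (no indefinite retention, cf. the GDPR minimisation point) and
    every transition happens strictly before expiration."""
    problems = []
    for rule in config["Rules"]:
        exp = rule.get("Expiration", {}).get("Days")
        if exp is None:
            problems.append(f"{rule['ID']}: no Expiration, data kept indefinitely")
            continue
        for t in rule.get("Transitions", []):
            if t["Days"] >= exp:
                problems.append(f"{rule['ID']}: transition at day {t['Days']} "
                                f"is not before expiration at day {exp}")
    return problems


def coverage_gap_days(config, tag_value, needed_days):
    """How many days short the rule for tag_value falls of needed_days
    (0 means covered). This is the gap from the text: a regulator asks for
    logs 18 months old while the rule expires them after 12 months."""
    for rule in config["Rules"]:
        if rule["Filter"]["Tag"]["Value"] == tag_value:
            return max(0, needed_days - rule["Expiration"]["Days"])
    raise KeyError(f"no lifecycle rule for tag {tag_value}")


if __name__ == "__main__":
    # Constructed sample events in the JSON shape this example assumes.
    phi_event = json.dumps({"tool": "ehr.lookup", "decision": "allow",
                            "categories": ["phi", "general"]})
    plain_event = json.dumps({"tool": "web.search", "decision": "deny",
                              "categories": []})
    cfg = lifecycle_configuration()
    print(retention_tag(phi_event), retention_tag(plain_event))  # retain-2190d retain-365d
    print(validate(cfg))                                        # []
    print(coverage_gap_days(cfg, "retain-365d", 18 * 30))       # 175
```

The `retention` tag has to be applied when the object is written (for example via the `Tagging` parameter of `put_object`), because S3 lifecycle tag filters only see object tags, not anything inside the JSON. This example covers only the warm and cold S3 tiers; the hot tier (the three months PCI DSS wants immediately available, held in Elasticsearch on this page) would be governed separately by that system's own index lifecycle settings.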

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →