How we built a tamper-evident WORM audit log for AI agents using SHA-256 hash chains and PostgreSQL

Published on dev.to | Tags: ai, security, postgres, node

When your AI agents are making real decisions — sending emails, approving contracts, deleting records — "we have logs" is not the same as "we can prove what happened." This is the story of how we built a cryptographically tamper-evident audit log for AI Governor, and why the implementation details matter more than people think.

The problem with normal audit logs

Most audit logs have a critical flaw: they can be altered after the fact. If someone with database access modifies a row, deletes it, or even changes the timestamp, there's no automatic way to detect it. For enterprise AI agents executing high-stakes actions, this is a compliance nightmare.
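The three kinds of tampering named above (a modified row, a deleted row, a changed timestamp), checked with a SHA-256 hash chain. This is an added example, not AI Governor's code; the row fields (`seq`, `ts`, `agent`, `action`, `prev_hash`, `hash`), the in-memory array standing in for the PostgreSQL table, and the sample rows are assumptions.

```javascript
// Added example, not AI Governor's code. Field names and sample rows are assumed.
const { createHash } = require("crypto");

const GENESIS = "0".repeat(64); // prev_hash used by the first row

// Hash every field plus the previous row's hash, so any edit breaks the chain.
function rowHash(row) {
  const canonical = JSON.stringify([row.seq, row.ts, row.agent, row.action, row.prev_hash]);
  return createHash("sha256").update(canonical).digest("hex");
}

function append(log, entry) {
  const prev = log[log.length - 1];
  const row = { seq: prev ? prev.seq + 1 : 1, ...entry, prev_hash: prev ? prev.hash : GENESIS };
  row.hash = rowHash(row);
  log.push(row);
  return row;
}

// Returns null when the chain is intact, otherwise the first break found.
// expectedHead is the last hash as recorded outside the table (optional).
function verify(log, expectedHead) {
  let prevHash = GENESIS;
  let expectedSeq = 1;
  for (const row of log) {
    if (row.seq !== expectedSeq) return { seq: row.seq, reason: "gap" };
    if (row.prev_hash !== prevHash) return { seq: row.seq, reason: "broken-link" };
    if (rowHash(row) !== row.hash) return { seq: row.seq, reason: "content-mismatch" };
    prevHash = row.hash;
    expectedSeq += 1;
  }
  if (expectedHead !== undefined && prevHash !== expectedHead) {
    return { seq: null, reason: "head-mismatch" };
  }
  return null;
}

// Constructed sample rows mirroring the actions mentioned in the introduction.
function buildSample() {
  const log = [];
  append(log, { ts: "2024-01-01T10:00:00Z", agent: "agent-1", action: "send_email" });
  append(log, { ts: "2024-01-01T10:05:00Z", agent: "agent-1", action: "approve_contract" });
  append(log, { ts: "2024-01-01T10:09:00Z", agent: "agent-2", action: "delete_record" });
  return log;
}

const edited = buildSample();
edited[1].action = "noop"; // simulate someone with database access editing a row
console.log(verify(buildSample()), verify(edited));
```

Without an `expectedHead` stored outside the database, removing the newest rows leaves a shorter but internally valid chain, and anyone able to recompute every later hash can rewrite history undetected.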