Every compliance officer knows the feeling: an examiner asks to see your audit trail, and you produce a spreadsheet of log entries. The examiner asks how you prove those entries have not been altered. You point to access controls. The examiner asks what happens when the administrator with access controls is the threat. Silence.
This is the gap that every major regulatory framework is closing in 2026. The question is no longer whether you have logs. The question is whether your audit trail constitutes independently verifiable proof. Proof that a record existed at a specific time, was created by a specific actor, has not been modified since creation, and will remain verifiable decades from now when the cryptographic assumptions underpinning today's signatures may no longer hold.
This guide maps the specific audit trail requirements across four regulated industries: banking, healthcare, insurance, and government. For each, we identify the controlling frameworks, the precise requirements, the retention periods, and the gap between what regulators demand and what most organizations actually deliver. We also show how a single cryptographic primitive, H33-74, satisfies the audit trail requirements across all four frameworks with 74 bytes of attestation per record.
Banking: FFIEC, OCC, SOX, and BSA/AML
Banking is the most heavily examined industry in the United States, and its audit trail requirements reflect that intensity. Four overlapping frameworks define what banks must produce when examiners arrive.
FFIEC IT Examination Handbook
The Federal Financial Institutions Examination Council publishes the IT Examination Handbook, which serves as the operational bible for examiners from the OCC, FDIC, Federal Reserve, and NCUA. The Audit section of this handbook establishes the foundational requirement: audit trails must capture who performed an action, what the action was, when it occurred, and where it occurred within the information system. This four-element requirement applies to every access event and every change event across every system that processes, stores, or transmits financial data.
The handbook goes further than simple logging. It requires that audit trails be protected against unauthorized modification, that they be reviewed regularly by independent parties, and that the review itself be documented. In practice, this means your audit trail infrastructure must be at least as secure as the systems it monitors. An audit trail that an administrator can silently edit is not an audit trail. It is a liability.
FFIEC examiners increasingly test this boundary. They ask how you detect tampering with audit records. They ask whether your audit trail system has its own audit trail. They ask whether the integrity of historical records can be independently verified without relying on the same infrastructure that produced them. If your answer depends on a single vendor's claim that their database is append-only, you will receive a Matter Requiring Attention.
OCC Bulletin 2023-17: Third-Party and AI Audit Trails
OCC Bulletin 2023-17 on third-party risk management extended audit trail requirements into a domain most banks were not prepared for: AI and algorithmic decision-making. When a bank uses a third-party model for credit decisioning, fraud detection, or customer segmentation, the bank must maintain audit trails that document how the model reached each decision. This requirement applies regardless of whether the model is hosted internally or provided as a service.
The bulletin specifically addresses the challenge of opaque models. If a vendor cannot provide decision-level audit trails, the bank must either build its own monitoring layer or discontinue use of the model. There is no exception for model complexity. The audit trail must capture the inputs to each decision, the model version used, the output produced, and any human overrides applied after the model rendered its judgment.
For banks operating AI-driven systems, this means every inference must be attested. Not logged. Attested. The distinction matters because an attestation is a cryptographic commitment that binds a specific output to a specific set of inputs at a specific time. A log entry is a line of text that someone wrote to a file. Examiners are beginning to understand this distinction, and their expectations are shifting accordingly.
SOX Section 302/404: Financial Record Integrity
The Sarbanes-Oxley Act requires publicly traded companies to maintain internal controls over financial reporting. Section 302 requires that the CEO and CFO personally certify the accuracy of financial statements. Section 404 requires an annual assessment of internal controls, including controls over the audit trail itself.
SOX auditors look for tamper-evident audit trails on every system that feeds into financial reporting. This includes not just the general ledger but every upstream system: billing platforms, revenue recognition engines, expense management tools, and the integration pipelines that connect them. If any link in that chain lacks a verifiable audit trail, the entire chain is suspect.
The tamper-evidence standard under SOX is evolving. External auditors from the Big Four increasingly request evidence that audit records are cryptographically signed at creation and that the integrity of historical records can be verified without relying on the producing system. This is the definition of independent verifiability, and it is now a practical requirement for SOX compliance rather than an aspirational goal.
BSA/AML: Five-Year Retention with Teeth
The Bank Secrecy Act and its anti-money laundering regulations impose the most demanding retention requirements in banking. Transaction monitoring audit trails must be retained for a minimum of five years from the date of creation. Suspicious Activity Report (SAR) filing documentation must be retained for five years from the date of filing. Currency Transaction Report (CTR) records follow the same five-year minimum.
But retention is only half the requirement. FinCEN examiners increasingly ask whether retained records can still be verified at the end of the retention period. A five-year-old SHA-256 hash is still verifiable today. But will a five-year-old RSA-2048 signature be verifiable in 2031, when NIST has projected that quantum computers may begin threatening classical cryptographic assumptions? For BSA/AML records created today, the answer must be yes, which means the signature scheme protecting those records must be post-quantum secure.
Banking audit trail minimum standard in 2026: Every access and change event must be captured with who, what, when, and where. Records must be tamper-evident, independently verifiable, and retained for at least five years. AI and model decisions require decision-level attestation. Signature schemes must remain verifiable across the full retention period.
Healthcare: HIPAA Security Rule and the 2026 Update
Healthcare audit trail requirements center on the HIPAA Security Rule, which underwent its most significant revision in over a decade with the 2026 update. The changes eliminate ambiguity that compliance teams have exploited for years.
HIPAA Security Rule 164.312(b): Audit Controls
Section 164.312(b) of the HIPAA Security Rule requires covered entities and business associates to implement "hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." This language is intentionally broad. It applies to every system in the environment that touches ePHI, including EHR platforms, clinical imaging systems, pharmacy management systems, patient portals, billing platforms, and the integration engines that connect them.
The "record and examine" language creates a two-part obligation. Recording means capturing a complete audit trail of every access event, every modification, every export, and every deletion. Examining means actively reviewing those records for unauthorized access, anomalous patterns, and policy violations. An audit trail that no one reviews is not compliant with 164.312(b), regardless of how comprehensive the logging is.
Healthcare organizations frequently underestimate the scope of this requirement. It does not apply only to the EHR. It applies to the database server hosting the EHR, the backup system that copies the database, the analytics platform that queries the database, the mobile application that displays patient data, and the API gateway that mediates access to all of the above. Every system that contains or uses ePHI must have its own audit trail, and those audit trails must be reconcilable.
The 2026 HIPAA Update: Encryption Is No Longer Addressable
The most consequential change in the 2026 HIPAA update is the elimination of the "addressable" designation for encryption. Under the previous rule, encryption was an addressable implementation specification, meaning covered entities could choose not to encrypt ePHI if they documented an equivalent alternative measure. In practice, this created a loophole that many organizations drove through at full speed, storing and transmitting ePHI in plaintext while pointing to other controls as compensating measures.
The 2026 update makes encryption a required implementation specification. ePHI must be encrypted at rest and in transit, without exception. This change has a direct impact on audit trail requirements because it means audit records that contain ePHI, including access logs that reveal which patient records were accessed, must themselves be encrypted. The audit trail is now subject to the same encryption standard as the data it monitors.
This creates a practical challenge: how do you make audit records both encrypted and independently verifiable? The traditional approach of encrypting the log file and controlling access to the decryption key does not satisfy independent verifiability because verifying the integrity of a record requires decrypting it, which requires the key, which requires the infrastructure you are trying to verify. Cryptographic attestation solves this problem by generating a verifiable proof of the record's integrity at creation time, allowing the proof to be verified without ever decrypting the underlying record.
PHI Access Logging and Breach Notification
HIPAA requires that every access to protected health information be logged. This is not a sampling requirement. It is a complete capture requirement. Every view, every query, every export, every print, every copy must be recorded with the identity of the user, the time of access, the specific records accessed, and the action performed.
The breach notification rule at 164.408 makes the stakes explicit. When a potential breach occurs, the covered entity must determine within 60 days whether the breach actually exposed ePHI, who was affected, and what information was compromised. This determination depends entirely on the audit trail. If the audit trail is incomplete, the entity must assume the worst case and notify every potentially affected individual. If the audit trail has been tampered with, the entity cannot make any determination at all, and the regulatory consequences escalate dramatically.
The six-year retention requirement under HIPAA applies to policies, procedures, and documentation, including audit trail documentation. For practical purposes, most healthcare organizations retain audit records for six years from the date of last activity on a patient record, which can extend the effective retention period to a decade or more for patients with chronic conditions.
Healthcare audit trail minimum standard in 2026: Complete capture of every ePHI access event. Encrypted at rest and in transit. Independently verifiable for breach determination. Six-year minimum retention for documentation. Audit trails must be reconcilable across all systems that contain or use ePHI.
Insurance: NAIC Model Law and AI Transparency
Insurance audit trail requirements are fragmented across state-level regulations, but the NAIC Model Laws provide the baseline that most states adopt. Two developments in 2025 and 2026 have significantly raised the bar.
NAIC Insurance Data Security Model Law
The NAIC Insurance Data Security Model Law, adopted in some form by the majority of U.S. states, requires insurers to implement a comprehensive information security program that includes audit trail capabilities. Section 4(D) specifically requires "audit trails within the information security program designed to detect cybersecurity events." This language focuses audit trail requirements on security event detection, but state department of insurance examiners interpret it broadly.
In practice, DOI examiners expect insurers to maintain audit trails across three domains: policyholder data access, claims processing, and underwriting decisions. For policyholder data, the requirement mirrors HIPAA in many respects: every access to personally identifiable information must be logged with the identity of the accessor, the time of access, and the records viewed. For claims processing, the audit trail must document the complete lifecycle of each claim from first notice of loss through final payment or denial, including every human decision and every automated decision along the way. For underwriting, the audit trail must capture the factors considered, the models applied, and the rationale for the final decision.
NAIC Model Bulletin on AI: Auditability of Algorithmic Decisions
The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, issued in late 2024 and adopted by a growing number of states through 2025 and 2026, imposes explicit auditability requirements on AI-driven insurance decisions. The bulletin states that insurers must be able to "provide an explanation of any AI-driven decision to a regulator upon request" and that the insurer must maintain documentation sufficient to "allow a regulator to understand the basis for the decision."
This requirement goes beyond logging the inputs and outputs of a model. It requires the insurer to demonstrate that the model version used for a specific decision was the model version in effect at the time, that the input data was the data available at the time, and that no post-hoc modification has occurred to either the model or the data. In other words, the audit trail must provide temporal integrity: proof that the record accurately represents what happened at the time it happened.
For insurers deploying machine learning models for claims triage, fraud detection, or pricing, this requirement means every inference must be attested with a timestamp and a binding to the model version and input data. Retrospective reconstruction of what a model would have decided is not sufficient. The audit trail must capture what the model actually decided, when it decided it, and with what inputs.
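The healthcare requirement above (integrity verifiable without decrypting ePHI) and the insurance requirement here (an inference bound to its model version, inputs, output and time) rest on one mechanism, shown below as an added illustration that is not code from the page or from H33-74. Assumptions: toy_encrypt stands in for the application's real cipher, the anchor store stands in for an external timestamp service or ledger, and the signature layer the frameworks call for is not modelled.

```python
import hashlib
import json

# Added illustration, not code from the page or from any vendor. Assumptions:
# toy_encrypt stands in for a real AEAD cipher; the anchor store stands in for an
# external timestamp service or ledger; no signature layer is modelled.

GENESIS = b"\x00" * 32
REQUIRED = ("who", "what", "when", "where")

def canonical(obj) -> bytes:
    """Deterministic JSON so identical metadata always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode keystream XOR. Illustration only, NOT a real cipher;
    its only job here is to make the record opaque to the verifier."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def commitment(prev: bytes, meta: dict, ciphertext: bytes) -> bytes:
    """32-byte commitment binding the metadata and the CIPHERTEXT digest to the
    previous commitment. Recomputing it needs neither plaintext nor key."""
    h = hashlib.sha256(prev)
    h.update(hashlib.sha256(ciphertext).digest())
    h.update(canonical(meta))
    return h.digest()

class AuditChain:
    """Producer side: stores encrypted records, hands each commitment outward."""
    def __init__(self, key: bytes, anchor_store: list):
        self.key, self.anchors, self.records = key, anchor_store, []
        self.prev = GENESIS

    def append(self, meta: dict, plaintext: bytes) -> bytes:
        missing = [f for f in REQUIRED if f not in meta]
        if missing:
            raise ValueError(f"audit record lacks {missing}")
        nonce = len(self.records).to_bytes(8, "big")
        ct = toy_encrypt(self.key, nonce, plaintext)
        c = commitment(self.prev, meta, ct)
        self.records.append({"meta": dict(meta), "ct": ct, "commit": c})
        self.anchors.append(c)          # the copy the outside party retains
        self.prev = c
        return c

def verify(records: list, anchors: list) -> list:
    """Verifier side: recompute each commitment from prev + metadata + ciphertext
    and compare with the externally held anchors. Returns findings; an empty
    list means the trail is intact. No key, plaintext or producer access used."""
    findings = []
    if len(records) != len(anchors):
        findings.append(f"count mismatch: {len(records)} records, {len(anchors)} anchors")
    prev = GENESIS
    for i, (rec, anchor) in enumerate(zip(records, anchors)):
        if commitment(prev, rec["meta"], rec["ct"]) != anchor:
            findings.append(f"record {i}: commitment does not match anchor")
        prev = anchor                    # chain onward from the trusted value
    return findings

def demo() -> dict:
    """Intact trail, then an administrator's in-place edit, then a deletion."""
    anchors = []
    chain = AuditChain(b"k" * 32, anchors)          # constructed key
    base = {"where": "claims-api", "model_version": "triage-v3.1"}
    for who, what, when, body in [                  # constructed sample events
        ("svc-triage", "infer", "2026-03-01T10:00:00Z", b'{"claim":"C-1001","output":"refer"}'),
        ("u.adjuster", "override", "2026-03-01T10:05:00Z", b'{"claim":"C-1001","output":"approve"}'),
        ("svc-triage", "infer", "2026-03-01T10:06:00Z", b'{"claim":"C-1002","output":"approve"}'),
    ]:
        chain.append({**base, "who": who, "what": what, "when": when}, body)
    edited = [dict(r, meta=dict(r["meta"])) for r in chain.records]
    edited[1]["meta"]["who"] = "svc-triage"     # rewrite who made the override
    return {"intact": verify(chain.records, anchors),
            "modified": verify(edited, anchors),
            "deleted": verify(chain.records[:1] + chain.records[2:], anchors)}
```

Because the verifier chains onward from the anchored value rather than from each record's own stored commitment, an edited record surfaces as a single finding instead of invalidating every record after it, while a deleted record still breaks the count and the chain.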
Cyber Insurance Underwriting: The Auditor Becomes the Audited
An emerging requirement in the insurance industry comes from the cyber insurance market itself. Carriers writing cyber insurance policies increasingly require policyholders to demonstrate continuous attestation of security controls as a condition of coverage. But carriers must also demonstrate their own security posture to reinsurers, creating a recursive audit trail requirement that extends through the entire insurance value chain.
Several major reinsurers now require cedents to provide cryptographic proof of their security control effectiveness, updated monthly. This means the insurer's own audit trail must not only capture security events but also generate periodic attestations that can be independently verified by the reinsurer without granting the reinsurer direct access to the insurer's systems. This is a direct use case for post-quantum cryptographic attestation: a 74-byte proof that can be transmitted to a reinsurer, stored indefinitely, and verified at any future date without relying on the insurer's infrastructure.
Insurance audit trail minimum standard in 2026: Cybersecurity event detection audit trails per NAIC Model Law. Decision-level auditability for AI-driven underwriting and claims. Temporal integrity proving decisions were made with stated inputs at stated times. Continuous attestation capability for cyber insurance and reinsurance relationships.
Government: FedRAMP, FISMA, NIST 800-53, and CMMC
Government audit trail requirements are the most prescriptive of any industry, with NIST Special Publication 800-53 providing the control catalog that FedRAMP, FISMA, and CMMC all reference.
NIST 800-53 AU Controls: The Control-by-Control Breakdown
The AU family of controls in NIST 800-53 Revision 5 defines the most detailed audit trail requirements in any regulatory framework. Five controls are critical for understanding what government systems must implement:
AU-2 (Event Logging) requires the organization to identify the types of events that the system must be capable of logging. For FedRAMP High systems, this includes successful and unsuccessful authentication attempts, privilege escalation events, data access events, data modification events, data deletion events, system configuration changes, and administrative actions. The list is not optional. Every event type must be logged.
AU-3 (Content of Audit Records) specifies what each audit record must contain: the type of event, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals, subjects, or objects associated with the event. For FedRAMP Moderate and High baselines, the additional requirement AU-3(1) mandates that audit records include additional detail such as the specific command executed, the full text of the query, or the before-and-after values of modified fields.
AU-6 (Audit Record Review, Analysis, and Reporting) requires the organization to review and analyze audit records for indications of inappropriate or unusual activity. For FedRAMP High, this review must occur at least weekly, with automated analysis tools supplementing human review. The review itself must be documented, creating an audit trail of the audit trail review.
AU-9 (Protection of Audit Information) requires that audit records be protected against unauthorized access, modification, and deletion. For FedRAMP Moderate and High, this includes the requirement that audit records be stored in a location separate from the system that generated them and that the integrity of the records be cryptographically verified. The enhancement AU-9(3) adds the explicit requirement for cryptographic mechanisms to protect the integrity of audit information.
AU-11 (Audit Record Retention) requires the organization to retain audit records for a defined period sufficient to support after-the-fact investigations. For most federal systems, this means a minimum of one year online and three years in archive. For systems processing classified information or financial data, retention requirements can extend to seven years, ten years, or permanently.
FedRAMP Continuous Monitoring
FedRAMP imposes a continuous monitoring requirement on all authorized cloud service providers. This includes monthly vulnerability scans, annual security assessments, and continuous audit trail monitoring. The ConMon requirement is not a one-time check. It is an ongoing obligation that requires CSPs to demonstrate, every month, that their audit trail infrastructure is functioning correctly and that no gaps exist in the record.
The FedRAMP PMO has increasingly focused on the integrity of audit records during annual assessments. Third-party assessment organizations (3PAOs) now routinely test whether audit records can be modified by system administrators, whether deleted records can be detected, and whether the provenance of each audit record can be independently verified. The bar for passing these tests has risen every year since 2023.
CMMC 2.0: Defense Contractor Audit Trails
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework extends NIST 800-171 requirements to all defense contractors handling Controlled Unclassified Information (CUI). The audit trail requirements in CMMC Level 2 mirror NIST 800-171's AU controls, which are derived from NIST 800-53 but scoped for non-federal systems.
The practical impact of CMMC 2.0 is that defense contractors must now implement the same caliber of audit trail infrastructure that federal agencies use. This includes cryptographic integrity verification, independent storage, and retention periods that match the contract period plus the standard investigation window of three to five years. For major defense programs with 20-year lifecycles, this means audit records created today must remain verifiable for 25 years or more.
Executive Order 14028: Software Supply Chain Provenance
Executive Order 14028 on Improving the Nation's Cybersecurity, issued in 2021 and implemented through a series of OMB memoranda through 2025, introduced the concept of software supply chain provenance audit trails. Every software component used in a federal information system must have a verifiable provenance: where the source code came from, how it was built, what dependencies it includes, and who signed each release.
This requirement created a new category of audit trail that most organizations had never considered. It is not enough to log access events and data modifications. The software itself must carry an attestation of its integrity, and that attestation must be independently verifiable at any point in the future. Software Bill of Materials (SBOM) requirements are the first step. Cryptographic attestation of build provenance is the next, and multiple federal agencies now require it for new contracts.
Government audit trail minimum standard in 2026: Comprehensive event logging per AU-2. Six-element audit records per AU-3. Weekly review with documentation per AU-6. Cryptographic integrity protection per AU-9. Retention of one to three years minimum, with 25+ years for long-lifecycle programs. Software supply chain provenance attestation per EO 14028.
Cross-Cutting Themes: What Every Framework Now Demands
Four themes appear across all four industries and every framework examined above.
From log retention to proof of integrity. Every framework is moving beyond the question of whether logs exist. The question is now whether the integrity of those logs can be independently verified. This shift disqualifies audit trail implementations that rely on database access controls or append-only storage claims. The proof must be cryptographic, and it must be verifiable without access to the producing system.
From periodic review to continuous attestation. Annual assessments and quarterly reviews are giving way to continuous monitoring and real-time attestation. FedRAMP requires monthly evidence. Cyber insurance reinsurers require monthly attestation. The NAIC Model Bulletin implies ongoing auditability, not just point-in-time documentation. Organizations that generate audit attestations only when an examiner asks for them are already behind.
From classical signatures to post-quantum durability. Retention periods across these frameworks range from five years for BSA/AML records to 25 or more years for defense programs. NIST has projected that cryptographically relevant quantum computers may emerge within the next decade. Any audit record signed with RSA or ECDSA today may be unverifiable, or worse, forgeable, before its retention period expires. Post-quantum signature schemes are no longer a future consideration. They are a present requirement for any audit trail with a multi-year retention obligation.
From single-purpose logging to universal attestation. Organizations operating across multiple regulated industries (a bank that also offers insurance products, a healthcare system that processes government claims, a defense contractor that handles financial data) face the impossible task of maintaining separate audit trail systems for each regulatory framework. The operational cost is staggering, and the risk of gaps between systems is high. A single attestation primitive that satisfies all frameworks simultaneously eliminates both the cost and the risk.
Summary: Requirements Mapped to H33-74 Coverage
| Framework | Retention | Key Requirement | H33-74 Coverage |
|---|---|---|---|
| FFIEC / OCC | 5+ years | Independently verifiable, tamper-evident records | 74-byte attestation with three PQ signature families, verifiable without producing system |
| SOX 302/404 | 7 years | Tamper-evident audit trails for financial records | Cryptographic binding at creation, immutable proof of record integrity |
| BSA/AML | 5 years | Transaction monitoring trails, quantum-durable signatures | Post-quantum signatures remain verifiable across full retention window |
| HIPAA | 6 years | Complete PHI access logging, encrypted, independently verifiable | Attestation verifiable without decrypting underlying ePHI |
| NAIC Model Law | Varies by state | AI decision auditability with temporal integrity | Timestamped attestation binding model version, inputs, and outputs |
| NIST 800-53 AU-9 | 1-3 years (online/archive) | Cryptographic integrity protection of audit records | Three independent PQ signature families satisfy AU-9(3) |
| FedRAMP | Continuous + annual | Monthly evidence of audit trail integrity | Automated monthly attestation generation and verification |
| CMMC 2.0 | Contract + 3-5 years | Defense-grade audit trails for CUI | 74-byte proofs verifiable for 25+ years under PQ assumptions |
| EO 14028 | Software lifecycle | Supply chain provenance attestation | Build provenance attested and independently verifiable |
H33-74 satisfies the audit trail requirements across all four industries with a single primitive. Each attestation is 74 bytes: 32 bytes anchored on-chain, 42 bytes in Cachee. Three post-quantum signature families ensure that the attestation remains verifiable even if one or two of the underlying mathematical assumptions are broken by future advances in quantum computing or classical cryptanalysis. The attestation is independently verifiable, meaning any party can confirm the integrity of a record without access to the system that produced it, without a decryption key, and without trusting the attesting organization.
For compliance teams managing audit trail requirements across multiple frameworks, this eliminates the need to maintain separate attestation systems for banking, healthcare, insurance, and government obligations. One attestation per record. One verification method for every examiner. One cryptographic commitment that satisfies every framework in the table above.
See How H33-74 Satisfies Your Audit Trail Requirements
Walk through your specific regulatory obligations with our team. We will map your framework requirements to H33-74 attestation capabilities in a 30-minute technical session.