Tensor AnalyticsTM
AI in operationsConceptAdvanced

Audit trails for AI: what DPDP, CCPA, and the EU AI Act actually require

Keshab S·29 Apr 2026·12 min

Three regulations, one operational reality

If your company operates in India, the United States, and the European Union, and you use AI to make or recommend operational decisions, you are subject to three overlapping but not identical audit trail requirements. India's Digital Personal Data Protection Act, 2023 (DPDP Act) took effect in 2024 with a phased compliance timeline. The California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) has been enforceable since 2023, with automated decision-making provisions active since 2024. The EU AI Act entered force in August 2024 with phased application through 2026.

None of these frameworks explicitly say "your AI system must have an audit trail" in those words. But all three, read carefully, require the same operational capability. You must be able to show, for any decision your AI system influenced, what the system proposed, what information it used, who approved or modified the decision, and when each step happened. If you cannot produce this record on demand, you are non-compliant in at least one jurisdiction and probably all three.

This article covers what each framework actually requires, where the requirements differ, and what to build if you want a single audit trail that satisfies all three. It is written for operations and technology leaders, not lawyers, but the regulatory references are specific so your legal team can verify the analysis.

What the DPDP Act requires

The DPDP Act, passed by the Indian Parliament in August 2023, is India's first comprehensive data protection law. The Act itself is relatively short and principle-based. The detailed compliance requirements are in the DPDP Rules, which were notified in January 2025 with compliance deadlines through 2026.

Two sections of the Act are directly relevant to AI audit trails. Section 8, which sets out the obligations of Data Fiduciaries (the entities that determine the purposes and means of processing personal data), requires that processing be fair, reasonable, and transparent. For AI systems that process personal data, transparency requires the ability to explain what the system did. Section 11 requires consent to be free, specific, informed, and unambiguous, and Section 14 requires that consent can be withdrawn, which means you must be able to identify and reverse processing that was based on withdrawn consent.

The DPDP Rules, in the provisions on reasonable security practices (Rule 8 of the draft rules), require Data Fiduciaries to maintain records of processing activities. For AI systems, this means a record of what data was input, what the system produced, and what action was taken. The Rules also require a grievance redressal mechanism (Section 10 of the Act), which means a Data Principal can ask "what did your AI system do with my data," and you must be able to answer.

Operationally, the DPDP requirement translates to: for every AI-influenced decision that touches personal data, log the input data, the AI output, the human action taken (approve, modify, reject), the actor, and the timestamp. Retain for the period specified in your data retention policy, which under the Rules should align with the purpose limitation principle.

What CCPA/CPRA requires

The CCPA, as amended by the CPRA in 2020, gives California residents specific rights regarding automated decision-making. The regulations implementing these provisions, finalized by the California Privacy Protection Agency in 2024, require businesses that use automated decision-making technology to provide consumers with information about the logic involved and the outcomes produced.

Specifically, the CCPA regulations (Section 7000 series of the CPPA regulations) require businesses to, upon consumer request, disclose the categories of personal information used in the automated decision, the system's output or decision, and the rationale for the decision in plain language. This is not possible without an audit trail. If a consumer asks "why did your system recommend X," and you cannot produce the input data, the model output, and the human decision record, you cannot comply with the request.

The CCPA also requires businesses to conduct risk assessments for automated decision-making technology that presents significant risk to consumers (Section 7150 series). The risk assessment must document the system's logic, the data used, the outputs produced, and the human oversight measures in place. This is a documentation requirement, not just an operational one, but the underlying capability is the same. You need an audit trail.

CCPA's requirements apply to any business that processes California residents' personal data and meets certain thresholds (revenue, data volume, or data sale). For a manufacturer selling into California, or employing California residents in operations roles where AI assists planning, the requirements apply.

What the EU AI Act requires

The EU AI Act, which entered force on August 1, 2024, takes a risk-based approach. AI systems are classified into four risk categories: unacceptable (banned), high-risk (strict requirements), limited-risk (transparency requirements), and minimal-risk (no specific requirements).

Most operational AI in manufacturing, including demand forecasting and supply chain planning systems that affect employment, resource allocation, or access to services, will be classified as high-risk under Annex III of the Act. High-risk AI systems are subject to the most extensive requirements, including (Article 12) automatic logging of events during operation.

Article 12 specifically requires high-risk AI systems to keep logs that ensure a level of traceability appropriate to the intended purpose. The logs must allow monitoring of the AI system's operation, and must be kept for a period appropriate to the system's purpose and the applicable law. For operational AI in a manufacturing context, this means logging every forecast generated, every exception raised, every override applied, and every approval decision, with timestamps and actor identification.

The EU AI Act also requires (Article 14) human oversight of high-risk AI systems, and (Article 15) accuracy, robustness, and cybersecurity. The logging requirement supports both. Without logs, you cannot demonstrate that human oversight occurred, and you cannot diagnose accuracy or robustness failures.

Where the three requirements differ

The three frameworks require similar capabilities but differ in three practical ways.

Scope of personal data. The DPDP Act applies to personal data, which is defined broadly as any data about an identifiable individual. CCPA applies to personal information, which has specific enumerated categories. The EU AI Act applies to AI systems regardless of whether they process personal data, but the logging requirement is strictest for high-risk systems. For a demand forecasting system that processes only SKU-level demand data (no personal data), the DPDP Act and CCPA may not apply, but the EU AI Act still might, if the system is classified as high-risk because it affects resource allocation.

Retention period. The DPDP Rules require retention only as long as necessary for the stated purpose. CCPA requires retention of consumer request records for 24 months. The EU AI Act requires logs to be kept for "a period appropriate to the intended purpose," which member states may specify. In practice, a 36-month retention covers all three, with the ability to delete earlier if the purpose has expired.

Access rights. Under DPDP, a Data Principal can request access to their personal data and processing information. Under CCPA, a consumer can request information about automated decisions. Under the EU AI Act, the logs are primarily for regulatory oversight, not individual access, though GDPR (which applies alongside the AI Act) gives individuals similar access rights. The operational capability is the same. You need to be able to query the audit trail by individual, by decision, and by time period.

What to build

A single audit trail design satisfies all three frameworks. The minimum requirements are:

Log every AI-influenced decision. Every time the AI system proposes an action (a forecast, an exception, an override recommendation), log the input data reference, the system output, the proposed action, and the timestamp. Every time a human acts on that proposal (approve, modify, reject), log the human action, the actor identity, the modification if any, the rationale if captured, and the timestamp.

Make the log append-only. The log must not be editable. Use an append-only data structure, ideally with cryptographic integrity (hash chaining or a merkle tree) so that any retroactive modification is detectable. This is required by the EU AI Act's emphasis on traceability and strongly implied by the DPDP Act's reasonable security practices.

Make the log queryable. You must be able to query by actor, by decision type, by time period, and by affected individual (where personal data is involved). This supports DPDP access requests, CCPA automated decision requests, and EU AI Act regulatory inspections.

Retain for 36 months. This covers CCPA's 24-month minimum, the DPDP Act's purpose-limitation principle (with a reasonable ceiling), and the EU AI Act's "appropriate period." Beyond 36 months, delete unless a specific legal hold applies.

Separate the log from the operational system. The audit trail should not be in the same database as the planning system. If the planning system is compromised or corrupted, the audit trail must survive. At minimum, the log should be in a separate database with separate access controls. Ideally, the log should be in a write-once-read-many storage layer that cannot be modified even by database administrators.

The takeaway

Three regulatory frameworks, written for different jurisdictions and different primary concerns, converge on the same operational requirement. If you use AI to influence operational decisions, you must be able to show what the AI proposed, what human did, and when. This is true whether the decision is a demand forecast, a supply plan, an inventory policy, or a hiring recommendation.

The organizations that will struggle in 2026 and 2027 are not the ones without AI. They are the ones with AI and no audit trail. The DPDP Rules phased compliance ends in 2026. CCPA automated decision regulations are already enforceable. The EU AI Act high-risk system requirements apply from 2026 to 2027 depending on system type. The window to build the audit trail is now.

Build it once, build it properly, and it satisfies all three jurisdictions. Build it poorly, or not at all, and you are one consumer complaint or regulatory inspection away from a problem that costs more than the audit trail would have.

Sources and further reading

The DPDP Act 2023 is available on the Ministry of Electronics and Information Technology website. The DPDP Rules draft was notified in January 2025. The CCPA regulations are on the California Privacy Protection Agency website. The EU AI Act text is on EUR-Lex. The MIT Center for Transportation and Logistics publishes reference material on supply chain data governance. Nicolas Vandeput's work on inventory optimization covers operational data structures in depth. For legal interpretation specific to your business, consult a qualified privacy lawyer in each jurisdiction.

ComplianceAudit trailDPDP ActCCPAEU AI ActAI agents
Written by Keshab S
See it in practice

Run GrepEye on your data.

Reading about planning is useful. Running the platform on your own demand data is better. Book a walkthrough. We'll show you the full IBP pipeline with your numbers.