Privileged Session Recording Governance

2. Summary

Privileged Session Recording Governance requires that every AI agent session involving elevated privileges — production write access, administrative operations, access to sensitive data classifications, cross-workspace access, break-glass emergency access, or any action that exceeds the agent's routine operational permissions — is recorded with sufficient fidelity to reconstruct exactly what the agent did, when, why, and with what effect. The recording is tamper-evident, protected from modification by the recorded agent, retained for the legally required period, and accessible for audit, investigation, and regulatory review. The principle is accountability through observability: if an agent can do something consequential, the organisation must be able to prove exactly what it did. This is not general logging — it is high-fidelity forensic recording of the most sensitive agent operations.

3. Example

Scenario A — Privileged Session Without Recording Prevents Incident Investigation: An AI agent with production write access to the general ledger executes a series of journal entries during a month-end close process. Three weeks later, an internal audit identifies a £4.2 million variance that traces to journal entries posted during that session. The organisation attempts to investigate but finds that the agent's session was not recorded beyond basic action logs. The action logs show that 847 journal entries were posted but do not capture the agent's reasoning, the input data it processed, the intermediate calculations it performed, or the specific source documents it referenced. The investigation cannot determine whether the entries were correct but misclassified, incorrect due to a reasoning error, or the result of manipulated input data. The external auditor qualifies the financial statements.

What went wrong: The privileged session (production write to the general ledger) was not recorded with sufficient fidelity. Basic action logs captured the outputs but not the inputs, reasoning, or context. The organisation could not reconstruct what happened during the session, making investigation impossible and audit qualification unavoidable. Consequence: Qualified financial statements, regulatory scrutiny, £1.8 million in additional audit and investigation costs, CFO personal liability concern under SOX officer certification.

Scenario B — Tampered Session Recording Undermines Regulatory Response: A financial AI agent is investigated by the FCA for potentially manipulative trading patterns. The firm produces the agent's session recordings, but the recordings were stored in a database that the agent's operating team had write access to. The FCA's forensic analysis identifies gaps in the recording timeline and metadata inconsistencies suggesting that records were modified after the fact. The FCA treats the tampered recordings as an obstruction of its investigation and imposes a separate penalty for record-keeping failures in addition to the underlying trading investigation.

What went wrong: Session recordings were stored in a system modifiable by the operational team responsible for the agent. The recordings were not tamper-evident. When regulatory scrutiny arrived, the integrity of the records could not be demonstrated. Consequence: Separate FCA penalty for record-keeping failures (£2.7 million), enhanced scrutiny of all firm AI operations, personal liability proceedings against the head of AI operations under the Senior Managers Regime.

Scenario C — Session Recording Enables Rapid Root Cause Analysis: An AI agent with break-glass emergency access modifies production firewall rules during a security incident. The session is fully recorded: every command issued, every rule modified, the agent's reasoning for each modification, the input data it processed (security alerts, system state), and the timestamps of each action. Post-incident, the security team reviews the recording and identifies that the agent correctly mitigated the primary threat but inadvertently opened a secondary vulnerability by removing a rule that also protected an adjacent system. The team closes the secondary vulnerability within 2 hours of the incident resolution. Without the recording, the secondary vulnerability would have persisted undetected.

What went right: The privileged session was recorded with full fidelity, enabling rapid post-incident analysis. The recording captured not just the actions but the reasoning, enabling the team to understand why the agent made each decision and identify the unintended consequence.

4. Requirement Statement

Scope: This dimension applies to any AI agent session where the agent operates with elevated privileges relative to its routine operational permissions. Elevated privileges include but are not limited to: production write access (AG-302), administrative operations on infrastructure or systems, access to sensitive data classifications (e.g., Confidential, Restricted, classified), cross-workspace access (AG-299), break-glass emergency access (AG-306), access to PII or PHI beyond routine scope, financial transaction authority above routine thresholds, and any action that the organisation's risk classification designates as high-risk. Read-only operations within the agent's routine scope may be excluded from session recording, though organisations should define clear boundaries between routine and elevated operations. The recording obligation attaches to the session, not the individual action — the entire session in which elevated privileges are active is recorded.

4.1. A conforming system MUST record all agent sessions involving elevated privileges with sufficient fidelity to reconstruct the complete sequence of actions, inputs, outputs, reasoning (where available), and system state changes during the session.

4.2. A conforming system MUST store session recordings in a tamper-evident format that detects any post-capture modification, using cryptographic integrity protection (e.g., hash chains, digital signatures, write-once storage).

4.3. A conforming system MUST ensure that the recorded agent and its operating team cannot modify or delete session recordings — recordings are stored in a separate security domain with access restricted to audit, compliance, and security functions.

4.4. A conforming system MUST retain session recordings for the period required by applicable regulations and the organisation's data retention policy, with a minimum of 12 months online and 5 years archived.

4.5. A conforming system MUST include in each session recording: session identifier, agent identifier, privilege level, session start and end timestamps, every action executed (with parameters), every response received, input data processed (or a reference to it), and the outcome of each action (success, failure, or rejection).

4.6. A conforming system SHOULD capture the agent's reasoning chain or decision trace where the agent architecture makes this available (e.g., chain-of-thought outputs, tool selection rationale, intermediate reasoning steps).

4.7. A conforming system SHOULD implement real-time monitoring of privileged sessions, with alerts for anomalous actions during the session rather than exclusively post-session review.

4.8. A conforming system SHOULD protect sensitive data within session recordings through field-level encryption or redaction, ensuring that the recording itself does not become a data leakage vector.

4.9. A conforming system MAY implement session recording replay capability that allows auditors to step through the session chronologically, viewing the agent's inputs, actions, and reasoning at each step.

5. Rationale

Privileged sessions are where the highest-impact agent actions occur. Production writes, administrative changes, break-glass access, and sensitive data operations carry the greatest risk of harm if executed incorrectly and the greatest regulatory scrutiny when incidents occur. Session recording provides three critical capabilities: forensic investigation (understanding what happened after an incident), real-time oversight (monitoring high-risk operations as they occur), and regulatory evidence (demonstrating compliance with record-keeping obligations).

The recording obligation is proportionate to the privilege level. Routine read operations within the agent's normal scope carry low risk and generate high volume — recording everything would be prohibitively expensive and would dilute the signal. Elevated privilege sessions carry high risk and occur less frequently — recording them at high fidelity is both feasible and essential.

Tamper-evidence is non-negotiable for regulatory purposes. A session recording that could have been modified after the fact has no evidentiary value. Regulators treat modifiable records as unreliable, and the absence of tamper-evident records can itself constitute a regulatory violation. The recording must demonstrate, through cryptographic means, that the record as produced for review is identical to the record as captured during the session.

The separation of recording storage from the operational team is equally critical. If the team that operates the agent can modify the session recordings, the recordings cannot be trusted for audit or investigation purposes. The recording system must be architecturally independent — separate infrastructure, separate access controls, separate administrative authority.

6. Implementation Guidance

Session recording for AI agents extends traditional privileged access management (PAM) recording to the AI-specific context: capturing not just actions but reasoning, context, and decision traces.

Recommended patterns:

• Proxy-based session capture. Route all privileged session traffic through a recording proxy that captures the full bidirectional communication between the agent and the systems it accesses. The proxy records every request (agent to system) and every response (system to agent) with timestamps. The agent cannot bypass the proxy because it is the only network path to the privileged resources. This is the AI equivalent of PAM session recording for human administrators.
• Agent-level instrumentation with independent verification. Instrument the agent runtime to emit a structured decision trace: inputs processed, reasoning steps (where available), tool selections, actions taken, and responses received. The trace is emitted to a recording service in real time. An independent verification layer compares the agent's declared actions against the actual system state changes observed through system logs. Discrepancies trigger alerts.
• Write-once append-only storage. Store session recordings in write-once storage (e.g., AWS S3 Object Lock, Azure Immutable Blob Storage, or dedicated WORM storage). Once written, recordings cannot be modified or deleted, even by administrators, until the retention period expires. This provides tamper-evidence through storage-layer enforcement.
• Hash chain integrity. Link session recording entries using a hash chain: each entry includes a cryptographic hash of the previous entry. Any modification to a historical entry breaks the chain, making tampering detectable. For additional assurance, anchor the hash chain periodically to an external timestamping service or blockchain.
• Field-level encryption for sensitive data in recordings. Session recordings of privileged operations may contain sensitive data (customer PII, financial data, classified information). Implement field-level encryption that protects sensitive fields within the recording while allowing non-sensitive metadata (timestamps, action types, success/failure) to be accessed for routine monitoring. Decryption requires elevated access and is itself logged.

Anti-patterns to avoid:

• Action-only logging without context. Recording only the actions taken without the inputs processed or reasoning applied. Action logs show what happened but not why, making root cause analysis impossible.
• Recordings stored in the agent's operational database. Storing session recordings in a database that the agent's operational team manages, administrates, or has write access to. The operational team has an inherent conflict of interest in maintaining recordings that may reveal operational failures.
• Mutable storage for recordings. Storing recordings in a standard database or file system where records can be modified or deleted. Without write-once or cryptographic integrity protection, the evidentiary value of the recordings is undermined.
• Recording everything without prioritisation. Recording every agent operation at full fidelity regardless of privilege level generates enormous volume, increases storage costs, and makes it harder to locate the high-value recordings. Prioritise recording fidelity for elevated privilege sessions.
• Session recording as the only control. Session recording is an assurance control, not a preventive control. Recording a privileged session does not prevent harmful actions during that session. Recording must complement preventive controls (AG-302, AG-304) — it does not replace them.

Industry Considerations

Financial Services. MiFID II Article 16(7) requires firms to record telephone conversations and electronic communications relating to transactions. For AI trading agents, session recording extends this obligation to the agent's decision process. The FCA expects that firms can reconstruct the rationale for every trade, including trades executed by AI agents. Session recordings must be retained for 5 years (7 years at FCA request).

Healthcare. HIPAA audit controls (§164.312(b)) require mechanisms to record and examine activity in information systems containing ePHI. Session recording for AI agents accessing ePHI implements this requirement. Recordings containing ePHI must themselves be protected as ePHI.

Government and Defence. Audit requirements for classified system access typically require keystroke-level recording. AI agent session recording should capture the equivalent fidelity: every input processed, every action taken, and every output produced. Retention periods for classified systems may be indefinite.

Maturity Model

Basic Implementation — Privileged agent sessions are logged with action-level detail: action type, timestamp, target resource, success/failure. Logs are stored in a centralised logging system with access controls separating operational and audit access. Logs are retained for 12 months online. Limitations: no reasoning or context capture; log storage is mutable (not tamper-evident); no real-time monitoring of privileged sessions.

Intermediate Implementation — Privileged sessions are recorded with full fidelity: actions, inputs, outputs, and reasoning traces (where available). Recordings are stored in write-once storage with hash chain integrity. The recording system is architecturally separate from the operational team's infrastructure. Real-time monitoring generates alerts for anomalous actions during privileged sessions. Session recordings are searchable by agent, time period, action type, and privilege level. Field-level encryption protects sensitive data within recordings.

Advanced Implementation — All intermediate capabilities plus: session recording has been verified through independent adversarial testing including tamper attempts, recording bypass attempts, and evidence reconstruction challenges. Session replay capability enables auditors to step through sessions chronologically. Automated anomaly detection analyses privileged sessions against behavioural baselines and flags deviations. External timestamping services anchor recording integrity. The organisation can demonstrate to regulators that any privileged agent action can be fully reconstructed from the recording.

7. Evidence Requirements

Required artefacts:

• Session recording policy. Documentation defining which sessions are recorded, the fidelity level, the recording architecture, and the retention period.
• Recording integrity evidence. Demonstration that recordings are tamper-evident — hash chain verification results, write-once storage configuration, or equivalent integrity protection evidence.
• Access separation evidence. Documentation demonstrating that the recording storage is in a separate security domain from the operational team, with access restricted to audit, compliance, and security functions.
• Sample session recordings. A sample of session recordings demonstrating the captured fidelity: actions, inputs, outputs, reasoning, timestamps, and outcomes.
• Retention compliance evidence. Demonstration that recordings are retained for the required period and that no recordings have been deleted or modified before the retention period expired.

Retention requirements:

• Session recordings: minimum 7 years for regulated financial services (MiFID II: 5 years, extensible to 7); minimum 5 years for other regulated sectors; minimum 3 years otherwise. Online (immediately accessible): minimum 12 months.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. For financial services, MiFID II requires production within 72 hours.

8. Test Specification

Test 8.1: Recording Completeness for Privileged Sessions

• Stimulus: Execute a privileged session with a defined sequence of 10 actions (5 reads, 3 writes, 2 administrative operations). Review the session recording.
• Expected behaviour: All 10 actions are recorded with full metadata: action type, parameters, timestamp, target resource, outcome, and the session's privilege level.
• Pass criteria: 10 out of 10 actions are present in the recording with complete metadata.
• Fail criteria: Any action is missing or has incomplete metadata.

Test 8.2: Tamper Evidence Verification

• Stimulus: Retrieve a session recording. Modify one entry (e.g., change a timestamp or action parameter). Verify the integrity check.
• Expected behaviour: The integrity check (hash chain verification, digital signature validation, or write-once storage audit) detects the modification.
• Pass criteria: The tampering is detected by the integrity verification mechanism.
• Fail criteria: The modification is not detected.

Test 8.3: Recording Independence From Operational Team

• Stimulus: Using the operational team's highest-privilege credentials, attempt to modify or delete a session recording.
• Expected behaviour: The modification or deletion is blocked. The operational team does not have write or delete access to session recordings.
• Pass criteria: No modification or deletion of session recordings succeeds using operational team credentials.
• Fail criteria: Any modification or deletion succeeds.

Test 8.4: Recording Bypass Prevention

• Stimulus: Attempt to execute privileged actions without generating a session recording — by bypassing the recording proxy, disabling the instrumentation, or routing traffic around the recording layer.
• Expected behaviour: Privileged actions cannot execute without generating a recording. The recording layer is in the mandatory path for all privileged operations.
• Pass criteria: No privileged action executes without a corresponding recording.
• Fail criteria: Any privileged action executes without being recorded.

Test 8.5: Sensitive Data Protection in Recordings

• Stimulus: Execute a privileged session that processes sensitive data (e.g., customer PII). Review the session recording for sensitive data handling.
• Expected behaviour: Sensitive fields are encrypted or redacted in the recording. Non-sensitive metadata (timestamps, action types) is accessible without elevated access.
• Pass criteria: Sensitive data in recordings is protected through encryption or redaction.
• Fail criteria: Sensitive data is stored in plaintext in session recordings without protection.

Test 8.6: Retention Period Enforcement

• Stimulus: Attempt to delete a session recording that is within its retention period. Verify that recordings older than the retention period are purged per policy.
• Expected behaviour: Deletion within the retention period is blocked. Recordings beyond the retention period are purged as scheduled.
• Pass criteria: No recording is deleted before its retention period expires. Recordings are purged after the retention period per policy.
• Fail criteria: A recording is deleted before its retention period expires, or recordings persist indefinitely beyond the required period.

Test 8.7: Real-Time Monitoring Alert Generation

• Stimulus: During a privileged session, execute an action that matches a defined anomaly pattern (e.g., bulk data access exceeding a threshold, administrative action outside business hours).
• Expected behaviour: A real-time alert is generated during the session, not after session completion.
• Pass criteria: The alert is generated within the configured detection window during the active session.
• Fail criteria: No alert is generated, or the alert is generated only after session completion.

Conformance Scoring

• Score 0: No privileged session recording exists — elevated privilege operations are not recorded beyond basic system logs.
• Score 1: Privileged sessions are logged with action-level detail, but logs are stored in mutable systems accessible to the operational team — recording exists but lacks integrity protection and access separation.
• Score 2: Privileged sessions are recorded with full fidelity in tamper-evident, write-once storage with access separation from the operational team — structural recording with integrity protection.
• Score 3: Verified by independent adversarial testing — an independent party has confirmed that recordings cannot be tampered with, bypassed, or deleted, and that any privileged action can be fully reconstructed from the recording.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
MiFID II	Article 16(7) (Record-Keeping of Transactions)	Direct requirement
FCA SYSC	9.1.1R (Record-Keeping)	Direct requirement
SOX	Section 802 (Criminal Penalties for Altering Documents)	Supports compliance
HIPAA	§164.312(b) (Audit Controls)	Direct requirement
NIST SP 800-53	AU-3 (Content of Audit Records), AU-9 (Protection of Audit Information)	Direct requirement
EU AI Act	Article 12 (Record-Keeping)	Direct requirement
GDPR	Article 30 (Records of Processing Activities)	Supports compliance
DORA	Article 10 (Detection)	Supports compliance

MiFID II — Article 16(7) (Record-Keeping of Transactions)

Article 16(7) requires investment firms to arrange for records to be kept of all services, activities, and transactions sufficient to enable the competent authority to fulfil its supervisory tasks. For AI trading agents, this extends to the agent's decision process — not just the trades executed but the reasoning, inputs, and decision logic that led to each trade. Session recordings of AI agent trading sessions provide the evidence base for regulatory reconstruction of trading decisions. Recordings must be retained for 5 years, extensible to 7 years at the FCA's request.

EU AI Act — Article 12 (Record-Keeping)

Article 12 requires providers of high-risk AI systems to ensure that the AI system is designed and developed with capabilities enabling automatic recording of events (logs). The logs must be sufficient to enable monitoring of the AI system's operation and to facilitate post-market monitoring. Privileged session recording implements Article 12 for the most consequential agent operations, providing the log fidelity needed for both operational monitoring and post-incident investigation.

SOX — Section 802 (Criminal Penalties for Altering Documents)

Section 802 imposes criminal penalties for knowingly altering, destroying, or concealing records with the intent to impede a federal investigation. Tamper-evident session recordings protect the organisation against Section 802 liability by ensuring that recordings cannot be altered — the integrity protection makes any alteration detectable, and write-once storage prevents deletion. This provides both a compliance safeguard and a legal defence.

NIST SP 800-53 — AU-3, AU-9

AU-3 requires audit records to contain sufficient content to establish the type of event, time, source, outcome, and identity. AU-9 requires protection of audit information from unauthorised access, modification, and deletion. Session recordings with full fidelity satisfy AU-3, and tamper-evident storage with access separation satisfies AU-9.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Accountability — loss of ability to investigate incidents, satisfy regulatory inquiries, or demonstrate compliance for privileged operations

Consequence chain: Failure of privileged session recording does not directly cause an operational incident — it prevents the organisation from understanding, investigating, and responding to incidents that occur during privileged sessions. The consequence materialises when an incident occurs and the organisation cannot reconstruct what happened. For financial services, inability to reconstruct an AI trading agent's decisions may constitute a MiFID II violation (£millions in fines). For SOX-regulated firms, inability to explain AI-generated financial entries may lead to audit qualification and officer liability. For healthcare, inability to explain AI actions on patient records may constitute a HIPAA audit control violation. Beyond regulatory consequences, the absence of recordings prevents organisational learning — the organisation cannot improve its governance controls if it cannot understand how they failed. The blast radius extends to organisational trust: if the organisation cannot demonstrate what its AI agents did, stakeholders (regulators, clients, partners, employees) cannot trust the AI programme.

Cross-references: AG-302 (Production Write Isolation Governance) provides the preventive controls that session recording complements for production writes. AG-304 (Just-in-Time Secrets Issuance Governance) defines the privilege issuance events that trigger recording obligations. AG-306 (Break-Glass Containment Governance) defines emergency access sessions that require the highest recording fidelity. AG-013 (Data Sensitivity and Exfiltration Prevention) ensures that session recordings themselves do not become data leakage vectors. AG-162 (Least-Agency Provisioning) minimises the frequency of elevated privilege sessions, reducing recording volume.