Do LangGraph agents need compliance logging beyond LangSmith?

Yes. LangSmith captures execution traces for debugging — spans, token counts, latency, prompt/response pairs. EU AI Act Article 12, HIPAA §164.312(b), SOC 2 CC7.2, and GDPR Article 22 require decision records: per-event entries linking each person affected to the reasoning chain and outcome. LangSmith records are also mutable (can be deleted), stored in a vendor cloud, and not structured as per-person decision records. For production AI systems in regulated industries, LangSmith is necessary for development but not sufficient for compliance — you need a separate decision audit layer.

How do I add audit logging to a LangGraph agent without changing the graph?

Use LangGraph's BaseCallbackHandler to attach audit capture to graph execution. Create a callback class that overrides on_chain_start (captures inputs and timestamp) and on_chain_end (captures outputs). Inside the callback, call Ghost SDK's ghost.capture() with the decision fields. The callback pattern requires zero changes to your graph's node logic — you add it at graph instantiation time via the config parameter. Ghost SDK fires asynchronously, adding under 5ms overhead.

How do I link audit records across a multi-agent LangGraph graph?

Use a decision_id correlation key. Generate a UUID at the orchestrator level and pass it through the config dict to all subgraph invocations. Include the decision_id in every ghost.capture() call across all agents in the pipeline. When you need to reconstruct a complete decision trail — for a regulator, a data subject access request, or an internal audit — querying by decision_id returns all records for that specific decision chain in order, from orchestrator intent through each subgraph's contribution to the final outcome.

What fields must a LangGraph decision record include for EU AI Act compliance?

EU AI Act Article 12 requires logging that enables post-hoc reconstruction of the AI system's operation. For a LangGraph agent, each decision record should include: subject_id (identifier for the person affected), decision_type (what kind of decision this was), timestamp (when the decision was made), context (the complete input state at decision time — all data the agent used), reasoning (the agent's explanation of why it reached this conclusion), action (the chosen decision), confidence (the model's certainty if available), model_version (the LLM API version used — enables detection of behavioral changes from provider updates), and decision_id (to link multi-step decisions). Records should be tamper-evident — Ghost SDK cryptographically signs each record at capture time.

How does LangGraph compliance work for clinical AI under HIPAA?

HIPAA §164.312(b) Technical Safeguards require audit controls recording access and activity. For LangGraph agents processing PHI: subject_id should be an internal patient identifier (not raw PHI in the audit record field), the context field should capture clinical data references rather than raw PHI text, audit records must be retained for at least 6 years, access to audit records must itself be logged, and records must be encrypted in transit and at rest. HIPAA also requires documentation that the audit system itself is secured — Ghost SDK's VPC deployment option satisfies this requirement for organizations that cannot store audit records in a shared cloud.

How to Add Compliance Monitoring and Audit Trails to LangGraph Agents

LangGraph agents need decision audit records — not just LangSmith traces — to satisfy EU AI Act Article 12, HIPAA audit controls, SOC 2 CC7.2, and GDPR Article 22. This guide shows how to add compliance-grade logging to LangGraph using callbacks and state snapshots, with code examples for single agents, multi-agent graphs with decision_id correlation keys, and human override capture. Ghost SDK integrates in under 2 lines of code and adds less than 5ms overhead.

Why LangSmith Traces Do Not Satisfy Compliance

LangSmith captures execution traces — spans for each LLM call, token counts, latency, prompt/response pairs. Compliance frameworks require decision records: per-decision entries that link the person affected (subject_id), the complete context at decision time, the reasoning chain, the chosen action, and the downstream outcome. LangSmith traces are mutable (can be deleted), stored in a vendor-controlled cloud (not under organization control), and organized by execution run rather than by decision event affecting a specific person. EU AI Act Article 12 requires automatic logging enabling post-hoc reconstruction of each operation; HIPAA §164.312(b) requires audit controls linking access to patient records; GDPR Article 22 requires meaningful information about the logic of automated decisions available per data subject. LangSmith satisfies none of these as a primary compliance record.

Adding Audit Logging via LangGraph Callbacks

LangGraph exposes callbacks at the graph, node, and edge level through BaseCallbackHandler. A compliance callback captures state at key decision points without modifying graph logic: on_chain_start captures intent and inputs, on_chain_end captures outputs and timing. Inside the callback, Ghost SDK's fire-and-forget capture() call queues the decision record asynchronously — no blocking, under 5ms overhead. The capture includes: decision_type (what kind of decision), subject_id (who was affected), context (complete input state), reasoning (LLM explanation), action (chosen decision), confidence (model certainty), and metadata (model_version for tracking LLM API updates). This pattern works with any LangGraph node and requires no changes to existing graph logic.

Multi-Agent Graph Compliance with Correlation IDs

LangGraph supports nested subgraphs and multi-agent coordination. When a decision results from multiple agents (orchestrator → specialist → tool), the compliance record must link all steps. The pattern: generate a decision_id at the orchestrator level, pass it through config to all subgraphs, and include it in every Ghost SDK capture() call. This creates a linked audit trail for the complete decision chain. When a regulator requests the complete decision trail for a specific case, retrieving all records with the same decision_id returns the full reasoning path from orchestrator intent to final decision.

Human Override Capture for LangGraph

EU AI Act Article 14 requires human oversight capability with documented override procedures. GDPR Article 22(3) requires human review rights for automated decisions. Ghost SDK's capture_override() method records human corrections: original_decision_id (linking to the AI decision), reviewer_id (who reviewed), original_action (what the AI decided), corrected_action (what the human changed it to), and reason (why the correction was made). Override records satisfy the Article 14 documentation requirement and are exported as JSONL in OpenAI fine-tuning format — human corrections that improve agent behavior over time.