> ## Documentation Index
> Fetch the complete documentation index at: https://conductorone-docs-cxp-655.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Audit AI tool usage

> What C1 logs for every AI tool call and AI system event, and where to find audit export options.

<Note>
  **Activation required.** AI access management must be enabled for your tenant before you can use it. To get started, [contact the C1 support team](mailto:support@c1.ai) for a walkthrough.
</Note>

Every tool call that flows through C1 MCP is logged. This page covers what's captured and how to export it for long-term retention, SIEM ingestion, or compliance reviews.

## What gets logged

Each tool call produces one audit log entry with:

| Field             | Example                                                                                                                  |
| :---------------- | :----------------------------------------------------------------------------------------------------------------------- |
| **Timestamp**     | `2026-05-07T14:23:11Z`                                                                                                   |
| **End user**      | The C1 user the AI client is bound to                                                                                    |
| **AI client**     | Client ID and display name                                                                                               |
| **MCP server**    | Registered server name                                                                                                   |
| **Tool**          | Tool name (for example, `github_create_issue`)                                                                           |
| **Result**        | Success / denied / error                                                                                                 |
| **Denial reason** | Populated when result = denied (for example, "tool not in user's access profile", "kill switch active", "client closed") |
| **Latency**       | Round-trip time for the call                                                                                             |

In addition to tool call events, the following non-call events are also captured:

* Access request submitted / approved / denied
* Tool approved / disabled / classification changed
* MCP server registered / removed / auth changed
* AI client registered / state changed (active → hidden → closed → deleted)
* Kill switch flipped (tenant, server, tool, or client level)
* Tenant defaults changed

## Export the audit log

AI tool usage events are included in the C1 system log. To set up export to S3 or another data source for SIEM ingestion, see [System logs](/product/admin/system-log).
