NYDFS 23 NYCRR 500.6: logs do not satisfy AI audit trails

Q: Does the CISO annual certification under § 500.17(b) cover this?

It covers the obligation but not the evidence. § 500.17(b)(1)(i) requires the certification to be based on data and documentation sufficient to accurately determine and demonstrate material compliance. A CISO who certifies § 500.6(a)(2) compliance for AI systems without an evidence trail at the operation level is signing on faith. The 2023 Second Amendment dual-signature rule under § 500.17(b)(2) puts the highest-ranking executive of the Covered Entity on that risk too.

// what is at stake

23 NYCRR § 500.6(a)(2) audit trails must be designed to detect and respond to Cybersecurity Events.
The October 2024 Industry Letter confirms this rule already binds AI systems handling NPI.
An application log that records HTTP method, status code, and latency does not detect a Cybersecurity Event at the operation level.
The CISO and the highest-ranking executive of the Covered Entity co-sign material compliance under § 500.17(b)(2). Both names go on the certification.
Editorial note · the headline sentence is Warrant's reading of § 500.6(a)(2) when applied to AI per the 16 October 2024 Industry Letter. NYDFS did not write the sentence. § 500.6(a)(2) and the Industry Letter Conclusion (both quoted verbatim below) are the load-bearing primary sources.

01 · THE EXACT LINE

The exact line, in context.

23 NYCRR § 500.6(a)(2) · NYDFS Industry Letter, 16 October 2024, second paragraph (Introduction) and "Controls and Measures" section

The October 2024 Industry Letter opens with one sentence that sets everything else. Read it slowly.

"This Guidance does not impose any new requirements beyond obligations that are in DFS's cybersecurity regulation codified at 23 NYCRR Part 500 (the 'Cybersecurity Regulation' or 'Part 500'); rather, the Guidance is meant to explain how Covered Entities should use the framework set forth in Part 500 to assess and address the cybersecurity risks arising from AI." NYDFS Industry Letter · 16 October 2024 · paragraph 2

That sentence is the wedge. The Industry Letter is not a new rule. It applies an existing rule, in effect since 2017 and last amended November 2023, to AI. That rule includes 23 NYCRR § 500.6, the audit trail provision:

"Each covered entity shall securely maintain systems that, to the extent applicable and based on its risk assessment: (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity; and (2) include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered entity." 23 NYCRR § 500.6(a)(1)–(2) · Second Amendment · effective 1 November 2023

The two clauses do different work. § 500.6(a)(1) is about reconstructing financial transactions. § 500.6(a)(2) is about detecting and responding to Cybersecurity Events. An AI agent that touches Nonpublic Information is in scope for both, but the (a)(2) clause is the harder test, because Cybersecurity Event under § 500.1(f) is a broad category covering unauthorized access, attempts at it, and tampering with Information Systems.

Read against § 500.6(a)(2), the question for a compliance team is whether today's logs support detection of, and response to, the Cybersecurity Events an AI system can produce. For most teams running production AI, the answer is no. Standard API call logs record traffic. They do not record decisions, authorization checks, or the boundaries of NPI access. LLM inference logs record prompts and completions, sometimes redacted. Neither carries the binding § 500.6(a)(2) requires.

02 · NPI · § 500.1(k)

What NPI means in 23 NYCRR § 500.1(k).

23 NYCRR § 500.1(k), Nonpublic Information definition · Second Amendment, effective 1 November 2023

The Industry Letter uses the term Nonpublic Information, abbreviated NPI, in nearly every paragraph of Sections II and III. The term is defined in 23 NYCRR § 500.1(k), broader than most engineering teams assume.

"Nonpublic information means all electronic information that is not publicly available information and is: (1) business related information of a covered entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the covered entity; (2) any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number; (ii) drivers' license number or non-driver identification card number; (iii) account number, credit or debit card number; (iv) any security code, access code or password that would permit access to an individual's financial account; or (v) biometric records; (3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to: (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family; (ii) the provision of health care to any individual; or (iii) payment for the provision of health care to any individual." 23 NYCRR § 500.1(k)

Three things follow.

The (1) prong covers any business information whose tampering would materially impact operations. A retrieval-augmented agent reading internal pricing tables is touching NPI under prong (1). A model that ingests internal credit policy is touching NPI under prong (1). Most AI deployments inside a financial services company are in scope before the engineering team realises it.

The (2) prong is the classic PII prong, but the combination test matters. A name plus an account number is NPI. A name plus a security code is NPI. An LLM prompt that quotes a customer email plus the last four digits of a card is NPI under prong (2)(iii).

The (3) prong sweeps in health information. Insurers writing health coverage are in scope. So is a fintech agent that touches a flexible spending account claim, because the claim relates to "payment for the provision of health care." Most production AI agents in NY-licensed financial services touch all three prongs in a single trace. § 500.6(a)(2) attaches to every one of those touches.

03 · OPERATION LEVEL

What the audit trail must capture, at the operation level.

23 NYCRR § 500.6(a)(2) read with § 500.1(f) Cybersecurity Event definition

An audit trail "designed to detect and respond" to a Cybersecurity Event is not the same shape as an application log. The trail must let an investigator answer four questions about each operation an AI agent performed.

What was accessed. The specific NPI element. Not a request body hash. A reference to the Customer ID, the Account ID, the document slug, the row in the source-of-truth system. If the agent fetched the customer's last twelve transactions, the audit trail records those twelve specific transaction IDs, not "GET /transactions returned 200 in 84ms."
By which agent. The model identifier, the orchestrator version, and where applicable the foundation model provider. "claude-opus-4-7" is acceptable. "AI" is not. "OpenAI gpt-4o-2024-08-06" is acceptable. "the chatbot" is not. § 500.11 third-party service provider governance attaches to the foundation model provider.
Under what authorization. The policy, the role, the purpose limitation under which the agent was permitted to take the action. An agent that accessed an account number is in scope for § 500.7 access privileges and the audit trail must record the authorization that the access satisfied. Without this, an investigator cannot tell legitimate access from compromised access.
When. A timestamp the Covered Entity cannot retroactively change. The five-year retention clock under § 500.6(b) is meaningless if the timestamps inside the audit trail can be edited after a Cybersecurity Event.

Contrast this with the standard API call log a typical AI deployment produces. The API gateway records timestamp, method, path, status, latency, request size. The LLM inference log records prompt tokens, completion tokens, model id, and a redacted prompt body. Neither shape answers the four questions at the operation level. The gateway log knows a request returned 200. It does not know what was accessed or under what authorization. The inference log knows the model returned a completion. It does not know what the agent then did, or whether the action stayed inside purpose.

This is what NYDFS means when it requires Covered Entities to apply Part 500 to AI. The audit trail rule is operation-shaped. Standard API call logs and LLM inference logs are traffic-shaped. Necessary for SRE. Not sufficient for § 500.6(a)(2).

04 · MAP TO § 500.6

How the requirement maps to existing audit trail rules.

23 NYCRR § 500.6(a)–(b) audit trail and retention

The mapping is direct. NYDFS did not write a new rule. It took the existing one and confirmed it applies to AI.

§ 500.6(a)(1) requires audit systems designed to reconstruct material financial transactions. For an AI agent that takes a lending decision, this maps to the action chain. The agent retrieved the application. The agent retrieved the credit bureau pull. The agent ran the affordability check. The agent recommended approval at a specific rate. Each of these is an action on a financial transaction and the (a)(1) clause attaches.

§ 500.6(a)(2) requires audit trails designed to detect and respond to Cybersecurity Events. For the same agent, this maps to the authorization chain. The agent had role X. Role X was permitted to read application data under purpose Y. The action stayed inside purpose Y. If the agent had instead read an account number unrelated to the application, that would be unauthorized access, a Cybersecurity Event under § 500.1(f), and the (a)(2) clause attaches.

§ 500.6(b) requires the Covered Entity to maintain records under (a)(1) for at least five years and records under (a)(2) for at least three years. An audit trail that lives inside an application log rotation policy of 30 days does not satisfy. The retention clock attaches the moment the trail begins.

The Industry Letter does not lengthen the clock or change the structure. It identifies AI as a class to which the existing structure applies. That is the regulatory shift on 16 October 2024. A small shift on paper. A large one in practice, because the rule, applied honestly to a 2026 AI deployment, demands an audit trail of a shape almost no production AI system produces today.

05 · EVIDENCE PACKAGE

What an evidence package that satisfies looks like.

23 NYCRR § 500.6(a)(2) audit trail · § 500.17(b) certification · sample at /samples/us-fintech.pdf

An evidence package for a single AI-driven action is not a log file. It is a record mapped to a specific EU AI Act obligation, and it is independently verifiable without contacting Warrant, so the timestamp is not under the Covered Entity's own control.

The Warrant format produces one PDF per trace. Each action gets a row carrying actor, subject, inputs, outputs, authorization assessment, and the regulator obligation it maps to. An investigator can prove the package existed at time T without trusting the Covered Entity's clock.

A sample for a NY-licensed small-business underwriting agent is at /samples/us-fintech.pdf. Package id 041f2335488dd56f. The verification page at /verify?id=041f2335488dd56f confirms the package is independently verifiable without contacting Warrant. The Part 500 obligation mapping is at /regulators/nydfs-part-500. The companion US bank model-risk obligation is read at SR 11-7 / SR 26-2, line by line.

NYDFS obligation	Warrant evidence field	Status
§ 500.6(a)(1) reconstruct material financial transactions	trace.actions[*] (per-action subject, inputs, outputs, ts) bound into a record mapped to a specific EU AI Act obligation	live
§ 500.6(a)(2) audit trails to detect and respond to Cybersecurity Events	trace.actions[*].authorization (within_purpose, preconditions_met, human_oversight_appropriate, reversible, justification) per action	live
§ 500.6(b) retention (five years for (a)(1), three years for (a)(2))	Per-trace existence record, independently verifiable without contacting Warrant at time T, plus the Covered Entity's own evidence storage	live
§ 500.11 third-party AI governance (foundation model providers in scope)	trace.actions[*].actor (model identifier, e.g., claude-opus-4-7) + trace.model_provider	live
§ 500.17(b)(2) dual-signed CISO and highest-ranking executive certification	Per-trace evidence package, aggregable by the CISO into a § 500.17(b) certification roll-up. Cross-trace inventory roll-up ships v0.5.	aggregation roadmap

06 · DO THIS WEEK

Three things compliance teams should do this week.

Operational checklist · 23 NYCRR § 500.6(a)(2) and § 500.17(b)

The October 2024 Industry Letter has been in force for nineteen months. The compliance work it implies is overdue at most Covered Entities. Three steps this week.

Inventory every production AI system that touches NPI. Pull the model id, the orchestrator name, the foundation model provider, and the primary use case. The Industry Letter's risk assessment expectation under § 500.9 cannot be satisfied without a written inventory. Treat this as the single source of truth the CISO will sign on next April 15 under § 500.17(b)(1)(i).
Read your existing logs against the four-question test. For one production AI agent, take a single action and ask whether the log answers the four questions in this post. What was accessed. By which agent. Under what authorization. When. If the log does not answer at the operation level, the gap is your § 500.6(a)(2) gap and it is the gap a regulator examining a Cybersecurity Event will surface first.
Decide whether to build the evidence pipeline in-house or use a vendor. The build is not trivial. Operation-level capture, a record mapped to a specific EU AI Act obligation, and evidence the regulator can verify independently without contacting the vendor. The buy is faster. Either way, the deliverable is a per-action evidence record mapped to a specific obligation, not a streaming log feed. Pick one path this week and put a date on it.

07 · FAQ

Questions a compliance officer asks first.

FAQ · sourced from inbound from NY-licensed Covered Entities Apr to May 2026

Is this requirement only for NY-licensed financial services entities?

Direct enforcement reaches every Covered Entity under 23 NYCRR § 500.1(e). That includes NY-chartered banks, NY-licensed insurers, virtual currency licensees under Part 200, and NY-licensed lenders. The functional reach is wider, because national TPSPs serving a Covered Entity inherit the audit trail expectation through § 500.11 third-party service provider security policy.

Does the requirement apply retroactively to existing logs?

No. § 500.6(a)(2) is forward-looking. The audit trail must be in place on a going-forward basis. Existing application logs do not need to be re-signed. The five-year retention clock in § 500.6(b) starts when the audit trail begins to satisfy the rule, not when the legacy logs were originally written.

What about foundation model providers? Are they in scope?

Yes, through § 500.11 third-party service provider governance. The October 2024 Industry Letter identifies supply chain vulnerabilities as one of four AI risk categories. A foundation model provider that processes NPI on a Covered Entity's behalf is a TPSP under § 500.1(s) and the Covered Entity's audit trail must record the model identity and the model provider per action.

Does the CISO annual certification under § 500.17(b) cover this?

It covers the obligation, not the evidence. § 500.17(b)(1)(i) requires the certification to rest on data and documentation sufficient to demonstrate material compliance. A CISO who certifies § 500.6(a)(2) compliance for AI without an operation-level evidence trail is signing on faith. The 2023 dual-signature rule under § 500.17(b)(2) puts the highest-ranking executive of the Covered Entity on that risk too.

When is the next NYDFS guidance update expected?

Unknown. NYDFS has not published a calendar for AI guidance refreshes. Watch the Cybersecurity Resource Center page and the NYDFS press archive. The agency tends to issue guidance after a material incident, so the trigger is unpredictable. The October 2024 letter explicitly notes that AI risks will evolve and that Covered Entities should review programs at regular intervals.

How do i produce a satisfying audit trail today?

Drop your AI agent's execution trace at warrant.build/demo. Warrant produces a PDF mapped to § 500.6(a)(2) per action. Sample at /samples/us-fintech.pdf. Each package is independently verifiable without contacting Warrant at /verify.

08 · READ THE SOURCE

Read the source directly.

// per-obligation Warrant evidence field mapping at /regulators/nydfs-part-500 · download sample US evidence package · package id 041f2335488dd56f · independently verifiable without contacting Warrant at /verify?id=041f2335488dd56f

Authored by Warrant Compliance, the regulatory-analysis function at Warrant. For correspondence · [email protected]. Editorial commentary on regulatory text. Not legal advice. The headline sentence "standard API call logs and LLM inference logs do not satisfy this requirement" is Warrant's reading of 23 NYCRR § 500.6(a)(2) when applied to AI systems per the 16 October 2024 Industry Letter. NYDFS did not write that sentence. The regulation, read straight, says it.

Standard API call logs do not satisfy 23 NYCRR § 500.6.