The audit-trail mandate: how expert networks are engineering immutable agent logs for buy-side compliance
SEC Rule 17a-4 and MiFID II record-keeping obligations are pulling a new compliance surface into being: cryptographically signed, exportable logs of every agent turn against regulated research content.

When a buy-side analyst prompts Claude to summarize a GLG transcript through an MCP connector, or asks Perplexity to reconcile three Guidepoint interviews against a company's last earnings call, the artifact that gets created is not an email, a chat message, or a call recording. It is a distributed sequence of tool calls, retrieved chunks, and generated outputs, running across at least two vendors' infrastructure, and it is not natively captured by any of the compliance archives the firm has spent the last decade wiring up.
That gap is the story. Our read is that agent-log immutability, meaning cryptographically signed, exportable, tamper-evident records of every agent-mediated interaction with regulated research content, is on its way to becoming a category-level requirement for expert networks, in the same way that WORM-compliant chat archiving became a category-level requirement for Bloomberg and Symphony a decade ago. The regulatory anchors already exist. The technical primitives already exist. What is missing is the last-mile plumbing that connects agent traffic to the compliance stack the buy-side already runs.
The artifact chain has changed
For most of the last decade, the compliance surface for a research interaction was straightforward to reason about. An analyst emailed an expert network moderator to set up a call. The call was recorded, transcribed, and delivered as a PDF or a transcript file. The email lived in the firm's Microsoft or Google archive, ingested by Global Relay or Smarsh. The transcript lived in the expert network's portal and, for firms that pulled it down, in the internal research management system. The audio recording, when retained, lived with the network. Each artifact had a known custodian, a known format, and a known retention path.
MCP breaks this cleanly. When an analyst at a hedge fund runs a prompt against an MCP connector into Guidepoint, GLG, or AlphaSense, the interaction produces at least four artifacts that did not previously exist as discrete objects: the user prompt, the tool-call payload the model sends to the MCP server, the retrieved content chunks the server returns, and the model's generated response. Each of these is a communication in the regulatory sense. Each is tied to an investment decision in the way FINRA and ESMA use that phrase. And none of them is captured by the systems the firm bought to capture Bloomberg messages, Symphony chats, and Teams calls.
This is not a hypothetical gap. Guidepoint has published MCP connectors into Claude and Perplexity. GLG has integrated into Bloomberg's ASKB. AlphaSense has shipped an agentic layer that mediates queries across its transcript and filings corpus. The traffic is running now. The question is whether the log of that traffic is being preserved in a form a regulator will accept two years from now.
What Rule 17a-4 actually says after the 2022 amendment
The 2022 amendment to SEC Rule 17a-4(f) is the pivot point. The original rule, which dates to the paper-and-microfilm era, required broker-dealers to preserve electronic records in a non-rewriteable, non-erasable format. WORM storage. That framing had been under industry pressure for years because it forced firms into a narrow set of archive products and did not map onto how cloud-native storage actually works.
The amendment kept WORM as an option and added an audit-trail alternative. Under the new language, a firm may preserve electronic records using a system that maintains a complete time-stamped audit trail, including all modifications and deletions, provided the audit trail itself is preserved for the full retention period and can be independently verified. The full rule text sets out the specifics.
Read against the MCP artifact chain, this is unusually well suited to cryptographic approaches. A Merkle-tree hash chain of tool-call payloads, where each turn's hash incorporates the previous turn's hash, produces exactly the property the audit-trail alternative asks for: any modification to any historical turn invalidates every subsequent hash, and the chain can be independently verified by anyone holding the root. Signed retrieval provenance, where the MCP server signs the chunk it returned along with a timestamp and a content hash, closes the second half of the loop by binding the model's output to a specific, unmodified piece of source content.

Our view is that the 2022 amendment was written with encrypted messaging platforms and cloud archives in mind, but it turns out to be almost a perfect fit for agent logs. The regulatory language does not care whether the audit trail is generated by an email server or by a hash chain over LLM tool calls. It cares whether the trail is complete, time-stamped, tamper-evident, and preservable. Those are engineering properties, and they are properties agent infrastructure can be built to have.
FINRA 3110 and MiFID II pull in the same direction
The SEC rule is the storage layer. FINRA and MiFID II are the supervision layer, and they push the same requirement from a different angle.
FINRA Rule 3110 requires member firms to establish and maintain a supervisory system for the activities of each associated person, including a system for the review of incoming and outgoing electronic correspondence and internal communications relating to the member's investment banking or securities business. The rule's implementing guidance has been progressively broadened by FINRA to cover new communications channels as they emerge. Chat platforms. Collaboration tools. Voice. The pattern each time has been the same: once a channel becomes load-bearing for investment decisions, it comes under 3110 scope, and firms that were casual about capturing it retrofit under enforcement pressure.
Agent traffic is the next channel. When an analyst asks an MCP-connected model to summarize an expert transcript and then acts on that summary, the summary is a communication that informed an investment decision. A supervisor who wants to review that analyst's process has to be able to see what was asked, what the model was shown, and what it said back. Without a preserved log of the agent turn, that supervisory review is not possible, and the firm's 3110 program has a hole in it.
MiFID II Article 16(7) imposes the parallel obligation in Europe, requiring investment firms to record telephone conversations and electronic communications that relate to the reception, transmission, and execution of orders. ESMA's Q&A guidance on investor protection has consistently taken an expansive view of what counts as a relevant communication, and there is no principled reason agent turns would fall outside it once the industry treats them as a substitute for the research reading and note-taking they clearly are.
The 2026 exam priorities close the wait-and-see window
We read the SEC's 2026 examination priorities as removing the strategic option of waiting for a first enforcement case to define the rules. The Division of Examinations flagged both electronic communications and AI-tool governance as focus areas for the year, and the pairing is not accidental. Exam staff are already looking for the seam between the two.
In practice this means a registered adviser or broker-dealer whose analysts are using MCP tools against expert-network content in 2026 should expect an examiner to ask, at minimum: what records exist of those interactions, how are they preserved, who has access, and how does the firm's supervisory system review them. A firm that cannot answer those questions because the agent traffic runs through a vendor connector that produces no exportable log has a documentation problem that predates any specific enforcement theory.
The procurement consequence follows from the exam posture. Compliance and technology teams at buy-side firms are now asking vendors, including expert networks, for artifacts that did not appear on RFPs eighteen months ago: signed logs, hash-chain root exports, retrieval provenance manifests, integration paths into the firm's existing Global Relay or Smarsh archive. A vendor that ships an MCP connector without any of this pushes the compliance burden onto the client, and the client's compliance team increasingly says no.
The technical primitives are stable
The engineering side of this is less exotic than the regulatory framing suggests. The primitives are mature and drawn from adjacent domains where tamper-evident logging is already routine.
Merkle-tree hashing of tool-call sequences. Each agent turn (prompt in, tool call out, tool response in, generation out) is serialized, hashed, and linked to the previous turn's hash. The resulting chain has the property that any modification to any historical turn changes every subsequent hash, which is trivially detectable given the current root. This is the same construction used in certificate transparency logs and in every major blockchain, and mature libraries exist in every runtime an agent stack is likely to be written in.
W3C Verifiable Credentials for agent identity. A tool call from an agent to an expert-network MCP server carries a signed credential identifying which agent, on behalf of which user, at which firm, is making the call. The Verifiable Credentials specification is a W3C standard designed for exactly this pattern of cross-domain, cryptographically attributable claims. Expert networks that require signed credentials on inbound MCP requests get an attribution trail that survives the client leaving the firm, the vendor changing the model, and the model provider rotating its keys.
Retrieval provenance manifests. When the MCP server returns a chunk of a transcript in response to a tool call, it signs a manifest binding the chunk's content hash, the source document identifier, the timestamp, and the requesting credential. The manifest can be verified independently of the server, which matters because in an audit context the party asking the question is not the party running the server.
Integration hooks into existing archives. Smarsh's acquisition of Digital Reasoning's Conduct Surveillance business points to the direction the incumbents are moving: absorbing behavioral and content-analysis capabilities that let them ingest and reason over structured logs, not just message text. Global Relay and Bloomberg Vault are on parallel tracks. An expert-network audit-trail export that lands in one of these archives in a format the archive already understands, JSON-Lines with hash chains, signed manifests as attachments, is dramatically easier for a buy-side compliance team to accept than a bespoke portal the vendor asks them to log into.
None of these is a research problem. All of them are shipping problems, meaning the question is which vendors put them into production first and how they package the export for the compliance teams on the other side of the connector.
Where the incumbents and challengers sit
The expert-network incumbents (GLG, Guidepoint, AlphaSense, Third Bridge) have compliance surfaces that were built for the human-mediated call model. Vetting workflows, MNPI screens, moderator training, transcript delivery portals. That surface is real and defensible for its original scope. What it does not yet fully cover is the MCP-mediated query, where the client-side actor is a model rather than a human analyst, and where the artifact is a tool-call sequence rather than a call recording.
Our read is that the network with the tightest audit-trail shipping story on its MCP connector wins a procurement advantage that is difficult to reverse. A compliance officer who has approved one vendor's signed-log export format has a sunk cost in that format. Adding a second vendor with a different format doubles the review burden. Adding a third with no format at all fails the review.
The archival incumbents are moving. Smarsh's Digital Reasoning acquisition gave it the behavioral-surveillance layer that reads over logs rather than raw text, which is the shape agent traffic actually arrives in. Global Relay and Bloomberg Vault have both been public about extending capture into collaboration and voice, and agent traffic is the natural next channel. The open question is whether they extend by building native agent-log capture themselves, or by defining an ingestion format and letting the expert networks and model providers hand them signed exports.
The challengers, Hebbia and Rogo among the more visible, have the advantage of building for the MCP-native shape from the start. Their disadvantage is that they do not yet have the buy-side compliance-officer relationships the incumbents have accumulated over twenty years. Whichever side moves fastest on the shipping specifics, hash-chain root export, signed retrieval manifests, integration into Global Relay and Smarsh, sets the format everyone else has to be compatible with.
The counterargument
The honest counterargument is that regulators have not yet brought an enforcement case that turns specifically on missing agent logs, and until they do, the industry could plausibly muddle through on the theory that the model provider's own logs (Anthropic's, OpenAI's, Perplexity's) will satisfy examiner questions about what the analyst was shown and what the model said back.
We find this thin for two reasons. First, the model provider's logs are not designed for regulated-industry preservation. They exist for the provider's own operational purposes, they are subject to retention policies set by the provider, and they are not signed in a way that supports independent verification by a client's compliance team. A firm that relies on them is one policy change away from a gap. Second, the model provider's logs do not capture the expert-network side of the interaction with any specificity. They record that a tool call was made to a URL and that a response came back. They do not record what document was retrieved, what version of that document was retrieved, or whether the same tool call today would return the same content. That provenance lives on the expert-network side, and only the expert-network side can sign it.
The muddle-through path also assumes the first enforcement case will be gentle. Historically it has not been. FINRA's off-channel communications enforcement wave, which produced billions of dollars in fines against major dealers, was the industry's most recent object lesson in what happens when a communications channel becomes load-bearing before its capture is solved. The firms fined were not doing anything novel. They were using WhatsApp and personal text messages the way everyone was using them. The enforcement did not care.
What this means for the buy-side procurement conversation
The practical consequence for the buy-side is a checklist that did not exist eighteen months ago. When a hedge fund or asset manager evaluates an expert network's MCP connector today, the compliance-side questions our clients tell us they are being asked to answer are converging on the following shape.
Does the connector produce a per-turn log that includes the prompt, the tool call, the retrieved content identifier, the retrieved content hash, and the generated response? Is the log signed by the expert network, with a verifiable key? Is the log exportable in a format the firm's existing archive (Global Relay, Smarsh, Bloomberg Vault) can ingest? Is there a hash-chain root the firm can independently verify to detect tampering? Is the retention period configurable to match the firm's own retention policy, and does it default to at least the SEC's six-year minimum? Does the expert network provide a Verifiable Credentials interface that lets the firm bind agent identity to user identity in a way that survives model-provider changes?
A vendor that answers yes to all of these ships a connector that a buy-side compliance team can approve in a review meeting. A vendor that answers no to most of them ships a connector that becomes the compliance team's problem, and compliance teams have finite tolerance for other people's problems.
Powering institutional-grade transcription for expert networks.
INFLXD provides AI-powered, human-edited transcription with sub-1% error rates for the world's leading expert networks and financial research firms.
Visit inflxd.com →Keep reading.

7 Ways Buy-Side Firms Vet Expert Credentials Before an Engagement
A practical map of the verification steps research teams and expert-network operators run before a paid consultation clears compliance.

Inside the Accenture Ventures stake in AlphaSense: how a strategic investment became an agentic-workflow distribution channel
A corporate-venture check turned a Big Four consulting firm into a delivery channel for AI-native primary research.

7 Ways Buy-Side Firms Structure Expert-Network Call Prep in the Agent Era
How research analysts at hedge funds and PE shops are re-engineering the hour before an expert call, from MCP transcript retrieval to compliance gating.

