DEV Community

t49qnsx7qt-kpanks

aws ships mcp audit trails — here's what's still missing

aws made its MCP server generally available on May 6. the announcement leads with something that matters: CloudTrail now captures every API call an MCP server makes, published under the AWS-MCP CloudWatch namespace, with IAM policies separating human permissions from agent permissions.

that's not a minor feature. it's the first time a tier-1 cloud has built agent/human permission separation into the infrastructure layer by default.

but there's a gap between "we have CloudTrail logs" and "we have compliance documentation" — and that gap is exactly what teams running high-risk AI deployments are going to hit in the next 90 days.

what aws gives you

CloudTrail captures the API layer. you get a record of what the MCP server called, when, and with which IAM identity. the AWS-MCP CloudWatch namespace surfaces latency and call volume. you can distinguish agent-initiated calls from human-initiated calls in the log.

that's solid observability infrastructure. it's what you'd want for debugging and cost attribution.

what it doesn't give you

a compliance officer reviewing a high-risk EU AI Act deployment doesn't need a CloudTrail dump. they need a structured document that maps to the Act's transparency requirements: what was the model, what was its authorization scope, what decisions did it make that affected the output, and is there a tamper-evident record of that chain?

the AWS audit trail tells you the agent called s3:GetObject at 14:32:07. it doesn't tell you whether that access was within the agent's declared decision boundary, or whether the output constituted a "high-risk AI decision" under Article 6.

that reconstruction is still manual. someone has to take the CloudTrail log, map it back to the agent's task context, and produce documentation that a compliance team can actually review and sign off on.
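the mapping step described above, as an added example (not code from this post, AWS, or any product named here): it filters CloudTrail-style records to the agent's identity, marks each call in or out of a declared scope, and hash-chains the result. the `SCOPE` format, the ARNs, the bucket names and the records are constructed assumptions; only the field names follow CloudTrail's record layout.

```python
import hashlib
import json

# hypothetical declared scope for one agent (the format is an assumption)
SCOPE = {
    "agent_arn": "arn:aws:sts::111122223333:assumed-role/mcp-agent/task-42",
    "allowed": {"s3:GetObject": {"reports-bucket"}},
}
HUMAN = "arn:aws:iam::111122223333:user/alice"  # constructed

def rec(time, name, arn, params):
    return {"eventTime": time, "eventSource": "s3.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": params}

# constructed sample records (standard CloudTrail field names)
RECORDS = [
    rec("2025-01-01T14:32:07Z", "GetObject", SCOPE["agent_arn"],
        {"bucketName": "reports-bucket", "key": "q3.csv"}),
    rec("2025-01-01T14:32:09Z", "GetObject", SCOPE["agent_arn"],
        {"bucketName": "hr-bucket", "key": "pay.csv"}),
    rec("2025-01-01T14:33:00Z", "ListBuckets", HUMAN, None),
]

def digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_trace(records, scope):
    """Keep the agent's calls, mark each in or out of scope, hash-chain them."""
    trace, prev = [], "0" * 64
    for r in sorted(records, key=lambda r: r["eventTime"]):
        if r["userIdentity"]["arn"] != scope["agent_arn"]:
            continue  # human-initiated call, not part of the agent trace
        action = r["eventSource"].split(".")[0] + ":" + r["eventName"]
        params = r.get("requestParameters") or {}  # CloudTrail may log null
        bucket = params.get("bucketName")
        entry = {"time": r["eventTime"], "action": action, "bucket": bucket,
                 "in_scope": bucket in scope["allowed"].get(action, set()),
                 "prev": prev}
        entry["hash"] = prev = digest(entry)
        trace.append(entry)
    return trace

def verify(trace):
    """Recompute the chain; an edited, reordered or mid-chain-deleted entry fails."""
    prev = "0" * 64
    for e in trace:
        if e["prev"] != prev or digest(e) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

the chain only detects truncation or a full rewrite if the latest hash is also stored somewhere the log writer cannot modify.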

the pattern across every major platform right now

this is the same gap showing up everywhere. AWS ships CloudTrail. Composio ships gateway-level audit logs for MCP. Microsoft ships Purview records for Copilot. each platform logs the infrastructure layer — and each compliance team is left doing a translation step from "log" to "audit documentation."

a reasonable estimate: that translation step takes 3-5 days per deployment, assuming someone on the team knows what EU AI Act Article 12 actually requires. most teams don't have that person.

what closes the gap

BizSuite AI-Audit takes the infrastructure log — CloudTrail, gateway logs, whatever the MCP server produces — and generates structured compliance documentation in 48 hours: decision-trace format, model identification, authorization scope documentation, audit trail structured for EU AI Act review. $997 flat entry point.

the AWS GA announcement is a signal that enterprise MCP adoption is real. the compliance infrastructure to support it is not ready. the teams shipping agents into production on AWS right now are the ones who are going to need audit documentation before August 2.

if you're building on AWS MCP Server, the CloudTrail foundation is there. the compliance report isn't. that's the 48-hour window: https://getbizsuite.com/ai-audit
