cloudtrail tells you what happened — it doesn't tell you why it mattered

the AWS MCP server GA on May 6 buried the most important detail in a bullet point: CloudTrail now captures every API call an MCP server makes, separated by IAM identity, published under the AWS-MCP CloudWatch namespace.

that's the first time a major cloud platform has baked human/agent permission separation into the infrastructure layer by default. it matters.

but here's the gap teams are about to run into.

a CloudTrail record looks like this:

{
  "eventTime": "2026-05-06T14:32:07Z",
  "eventName": "GetObject",
  "userAgent": "mcp-server/1.0",
  "requestParameters": { "bucketName": "prod-docs", "key": "customer-data/q1-report.csv" },
  "sourceIPAddress": "10.0.1.45"
}

that tells you the agent called s3:GetObject at 14:32. it does not tell you:

• whether that access was within the agent's declared decision boundary
• whether the output was used to make a high-risk decision under EU AI Act Article 6 criteria
• whether a human had visibility into that access before the downstream action fired
• whether the chain of custody from agent input to output is documented in a form a compliance officer can sign off on

the AWS audit trail gives you observability. compliance is a different problem.

the translation step nobody budgeted for

EU AI Act Article 12 requires "appropriate human oversight measures" and documentation of high-risk AI system decisions. that's not a log query — it's a structured document mapping agent actions to decision context, authorization scope, and the regulatory criteria the system was designed to satisfy.

the CloudTrail dump + a compliance engineer who knows Article 12 = 3 to 5 days of work per deployment, generously. most teams shipping on AWS MCP Server right now don't have that person, and the August 2 transparency deadline is 83 days out.

this is the same gap showing up across every platform: AWS ships CloudTrail, Composio ships gateway-level audit logs, Microsoft ships Purview records for Copilot. each one captures the infrastructure layer. none of them produce the compliance document.

what closes it

BizSuite AI-Audit takes the infrastructure output — CloudTrail, gateway logs, whatever the MCP server generates — and produces a structured compliance report in 48 hours: decision-trace format, model identification, authorization scope documentation, audit trail structured for EU AI Act review. $997 entry point.

the AWS GA announcement is real signal that enterprise MCP adoption is moving fast. the compliance infrastructure to support it isn't ready. the teams in production on AWS MCP Server today are the ones who'll need that audit documentation before August 2.

the CloudTrail foundation is there. the compliance report isn't. that's the gap: https://getbizsuite.com/ai-audit

NOTE: lead #40 shares source URL with lead #34 (aws_mcp_server_ga_20260506, already drafted). this draft takes a distinct angle — code-level CloudTrail record illustration and the translation-to-compliance framing — rather than duplicating the existing article. publisher should confirm whether to publish both or select one.