Skip to content

Audit and usage reporting

This page shows you how to review what’s happening in your workspace — who did what, how the safety review behaved, and how much of your monthly allowance your people are using — and how to export those records for an audit. By the end you’ll know where each record lives, how to read it, and how to get it out of the product when compliance asks.

Who this is for: workspace administrators and the compliance, security, or IT owners who support them. Some of these records are visible to oversight reviewers (the Governance Manager role) without giving them the ability to change anything — exactly the separation you want for an auditor.


  • You have the right role. To review and export the oversight record, you need at least the Governance Manager role. To read the access audit and change settings, you need a Tenant Admin (or higher) role. If you can’t see the governance or audit views, ask your tenant administrator to grant access — see Users and roles.
  • You know what you’re after. Audits usually ask one of three questions: who was granted access to what?, was content reviewed for safety?, or how much are we using? Each has its own record, described below.
  • You know your reporting window. Most exports are filtered by date range, so have your start and end dates ready.

The four records, and where each one lives

Section titled “The four records, and where each one lives”

Everything below is kept for you automatically. This table tells you which record answers which question, who can see it, and whether it can ever be altered.

RecordAnswersWho can review itCan it be edited or deleted in‑product?
Access audit (role and access changes)Who assigned or removed which role, and whenTenant Admin and aboveNo. It’s immutable — no one can edit or delete entries from inside the product.
Safety review record (governance)What was checked on each message, and what was heldGovernance Manager and aboveNo. Each review is recorded as it happened.
Settings historyWhat workspace setting was changed, by whom, and whenTenant Admin and aboveNo. It’s append‑only — entries can be added, never altered or removed.
UsageHow much of your monthly allowance is consumed, by user and by projectEach user sees their own; admins see the orgUsage is a running count, not an editable log.
Consent historyWhich optional activities each user turned on or offThe user (their own); admins (org defaults)It’s a per‑user history of changes.

This is the record most compliance and security reviewers care about: for every message, Chat records what its safety review checked and whether anything was held.

  1. Open the governance area from Settings → Governance. Reviewers with the Governance Manager role land here without needing any settings access.
  2. Look at the overview first. It shows how well your published assistants are covered by a safety profile — each shows as protected, a gap (published but missing or with a broken safety profile), or unknown (no profile attached). Resolve gaps from Governance and policy.
  3. Drill into the safety review events. Each event corresponds to one safety check on one message. You can narrow the list by:
    • whether content was allowed or held,
    • whether personal data was detected, and
    • which review point ran the check (incoming message, retrieved evidence, assembled request, or final answer).
  4. Read a held event. A “held” event means the safety review stopped that piece of content. Often this is a cautious hold (the safety service was briefly unavailable on a cautious checkpoint) rather than a real violation — the event tells you which.

For how the four review points work and how to tune which safety profile applies, see Governance and policy.


When an auditor asks “who gave this person admin?” or “who changed our consent defaults?”, these are the records that answer it.

  1. Open the administration area as a Tenant Admin (or higher).
  2. For access changes, review the role-and-access audit. Each entry records the action (a role assigned or removed, an access grant added or revoked), who did it, who it affected, and exactly when. Entries are written automatically and can’t be edited or removed.
  3. For configuration changes, review the settings history. It’s append-only, so you see the full sequence of changes to your workspace settings over time, with the actor and timestamp on each.

Usage answers “how much are we consuming, and who’s driving it?” Your allowance is set by your plan and shared across your organization.

  1. For a personal view, any user can open Settings → Token Usage to see their own consumption against their limit.
  2. For the org view, open the usage area as an administrator. You can see consumption rolled up by user and by project against your shared monthly allowance.
  3. Watch your headroom. Your plan sets a monthly ceiling for the organization, and the usage view is how you see — ahead of time — when a person or project is approaching it, so you can plan rather than be surprised. To give one person or project more room, adjust their allowance; to raise the organization’s overall ceiling, move up a plan yourself from Settings → Plan (Solo through Business Plus are self-serve; Enterprise is arranged with your account team). See Model access and tiers.

When compliance or an external auditor needs the record out of the product:

  1. Decide which record you need — the safety review record, the access audit, or the settings history — using the table above.
  2. Confirm your role. Exporting the oversight record requires the Governance Manager role (or higher). This lets a dedicated reviewer pull the evidence without holding any power to change settings or moderate conversations.
  3. Set your reporting window. Filter to the date range the audit covers before exporting, so the export contains exactly the period in question.
  4. Apply any filters you need — for the safety record, you can scope to held content, personal-data detections, or a specific review point.
  5. Export, then hand off. The export is your evidence package for that window.

Worked example: prepare a quarterly access-and-safety review

Section titled “Worked example: prepare a quarterly access-and-safety review”

Your compliance team runs a quarterly review covering “who got new access?” and “did anything unsafe get through?”

  1. Give your two reviewers the Governance Manager role (see Users and roles). They can now review and export the oversight record without being able to change a single setting.
  2. Set the window to last quarter in the governance events view.
  3. Pull the safety record. Filter to held events and to personal-data-detected events for the quarter, and export both — that’s the “did anything unsafe get through, and was personal data caught?” evidence.
  4. A Tenant Admin pulls the access audit for the same window — every role and access change, with actor and timestamp — answering “who got new access?”
  5. Check coverage as of today. Confirm every published assistant shows as protected, not gap, so next quarter starts clean.
  6. Hand the package to compliance. Three exports — held safety events, personal-data detections, and access changes — cover the review, and none of them could have been altered inside the product.

The result: a complete, tamper-resistant evidence package, produced by reviewers who can see everything and change nothing.


I can’t see the governance or audit views at all. You don’t have a role that grants access. Oversight (review and export) needs the Governance Manager role; the access audit and settings history need Tenant Admin or higher. Ask your tenant administrator — see Users and roles.

My hold rate looks far too high. You’re probably counting skipped reviews as denials. Skipped means the check didn’t apply to that message — it’s not a violation. Filter to held content only, and exclude skipped, for an accurate figure.

A safety event shows content was held, but the content looks fine. That’s usually a cautious hold on one of the later review points (assembled request or final answer): if the safety service is briefly unavailable there, Chat holds the response rather than risk sending something unreviewed. The event distinguishes a cautious hold from a genuine violation. If legitimate content is held repeatedly, check that the assistant has the right safety profile — an overly strict profile can be the cause (see Governance and policy).

An administrator says they can’t delete an old audit entry. That’s by design. The access audit and the settings history can’t be edited or deleted from inside the product — that immutability is what makes them trustworthy in an audit. Long-term archival is handled by your operations team.

Our usage numbers and a user’s personal view don’t match. The org view rolls usage up across everyone against your shared allowance; an individual’s Settings → Token Usage shows only their own consumption. They’re measuring different scopes, not disagreeing.


  • Governance and policy — set the safety profiles and consent defaults that the safety record reflects.
  • Users and roles — assign the Governance Manager (oversight) and administrator roles that control who can review and export.
  • Model access and tiers — your plan, your monthly allowance, and how response modes affect usage.
  • Tenant isolation — how your records and data stay separate from every other organization’s.