How to Set Up AI Usage Alerts and Compliance Reports

Build an audit trail for every AI API call. Activity logging, compliance reports, zero-data mode, and team access controls — everything you need for AI governance.

The problem: "how do you govern AI usage?"

Regulators are asking this question. Your security team is asking it. Your auditors are asking it. And if you're routing AI calls directly to OpenAI, Anthropic, or Google, you don't have an answer.

The EU AI Act requires risk assessment and transparency for AI systems. SOC 2 expects access controls and audit trails for sensitive data flows. Your own internal security policies likely mandate logging for third-party API usage. But right now, your AI traffic goes straight to providers with no centralized record of what was sent, what came back, or who authorized it.

You need a governance layer — not another compliance spreadsheet.

The solution: Grepture as an AI governance layer

Grepture is an AI gateway that sits between your application and every LLM provider. Every request flowing through the proxy is logged with operational metadata. On top of that, you get compliance reports, a full activity audit trail, team access controls, and zero-data mode for regulated environments.

No agents to install. No code instrumentation. Route your traffic through the proxy and governance is built in.

What gets recorded

For every request that passes through the proxy, Grepture captures:

  • HTTP method and status code — what was called and whether it succeeded
  • Latency — how long the provider took to respond
  • Model — which LLM handled the request
  • Token counts — input tokens, output tokens, total
  • Cost — calculated from each provider's model-specific pricing
  • Detection rule matches — which rules fired and what actions were taken
  • Request ID — unique identifier for tracing individual calls

Optionally, the full request and response bodies are stored and inspectable in the traffic log. If your compliance requirements prohibit storing content, zero-data mode (covered below) keeps bodies in memory only.

Setting up the gateway

Setup takes three steps. If you've used any of the provider-specific guides, this is the same pattern.

1. Install the SDK

npm install @grepture/sdk

2. Get your API key

Sign up at grepture.com/en/pricing and copy your API key from the dashboard.

3. Route your AI traffic through the proxy

import OpenAI from "openai";
import { Grepture } from "@grepture/sdk";

const grepture = new Grepture({
  apiKey: process.env.GREPTURE_API_KEY!,
  proxyUrl: "https://proxy.grepture.com",
});

const openai = new OpenAI({
  ...grepture.clientOptions({
    apiKey: process.env.OPENAI_API_KEY!,
    baseURL: "https://api.openai.com/v1",
  }),
});

This works with any provider — OpenAI, Anthropic, Google, Azure. See the SDK docs and provider-specific guides for detailed setup.

Once traffic flows through the proxy, every request is logged automatically. No additional configuration needed for basic governance.

Activity logging (Business+)

The Activity Log in the dashboard provides a full audit trail of every administrative change made to your Grepture account:

  • Rule changes — creation, updates, and deletions of detection rules
  • Team changes — member additions and removals
  • Settings changes — configuration updates, mode toggles, key regeneration

Each entry records who made the change and when. This is the audit trail your compliance team needs to demonstrate that AI governance controls are actively managed, not just configured once and forgotten.

Access the activity log from the dashboard sidebar. Entries are retained for the lifetime of your account.

Compliance reports (Business+)

The Reports page in the dashboard lets you generate two types of compliance reports:

Simple report

A summary of traffic volume, detection activity, and rule performance over a given period. Use this for weekly standups, internal reviews, or quick status checks with your security team.

Complete report

A detailed compliance report exported as a PDF. This includes granular findings — detection counts by category, rule match rates, traffic patterns, and a breakdown of actions taken. Use this for auditor requests, quarterly reviews, or regulatory submissions.

Both reports pull from the same operational metadata captured by the proxy. If zero-data mode is enabled, reports reflect metadata only — no request or response content is included.

Zero-data mode (Business+)

For regulated environments where persisting request content is not an option, zero-data mode ensures that request and response bodies never leave memory.

When enabled:

  • Request and response bodies are processed in-flight only — never written to disk or database
  • Headers, URLs, and query parameters are not stored
  • Detection rules still fire normally — PII detection, redaction, blocking all work during processing
  • Only operational metadata is persisted: HTTP method, status code, latency, token counts, cost, and rule matches

Toggle zero-data mode in the dashboard under API settings. This gives you full governance visibility — who called what model, when, at what cost, and which rules matched — without storing any content.
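The zero-data rule above, written as an allowlist with the audit check a reviewer could run over stored records. This is an added example, not Grepture's code or schema: the record shape, the field names, and the choice to keep `model` and `requestId` alongside the listed metadata are assumptions.

```typescript
// Added example, not Grepture code: the record shape and field names are assumptions.
type Rec = Record<string, unknown>;

// Operational metadata the page says is persisted; everything else is content.
const METADATA_FIELDS: readonly string[] = [
  "requestId", "method", "status", "latencyMs", "model",
  "inputTokens", "outputTokens", "totalTokens", "costUsd", "ruleMatches",
];
// A rule match keeps which rule fired and the action taken, never the matched text.
const MATCH_FIELDS: readonly string[] = ["rule", "action"];

function pick(src: Rec, allowed: readonly string[]): Rec {
  const out: Rec = {};
  for (const key of allowed) if (key in src) out[key] = src[key];
  return out;
}

// Allowlist projection: a field added to the capture later is dropped by default.
function toPersistedRecord(captured: Rec): Rec {
  const out = pick(captured, METADATA_FIELDS);
  const matches = captured["ruleMatches"];
  if (Array.isArray(matches)) out["ruleMatches"] = matches.map((m: Rec) => pick(m, MATCH_FIELDS));
  return out;
}

// Audit check: names of fields in a stored record that are not operational metadata.
function findContentLeaks(stored: Rec): string[] {
  const leaks = Object.keys(stored).filter((k) => METADATA_FIELDS.indexOf(k) === -1);
  const matches = stored["ruleMatches"];
  if (Array.isArray(matches)) {
    for (const m of matches) {
      for (const k of Object.keys(m)) {
        if (MATCH_FIELDS.indexOf(k) === -1) leaks.push("ruleMatches." + k);
      }
    }
  }
  return leaks.sort();
}

// Constructed sample of what a proxy holds in memory for one request.
const sampleCaptured: Rec = {
  requestId: "req-constructed-001", method: "POST", status: 200, latencyMs: 812,
  model: "example-model", inputTokens: 120, outputTokens: 45, totalTokens: 165,
  costUsd: 0.0021,
  ruleMatches: [{ rule: "pii-email", action: "redact", matchedText: "jane@example.com" }],
  url: "https://api.openai.com/v1/chat/completions",
  headers: { authorization: "Bearer CONSTRUCTED-PLACEHOLDER" },
  requestBody: '{"messages":["constructed prompt"]}',
  responseBody: '{"choices":["constructed reply"]}',
};
```

Running `findContentLeaks` on the raw capture names the URL, headers, both bodies, and the matched text inside the rule match; running it on the output of `toPersistedRecord` returns an empty list.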

Team access controls

Grepture supports team-based access with two roles:

Role   | Permissions
Owner  | Full access — manage rules, settings, billing, and team members
Member | View and manage rules, view traffic and settings

From Settings in the dashboard, owners can:

  • Invite members by email — new members receive an invitation to join the team
  • Revoke access — remove team members instantly
  • Manage pending invitations — view and cancel outstanding invites

This separation means your engineering team can manage detection rules and monitor traffic, while billing and team administration stay with designated owners. For compliance purposes, every team change is recorded in the activity log.

Detection rules for compliance

Beyond PII and secrets detection, Grepture includes AI-powered rules designed for compliance monitoring:

  • Compliance detection — flags healthcare, financial, legal, and insurance domain violations in AI traffic
  • DLP (Data Loss Prevention) — detects source code, credentials, internal documents, and financial data leaving your organization through AI calls
  • Toxicity detection — identifies toxic, threatening, or hateful content

For governance workflows where you want visibility without blocking production traffic, use the Log only action. This records detections with configurable severity levels (info, warn, critical) and custom labels — giving your compliance team full visibility while keeping traffic flowing.

All AI detection models run on Grepture infrastructure. No data is forwarded to additional third parties.

Integrating with existing workflows

The traffic log and compliance reports are designed to feed into your existing compliance processes:

  • Traffic log — filterable by model, status, cost range, and time window. Use it as the source of truth for AI usage across your organization.
  • Compliance reports — export PDFs for auditor requests or attach them to your existing compliance documentation.
  • Activity log — demonstrates ongoing governance of AI controls for SOC 2 or internal audit reviews.

All data is hosted in the EU, which simplifies GDPR compliance for organizations subject to data residency requirements.

Next steps