may 6 - aws mcp server hit ga. coding agents now have iam-scoped access to the entire aws control plane. it's a serious unlock for productivity. it's also a compliance landmine for any team that hasn't thought about logging.

what most teams shipped on day 1

- an iam role for the mcp server
- an s3 bucket for cloudtrail logs
- a vague intention to 'figure out the audit story later'

what an eu ai act article 12 (record-keeping) audit asks for

- which agent invoked which tool, with what input, producing what output, at what timestamp
- a tamper-evident record (a hash chain does the job) proving the log wasn't altered after the fact
- at least 6 months of retention (the article 19 floor), exportable in a format the auditor can subpoena

cloudtrail logs the api call. it doesn't log the agent's intent, the prompt that produced the call, or the chain of tool invocations that led to it.

the 4-hour fix

```javascript
// before every mcp tool call
await bizsuite.audit.log({
  agent_id,
  tool,
  input,
  prompt_hash,
  parent_invocation_id,
  timestamp,
});
```

wrap the mcp invocation.…