Every Singapore fintech engineering team that uses AWS has CloudWatch. When compliance asks "do we have logs of our AI credit decisions?" the answer is usually yes, CloudWatch, done. That answer is wrong — completely wrong, in the ways that matter most when MAS comes to inspect.
CloudWatch Logs captures what your application emits. Whatever your code writes to stdout, stderr, or a logging library — that is what CloudWatch holds. It is a log aggregation system, and it is excellent at what it does.
But consider what a typical AI credit decision looks like in CloudWatch:
2025-03-14 09:23:41 INFO Application APP-00291847 processed. Score: 0.34. Outcome: DECLINED. 2025-03-14 09:23:41 INFO Model: gpt-4o. Latency: 1247ms.
That is two lines. Maybe four if you log verbosely. That is what most teams have.
Now consider what MAS actually asks for during an inspection under the November 2025 AI Risk Management Guidelines and the FEAT Transparency principle:
CloudWatch gives you none of items 1, 2, 4, or 5. It gives you a partial version of 3. And on item 6, most teams have CloudWatch set to 30 or 90 days because the cost of retaining five years of raw logs at that volume is significant.
The full LLM prompt for a credit decision is typically 2,000 to 8,000 tokens. The full response is another 500 to 2,000. Nobody logs that to CloudWatch. The cost is prohibitive, the signal-to-noise ratio is terrible, and standard logging libraries truncate at 256 or 512 bytes anyway.
So what you have is a summary. An outcome. A score. A model name.
A MAS examiner who asks "show me the exact reasoning your model provided for this declined application" cannot be answered with a score and a latency metric. That is not an explanation. That is a number.
This is the one that surprises people. CloudWatch logs can be modified. An IAM user with appropriate permissions can delete log events, delete log streams, or retroactively alter retention policies. There is no cryptographic chain that would make tampering detectable.
The MAS AI Risk Management Guidelines are explicit about tamper-evidence. An audit trail that can be modified is not an audit trail. It is a log file with an audit-sounding name.
MAS TRM Guidelines require five years of log retention for AI systems in scope. The cost of retaining full CloudWatch logs for five years — uncompressed, unstructured text at production volume — is not trivial. Most engineering teams set 30 or 90 days and move on. Nobody revisits it. Nobody tests what happens at year four when an inspector asks for a decision from 2022.
The answer is: you cannot produce it. The logs are gone.
The FEAT Transparency principle requires that a financial institution be able to explain any AI-driven decision to the affected applicant. The IAC regime means the CCO is personally accountable when that explanation cannot be produced.
The November 2025 AI Risk Management Guidelines add operational requirements: decisions must be logged with enough detail to reconstruct the decision-making process, the logs must be tamper-evident, and they must be retained for the period required by TRM Guidelines.
An audit trail under these requirements has specific properties that CloudWatch does not provide:
CloudWatch is none of these things. It was not designed to be. It is a log aggregation system and it does that job well.
What MAS-compliant AI audit infrastructure looks like in practice:
At the moment of decision — before the response is returned to the caller — the system captures the complete input, the complete output, the model version, the policy version, and the decision outcome. It writes these as a structured record.
That record is SHA-256 hashed and chained to the previous record. The hash of record N includes the hash of record N-1. Any modification to any record in the chain causes every subsequent hash to fail verification. This is the same principle underlying git commits and Bitcoin transactions.
Daily, the chain head is anchored to the Bitcoin blockchain using OpenTimestamps. This creates an externally verifiable timestamp that cannot be backdated. The chain existed before the anchor. The anchor is public and permanent.
The records are stored in immutable append-only storage — S3 Object Lock with compliance mode works well — with retention set to five years or longer.
When a MAS examiner requests documentation for a specific decision, a single API call retrieves the complete record, verifies the hash chain from that record back to genesis, confirms the Bitcoin anchor, and generates a signed Inspection Package PDF. The examiner verifies the chain. The inspection proceeds.
This takes hours, not weeks.
First, stop thinking of CloudWatch as your compliance solution. It is your operational logging system. That is a legitimate and important function. Keep using it for what it does well.
Second, recognize that you have a gap. The gap is not optional. MAS FEAT, IAC, and the November 2025 AI Risk Management Guidelines are not a compliance checkbox exercise. They are enforceable requirements with personal liability attached.
Third, close the gap before the inspection notice arrives. Inspection notices do not come with a six-month remediation window. They come with a request for documentation that you either have or do not have.
Book a demo and we'll show you a live AI decision being logged, hash-chained, replayed, and packaged for a regulator — against your actual use case.
Book a demo →No sales deck. Just a live demonstration of the product doing what this article describes.