| UI or UX | UI + UX - Governed audit evidence surface for security, compliance, forensic, and administrative review | UI + UX - Searchable and exportable record of system, user, or administrative events | UI + UX - Inspectable record of generated AI output, prompt context, model, sources, tools, user actions, versions, and downstream use | UI + UX - Durable snapshot browser for previous document, file, page, object, or configuration versions | UI + UX - Durable user-opened notification history and action drawer |
| UI guidance | Render audit logs as governed evidence records with audit ID, effective time, actor, actor type, action, protected object, result, source system, IP or session context, retention class, export status, and permission scope. | Render activity logs as evidence-oriented records with event time, actor, action, object, source system, scope, result, and technical context such as IP address or location when available. | Render AI output audit trail as an answer-level evidence record that connects prompt snapshot, response snapshot, model version, source snapshot, retrieved context, tool calls, safety events, user actions, approvals, edits, exports, and retention state. | Render version history as a durable snapshot browser with the current version, previous version list, author, timestamp, named version labels, autosaved version labels, changed summary, retention status, compare affordance, preview, and restore action. | Provide a persistent notification entry point, usually a bell or inbox control, with a count that represents new unseen notifications rather than every unread item forever. |
| UX guidance | Use audit log when the product must support security review, compliance obligations, forensic investigation, privileged-action review, or administrator accountability with retained evidence. | Use activity log when users need to investigate, audit, verify, or troubleshoot actions across accounts, objects, systems, settings, or security boundaries. | Use AI output audit trail when users must investigate, prove, review, dispute, export, or comply with how a generated AI output was created and used. | Use version history when users need to find a known good state, understand what changed between saved states, recover from bad edits, cite a prior version, name a meaningful milestone, or restore content without guessing. | Use a notification center when users receive enough asynchronous system or collaboration updates that they need a durable place to review, triage, and act later. |
| Good UI | A security audit log shows a role escalation with audit ID, UTC effective time, actor session, target account, old role, new role, source IP, retention class, legal-hold badge, and Export evidence action. | An organization audit log table shows timestamp, actor, action, target object, app, IP address, result, and a Details drawer with before and after fields. | A policy answer drawer shows prompt snapshot, model version, response ID, retrieved sources, tool calls, safety filter result, generated text, user edits, approval, copy, export, and retention window. | A document side panel marks v42 as Current, lists v41, v38 named Pre-launch copy, and v35 autosaved, and opens a compare preview before Restore this version. | A bell opens a drawer with Unread and All filters, showing comment mentions, approval requests, export results, and background-job failures in newest-first order. |
| Bad UI | A settings page lists Admin changed something with no stable audit ID, actor session, object, result, retention policy, or export trail. | A page titled Activity shows vague entries such as Changed settings with no actor, target, timestamp, or source. | A chat transcript shows only the final answer with no prompt, source snapshot, model, tool calls, user actions, or applied output history. | A History panel lists Edited, Edited, Edited with no version number, author, content preview, compare result, or restore consequence. | A red badge says 42 forever because opening the drawer, reading items, and viewing related work never update the count. |
| Good UX | An investigator filters privileged actions, opens one audit record, verifies the chain of custody, exports the exact scoped result set, and sees which fields are redacted by administrative-unit scope. | An admin filters to failed SSO events, expands one entry, copies the event ID, exports the filtered range, and sees that records older than 180 days require a different archive. | A support lead opens a disputed customer reply, sees the exact AI draft, prompt, source article versions, editor changes, approver, sent timestamp, and retention status, then exports the evidence bundle. | A designer names the last approved file version, compares it against the current version, confirms restore, and sees that the restore created v43 while keeping v42 available. | Opening the notification drawer clears the new-notification badge while unread items remain available for later triage. |
| Bad UX | A reviewer assumes no event happened because their restricted scope hides system-account records without saying so. | A user marks a notification read and the corresponding activity evidence disappears from the only log. | A user regenerates an answer and the product overwrites the previous version, leaving no way to prove which output was copied. | A user tries to recover yesterday's copy but only sees a chronological activity log with no previewable previous version. | A payment failure that blocks the current checkout is only stored in the notification center and never appears in the task. |
| Best fit | The product must support security investigations, compliance review, legal discovery, privileged-action review, or enterprise governance. | Users need to inspect recorded user, admin, system, security, or integration events. | A generated AI output can influence compliance, customer communication, security, legal, finance, operations, code, policy, or other high-trust work. | Users edit documents, files, pages, design files, records, configurations, or published content over time. | Users receive multiple asynchronous updates across objects, jobs, collaborators, approvals, or reminders. |
| Avoid when | Users only need recent collaboration updates or a lightweight activity feed. | The goal is only to show a readable milestone history for one case or process. | Users only need to read the current answer and inspect citations in the moment. | The product only has an event log with no saved content snapshots. | The product has only occasional current-action feedback that a toast or inline status can handle. |
| Required state | Default audit-log search state with visible query, result count, scope, timezone, retention class, and evidence coverage. | Default log state with event records, result count, visible timezone, retention window, and permission scope. | Generated output state with response ID, timestamp, user, conversation or thread ID, and model version. | Default state with current version, previous version list, author, timestamp, and change summary. | Closed entry-point state with zero, new-unseen, and unread-but-seen counts. |
| Accessibility burden | Use table or structured record semantics so audit ID, actor, action, object, timestamp, result, scope, and retention are perceivable together. | Use table or structured list semantics so actor, action, object, timestamp, result, and scope are perceivable together. | Expose output ID, version, timestamp, actor, action, source status, tool status, redaction status, and retention state as text, not color alone. | Use structured list, table, or tab semantics so version number, current status, author, timestamp, and label are read together. | Give the entry-point control an accessible name that includes new or unread count without relying only on a red dot. |
| Common misuse | Rebranding a recent-activity feed as an audit log without retention, custody, or governed evidence fields. | Calling a social feed or notification drawer an activity log without event evidence. | Calling a chat transcript an audit trail when it does not preserve source, tool, model, action, approval, or version evidence. | Calling an activity log or audit trail version history when it has no previous content snapshots. | Treating the badge count, unread count, and total notification count as one number. |