pomerium · desimone · Jun 18, 2026
@@ -20,6 +20,8 @@ This article describes a use case available to [Pomerium Enterprise](/docs/deplo
 
 Pomerium supports recording, storage, and playback (via Enterprise Console) of interactive SSH sessions for auditing and compliance needs. To enable session recording in Pomerium, you will be required to set up the session recording extension, a cloud or self-hosted blob storage provider, make the relevant policy changes to routes and connect the Pomerium instance to the Enterprise Console.
 
+Once recording is enabled, see [Session Recording for Audit and Compliance](/docs/capabilities/session-recording/compliance) for how to operate it as defensible audit evidence: WORM storage and retention, audit-log correlation, and SOC 2 / PCI DSS / HIPAA / FedRAMP control mappings.
+
 :::danger
 
 Recording SSH sessions carries inherent risk. Anything the user sees in their terminal is recorded as-is without modification or redaction. This can include sensitive information such as private keys, passwords, logs, etc.
@@ -895,11 +897,11 @@ StorageBlobLogs
 
 ### Integrity checks
 
-The following criteria indicate that an object has been accessed or modified outside of Pomerium's chain of custody:
+The following criteria indicate that recording content or metadata may have been accessed or modified outside of Pomerium's chain of custody:
 
 - there is more than one object revision for any session recording object in the remote store
-- there are blob storage access logs that are not annotated with Pomerium access information
-- there are blob storage access logs whose `access_id` or `hmac_user_id` do not match any Pomerium Enterprise audit logs
+- there are blob storage data-read logs for recording content or metadata that are not annotated with Pomerium access information
+- there are blob storage data-read logs whose `access_id` or `user_hmac_id` do not match any Pomerium Enterprise audit logs
 
 ## Recording Contents
 

@@ -34,6 +34,7 @@
     "argjson",
     "argparse",
     "auditability",
+    "auditd",
     "Authorization",
     "Amazonbot",
     "alexl",
@@ -51,6 +52,7 @@
     "caroot",
     "certmanager",
     "CHACHA20",
+    "CMEK",
     "classmethod",
     "cloudrun",
     "cloudsmith",
@@ -83,6 +85,7 @@
     "esgee",
     "exfiltrate",
     "fallbackcerts",
+    "fedramp",
     "Flatpak",
     "FQDL",
     "freeipa",
@@ -222,6 +225,7 @@
     "traefik",
     "unclonable",
     "Unimpersonate",
+    "unredacted",
     "unsandboxed",
     "upsert",
     "urandom",

@@ -62,7 +62,18 @@ const sidebars = {
         'docs/capabilities/kubernetes-access',
         'docs/capabilities/native-ssh-access',
         'docs/capabilities/reverse-tunneling',
-        'docs/capabilities/session-recording',
+        {
+          type: 'category',
+          label: 'Session Recording',
+          className: 'enterprise',
+          link: {type: 'doc', id: 'docs/capabilities/session-recording'},
+          items: [
+            {
+              type: 'autogenerated',
+              dirName: 'docs/capabilities/session-recording',
+            },
+          ],
+        },
         {
           type: 'category',
           label: 'Non-HTTP Protocols',