Hi,
Since we have AI tools in place and also Rovo enabled within our organisation, from a Security and Governance perspective, how do we ensure that Users actually review the content that is published.
For example, for a use case where Users generate content in Claude or ChatGPT and then copy it over to a newly created page on Confluence, the page ID is published on the audit logs within Atlassian. But if a User creates a Confluence page directly from Claude/ChatGPT, the audit log only mentions that mcp tool was invoked, but there are no details about the page created.
Hence, from an admin perspective, it is difficult to identify AI generated content. Our goal is to ensure that users will review the content they generate and hence we want to put guardrails in place to ensure it is done.
Has anyone any ideas on how to achieve this?
Best regards,
Mini
Hi Mini,
The Confluence audit log does capture the page creation, you can combine that with automation rules for labeling/notifications and page approvals for a solid review workflow.
1) Cross-reference wth the Confluence audit log
Even when a page is created via MCP, the Confluence-level audit log still records a page_created event with the user who triggered it, the page title, space, and timestamp. So the data is there, it's just in a different log than the org-level one.
2) Use Confluence Automation to flag new pages
Set up an automation rule that triggers on "Page created" and automatically:
Adds a label like "needs-review"
Sends a notification to a reviewer or admin
Posts a comment prompting the author to confirm they've reviewed the content
This creates an enforceable review step regardless of how the page was created.
3) For Premium/Enterprise plan, use Page Approvals
If you're on Premium or Enterprise, enable Page Approvals on key spaces. This prevents content from being considered "approved" until a designated reviewer signs off, which is perfect for AI-generated content governance.
I hope this can assist you with your inquiries.
Bestest regards,
Peter Tran
Hi Peter,
Thank you for the reply.
Labels was the approach we were contemplating, but we only want to label AI generated pages and not all new pages.
We are on Confluence Standard.
For the page generated by AI tool, in the Audit log, I only see "action": "mcp_tool_invoked" and I do not see any other corresponding log in Atlassian. And hence, no page ID.
Best Regards,
Mini
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Mini,
That clarifies up for me.
Unfortunately, on Standard plan, there's no automation way to distinguish whether a page was created by a human or via an MCP tool call, since the mcp_tool_invoked audit event doesn't include the resulting page ID.
You can either:
1) Push for the audit log gap to be fixed -> Raise this on the Atlassian feedback portal.
Specifically, request that MCP audit events include the output resource ID (e.g., the created page ID). That would let admins correlate the MCP invocation with the actual page and automate labeling from there. But this way might take a long time to develop.
2) If you have the technical resources
You could build a lightweight script that periodically calls the The Confluence Cloud REST API and cross-references creation timestamps with mcp_tool_invoked audit log entries. If a page creation timestamp closely matches an MCP invocation by the same user, flag it.
It's a effort workaround, but it bridges the gap until Atlassian adds the page ID to the audit event.
I wish everything works out well for you!
Best regards
Peter Tran
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Peter,
I have another question -
Lets take 3 use cases
Use Case 1 - I generate a Confluence like content on Claude. I create a page on Confluence and then paste the content from Claude into the newly created Confluence page. I see the Audit event with "action": "confluence_page_ai_content_generated".
Use Case 2 - I create a Confluence page directly from Claude. I see the Audit event with "action": "mcp_tool_invoked".
Use Case 3 - I create a page in Confluence directly but using Create with Rovo and click on Add to Confluence. I didnt really see a corresponding entry in the audit log. Strange.
I dont know if being on Confluence Standard filters out audit logs? Can you check the above use cases and see your audit logs?
Best regards,
Mini
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Mini,
1. Use Case 1: I tried this and it worked. When you paste AI-generated content into a manually created Confluence page, Confluence detects it and logs confluence_page_ai_content_generated. This confirms that Confluence does have some built-in AI content detection at the product level. 😊
2. For Use Case 2:
As we discussed, the mcp_tool_invoked event is logged at the organization-level audit log (admin.atlassian.com → Insights → Audit log), but it doesn't include the resulting page ID. However, the page creation itself should still appear in the Confluence product-level audit log (Confluence admin → Monitoring → Audit log) as a separate event. Are you checking both logs? They're in different places:
Org audit log: admin.atlassian.com → Insights → Audit log
Confluence audit log: Confluence admin (⚙️) → Monitoring → Audit log
-> Note: You should raise this as well.
3. Use Case 3: This is the most concerning one. I'd strongly recommend reporting this as a bug to Atlassian Support.
I had trouble reproducing this reliably on my end as well. When a page is created via Rovo's native "Add to Confluence," it appears the audit trail is inconsistent. This looks like a genuine product gap.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Peter,
This has been most helpful! Thank you for testing the use cases.
For Use Case 2, I only see the mcp_tool_invoked, there is no entry in the Confluence audit log (maybe due to being on Standard)
I will report both to the Atlassian support.
Best wishes,
Mini
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Peter's approach is the right shape here — the page-created automation with a review label, plus a native review marker. A couple of specifics to add.
Page-created events do get logged, but in the org-level audit log at admin.atlassian.com, under Audit log. The per-space Confluence audit log only covers space and admin config, so it won't show them. If all you're seeing is the MCP action with no page name, that's the in-app data setting. Open the Audit log's Settings and turn on storing in-app data, and page titles start appearing on those entries. That activity logging needs Guard Premium or Cloud Enterprise.
On enforcing review, Confluence Cloud has no native pre-publish approval gate. That part's a Marketplace app (Comala Document Management does this). Natively you get the Verified status, applied by the page owner or a space admin. Catch is the creator counts as the owner, so it can't force an independent reviewer by itself. Pair it with the automation label and a Page Properties Report to audit what's still unreviewed.
And on the "AI or other assistants" part, nothing tags a page as AI-made. Rovo you can lock down at the source (Rovo access, plus who can create and run agents), but a page written through Claude or ChatGPT over MCP uses that person's API token and just shows as them, so the review step is your backstop there.
Best, Gabriela
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Peter and Gabriel,
Thank you very much for your inputs. I really appreciate it.
It seems with Confluence Standard we are limited.
Best regards,
Mini
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.