If monitoring asks "is the system healthy now?", audit asks "who did what?" These are fundamentally different questions. CPU at 80% is faceless data; "who deleted the production S3 bucket at 3 AM yesterday?" is responsibility tracking. AWS has CloudWatch for the former and CloudTrail — an audit log recording every API call in an account — for the latter. And to automatically respond to recorded events is EventBridge — AWS's serverless event bus. Combine these two and security automations like "detect root account login, alert instantly" emerge.