best places to place security checking procedures

I am in the process of makeing a database security system for my application
I am useing a tokenized style security system and each token has the ability
to do both auditing when the security function is used and the ability to
allow/disallow the use of the function.

the monitored states are for adding and editing.

I want the ability to 'audit' changes even when the user does is not
'allowed' to do that function.  the only way I can think of doing this is a
'validation' for the state change of the datasets that are in use... but I
do not know of a event that will allow me to do my own custom 'validation'
for that state change....
does anyone have any ideas how I could acomplish this?