DEV Community

t49qnsx7qt-kpanks
t49qnsx7qt-kpanks

Posted on

Article 12 Logging Is the EU AI Act Requirement Most Teams Are Ignoring

Article 12 Logging Is the EU AI Act Requirement Most Teams Are Ignoring

the compliance conversation around the EU AI Act has been dominated by risk classification — am i high-risk or not? that question matters, but it's eating attention that should go to a more immediate problem: the logging requirement is mandatory, it has a hard deadline, and most agent codebases fail it right now.

August 2, 2026. penalties: up to 15 million euros or 3% of worldwide annual turnover.

what Article 12 actually says

Article 12 of the EU AI Act mandates that "high-risk AI systems shall technically allow for the automatic recording of events (logs) throughout their operational lifetime."

three words in that sentence matter: automatically, recording, throughout.

automatically means the logging can't be manual. you can't say "our team reviews outputs and writes incident notes." the system itself must generate structured, machine-readable records.

recording means the logs are retained — not streamed and discarded, not sampled at 1%, but stored in a form that can be produced on regulatory request.

throughout means for the entire operational lifetime of the system, not just during incidents or peak load.

the regulation goes further. logs must enable:

  • tracing back to the specific input that produced a specific output
  • verifying that the system operated within its intended parameters at the time of a given decision
  • identifying whether a human oversight mechanism was triggered (and what the human did)

the gap between observability and compliance

most engineering teams read "logging" and think "we have that." you probably do — you have application logs, you have error tracking, you might have LLM call traces in Langfuse or Weights & Biases.

none of that is Article 12 logging unless you've designed it to be.

the difference: observability answers what's broken. compliance logging answers what did the system decide, on what inputs, for which user, at what time, and what was the human oversight status — and it answers that in a format a regulator can audit.

specifically, Article 12 logs need to include:

  • the period of each use of the system (start/end timestamps per session)
  • the reference database against which input data was checked (if applicable)
  • input data where technically feasible to store it
  • whether the human oversight mechanism was invoked, and by whom

most LLM tracing tools capture a subset of this. none of them produce the audit-ready package the regulation requires.

what remediation looks like

the fix is a structured logging layer that sits on top of your existing infrastructure. you're not rebuilding your observability stack — you're adding a compliance sink that captures the specific fields Article 12 requires, in a format you can export on demand.

the harder part is retroactive documentation. Article 12 requires logging throughout the operational lifetime, which means you need a record of what the system was doing before you added the compliance sink. for systems already in production, that gap has to be addressed in your technical documentation — acknowledging the period before compliance implementation and documenting the system's behavior during that period through other means (sampling, retrospective analysis, deployment records).

the hardest part for most teams: identifying what counts as a "high-risk AI system" under your specific deployment context. the regulation's Annex III list is the starting point (employment decisions, educational assessment, law enforcement, credit scoring, etc.), but the boundaries are genuinely ambiguous in agentic systems that touch multiple domains.

the practical path

the audit-first approach: before you build a logging layer, you need to know what your system's actual risk classification is, what Article 12 specifically requires for your context, and what your current gap looks like against those requirements. building compliance infrastructure without that clarity wastes engineering cycles on the wrong things.

the BizSuite AI Audit does exactly that step: a 2-hour working session with your team, a technical gap analysis against the EU AI Act's specific requirements for your system, and a prioritized remediation plan delivered in 48 hours. $997 flat.

61 days to August 2. if you're running agents in production and you haven't done this analysis, now is the window.

https://getbizsuite.com/ai-audit.html

Top comments (0)