EU AI Act Article 12 requires high-risk AI systems to maintain detailed logs of every decision and action, exportable for regulator review.
if your AI agent handles payments, it's almost certainly a high-risk system under the Act.
that means logging can't be an afterthought — it has to be a first-class product feature.
here's what Article 12 compliance looks like for agent payment systems:
- log every decision — not just executed transactions, but every proposed transaction, policy check, approval decision, and abort reason
- tamper-evident storage — the log has to be immutable. if you edit or delete an entry, the regulator needs to be able to detect it.
- exportable audit bundles — the log has to be exportable as a structured file (JSON, CSV, etc.) that a third-party auditor can review without accessing your production system.
- retention requirements — logs have to be kept for a minimum period (often 6 months to 2 years depending on the use case).
the technical piece is making the log tamper-evident. mnemopay uses a merkle chain: each log entry is a leaf node that commits to the hash of the entry before it, and the root hash gets signed and timestamped. if anyone edits or deletes an entry, every hash after it changes, so recomputing the chain no longer reproduces the signed root and the tampering is visible.
the audit bundle exports as a single JSON file with the full chain and all signatures. a third-party auditor can verify the chain without trusting your infrastructure.
i built this into mnemopay from day one because Article 12 compliance isn't optional if you're shipping agent payment tools into the EU market.
if you're building AI systems that touch money, treat audit logs as infrastructure, not a feature you bolt on before launch.