EU AI Act Article 12 takes effect August 2. here's what "automatic recording of events" actually requires

Article 12 requires automatic recording of events over the system's lifetime. full obligations apply August 2, 2026. penalties up to 15 million EUR or 3% of worldwide turnover.

those three sentences are from the Help Net Security breakdown of EU AI Act logging requirements. they're accurate. but they skip the detail that makes the requirement hard to satisfy: the EU AI Act doesn't define a technical standard for what "automatic recording" means.

there's no NIST-equivalent specification. no ISO standard finalized as of May 2026. what exists is Article 12's text, the three categories of log data it defines, and a lot of interpretive guidance from law firms — most of which says "you need to log things, tamper-evidently, and be ready to show them to an auditor."

so let's make the requirement concrete.

the three categories Article 12 actually specifies

Article 12(2) defines three log categories for high-risk AI systems:

1. situations where the system might present a risk or undergo a substantial modification
2. data for post-market monitoring
3. data for operational monitoring by deployers

translation: you need to log when something goes wrong or changes, you need to log how the system performs over time, and you need to log what operators can see about how it's behaving day-to-day.

for an AI agent, this means:

• every action the agent takes that has real-world consequence (tool calls, API charges, data writes)
• the context at time of action (what the agent knew, what it was authorized to do)
• the outcome (did the task complete, was the spend within bounds, were there anomalies)
• a tamper-evident record linking those three together

the "tamper-evident" requirement is the hard part. a database log isn't sufficient if an operator can edit it. what Article 12 points toward — even without an explicit technical standard — is an append-only, cryptographically-secured audit log.

what most agent deployments are missing

the current state of most agent audit logs is: stdout, maybe piped to a database, with no tamper protection, no structured schema for regulatory review, and no version control to show what the agent's behavior policy was at time of action.

that passes a developer audit. it fails a regulatory one.

the specific gap: Article 12 requires that logs be retained and that they be usable for post-market monitoring and incident reconstruction. if an agent misbehaves in month 8 of deployment, you need to be able to reconstruct what it did in month 3 and show that the behavior was consistent with its documented risk classification. printf logs don't give you that.

what Article 12-compliant logging looks like

a compliant architecture has four components:

1. structured event schema — every agent action logged with consistent fields (agent_id, action_type, authorized_scope, timestamp, outcome, anomaly_flag)
2. immutable append-only storage — no delete, no edit, hash-chained so tampering breaks the chain
3. risk event triggers — automatic flagging when the system encounters a situation in category 1 (risk or substantial modification)
4. audit export capability — ability to produce a human-readable report from the logs for a regulatory inspection

that's not a 6-month project. it's a 2-week integration if you use an SDK that ships those primitives.

the 48-hour audit

BizSuite's AI Audit is a $997, 48-hour delivery structured around Article 12 gap analysis. it maps your current logging architecture against the three categories, identifies what's missing, and delivers a remediation checklist.

if you're already compliant, you'll get confirmation. if you're not, you'll know exactly what to fix — with 65 days left before the deadline.

the audit isn't a platform. it's the thing you do before you decide whether you need one.