EU AI Act enforcement starts August 2. if you're running high-risk agents, the logging deadline is now
August 2, 2026 is 61 days away. That's the date the European Commission's enforcement powers for Chapter V of the EU AI Act enter application — and the date Article 12 logging mandates become actionable penalties.
The penalty structure: up to 15 million euros or 3% of worldwide annual turnover, whichever is higher. That's not a compliance department problem. For any company shipping agents in the EU, it's an engineering problem that should have started six weeks ago.
what Article 12 actually says
The regulation requires that high-risk AI systems "shall technically allow for the automatic recording of events (logs) throughout their operational lifetime." What that means in practice: every decision point that affects a human outcome — each tool call, each retrieval step, each model inference that feeds a consequential output — needs a structured, tamper-evident log entry.
Not console.log. Not CloudWatch streams you search by hand. Auditor-grade records that prove what your agent did, when, and why, retrievable without three engineers and a day of work.
There's also no finalized technical standard yet. The Commission deliberately left implementation to technologist-led bodies, which means the spec is evolving. Building to a finalized standard isn't an option — building to the spirit of the requirement and being able to demonstrate that to an auditor is.
who is actually in scope
This is where most teams make the mistake of assuming they're fine. Article 6 and Annex III define the high-risk categories. They include: AI systems used in employment decisions, educational access, credit scoring, biometric identification, and critical infrastructure management. A general-purpose coding assistant isn't high-risk. That same assistant with access to HR records or medical data probably is.
The classification isn't always obvious. A customer service agent that influences credit limit decisions or flags accounts for review may be in scope even if the original design intent was narrower. The question isn't what the agent was designed to do — it's what it actually does to a human's access to services, employment, or financial products.
what the compliance work looks like
Retrofitting Article 12 compliance into a production agent architecture means touching every layer: tool call wrappers, retrieval steps, LLM invocation points. Then you need a log sink with delivery guarantees (not best-effort), a signing mechanism that doesn't blow out your latency budget, and a retrieval interface that produces structured reports on demand.
Most teams estimate 6-12 weeks of engineering time if they start now. That estimate grows if the agent architecture hasn't been documented and the classification work hasn't been done. Teams that start in July are starting a fire drill.
The right first step is a classification pass: map every agent you're running against the Annex III categories, identify what's in scope, and then scope the logging infrastructure work to match. Building Article 12 infrastructure for an agent that isn't high-risk is wasted engineering. Not building it for one that is creates the penalty exposure.
That classification pass is what the BizSuite ai-audit is built around — a 2-hour working call to go through your agent architecture, produce the Annex III classification, and deliver a prioritized compliance plan within 48 hours. $997. One deliverable, not a retainer. So you know exactly where to point your engineers before August 2.
Top comments (0)