
t49qnsx7qt-kpanks

the 66-day window: what eu ai act article 12 actually requires from your agent infrastructure

most teams deploying ai agents in 2026 have a compliance plan. very few have compliance infrastructure.

that's the gap. august 2 is when eu ai act enforcement reaches high-risk ai systems — agents included. three governance frameworks now shape the baseline for what "compliant" means at the technical level: the eu ai act, nist ai rmf, and iso/iec 42001. gartner is projecting 80% of organizations will have formalized ai governance policies by end of 2026. policies are the easy part. the harder part is what article 12 actually asks for in the code.

article 12(2) breaks down into three log categories: situations where the system might present a risk, data for post-market monitoring, and data for operational monitoring. a plain reading says you need timestamped, tamper-resistant event records covering every decision the agent made — inputs, outputs, parameters, and the rationale chain that produced the output. the article specifies logs must cover the full lifetime of the system, not just production incidents.

this creates a technical problem most teams haven't hit yet. current observability stacks — datadog, grafana, whatever you're running — are designed for infrastructure telemetry, not audit defensibility. they're mutable. if a regulator asks you to demonstrate that a specific agent decision at 14:32:07 on march 4 was made with these inputs and no other, a mutable log is the wrong answer. you need a chained record where every entry points to the hash of the prior entry and the chain itself is verifiable without trusting the logging system.

there's a second layer article 12 surfaces that's easy to miss: the log has to be automatically recorded over the system's lifetime. "automatically" is doing real work there. manual audit trail population — where a human or a post-hoc script writes the compliance record — doesn't satisfy the requirement because it doesn't prove the record matches what the system actually did.

the infrastructure pattern that satisfies this is a write-time stamping primitive: every agent operation emits a sha-256 hash-chained event that links to the prior event before the operation completes. the stamp is proof, not documentation. it exists whether the team remembers to log it or not.

i built gridstamp for this layer. every agent action — tool call, decision branch, state transition — gets a tamper-evident stamp written at op time, chained to the prior event, flushed to an append-only log. at 14.55M operations in fleet simulation, the p99 latency is 3ms. 221 tests. it drops underneath an existing agent runtime without a rewrite.

the practical path to article 12 readiness before august 2 is three steps: audit what your current logs actually prove (can you produce a cryptographically verifiable chain of every decision your agent made last week?), identify where the chain breaks (usually: tool calls that aren't logged, reasoning steps that aren't captured, logs that overwrite on rotation), and add write-time stamping to close those gaps.
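to make the chaining pattern and the "audit what your logs prove / find where the chain breaks" steps concrete, here is a small hash-chained log with a verifier. this is an added example written for this post, not gridstamp's code and not the project's api; `StampedLog`, `stamped_call`, `verify_chain` and the sample agent trace in `run_demo` are all constructed for illustration.

```python
import copy
import hashlib
import json
import time

# the anchor the first entry chains to (a convention chosen for this example)
GENESIS = "0" * 64


def _digest(prev_hash, payload):
    """sha-256 over the previous entry's hash plus a canonical JSON rendering of the payload.
    canonical encoding (sorted keys, no whitespace) makes the hash reproducible on re-verification."""
    material = prev_hash + json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class StampedLog:
    """append-only, hash-chained event log (example implementation, not a real product)."""

    def __init__(self):
        self.entries = []

    def stamp(self, op, inputs, output, rationale, ts=None):
        """record one agent operation, chained to the prior entry. returns the new head hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {
            "seq": len(self.entries),
            "ts": time.time() if ts is None else ts,
            "op": op,
            "inputs": inputs,
            "output": output,
            "rationale": rationale,
        }
        entry = {"prev": prev, "payload": payload, "hash": _digest(prev, payload)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS


def stamped_call(log, op, fn, inputs, rationale, ts=None):
    """run an agent tool call and stamp it; the stamp is written before the result reaches the caller,
    so an unlogged tool call cannot happen through this path."""
    output = fn(**inputs)
    log.stamp(op, inputs, output, rationale, ts)
    return output


def verify_chain(entries, expected_head=None):
    """walk the chain from GENESIS without trusting the writer.
    returns (True, None) if intact, else (False, index of the first entry that fails).
    expected_head is a head hash kept out of band (e.g. published at rotation time);
    without it, silently dropping the newest entries is undetectable."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if (e["prev"] != prev
                or e["payload"]["seq"] != i
                or _digest(e["prev"], e["payload"]) != e["hash"]):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def run_demo():
    log = StampedLog()
    # constructed sample trace of one agent request; timestamps fixed for reproducibility
    stamped_call(log, "tool:lookup_order", lambda order_id: {"status": "shipped"},
                 {"order_id": "ord-17"}, "user asked for delivery status", ts=1000.0)
    log.stamp("decision", {"status": "shipped"}, "reply:shipped",
              "status known, no escalation needed", ts=1000.2)
    stamped_call(log, "tool:send_reply", lambda text: {"delivered": True},
                 {"text": "your order has shipped"}, "final answer to user", ts=1000.4)
    head = log.head()
    results = {"intact": verify_chain(log.entries, head)}

    # 1) a decision edited after the fact: its hash no longer matches the payload
    edited = copy.deepcopy(log.entries)
    edited[1]["payload"]["output"] = "reply:escalate"
    results["edited"] = verify_chain(edited)

    # 2) log rotation that discarded the oldest entry: entry 0 no longer chains to GENESIS
    results["rotated"] = verify_chain(log.entries[1:])

    # 3) a dropped tail: passes without an out-of-band head, caught once the head is anchored
    results["truncated_no_anchor"] = verify_chain(log.entries[:-1])
    results["truncated_with_anchor"] = verify_chain(log.entries[:-1], head)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

the third case is the caveat to carry into the audit step: a hash chain proves that nothing in the middle was edited or reordered, but it cannot by itself prove that the log is complete. the latest head hash has to be recorded somewhere the logging system cannot rewrite (a separate store, a signed checkpoint, a timestamping service) before the chain is verifiable "without trusting the logging system" in the sense the post means.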

the window is 66 days. the teams that treat this as a documentation project are going to have a bad september.

more at https://getbizsuite.com/ai-audit