EU AI Act Article 12: What AI Teams Need to Log Before August 2026
On August 2, 2026, the EU AI Act's high-risk AI system obligations take effect. Article 12 mandates that these systems include “automatic recording of events” — continuous, tamper-evident logging of every operation the AI system performs.
If you're building AI-powered products that serve EU users — chatbots handling personal data, AI-driven hiring tools, credit scoring systems, healthcare applications — you likely fall under these requirements. And the deadline is 10 weeks away.
This guide breaks down exactly what Article 12 requires, what most teams get wrong, and how to implement compliant audit logging without slowing down your development velocity.
What Article 12 Actually Says
Article 12 is titled “Record-keeping” and requires high-risk AI systems to be designed with logging capabilities that enable the recording of events relevant to:
- Identifying each operation (unique IDs, timestamps)
- Tracing inputs and outputs without necessarily storing the content itself
- Tracking system versions across the lifecycle
- Documenting safety measures that were applied
- Proving tamper evidence — demonstrating logs haven't been altered
The key insight most teams miss: you don't need to store the actual prompts and responses. You need to prove what was processed and what safety measures were applied, in a way that can be verified after the fact.
Three Mistakes Teams Make
1. Storing raw prompts “for compliance”
Some teams respond to Article 12 by logging every prompt and response verbatim. This creates a new GDPR problem — you're now storing personal data (which may have been in the prompts) in your audit logs. The correct approach is to store cryptographic fingerprints (SHA-256 hashes) of the content, not the content itself.
2. Using application-level logging
Application logs (stdout, CloudWatch, Datadog) are mutable. Your ops team can modify them. An attacker with access can delete entries. Article 12 requires logs that are “appropriate to the intended purpose of the high-risk AI system” — which regulators interpret as tamper-evident.
3. Setting a 90-day TTL
The regulation doesn't specify a retention period, but the intent is lifecycle-long record-keeping. If you set a 90-day TTL on your audit logs, you'll have gaps in your compliance trail when an auditor asks for records from six months ago.
What a Compliant Audit System Looks Like
Based on the regulation text and emerging regulatory guidance, a compliant system needs:
| Requirement | Implementation |
|---|---|
| Event identification | Unique audit_id + ISO 8601 timestamp per record |
| I/O traceability | SHA-256 fingerprints of input and output (not content) |
| System versioning | Git SHA / build version stamped on every record |
| Deployer tracking | Project ID + API key ID on every record |
| Safety documentation | Policy version, DLP action, violations summary |
| Tamper evidence | Hash chain — each record includes SHA-256 of previous |
| Indefinite retention | No TTL, append-only, deletion-protected storage |
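The two points above that teams most often get wrong in code are the fingerprinting (log a hash of the prompt, never the prompt) and the hash chain (each record commits to the one before it). The following Python is an added example written for this guide, not AISG's own implementation: it builds records carrying every field in the table, chains them with SHA-256, exports them as JSONL, and verifies the chain so that an edited or removed record is detected. `SYSTEM_VERSION`, the project and key ids and the sample prompts are constructed placeholders.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed placeholder; a real deployment stamps the git SHA / build id at build time.
SYSTEM_VERSION = "git:0123abcd"
# Sentinel the first record chains to, since it has no predecessor.
GENESIS_HASH = "0" * 64


def fingerprint(content: str) -> str:
    """SHA-256 of the content. Only this hex digest is logged, never the content itself."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so the same record always hashes to the same value."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditChain:
    """Append-only, hash-chained audit log (kept in memory for the example)."""

    def __init__(self):
        self.records = []

    def append(self, prompt, response, *, project_id, api_key_id,
               policy_version, dlp_action, violations=(), timestamp=None):
        prev_hash = self.records[-1]["record_hash"] if self.records else GENESIS_HASH
        record = {
            "audit_id": str(uuid.uuid4()),                       # event identification
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "input_fingerprint": fingerprint(prompt),            # I/O traceability, no content
            "output_fingerprint": fingerprint(response),
            "system_version": SYSTEM_VERSION,                    # system versioning
            "project_id": project_id,                            # deployer tracking
            "api_key_id": api_key_id,
            "policy_version": policy_version,                    # safety documentation
            "dlp_action": dlp_action,
            "violations": list(violations),
            "prev_hash": prev_hash,                              # tamper evidence
        }
        record["record_hash"] = hashlib.sha256(canonical(record)).hexdigest()
        self.records.append(record)
        return record


def verify_chain(records):
    """Recompute every hash and link from the genesis sentinel.

    Returns (True, None) when intact, else (False, index of the first bad record).
    """
    expected_prev = GENESIS_HASH
    for i, rec in enumerate(records):
        if rec.get("prev_hash") != expected_prev:
            return False, i   # link broken: a record was removed, reordered or inserted
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if hashlib.sha256(canonical(body)).hexdigest() != rec.get("record_hash"):
            return False, i   # contents edited after the hash was computed
        expected_prev = rec["record_hash"]
    return True, None


def to_jsonl(records):
    """Export in the shape an auditor receives: one JSON record per line, fingerprints only."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    chain = AuditChain()
    chain.append("Summarize this contract...", "The contract grants...",
                 project_id="proj_demo", api_key_id="key_demo",
                 policy_version="policy-v3", dlp_action="allow")
    chain.append("Email john@example.com the draft", "[blocked]",
                 project_id="proj_demo", api_key_id="key_demo",
                 policy_version="policy-v3", dlp_action="block", violations=["email"])
    print(to_jsonl(chain.records))
    print("chain intact:", verify_chain(chain.records))
    chain.records[1]["dlp_action"] = "allow"   # simulate an operator "fixing" a record
    print("after tampering:", verify_chain(chain.records))
```

One caveat a practitioner should check: a hash chain proves that nothing inside the sequence was edited, reordered or removed, but it cannot by itself prove that the newest records were not truncated. Verification therefore needs to compare the final `record_hash` and the record count against a copy anchored outside the log store (a periodically exported head hash, or the count a verify endpoint reports), and the records themselves belong in append-only, deletion-protected storage rather than a mutable application log.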
How to Be Compliant in 10 Minutes
If you're using AI Security Gateway as your LLM proxy, compliance logging is already active. Every request — successful completions, DLP blocks, budget rejections, loop detections — automatically generates a hash-chained audit record.
```python
# Every request through AISG automatically generates an audit record.
# No configuration needed. Just use AISG as your proxy.
from aisg import AISG

client = AISG(api_key="oah_your_key")

# This request generates an audit record with:
# - SHA-256 fingerprint of the prompt
# - SHA-256 fingerprint of the response
# - Model, provider, tokens, cost, DLP action
# - Hash-chained to the previous record
response = client.chat.completions.create(
    model="oah/llama-4-maverick",
    messages=[{"role": "user", "content": "Summarize this contract..."}],
)
```

```bash
# Export audit records as JSONL with date range filtering
curl -H "Authorization: Bearer oah_your_key" \
  "https://api.aisecuritygateway.ai/projects/proj_abc/audit/export?from=2026-01-01T00:00:00Z&to=2026-06-30T23:59:59Z" \
  -o compliance-h1-2026.jsonl
```

```bash
# Prove to auditors that no records were tampered with
curl -H "Authorization: Bearer oah_your_key" \
  "https://api.aisecuritygateway.ai/projects/proj_abc/audit/verify"
# {"status":"valid","record_count":4821,"chain_intact":true}
```

Key Dates
- August 1, 2024: EU AI Act entered into force
- February 2, 2025: Prohibited AI practices apply
- August 2, 2025: General-purpose AI rules apply
- August 2, 2026: High-risk AI obligations (including Article 12) — 10 weeks away
- August 2, 2027: Full enforcement for all AI systems
Bottom Line
Article 12 compliance isn't optional, and it isn't hard — if you use the right architecture. Hash-chained, append-only audit records with cryptographic fingerprints satisfy every requirement without storing sensitive content. The deadline is August 2, 2026. If you're routing AI requests through any proxy or gateway, make sure it's generating compliant audit trails today.
AI Security Gateway generates EU AI Act compliant audit records on every request — automatically, with no configuration. Hash-chained, tamper-evident, indefinitely retained. Start free or read the docs.