EU AI Act Article 12 Logging Requirements for ChatGPT API

May 29, 2026 · 7 min read · compliance

The EU AI Act's Article 12 requires “automatic recording of events” for high-risk AI systems. If you use the ChatGPT API (or any LLM API) as part of a system deployed in the EU for hiring, credit scoring, healthcare, or education, you need compliant logging before August 2, 2026.

Does Article 12 Apply to Your ChatGPT API Usage?

Article 12 applies to high-risk AI systems as defined in Annex III of the AI Act. If your ChatGPT API integration falls into any of these categories, you need compliant logging:

  • Employment & HR — resume screening, interview analysis, performance evaluation
  • Credit & insurance — creditworthiness assessment, risk scoring, claims processing
  • Education — student assessment, admission decisions, learning path optimization
  • Healthcare — diagnostic assistance, treatment recommendations, triage
  • Law enforcement & migration — risk assessment, document analysis
  • Critical infrastructure — safety-related decision support

Note: If you use ChatGPT for internal chatbots, customer support summarization, or marketing copy generation, Article 12 likely does not apply — these are not high-risk use cases under Annex III. However, logging is still good practice for audit and governance.

What Article 12 Requires You to Log

Article 12(1) requires that a high-risk system technically allow the automatic recording of events (logs) over its lifetime, and Article 12(2) requires that those logging capabilities enable the recording of events relevant for identifying situations that may result in the system presenting a risk, for post-market monitoring, and for the deployer's monitoring of its operation. The Act does not prescribe a field-level schema for LLM integrations (the detailed minimum in Article 12(3) is specific to remote biometric identification systems), so the following is a practical minimum for a ChatGPT API integration:

Required field: what to record (where to get it from the ChatGPT API)

  • Timestamp: ISO-8601 UTC timestamp (your application layer)
  • Input reference: SHA-256 hash of the prompt, not the raw text (hash the messages array)
  • Output reference: SHA-256 hash of the completion (hash response.choices[0].message.content)
  • Model version: model ID used (response.model field)
  • Token usage: input, output and total tokens (response.usage object)
  • User/session ID: pseudonymized identifier (your auth layer)
  • Decision context: what the output was used for (your application logic)
  • Risk flags: any content policy violations (DLP/firewall layer)

Key Compliance Requirements

Tamper-evident

Logs must be append-only. Hash-chaining (each record carries the hash of the previous record) does not prevent modification; it makes retroactive edits and deletions detectable, provided the latest chain hash is regularly anchored somewhere the log writer cannot rewrite (a signed timestamp, a WORM or object-lock bucket, or a separate append-only ledger). Without that anchor, whoever can write the store can also re-hash the chain from the altered record onward and nothing inside the chain will notice.

Retention

Retain for a period appropriate to the intended purpose of the system. For automatically generated logs the Act sets a floor, not a ceiling: Article 19 (providers) and Article 26(6) (deployers) require at least six months unless Union or national law requires longer. The ten-year figure in Article 18 applies to technical documentation, not to logs, so do not copy it into your log retention policy by mistake; pick a period that covers the system's lifecycle plus the inspection window your sector's other laws impose, and make deletion before that period impossible rather than merely discouraged.

Accessible on request

National market surveillance authorities can request logs under Article 74. The Act does not set a fixed export deadline, so define an internal SLA (24 hours is a reasonable target), test the export path before you need it, and make sure the export includes the chain hashes and the anchored head hash an inspector needs to verify the records have not been altered.

Privacy-preserving

Do NOT log raw prompts or completions containing personal data; log fingerprints of the content instead. Two caveats a practitioner should keep in mind. First, a bare SHA-256 of a short, structured prompt is not anonymization: anyone who can guess candidate inputs can hash them and compare, so where unlinkability matters, key the fingerprint with a secret held outside the log store (HMAC-SHA256). Second, a fingerprint alone cannot tell an investigator what was asked or answered; if an investigation must be able to see the content, retain the originals separately under encryption and access control, and use the fingerprint to prove that the retained copy is the one the log refers to.
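The four requirements above fit together in the following added example, which is not the page's code and not the gateway's: an append-only hash-chained log, HMAC-SHA256 content fingerprints, and a verifier run against an intact chain, a naively edited record, a chain whose hashes an insider recomputed after editing, and a chain with its newest record dropped. The key, the sample events and the timestamps are constructed for the demo (the key name and value are placeholders, not a real secret), and the field names follow the table in the previous section.

```python
import copy, hashlib, hmac, json

GENESIS_HASH = "0" * 64  # prev_hash carried by the very first record
# Assumption: a real deployment fetches this from a KMS; it must never sit beside the log.
FINGERPRINT_KEY = b"hypothetical-fingerprint-key"

# Constructed sample events (not real traffic), shaped like the fields in the table above.
SAMPLE_EVENTS = [
    {"prompt": "Screen this CV for the analyst role: ...", "completion": "Shortlist",
     "user": "user-7a1f", "decision_context": "hiring_screen", "tokens": {"input": 412, "output": 3}},
    {"prompt": "Assess creditworthiness: income 42000, ...", "completion": "Decline",
     "user": "user-0c9e", "decision_context": "credit_decision", "tokens": {"input": 230, "output": 1}},
    {"prompt": "Triage: chest pain, 54M, ...", "completion": "Urgent",
     "user": "user-33b2", "decision_context": "triage", "tokens": {"input": 88, "output": 1}},
]


def canonical(obj) -> bytes:
    """Deterministic JSON bytes, so equal records always hash equal."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def fingerprint(key: bytes, content: str) -> str:
    """HMAC-SHA256 of prompt or completion text. A bare SHA-256 of a short prompt is reversible
    by hashing guessed candidates; the key stops that, yet a key holder can still confirm a match."""
    return hmac.new(key, content.encode("utf-8"), hashlib.sha256).hexdigest()


def record_hash(body: dict) -> str:
    return hashlib.sha256(canonical(body)).hexdigest()


class HashChainedLog:
    """Append-only log; every record commits to the hash of its predecessor."""

    def __init__(self):
        self.records: list[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.records[-1]["record_hash"] if self.records else GENESIS_HASH
        body = {"seq": len(self.records), "prev_hash": prev, **event}
        self.records.append({**body, "record_hash": record_hash(body)})
        return self.records[-1]


def verify_chain(records: list[dict], expected_head=None):
    """Return (ok, index of first bad record); checks seq, prev_hash, record_hash and,
    when given, the externally anchored head hash."""
    prev = GENESIS_HASH
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False, i
        if record_hash(body) != rec.get("record_hash"):
            return False, i
        prev = rec["record_hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)  # self-consistent, but not the chain that was anchored
    return True, None


def build_log(events=SAMPLE_EVENTS, key=FINGERPRINT_KEY) -> HashChainedLog:
    log = HashChainedLog()
    for n, e in enumerate(events):
        log.append({
            "timestamp": f"2026-05-29T10:00:{n:02d}Z",  # fixed for the demo; use UTC now in production
            "model": "gpt-4.1",
            "input_fingerprint": fingerprint(key, e["prompt"]),
            "output_fingerprint": fingerprint(key, e["completion"]),
            "tokens": e["tokens"],
            "user_id": e["user"],
            "decision_context": e["decision_context"],
        })
    return log


def rechain(records: list[dict], start: int) -> list[dict]:
    """What a capable insider does after an edit: recompute every hash from `start` onward."""
    prev = records[start - 1]["record_hash"] if start else GENESIS_HASH
    for rec in records[start:]:
        rec["prev_hash"] = prev
        rec["record_hash"] = record_hash({k: v for k, v in rec.items() if k != "record_hash"})
        prev = rec["record_hash"]
    return records


def tamper_scenarios() -> dict:
    """Verification outcomes for an intact chain and three tampering attempts."""
    log = build_log()
    head = log.records[-1]["record_hash"]  # the value to anchor externally (signed timestamp, WORM object)
    edited = copy.deepcopy(log.records)
    edited[1]["decision_context"] = "marketing_copy"  # relabel a credit decision, hashes untouched
    rechained = copy.deepcopy(log.records)
    rechained[1]["decision_context"] = "marketing_copy"
    rechain(rechained, 1)  # ...then recompute hashes so the chain looks intact
    truncated = copy.deepcopy(log.records)[:-1]  # quietly drop the newest record
    return {
        "intact": verify_chain(log.records, head),
        "edited": verify_chain(edited, head),  # hash mismatch at record 1
        "rechained_no_anchor": verify_chain(rechained),  # passes: the chain alone cannot tell
        "rechained_with_anchor": verify_chain(rechained, head),  # caught only by the anchor
        "truncated_no_anchor": verify_chain(truncated),  # passes for the same reason
        "truncated_with_anchor": verify_chain(truncated, head),
    }
```

Note which attacks the chain alone catches: only the naive edit. Re-hashing the chain after an edit and truncating it both verify cleanly unless the verifier is handed the head hash that was anchored outside the store, which is why the anchor, not the chaining by itself, is what makes the log tamper-evident in practice. The same verifier is what you would ship in the export bundle so an inspector can check the records independently.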

Build It Yourself vs. Use a Compliance Gateway

You can implement Article 12 logging in your application code (wrap every API call with a logging layer) or use an AI gateway that handles it automatically.

DIY: Manual logging wrapper
import hashlib, json
from datetime import datetime, timezone
from openai import OpenAI

client = OpenAI()

def logged_completion(messages, model="gpt-4.1", **kwargs):
    # Fingerprint the whole messages array, canonically serialized, instead of storing the text
    input_hash = hashlib.sha256(
        json.dumps(messages, sort_keys=True, separators=(",", ":")).encode("utf-8")
    ).hexdigest()

    response = client.chat.completions.create(
        model=model, messages=messages, **kwargs
    )

    # content is None when the model answers with tool calls or a refusal instead of text
    content = response.choices[0].message.content or ""
    output_hash = hashlib.sha256(content.encode("utf-8")).hexdigest()

    log_entry = {
        # timezone-aware UTC; datetime.utcnow() is deprecated and returns a naive value
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "model": response.model,  # the exact model version that served the request
        "input_fingerprint": input_hash,
        "output_fingerprint": output_hash,
        "tokens": {
            "input": response.usage.prompt_tokens,
            "output": response.usage.completion_tokens,
            "total": response.usage.total_tokens,
        },
        "finish_reason": response.choices[0].finish_reason,  # e.g. "stop", "length", "content_filter"
    }
    # TODO: Write to tamper-evident log store
    # TODO: Implement hash-chaining
    # TODO: Handle retention & export
    return response

This works for a proof of concept, but production compliance requires tamper-evident storage (hash-chaining with an externally anchored head hash), export APIs for regulatory inspection, deletion protection, and retention policies. That's significant infrastructure to build and maintain.

Gateway approach: Two lines of code

AI Security Gateway automatically generates hash-chained, tamper-evident audit logs for every API call. Enable it by changing your base URL — no additional logging code needed.

Gateway: Automatic compliance logging
from openai import OpenAI

client = OpenAI(
    base_url="https://api.aisecuritygateway.ai/v1",
    api_key="aisg_your_key_here",
)

# Every call is automatically logged with:
# - SHA-256 input/output fingerprints (not raw content)
# - Hash-chained tamper-evident records
# - Exportable via authenticated API
# - Deletion-protected storage
response = client.chat.completions.create(
    model="gpt-4.1",
    messages=[{"role": "user", "content": "Analyze this application..."}]
)

Compliance Timeline

  • Aug 1, 2024: EU AI Act entered into force
  • Feb 2, 2025: prohibited AI practices enforcement began
  • Aug 2, 2025: general-purpose AI obligations began
  • Aug 2, 2026: high-risk AI system obligations begin for Annex III systems, including Article 12 (Annex I product-embedded systems follow on Aug 2, 2027)

Be compliant before August 2, 2026

AI Security Gateway provides hash-chained, tamper-evident audit logs that satisfy Article 12 requirements. Set up in 10 minutes. Export audit trails on demand.
