Enforcement begins August 2, 2026 — 10 weeks away.
AISG ships Article 12 compliance today. Hash-chained, tamper-evident audit records on every request. No configuration needed.
EU AI Act Compliance Logging
Tamper-evident, hash-chained audit records on every AI request processed by AI Security Gateway (AISG). No prompt content stored — only SHA-256 fingerprints. Exportable as JSONL. Verifiable with a single API call.
What Article 12 Requires
The EU AI Act's Article 12 mandates that high-risk AI systems include “automatic recording of events” (logging) throughout their lifetime. The regulation requires:
Event identification
Unique IDs and timestamps for every operation
Input/output traceability
Ability to trace what data entered and left the system
System version tracking
Which build/version processed each request
Deployer identification
Which project and API key initiated the request
Safety measure documentation
What policies and security checks were applied
Tamper evidence
Proof that logs have not been modified after the fact
How AISG Implements It
Every request — whether it succeeds, gets blocked by DLP, hits a budget limit, or triggers loop protection — generates an audit record automatically. No configuration needed.
Audit Record Fields
| Field | Article 12 Mapping | Description |
|---|---|---|
| audit_id / timestamp | Event identification | Unique ID and ISO 8601 timestamp |
| system_version | System traceability | Build version identifier for the deployment that processed the request |
| project_id / api_key_id | Deployer identification | Which project and key initiated the call |
| model / provider | AI system identification | Which model and provider handled the request |
| input_fingerprint | Input traceability | SHA-256 hash of the prompt (not the content) |
| output_fingerprint | Output traceability | SHA-256 hash of the response (not the content) |
| policy_version / dlp_action | Safety measures | Which policy version was active and what action was taken |
| violations_summary | Safety measures | Count of detected PII entities by type |
| outcome / status_code | Result classification | success, blocked, or error with HTTP status |
| prev_hash / record_hash | Tamper evidence | SHA-256 hash chain linking each record to the previous one |
Hash Chain — Tamper Evidence
Each audit record includes the SHA-256 hash of the previous record for that project. This creates a verifiable chain — if any record is modified or deleted, the chain breaks and verification fails at the exact point of tampering.
Record 1: prev_hash="genesis" → record_hash="a3f7..."
Record 2: prev_hash="a3f7..." → record_hash="b8c2..."
Record 3: prev_hash="b8c2..." → record_hash="d1e9..."
↑ ↑
Includes hash of Record 2 New hash computed from
all fields + prev_hashPrivacy by Design — Still Stateless
No prompt or response content is stored — ever. AISG's core processing remains fully stateless: prompts are scanned, redacted or blocked, and forwarded in real time. Nothing is persisted during request processing.
Compliance logging records only operational metadata — not data:
What IS stored
- SHA-256 fingerprints (one-way hashes)
- Model, provider, timestamps
- Token counts, costs
- Policy outcomes (redact/block/allow)
- Violation counts by entity type
- Hash chain for tamper evidence
What is NOT stored
- Prompt text or content
- Response text or content
- User identities or PII
- API keys (only prefix)
- IP addresses
- Message history or conversation context
SHA-256 fingerprints are one-way: you cannot reconstruct the original prompt or response from its hash. If an auditor needs to verify a specific request, the original application can recompute the fingerprint and match it against the audit record — but the audit system itself never has access to the content.
Export & Verification
JSONL Export
Export audit records as JSONL (one JSON object per line) with optional date range filtering. Available via the authenticated API or the “Audit Log” button in the project dashboard. Full API endpoint documentation is available in your project dashboard after sign-in.
Chain Verification
Verify the integrity of the entire hash chain with a single authenticated API call. The verification endpoint returns the number of records checked and whether the chain is intact — confirming that no records have been modified, deleted, or inserted after the fact.
{
"status": "valid",
"record_count": 1247,
"verified_through": 1246,
"chain_intact": true
}Dashboard Export
In the project dashboard, click Audit Log in the toolbar. Select a date range and click Export JSONL. Use Verify Chain to confirm integrity without downloading.
What Gets Logged
Audit records are created at every decision point in the request lifecycle:
Successful completion
Full record with I/O fingerprints, tokens, costs, DLP action
DLP block — text PII
Violations summary, policy version, entity types detected
DLP block — image OCR
Image PII violations, OCR scan results
DLP block — injection
Injection pattern matched, category
Budget exhaustion
Balance at time of block
Recursive loop
Fingerprint, hit count, cooldown applied
Retention & Storage
| Property | Value |
|---|---|
| Retention | Lifetime of your account, minimum 10 years per Article 12 |
| Storage | Dedicated cloud-native database with deletion protection enabled |
| Encryption | AES-256 at rest |
| Deletion protection | Enabled — audit records cannot be deleted via application or API |
| Point-in-time recovery | Continuous backups with point-in-time restore |
GDPR & Right to Erasure
Audit records contain only SHA-256 fingerprints, not prompt content or personal data, and are therefore outside the scope of GDPR Article 17 (right to erasure) requests. No personally identifiable information is stored in audit records — only cryptographic hashes, metadata (model, provider, timestamps), and policy outcomes.
EU AI Act Timeline
August 1, 2024
EU AI Act entered into force
February 2, 2025
Prohibited AI practices apply
August 2, 2025
General-purpose AI rules apply
August 2, 2026
High-risk AI system obligations apply (including Article 12)
August 2, 2027
Full enforcement for all AI systems
Related Documentation
Join the Community