EU AI Act Compliance Logging
Tamper-evident, hash-chained audit records on every AI request processed by AISG. No prompt content stored — only SHA-256 fingerprints. Exportable as JSONL. Verifiable with a single API call.
What Article 12 Requires
The EU AI Act's Article 12 mandates that high-risk AI systems include “automatic recording of events” (logging) throughout their lifetime. The regulation requires:
- Event identification: Unique IDs and timestamps for every operation
- Input/output traceability: Ability to trace what data entered and left the system
- System version tracking: Which build/version processed each request
- Deployer identification: Which project and API key initiated the request
- Safety measure documentation: What policies and security checks were applied
- Tamper evidence: Proof that logs have not been modified after the fact
How AISG Implements It
Every request — whether it succeeds, gets blocked by DLP, hits a budget limit, or triggers loop protection — generates an audit record automatically. No configuration needed.
Audit Record Fields
| Field | Article 12 Mapping | Description |
|---|---|---|
| audit_id / timestamp | Event identification | Unique ID and ISO 8601 timestamp |
| system_version | System traceability | Git SHA of the build that processed the request |
| project_id / api_key_id | Deployer identification | Which project and key initiated the call |
| model / provider | AI system identification | Which model and provider handled the request |
| input_fingerprint | Input traceability | SHA-256 hash of the prompt (not the content) |
| output_fingerprint | Output traceability | SHA-256 hash of the response (not the content) |
| policy_version / dlp_action | Safety measures | Which policy version was active and what action was taken |
| violations_summary | Safety measures | Count of detected PII entities by type |
| outcome / status_code | Result classification | success, blocked, or error with HTTP status |
| prev_hash / record_hash | Tamper evidence | SHA-256 hash chain linking each record to the previous one |
Hash Chain — Tamper Evidence
Each audit record includes the SHA-256 hash of the previous record for that project. This creates a verifiable chain — if any record is modified or deleted, the chain breaks and verification fails at the exact point of tampering.
```
Record 1: prev_hash="genesis" → record_hash="a3f7..."
Record 2: prev_hash="a3f7..." → record_hash="b8c2..."
Record 3: prev_hash="b8c2..." → record_hash="d1e9..."
          ↑                      ↑
          Includes hash of       New hash computed from
          Record 2               all fields + prev_hash
```
Privacy by Design
No prompt or response content is stored. Only SHA-256 fingerprints of the input and output are recorded. This proves what was processed without exposing what was said. If an auditor needs to verify a specific request, the original application can recompute the fingerprint and match it against the audit record.
Export & Verification
JSONL Export
Export audit records as JSONL (one JSON object per line) with optional date range filtering. Available via the API or the “Audit Log” button in the project dashboard.
```
curl -H "Authorization: Bearer oah_your_key" \
  "https://api.aisecuritygateway.ai/projects/proj_abc/audit/export?from=2026-05-01T00:00:00Z&to=2026-05-31T23:59:59Z" \
  -o audit-may-2026.jsonl
```
Chain Verification
Verify the integrity of the hash chain with a single API call. Returns the number of records checked and whether the chain is intact.
```
curl -H "Authorization: Bearer oah_your_key" \
  "https://api.aisecuritygateway.ai/projects/proj_abc/audit/verify"
# Response:
{
  "status": "valid",
  "record_count": 1247,
  "verified_through": 1246,
  "chain_intact": true
}
```
Dashboard Export
In the project dashboard, click Audit Log in the toolbar. Select a date range and click Export JSONL. Use Verify Chain to confirm integrity without downloading.
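An offline verifier for an exported JSONL file, as an added example rather than AISG's own code. It assumes `record_hash` is SHA-256 over the record's other fields as sorted-key compact JSON and that fingerprints hash the UTF-8 text; the page does not document the gateway's actual serialization, and the sample records are constructed.

```python
import hashlib
import json

GENESIS = "genesis"  # prev_hash of the first record, per the diagram on this page


def fingerprint(text: str) -> str:
    """SHA-256 fingerprint of a prompt or response (UTF-8 encoding is an assumption)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def record_hash(record: dict) -> str:
    """Hash of all fields plus prev_hash. ASSUMPTION: canonical JSON with sorted keys
    and compact separators; the gateway's real serialization is not documented."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_chain(jsonl: str) -> dict:
    """Walk an exported JSONL chain; report the index of the first broken record."""
    prev, count = GENESIS, 0
    for line in filter(None, map(str.strip, jsonl.splitlines())):
        rec = json.loads(line)
        if rec.get("prev_hash") != prev:  # a record before this one was removed
            return {"chain_intact": False, "broken_at": count, "reason": "prev_hash mismatch"}
        if rec.get("record_hash") != record_hash(rec):  # this record was edited
            return {"chain_intact": False, "broken_at": count, "reason": "record_hash mismatch"}
        prev, count = rec["record_hash"], count + 1
    return {"chain_intact": True, "record_count": count, "last_hash": prev}


def build_sample(prompts):
    """Constructed sample export (not real gateway output)."""
    prev, lines = GENESIS, []
    for i, p in enumerate(prompts):
        rec = {"audit_id": f"aud_{i}", "timestamp": f"2026-05-01T00:00:0{i}Z",
               "input_fingerprint": fingerprint(p), "outcome": "success", "prev_hash": prev}
        rec["record_hash"] = prev = record_hash(rec)
        lines.append(json.dumps(rec))
    return lines


if __name__ == "__main__":
    good = build_sample(["hello", "summarise this", "translate that"])
    print(verify_chain("\n".join(good)))                  # intact chain
    edited = good[:1] + [good[1].replace("success", "blocked")] + good[2:]
    print(verify_chain("\n".join(edited)))                # record 1 edited in place
    print(verify_chain("\n".join(good[:1] + good[2:])))   # record 1 deleted
```

A chain check alone cannot detect records removed from the end of an export, because the shorter chain still verifies; compare `record_count` and `last_hash` against a value recorded outside the export.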
What Gets Logged
Audit records are created at every decision point in the request lifecycle:
- Successful completion: Full record with I/O fingerprints, tokens, costs, DLP action
- DLP block — text PII: Violations summary, policy version, entity types detected
- DLP block — image OCR: Image PII violations, OCR scan results
- DLP block — injection: Injection pattern matched, category
- Budget exhaustion: Balance at time of block
- Recursive loop: Fingerprint, hit count, cooldown applied
Retention & Storage
| Property | Value |
|---|---|
| Retention | Lifetime of your account, minimum 10 years per Article 12 |
| Storage | Dedicated DynamoDB table (OSHUB_AuditLog) |
| Encryption | AES-256 at rest (AWS SSE) |
| Deletion protection | Enabled (CloudFormation DeletionPolicy: Retain) |
| Point-in-time recovery | Enabled |
GDPR & Right to Erasure
Audit records contain only SHA-256 fingerprints, not prompt content or personal data, and are therefore outside the scope of GDPR Article 17 (right to erasure) requests. No personally identifiable information is stored in audit records — only cryptographic hashes, metadata (model, provider, timestamps), and policy outcomes.
EU AI Act Timeline
- August 1, 2024: EU AI Act entered into force
- February 2, 2025: Prohibited AI practices apply
- August 2, 2025: General-purpose AI rules apply
- August 2, 2026: High-risk AI system obligations apply (including Article 12)
- August 2, 2027: Full enforcement for all AI systems