EU AI Act Article 12: a practical guide to AI logging and record-keeping
Buried in the EU AI Act is a requirement that quietly reshapes how you build AI systems: Article 12. It says high-risk AI systems must automatically record events — keep logs — over their lifetime, so what the system did can be traced. From August 2, 2026, this starts to bite. This is a practical, plain-English guide to what Article 12 asks for, whether it applies to you, and how to actually meet it. (General information, not legal advice — whether your system is “high-risk” and how you comply is a determination for you and your counsel.)
What Article 12 actually says
Article 12 requires that high-risk AI systems be designed to automatically record events — “logs” — over the lifetime of the system, to a degree that enables traceability of how the system functioned. Operators are then obliged to keep those logs. The intent is simple: if a high-risk AI system does something consequential, there should be a record good enough to trace and reconstruct what happened.
Does it apply to you?
Article 12 applies to systems the Act classifies as high-risk — broadly, AI used in sensitive contexts like employment, credit, education, critical infrastructure, law enforcement, and more. As AI agents take on more consequential, autonomous action with real data and money, more of them fall within reach of these rules. Whether your specific system is high-risk is a legal determination — but if there's any chance it is, building the record-keeping now is far cheaper than retrofitting it after the fact.
What “traceability” really demands
The hard part of Article 12 isn't storing lines of text — it's producing a record you can trust and reconstruct. That means three things ordinary logging rarely guarantees: completeness (every consequential event captured, not just what a developer remembered to log), integrity (the record can't be quietly altered), and retention (kept for as long as your obligations require). A log you can't trust, or that's missing the one event that mattered, doesn't deliver traceability.
Why ordinary logging falls short
Most teams assume their existing logs cover this. But ordinary application logs are written by the same system you'd be investigating, in whatever shape the developer chose, with no protection against being changed. That's the difference between logs and evidence — and it's exactly the gap that AI agent forensics and tamper-evident logging exist to close.
A practical path to meeting it
You don't need a compliance team to start. Capture every consequential agent action automatically — prompts, tool calls, decisions, outcomes — rather than relying on hand-placed log lines. Store the record in a tamper-evident form so any alteration is detectable. Set retention to match your obligations. And make sure you can reconstruct any incident into a clear timeline and export it for a regulator, auditor, or insurer.
How Opviva supports Article 12
Opviva's Flight Recorder is built to be that record: one line of SDK captures what your AI agents do, the events are hash-chained and append-only so alteration is detectable, retention is configurable, and any session reconstructs into a timeline you can export as a signed evidence bundle. It's the same proof mechanism behind the rest of Opviva — the agent doesn't just claim something happened, it shows you the evidence on a tamper-evident Evidence Canvas. Opviva provides the technical record-keeping capability; whether your system is high-risk and how you meet your obligations is a determination for you and your counsel.
Frequently asked questions
What does EU AI Act Article 12 require?
Article 12 requires high-risk AI systems to automatically record events (logs) over their lifetime, to a degree that enables traceability of how the system functioned, and requires operators to keep those logs — so consequential events can be traced and reconstructed.
When does EU AI Act Article 12 take effect?
Obligations for high-risk AI systems under the EU AI Act phase in through 2026, with key requirements applying from August 2, 2026. Exact timing depends on the system's classification — confirm your specific dates with counsel.
Does Article 12 apply to my AI agent?
It applies to systems classified as high-risk under the EU AI Act. Whether your agent qualifies is a legal determination for you and your counsel — but if there's a reasonable chance it does, building automatic, tamper-evident record-keeping now is far cheaper than retrofitting it later.
