EU AI Act Article 12: Logging & Audit Trail Requirements
Article 12 of the EU AI Act requires high-risk AI systems to automatically record events for the lifetime of the system. This page covers exactly what your audit trail must capture, retention rules, and how Article 11 + Annex IV technical documentation interact.
Ultimo aggiornamento: April 29, 2026 · 10 min read
What Article 12 Requires
High-risk AI systems must, by design, allow for the automatic recording of events ('logs') over the lifetime of the system. Logs must enable traceability sufficient for post-market monitoring, regulatory inspection, and human oversight under Article 14.
Article 12 is one of the few EU AI Act obligations that demands a technical capability rather than just process documentation — your AI system must literally produce these records as it operates.
What Your Audit Trail Must Capture
Article 12 logs must capture sufficient detail to reconstruct how and why decisions were made:
- Event-level logging with reliable timestamps
- Inputs received by the AI system and outputs produced
- Internal process steps (deliberation, intermediate decisions, policy evaluations)
- Human-in-the-loop actions: approvals, overrides, escalations
- System state data sufficient to reproduce the decision context
- Anomaly events and their handling
Technical Requirements
The regulation specifies several technical properties your logging infrastructure must satisfy:
- Automatic logging — manual log entries don't satisfy Article 12
- Reliable, complete event recording
- Tamper-evident, secure storage
- Retention period proportional to intended purpose and risk profile
- Exportable in formats suitable for regulatory review
Common Compliance Gaps
Based on our work with enterprise AI teams, these are the most frequent Article 12 compliance gaps:
- Logging outputs only, not the reasoning that produced them
- Missing or incomplete human-override records
- Mutable log storage that doesn't satisfy tamper-evidence
- Retention periods too short for regulatory inspection
- No structured export — only ad-hoc database queries
Article 11 + Annex IV Technical Documentation
Article 11 requires technical documentation that, together with Article 12 logs, demonstrates conformity.
Annex IV specifies the structure: system description, intended purpose, design choices, training and testing data, validation procedures, monitoring, and the logs themselves. Treat the two as one workstream.
How AIAgentree Implements Article 12
AIAgentree was built from the ground up for Article 12 compliance:
- Decision-trace capture — every input, intermediate step, output recorded
- Reasoning steps preserved alongside outputs
- Human-override tracking with who/when/why metadata
- Cryptographic hash-chain integrity for tamper-evidence
- One-click export in formats designed for regulatory review (PDF, JSON, CSV)
Frequently Asked Questions
How long must Article 12 logs be retained?
The EU AI Act does not specify a fixed period; logs must be retained for a duration proportional to the AI system's intended purpose and risk profile. Most providers align with sector-specific retention rules (financial services, healthcare) and treat the longest applicable period as the floor.
Do I need to log every model inference?
Article 12 requires logging events that enable traceability of decisions. For consequential decisions affecting people's rights or safety, that effectively means every inference. For purely internal helper tasks, lighter-weight aggregated logging may suffice — document the rationale either way.
Are logs themselves personal data under GDPR?
Often yes, especially when they include input data tied to identifiable individuals. Treat Article 12 log retention and access controls as a joint EU AI Act / GDPR Article 32 problem.
Fonti
- Regulation (EU) 2024/1689, Article 12 — artificialintelligenceact.eu/article/12
- Article 11 + Annex IV — artificialintelligenceact.eu/article/11