AI Governance
EU AI Act Article 12: Logging & Record-Keeping Requirements, Explained (2026)
July 1, 2026 · 6 min read
Article 12 turns “trust us” into “show us the logs.” Here’s what it requires and how to produce the evidence without a six-month project.
Article 12 of the EU AI Act (Regulation 2024/1689) requires that high-risk AI systems automatically record events — logs — over their lifetime. The intent is traceability: if something goes wrong, or an auditor asks, you can reconstruct what the system did and what data moved through it. It is one of the most concrete, testable obligations in the entire regulation.
What Article 12 actually requires
- Automatic recording of events (“logs”) throughout the system’s lifecycle, by design.
- Logging appropriate to the intended purpose and risk of the system.
- Traceability of the system’s functioning to support post-market monitoring and incident investigation.
- Records kept for an appropriate period and available to authorities on request.
In practice, that means you cannot satisfy Article 12 with a written policy. You need machine-generated, timestamped records of relevant events — and for generative AI, one of the most relevant events is sensitive data leaving for a model.
How Article 12 connects to ISO 42001 and the NIST AI RMF
The good news: these frameworks reinforce each other. ISO/IEC 42001 Annex A covers event logging (A.6.2.8) and responsible use; the NIST AI RMF asks you to measure and manage data-leakage risk. Build the logging once and it counts toward all three. An AI Management System is the natural home for these records.
Generating the logs without a six-month project
A pragmatic place to start is the data-egress event: a record, every time a secret or piece of PII is caught before it reaches a public model. Prompt Guard produces exactly that — an immutable, timestamped control event carrying non-sensitive previews (never the raw value), mapped to Article 12, ISO 42001 and the NIST AI RMF. Pushed into CATAAM, the events become continuous, queryable evidence rather than a claim. The full mechanism is in this walkthrough.
Produce Article 12 evidence automatically
See Prompt Guard →Frequently asked questions
- What does Article 12 of the EU AI Act require?
- Article 12 requires high-risk AI systems to automatically record events (logs) throughout their lifecycle, appropriate to the system’s purpose and risk, to ensure traceability for post-market monitoring and incident investigation. Records must be retained and made available to authorities on request.
- How do I generate logs for EU AI Act compliance?
- You need machine-generated, timestamped records of relevant events rather than a written policy. For generative AI, logging data-egress events — when secrets or PII are prevented from reaching a public model — is a concrete, high-value starting point that also satisfies ISO 42001 event-logging and NIST AI RMF data-leakage controls.
- Does Article 12 overlap with ISO 42001?
- Yes. ISO/IEC 42001 Annex A includes event logging (A.6.2.8) and responsible-use controls that map closely to Article 12. Implementing logging inside an ISO 42001 AI Management System lets the same records satisfy the EU AI Act, ISO 42001 and the NIST AI RMF.