The question I get on every audit call is the same one. "What does Article 12 actually require." The follow-up is usually "and what tool do I buy for it." The honest answer to both is uncomfortable. Article 12 requires a set of records that almost no team currently produces. And there is no single tool that ships those records, because the records are a function of the system, not a function of the logger.
This is a long-form attempt to make that uncomfortable answer concrete. I will quote the text, translate it into operator language, walk through the failure modes I have seen this quarter, and lay out the shape of an audit chain that actually survives scrutiny.
What Article 12 actually says.
Strip the legalese. Article 12 of Regulation (EU) 2024/1689 imposes a record-keeping obligation on providers of high-risk AI systems. The operative language requires that high-risk systems be designed to automatically record events ("logs") over the lifetime of the system and that the logging capability enable a level of traceability appropriate to the system's intended purpose.
The article specifies that logs must allow, at minimum:
- Identification of situations that may result in the system presenting a risk under Article 79 or substantial modification.
- Post-market monitoring as referred to in Article 72.
- Monitoring of operation of high-risk AI systems referred to in Article 26(5).
For the remote biometric identification subset of high-risk systems, Article 12(3) is more specific. It requires recording of the period of use, the reference database, the input data leading to a match, and the identification of natural persons involved in the verification.
Then Article 19 piles on the retention requirement: providers must keep the logs that are under their control for at least six months, unless other Union or national law requires longer. The 10-year technical documentation retention in Article 18 is a separate, longer clock that runs from market placement.
That is the whole obligation, and it is more specific than most teams realize on first read.
What "completeness" actually means.
The word "completeness" does not appear in Article 12 verbatim. What the text requires is that logs be sufficient to allow the three things above. In practice, every Notified Body I have spoken to interprets sufficiency the same way: the logs must permit independent reconstruction of every material decision the system made.
That standard is harder than it sounds. It means an auditor, three years after the fact, with only the logs in front of them, has to be able to walk through what the system saw, what it decided, and why. Not just that the API returned 200. The decision, the rationale, the inputs that drove it, the alternatives the system rejected.
This is exactly the decision-log gap I wrote about in April. The call log is the byproduct of running the system. The decision log is the artifact that satisfies Article 12. Most teams have the first and none of the second.
The four failure modes every audit catches.
I have run audits across agencies, contractors, clinics, two e-commerce brands, and a regional bank this year. The failure modes cluster.
Timestamp gaps.
The most common one. The system logs the API call, but the timestamps come from three different clocks, none of them synchronized. Application server. Database. CDN. A regulator asking "when did this decision happen" gets three answers separated by milliseconds, and there is no way to tell which one was authoritative.
Fix: pick one canonical clock, log every event with that clock's value, and store the clock identity alongside the timestamp. NTP-synced UTC with the source noted is what survives. Anything else gets challenged.
Signature absent.
The second most common one. Logs exist, but nothing signs them. The team has integrity by storage policy ("we don't edit logs") rather than integrity by cryptography. A motivated attacker, an unscrupulous insider, or a software bug can rewrite history and nobody can detect it.
Fix: every log record gets signed by a key the system controls. Every periodic batch gets a Merkle root the system publishes. The publication can be to a file on disk, a Git commit, a notary service, or the chain itself. Once a root is out there, it is no longer rewritable. That is the whole property.
Append-only violations.
The third one is more subtle. The logging library appends, sure. But the team has a "scrub" job that runs nightly to delete PII from older records. The scrub is well-intentioned. It also breaks Article 12, because the records as they existed at decision time can no longer be reconstructed.
The Article expects log integrity over the system's lifetime. Scrubbing PII inside the same record is a modification, even if you keep the rest of the record. The correct pattern is a separate redaction layer that returns a redacted view of the original record without mutating the original. The original stays signed and untouched. The redacted view is what gets shown to anybody without a need-to-know.
Chain breaks at process restart.
The one nobody catches until it gets reviewed. The log chain is fine while the process is running. When the process restarts, the new instance starts a fresh chain. There is no continuity between the two. From the outside, you cannot prove that no events were dropped during the restart window.
Fix: persist the last chain root to disk before shutdown, load it on startup, link the new chain's first record to the persisted root. The chain becomes restart-safe. Drops are now visible.
The Merkle chain approach.
The pattern that holds up under audit is straightforward. Every event the system records gets a hash. The hash includes the previous event's hash, so the chain is tamper-evident. Every n events (or every k minutes), the chain produces a root: the hash of the entire chain up to that point. The root gets published somewhere external — a Git commit, an S3 bucket with object-lock, a public ledger, an email to the compliance officer.
Verifying the chain later is then a closed-form computation. Take the events, hash them in order, compare the final root to the published root. If they match, no event has been altered or dropped. If they do not match, the auditor can binary-search the divergence point to find the first tampered record.
The math is the easy part. The discipline is publishing the root. A chain that never produces an external root is just a log file with extra steps. The publication is what makes it falsifiable from the outside.
What the export bundle looks like.
An auditor showing up to verify an Article 12 system will not read your live logs. They will ask for an export bundle. The shape of the bundle I recommend, and the one MnemoPay's audit primitive produces:
article12-bundle/
mission.json (declared purpose, intended use, risk class)
events.ndjson (every recorded event in order)
events.csv (same events in tabular form for human review)
chain.json (chain roots over time, with publication metadata)
manifest.json (file hashes, signing key, export timestamp)The bundle is signed as a unit. The auditor verifies the manifest signature, hashes each file, and compares against the manifest. Then they walk the chain. The whole verification can be automated. The whole thing can be reproduced by any third party who has the public key.
This is not a novel architecture. It is the same chain-of-custody pattern courts have accepted for digital evidence for the last decade. The reason it is novel for AI logging is that nobody has bothered to package it for AI workloads yet. The Act is what creates the demand.
The deadlines that actually bite.
| Date | What lands |
|---|---|
| Aug 2, 2025 | General-purpose AI, governance, penalties scaffolding. |
| Aug 2, 2026 | Annex III high-risk classification enforceable. Article 12 logging required in production. |
| Aug 2, 2027 | Annex I embedded high-risk systems (medical devices, machinery, toys, etc.). |
The 2026 date is the one that matters for any agent operator running an Annex III workflow today. Credit scoring, employment screening, education access, biometric identification, critical infrastructure, essential services. The fuller breakdown of what August 2 actually is covers the five-deadline stack, but Article 12 is the one with the longest preparation time.
The retention clock under Article 19 is six months minimum for logs. The technical documentation under Article 18 is ten years from market placement. These two clocks run in parallel. Most teams budget for neither.
What regulators actually look at.
I have asked this question of two former Notified Body assessors and one Member State market surveillance officer. The composite of their answers:
They look at three things, in order.
First, can you produce records on demand. Not "we have logs somewhere." Can you, in a fifteen-minute window during the inspection, produce the events for a specific decision the system made on a specific date. If the answer is "we have to query our log warehouse and it will take a day," the audit is already in trouble.
Second, can the records be verified for integrity. Hashes. Signatures. Chain roots. The assessor does not need to understand the cryptography to ask the question. They need to know whether somebody could have edited the records and what would have happened if they tried.
Third, do the records actually answer the operative question. The operative question is the one in the complaint, the dispute, or the suspected risk event. The records have to permit reconstruction of the specific decision. Not the system in general. The decision in question.
Marketing language about "AI governance frameworks" does nothing here. The assessor is looking for evidence. The shape of evidence is the audit chain.
The honest take on what to do this week.
If you operate an Annex III system and you do not yet have an Article 12-shaped log, the work is bounded.
- Define the events. What does your system decide. What inputs feed those decisions. Write the schema.
- Pick a canonical clock. Pick a signing key. Pick a chain root publication target.
- Wire the event emission into the decision path, not the API path. The API call is downstream of the decision. The decision is what Article 12 asks about.
- Build the export bundle generator. The bundle is the auditor-facing artifact. It is also the dry-run artifact that proves the chain works.
- Set a quarterly drill. Once a quarter, an internal team requests the bundle for a randomly chosen historical decision. If the bundle generates and verifies, the system is audit-ready for that quarter.
None of those steps require a $40K compliance platform. They require somebody writing the schema and somebody wiring the emission. The platform you buy after that is a convenience, not a substitute.
This is the same lane MnemoPay's audit primitive sits in. The SDK ships buildArticle12Bundle(), which generates the bundle above directly from the agent's existing receipt chain. It is one line if you are already wired into the SDK. If you are not, the same shape of bundle can be built by hand. The math does not care about the implementation.
The closing line I give every operator on this: regulators do not want philosophy. They want records. You either have them, or you do not. The two-year grace period that ended on August 2, 2026 was always for building the paper trail. Article 12 is the trail.