The audits I run at BizSuite aren't for companies that hate AI. They are for companies already running it, often in production, often across three or four tools, and usually without a clear picture of what the system is actually doing.
I went back through the last twelve and looked for what stuck. There was one thing.
Every one of them had a call log. None of them had a decision log.
A call log tells you what the agent hit. The API it touched. The payload. The timestamp. Most teams have this by accident. Sentry has it, Datadog has it, even Vercel has it. It is the byproduct of just running a system.
A decision log is different. It tells you why the agent made that call and not the other three it could have made. It is the record of the choice, not the record of the action. When a regulator shows up, or a customer disputes a charge, or a partner asks "why did your bot deny my claim," nobody wants the call log. Everyone wants the decision log.
Twelve out of twelve didn't have it. Not because they didn't care. Because no tool in their stack produces it.
What a decision log actually looks like.
The minimum viable decision log has four fields:
- Input state — what the agent knew at the moment it acted. Not the final context it built, the raw state it started from.
- Options considered — the branches the agent evaluated, even the ones it discarded. "Why not" matters as much as "why."
- Chosen branch with rationale — one sentence the agent (or the wrapper around it) produces when it commits to an action.
- Outcome reference — the call log entry that resulted, so the two logs can be joined.
That is it. No AI governance framework, no $40K consulting engagement, no enterprise platform. Four fields, written at the moment of the decision, stored in whatever you already have.
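The four fields are small enough to sketch directly. This is a minimal illustration, not a prescribed schema: every name here (`DecisionRecord`, `log_decision`, the example sink) is hypothetical, and the store can be any append-only thing you already run.

```python
import json
import uuid
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

@dataclass
class DecisionRecord:
    """The minimum viable decision log entry: four fields plus bookkeeping."""
    input_state: dict          # what the agent knew at the moment it acted
    options_considered: list   # every branch evaluated, including discarded ones
    chosen_branch: str         # the action the agent committed to
    rationale: str             # one sentence on why this branch and not the others
    outcome_ref: str           # id of the resulting call-log entry, so the logs join
    decision_id: str = field(default_factory=lambda: str(uuid.uuid4()))
    recorded_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat()
    )

def log_decision(record: DecisionRecord, sink) -> str:
    """Append one decision as a JSON line to whatever sink you already have."""
    sink.write(json.dumps(asdict(record)) + "\n")
    return record.decision_id
```

Written this way, the record is produced at the moment of the decision, inside the harness, not reconstructed later from the call log.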
Why the EU AI Act lands here first.
The Act's Annex III covers credit scoring, employment screening, education access, critical infrastructure. It does not require "AI ethics." It requires that a notified body be able to reconstruct the decision. That is exactly the decision-log requirement, written in legal prose.
If your agent handles any Annex III workflow, August 2, 2026 is the deadline. After that date, a call log alone is an audit failure. The audit will ask the same question I ask: "Show me why it picked this outcome over the alternatives." If the team can only produce the API request, the audit ends there.
The one thing to do this week.
Before you buy another compliance tool or hire a fractional AI officer, look at the most important agent decision your business made in the last 30 days. Pull up the logs. See if you can answer the question "why this and not that" from the data alone.
If you can't, you have a decision-log gap. Everything else follows from fixing it.
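One mechanical way to run that check, if both logs are line-delimited JSON: join them on the outcome reference and list every call that no decision record explains. The field names below (`id`, `outcome_ref`) are assumptions standing in for whatever your stack actually emits.

```python
import json

def find_unexplained_calls(call_log_lines, decision_log_lines):
    """Return ids of call-log entries that no decision record points at.

    An empty result means every action can be traced back to a recorded
    "why"; anything else is the decision-log gap, made concrete.
    """
    explained = {
        json.loads(line)["outcome_ref"] for line in decision_log_lines
    }
    return [
        entry["id"]
        for entry in map(json.loads, call_log_lines)
        if entry["id"] not in explained
    ]
```

For most teams I audit, the decision-log side of this join is simply empty, which is the whole finding in one line of output.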
A closing admission.
I missed this pattern for the first three audits. I kept chasing model bias and prompt quality because those are the things the press writes about. The actual failure was one layer up, in the harness the models sat inside. It took the fourth engagement to see it, and the pattern has been unbroken since.
The takeaway isn't that the Act is coming. It is that when it comes, the teams that survive will be the ones who already write down why, not the ones who write better prompts.