Article 12 and the Logging Mandate: What the EU AI Act Actually Requires

Article 12 does not ask whether you intend to keep logs. It requires that high-risk AI systems technically allow for automatic recording from day one. Here is what that means in practice.

Article 12 and the Logging Mandate: What the EU AI Act Actually Requires

When GDPR arrived, the organisations that had mistaken documentation for capability were the ones that struggled the most. They had policies about data retention but no technical controls enforcing those policies. They had breach notification procedures but no systems capable of detecting a breach in time to use them.

The EU AI Act is heading for a similar reckoning. And Article 12 is where most organisations will feel it first.

Article 12

High-risk AI systems shall technically allow for the automatic recording of events over the lifetime of the system.

  • Technically means the logging capability must be built into or applied to the system itself. A manual process for exporting logs, or a human who periodically reviews AI outputs and writes notes, does not satisfy this requirement.
  • Automatic means logs are generated without operator intervention at the moment events occur. Scheduled exports do not count. Human-triggered captures do not count.
  • Lifetime means from the moment a high-risk AI system is deployed until it is decommissioned. Not from the point at which you decided to start logging or your compliance program went live.

Article 26(6) requires automatically generated logs to be retained for a minimum of six months. For biometric identification systems, additional specific data must be captured including precise usage periods, reference databases consulted, and the identities of individuals responsible for verifying results.

Who This Applies To

The first question many organisations ask is whether Article 12 applies to them. The answer, for most enterprises using AI in operational contexts, is yes.

Under Annex III of the Act, high-risk includes any operation where AI affects hiring, finances, access, healthcare, resource allocation, or fundamental rights. This covers recruitment screening tools, credit and insurance models, employee performance management systems, customer service AI with access to account data, and healthcare triage or administration tools.

The regulation draws a clear line between providers, who build and place AI systems on the market, and deployers, who use those systems within their own operations. Most European enterprises are deployers. Deployers must ensure that logs are kept in formats suitable for analysis and must retain them in a way that supports regulatory review and investigation.

If you are a deployer using a third-party AI system, the obligation to ensure logging is in place does not disappear. You need to verify that the systems you use can generate the required logs, and that those logs are accessible to you when needed.

The Six Gaps Most Organisations Have Right Now

Based on what we see across enterprise environments, these are the most common Article 12 failures:

  1. Fragmented log sources. AI usage is spread across multiple systems, some cloud-hosted, some embedded in SaaS tools, some running in developer environments. Each generates logs in different formats, stored in different places without a unified view and no reliable way to produce a complete picture when required.
  2. Incomplete coverage. Logging may exist for officially sanctioned AI systems but not for the shadow AI running alongside them. An organisation that logs its approved AI but cannot account for the screening browser extension used by three team members has a compliance gap.
  3. Log integrity. Article 12 says nothing about how to protect records from tampering. A log file can be modified, overwritten, or deleted without trace unless it is secured through mechanisms independent of the system that generated it. If logs need to hold up in regulatory or judicial proceedings, chain of custody matters.
  4. Insufficient retention. Many organisations apply general IT log retention policies that fall short of six months, or apply the six-month requirement inconsistently across systems.
  5. No connection to monitoring. Logs that sit in a storage system and are never reviewed until something goes wrong are not a monitoring system. Article 26 requires deployers to actively monitor AI systems for performance and anomalies. 
  6. Discovery gaps. You cannot log what you cannot see. The organisations most exposed under Article 12 are those that do not have a complete picture of their high-risk AI deployments in the first place.

The 15-Minute Discovery Standard

There is a practical metric that every CISO and GRC leader should apply to their organisation's AI readiness. How long does it take to produce a complete, verified inventory of all AI systems currently in use across your environment?

If the answer is days or weeks, you are working from a compliance model that cannot keep pace with how AI is actually being adopted inside your organisation. If the answer is never, or only through a manual survey process, you have a fundamental gap.

FireTail deploys automated discovery across cloud infrastructure, browser-based activity, and application-layer integrations. Within 15 minutes, you have a living inventory. That inventory drives everything else, automatic log capture from every discovered system, centralised retention with tamper-evident storage, real-time alerting on anomalous activity, and the audit-ready reporting that demonstrates compliance to regulators.

FireTail captures the specific data Article 12 requires for high-risk systems. Interaction timestamps, input data classifications, output records, and human review events. Logs are centralised, retained, and exportable for regulatory review.

The Enforcement Timeline

The EU AI Act entered into force on August 1, 2024. The full obligations for high-risk AI systems become applicable on August 2, 2026. Prohibited practices have been enforceable since February 2025. 

National Competent Authorities across EU member states will move into active enforcement mode after that August 2026 date.

The organisations that will be best positioned have automated, continuous logging in place now, generating the six months of retained audit trail the regulation requires before enforcement begins. If you start your logging program the day the Act is enforced, you are already behind.

Article 12 reflects what the regulation is actually trying to achieve: the ability to understand, retrospectively and in real time, what high-risk AI systems are doing and what impact they are having. Manual documentation is no longer enough.

Lina Romero

EU AI Act
AI Governance
AI Security
April 16, 2026

Are You EU AI Act Ready?

It's the final coundown to the enforcement deadline on 2nd August 2026. Is your organisation fully compliant? Find out now.
Schedule an EU AI Act Readiness Assessment

Related posts

Beyond the Spreadsheet: Why Manual AI Audits Are an EU AI Act Compliance Liability
April 16, 2026

Beyond the Spreadsheet: Why Manual AI Audits Are an EU AI Act Compliance Liability

Manual audits were the gold standard for SOC 2 and ISO 27001, but they are the wrong tool entirely for the EU AI Act. Read on to find out why.

Read more
The Shadow AI Trap: Why Your AI Inventory is Your Biggest EU AI Act Compliance Risk
April 16, 2026

The Shadow AI Trap: Why Your AI Inventory is Your Biggest EU AI Act Compliance Risk

More than 80% of employees use unapproved AI tools at work. For European organisations facing the August 2026 enforcement deadline, this statistic is a legal liability.

Read more
Beyond the Spectacle - RSAC 2026 and The 5 Layers of AI Security
March 31, 2026

Beyond the Spectacle - RSAC 2026 and The 5 Layers of AI Security

Jeremy takes a look back at RSAC 2026, sharing his key observations on the 50/50 split between securing AI and applying it, the rise of "EDR for AI agents," and his framework for the 5 Layers of AI Security.

Read more

This site uses cookies

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Got it!