System inventory

  1. You have a written inventory of every AI / agent system in production, including the ones that have crept in via shadow IT.
  2. Each system has a named business owner, technical owner, and compliance owner.
  3. Each system is classified against Annex III of the EU AI Act with a defensible rationale (whether high-risk or not).
  4. For each high-risk system, you have a current intended-purpose statement aligned with Article 13(2).

Logging

  1. For each high-risk system, logs are generated automatically at the time of action (not reconstructed from disparate sources after).
  2. Each log entry includes: timestamp, agent identifier, session identifier, action type, action name, resource touched, data classification.
  3. The logging captures sub-agent invocations and tool calls (not just top-level requests).
  4. The logging captures decision metadata where the system makes a binary or graded decision: outcome, confidence, reason.
  5. The logging captures errors, retries, and policy-guard interventions (e.g., denied tool calls).

Data handling

  1. PII is redacted before the log entry is created, at the source — not in a downstream pipeline.
  2. You have a hash of the raw input/output so verification is possible without storing the raw data.
  3. Your sub-processor list explicitly covers any third party that processes log data, even briefly.
  4. Data residency for the log store is explicit and matches your customer-facing DPA commitments.

Integrity

  1. Logs are tamper-evident — hash-chained, Merkle-tree based, or signed in a way that makes retroactive editing mathematically detectable.
  2. The integrity proof can be verified independently by a third party (auditor, regulator) from a read-only copy of the log data, without your assistance.
  3. Signing keys, if used, are managed under a documented procedure (rotation, custody, audit trail).
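
An added example (not part of the original checklist) showing what the Logging, Data handling and Integrity items above look like in code: each entry carries the required fields, PII is redacted before the entry exists, only a hash of the raw input/output is kept, and every entry is hash-chained so a third party can verify a read-only copy. The field names, the genesis value and the e-mail-only redaction rule are assumptions chosen for the example.

```python
import hashlib
import json
import re

# Required fields per the Logging checklist (names are assumed for this example).
REQUIRED = ("timestamp", "agent_id", "session_id", "action_type",
            "action_name", "resource", "data_class")
GENESIS = "0" * 64  # assumed prev_hash of the first entry
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

def _digest(obj):
    """Canonical JSON (sorted keys, no whitespace) hashed with SHA-256."""
    return hashlib.sha256(
        json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def redact(text):
    """Redact PII at the source, before the entry is created (e-mail only here)."""
    return EMAIL.sub("[REDACTED_EMAIL]", text)

def append_entry(chain, fields, raw_input, raw_output):
    """Append one hash-chained entry. Raw text is never stored: only its hash
    (for later verification) and a redacted copy; prev_hash links to the
    previous entry so removal or reordering is detectable."""
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing required log fields: {missing}")
    entry = dict(fields)
    entry["input_hash"] = hashlib.sha256(raw_input.encode()).hexdigest()
    entry["output_hash"] = hashlib.sha256(raw_output.encode()).hexdigest()
    entry["input_redacted"] = redact(raw_input)
    entry["prev_hash"] = chain[-1]["entry_hash"] if chain else GENESIS
    entry["entry_hash"] = _digest(entry)  # covers every field set above
    chain.append(entry)
    return entry

def verify_chain(chain):
    """Independent check an auditor can run over a read-only copy: recompute
    each entry hash and each link. Returns -1 if the chain is intact,
    otherwise the index of the first entry that fails."""
    prev = GENESIS
    for i, e in enumerate(chain):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e.get("prev_hash") != prev or _digest(body) != e.get("entry_hash"):
            return i
        prev = e["entry_hash"]
    return -1
```

Persisting the chain as JSON lines (or Parquet, as in the Retention section) and re-running `verify_chain` on the archived copy is the replay check item 3 under Retention asks for.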

Retention

  1. Retention period is documented per data class, with the legal basis for each retention duration.
  2. Retention period is at least 6 months for all AI Act-relevant logs (longer where FCA SYSC, MiFID II, or sector-specific obligations apply).
  3. Cold storage preserves the integrity proof (the hash chain replays correctly from a Parquet archive, for example).

Output

  1. You can produce a regulator-readable evidence pack for any defined (system, period) pair in less than one working day.
  2. The pack format has been reviewed by your external auditor or compliance partner for adequacy.
  3. You have run the production of a pack end-to-end at least once (don't wait for the regulator's first request).

Governance

  1. You have a written AI governance policy, a named accountable officer, and a documented review cadence (quarterly minimum). The board has reviewed and minuted it within the last twelve months.