35 M€
Maximum fine for non-compliance with provider obligations
Every action your high-risk AI system takes — captured, hash-chained, and ready as an auditor-acceptable evidence pack in one click. No spreadsheet rebuilds, no consultant retainers, no rewrites when guidance evolves.
Article 12 of Regulation (EU) 2024/1689 requires providers and deployers of high-risk AI systems to maintain automatic event logs. The obligations are operational, not paper-based — and the penalty regime is at the higher end of EU regulatory law.
Maximum fine for non-compliance with provider obligations
Of global annual turnover — whichever is higher
Minimum log retention period mandated by the Article
Article 12 mandates automatic event logging for the full operational lifetime of a high-risk AI system. The Commission and the AI Office have published guidance clarifying what counts as adequate — Agent Audit is engineered against those requirements.
Records must be generated automatically while the system is operating. They cannot be reconstructed after the fact from disparate sources. Agent Audit captures events at the SDK boundary, in real time.
Logs must support identification of situations that may result in the AI system presenting a risk under Article 79 or undergoing substantial modification. Agent Audit's decision-drift detection and material event surfacing are built for this requirement.
Logs must include the period of recording, reference data used, search parameters, and the natural persons involved in the verification of results. Agent Audit's receipt schema captures all of these as first-class fields.
Records must be kept for a period appropriate to the intended purpose, and at minimum six months unless otherwise specified by Union or Member State law. Agent Audit retains receipts for seven years by default, configurable per data class.
Logs must be made available to national competent authorities on request, in a form they can interpret. Agent Audit's Article 12 evidence pack renders to PDF in the format the AI Office's pilot reviews have indicated as auditor-acceptable.
We've engineered the Article 12 evidence pack from the regulation itself, the AI Office's published guidance, and conversations with external auditors at compliance review pilots. One click renders it from your live receipts.
System name, period, issuer, integrity status. Three-officer sign-off block ready for compliance, DPO and InfoSec.
Annex IV-style technical documentation: provider, risk class, framework, model versions, tool inventory, data classifications touched.
Throughput, decision distribution, tool usage, operating cost, by-week breakdown for the period under review.
Auto-detected windows where decision outcomes diverged from the system's rolling baseline, with affected receipt references.
Unauthorised tool-call attempts and data-class escalations requiring human review, with timeline and resolution per event.
Hash-chain verification, signing key fingerprint, machine-readable manifest, auditor sign-off section.
Provisions of the EU AI Act apply in stages. Prohibitions began February 2025; obligations on providers and deployers of high-risk AI systems — including Article 12 record-keeping — apply from 2 August 2026. Most large-scale general-purpose AI obligations are already in force as of August 2025.
Annex III lists eight categories of high-risk systems including biometric identification, critical infrastructure, education and vocational training, employment and worker management, access to essential services (including creditworthiness assessment), law enforcement, migration, and administration of justice. AI used for claims triage at an insurer or for KYC at a financial institution is typically in scope.
Yes — extraterritorially. UK-based providers whose AI systems are placed on the EU market, or whose outputs are used in the EU, are in scope. UK firms also face parallel domestic obligations: ICO Article 22 of the UK GDPR for automated decision-making, FCA SYSC for operational resilience of AI-driven services, and the UK AI Regulation framework in consultation.
For non-compliance with the obligations on providers of high-risk AI systems (which includes Article 12), administrative fines reach up to €15 million or 3% of total worldwide annual turnover, whichever is higher. For non-compliance with prohibitions under Article 5, fines reach up to €35 million or 7%. For supplying incorrect information, up to €7.5 million or 1%. Member States can apply higher amounts.
The honest answer: no general-purpose observability or SIEM tool today produces output in the format the AI Office has signalled as adequate. Datadog, Splunk and similar log HTTP-level activity but do not capture per-agent decisions, classifications, or chain integrity in a regulator-presentable structure. Drata, Vanta and equivalent compliance automation platforms address static control evidence (SOC 2, ISO 27001) — not runtime AI action records.
We walk through your current AI agent inventory, identify Article 12 gaps against your stack, and produce a sample evidence pack against a representative slice of your operations. You leave with a clear go/no-go on readiness.
Start free