AFFIXIO
EU AI Act Article 12
EU AI Act Article 12 Logging Guide 2026
Article 12 is a design obligation: high-risk AI must automatically record events over the system lifetime with traceability appropriate to purpose. Manual spreadsheets after the fact do not satisfy the requirement.
At a glance
- Article
- EU AI Act 2024/1689 Article 12
- Deadline
- 2 December 2027 (Annex III stand-alone)
- Requirement
- Automatic tamper-evident logging
- Deployer retention
- Minimum six months per log entry
- AffixIO model
- Merkle proof-not-log audit
- Reviewed
- 12 July 2026
EU AI Act Article 12 requires high-risk AI systems to log events automatically with tamper-evident integrity for the system lifetime. AffixIO provides proof-not-log audit: signed allow or deny digests in a Merkle tree regulators can verify without database admin access.
Article 12 of Regulation (EU) 2024/1689 is a design obligation for high-risk AI systems. Logging must be automatic, complete enough for post-market monitoring, and tamper-evident over the system lifetime. This guide helps providers and deployers plan architecture before the December 2027 deadline for Annex III stand-alone systems.
What Article 12 requires
Providers must build logging capabilities into the system before market placement. Logs must support:
- Identifying situations that may present risks under Article 79 (serious incidents).
- Post-market monitoring under Article 72.
- Deployer operational monitoring under Article 26(5).
- Minimum six-month retention per log entry for deployers, unless sector rules require longer.
Why mutable application logs fail reviews
Spreadsheets and editable log lines do not demonstrate that a decision was recorded at the time it occurred. Auditors expect evidence that entries were not altered after the fact. Append-only Merkle trees with inclusion proofs let regulators verify decision integrity without admin access to your SIEM.
SIEM remains essential for operations. Article 12 evidence is about decision integrity at the AI boundary. Read proof-not-log vs SIEM.
Logging design checklist
- Capture allow and deny outcomes automatically at inference or action time without operator paste steps.
- Record model version, policy version, and input digest sufficient to reconstruct the decision context.
- Store entries in an append-only structure. Merkle roots can anchor to external witnesses.
- Enable independent verification via inclusion proofs. Use the Merkle verifier.
- Define retention aligned to six-month deployer minimum and GDPR erasure workflows.
- Separate PII from audit digests. Proof-not-log stores metadata, not raw prompts by default.
- Document remote biometric identification fields if Annex III point 1(a) applies.
- Run the Article 12 readiness checker and sandbox reproduce before external audit.
Remote biometric identification (Annex III 1a)
Additional minimum log fields include: period of use, reference database, matched input data, and identity of personnel verifying matches. Plan field-level minimisation and access controls before go-live.
AffixIO proof-not-log model
Each verify decision appends a digest to a Merkle audit tree. Export the root and inclusion proofs for regulator replay. Read proof-not-log audit and the compliance hub.
Frequently asked questions
Is six months enough retention?
It is the statutory floor for deployers. Sector rules or GDPR may require longer.
Does AffixIO log prompts?
Audit trees store proof digests and verdict metadata by default, not raw conversation content.
When should we start?
Logging must be designed in now for systems shipping before December 2027.
Who is the provider vs deployer?
Providers design logging into the system. Deployers must retain logs at least six months and monitor operation.
Do we log raw prompts?
Minimise PII. AffixIO stores proof digests and verdict metadata by default, not conversation content.
Can we use blockchain instead of Merkle?
Tamper-evident append-only structures matter. Merkle trees with inclusion proofs are sufficient without public chains.
When must embedded high-risk systems comply?
2 August 2028 for AI embedded in regulated products.
How do we test logging before audit?
Reproduce sandbox verify flows and verify Merkle inclusion with the public tool.