
What the EU AI Act Requires for AI Agent Logging
Why It Matters
Failing to implement compliant, immutable logging exposes firms to hefty fines and regulatory scrutiny, while early adoption gives a competitive compliance edge.
Key Takeaways
- AI agents used in credit, hiring, and health are high‑risk
- Article 12 requires automatic, tamper‑evident logs for the system’s lifetime
- Logs must be retained at least six months and be regulator‑readable
- Cryptographic signing can create a verifiable, immutable audit trail
- Non‑compliance may trigger fines up to $16 million or 3 % of turnover
Pulse Analysis
The EU AI Act’s high‑risk regime now reaches AI agents that influence credit scoring, recruitment, insurance pricing or emergency triage. Under Articles 12 and 13, providers must embed automatic logging that captures risk‑triggering events, post‑market performance data, and operational metrics for the entire lifespan of the system. Unlike traditional application logs, these records must be generated without human intervention and preserved for at least six months in a format regulators can audit. The regulation stops short of prescribing a data schema, leaving firms to design their own evidence‑ready pipelines.
Technical teams quickly discover that ordinary logs lack the tamper‑evidence required for regulatory proof. If a regulator can’t verify that logs haven’t been altered, their evidentiary value evaporates. A growing solution is cryptographic signing: each agent action is signed by an external key, chained to the previous entry, and stored in an immutable ledger. This approach, demonstrated in projects like Asqav, satisfies the Act’s intent by making any modification instantly detectable. Whether using NIST FIPS 204 post‑quantum signatures or conventional ECDSA, the core principle—sign‑outside‑the‑agent, chain‑the‑receipts—remains the same.
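The sign-outside-the-agent, chain-the-receipts pattern described above, as an added example that is not code from this article or from Asqav. It assumes HMAC-SHA256 as a standard-library stand-in for the asymmetric signature (ECDSA or FIPS 204) a real deployment would use; the `Signer` class, field names and sample actions are hypothetical and constructed.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # "prev" value for the first entry (assumed convention)

def _digest(body):
    # Canonical JSON so signer and verifier hash byte-identical input
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).digest()

class Signer:
    """Stand-in for a signing service running outside the agent process.
    HMAC replaces the asymmetric signature so the example needs no extra packages."""
    def __init__(self, key):
        self._key = key
    def sign(self, digest):
        return hmac.new(self._key, digest, hashlib.sha256).hexdigest()

def append(log, signer, action):
    # Each entry commits to the previous entry's signature, forming the chain
    prev = log[-1]["sig"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "action": action}
    log.append({**body, "sig": signer.sign(_digest(body))})

def verify(log, signer):
    """Return the index of the first invalid entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: entry.get(k) for k in ("seq", "prev", "action")}
        expected = signer.sign(_digest(body))
        if (body["seq"] != i or body["prev"] != prev
                or not hmac.compare_digest(expected, str(entry.get("sig")))):
            return i
        prev = entry["sig"]
    return None

def demo():
    signer = Signer(b"constructed-demo-key")
    log = []
    for decision in ("refer", "decline", "approve"):  # constructed agent actions
        append(log, signer, {"tool": "credit_score", "decision": decision})
    intact = verify(log, signer)
    log[1]["action"]["decision"] = "approve"   # in-place edit of a past decision
    edited = verify(log, signer)
    log[1]["action"]["decision"] = "decline"   # restore, then drop the entry
    del log[1]
    removed = verify(log, signer)
    return intact, edited, removed
```

The chain alone does not reveal removal of the newest entries; detecting that requires the latest signature to be recorded somewhere the log writer cannot change.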
While the Act’s enforcement date of August 2, 2026 looms, the technical standards that will formalise logging requirements (prEN 18229‑1 and ISO/IEC DIS 24970) are still drafts. Companies that implement robust, signed logging now will avoid costly retrofits when the standards are finalized. The penalty ceiling of €15 million (about $16 million) or 3 % of worldwide turnover underscores the financial stakes, especially for large enterprises. Start‑ups and SMEs may see reduced fines, but the proportionality rule still demands demonstrable compliance. Proactive logging not only mitigates risk but also builds trust with regulators and customers in an increasingly AI‑driven market.