EU AI Act - Regulation (EU) 2024/1689

Article 12 - Record-keeping

Article 12(1) requires that high-risk AI systems technically allow for the automatic recording of events (‘logs’) over their lifetime. The clause is about reconstructability: a deployer must be able to show, after the fact, what the system did and under which conditions.

What Article 12(2) asks for

Logging capabilities that enable identification of situations that may result in the AI system presenting a risk within the meaning of Article 79(1) or in a substantial modification, facilitate Article 72 post-market monitoring, and monitor the operation of high-risk AI systems referred to in Article 26(5).

For Annex III point 1(a) biometric-identification systems, Article 12(3) adds

Period of each use (start and end date and time), the reference database against which input data was checked, the input data for which the search led to a match, and identification of the natural persons involved in verifying the results.

Receipt-field mapping

request_hashReconstructable record of the input (SHA-256 over canonical request bytes)
model + outcomeWhat the system did and which model produced it
policy_appliedWhich policy was in force at decision time
timestampStart and end of the operation
signature + public_keyNon-repudiable evidence the deployer emitted the record
attestation_id + prev_attestation_idHash chain that detects after-the-fact tampering

Receipts are emitted per request and verifiable against the published public key without access to the deployer’s systems. That is the practical bar Article 12 is asking for.

Read Article 12 on EUR-Lex or read the full open spec at github.com/Aqta-ai/attestation-spec.

← Back to the verifier