Article 12 requires high-risk AI systems to keep automatic, traceable, tamper-evident logs of every decision. Most compliance tools store those logs in a database the audited party can edit. Agent Cert signs each decision, anchors it to a public ledger, and lets anyone verify it — without trusting us, or you.
Four obligations for every high-risk AI system in scope. Agent Cert was built around all four from day one.
Every algorithmic decision is recorded automatically over the system's operational life — not sampled, not opt-in.
Each log entry must trace the decision: the inputs, the action, the context, and the conditions that produced it.
Logs must be retained for at least six months (Arts. 19, 26) and be producible for a regulator on request.
A log you can silently edit proves nothing. Entries must be tamper-evident to carry weight in an inspection.
Don't take our word for it — read the law. Regulation (EU) 2024/1689 on EUR-Lex is the official EU AI Act text; Article 12 (Record-keeping) is the record-keeping obligation this page maps to. Retention sits in Articles 19 & 26.
Every compliance vendor can hand a regulator a log file. The question an auditor actually asks: how do I know it wasn't changed after the fact?
The full field-by-field Article 12 + ISO 42001 crosswalk ships in the compliance docs. The shape of it:
| Article 12 obligation | Agent Cert mechanism |
|---|---|
| Automatic logging of each decision | A signed Decision Receipt issued per agent action via API or MCP |
| Traceability of inputs → action | Receipt records user intent, agent output, tools used, model + version, policy applied |
| Tamper-evidence | Ed25519 signature + SHA-256 hashes, anchored on Solana |
| ≥ 6-month retention | Receipts retained in Postgres; documented retention policy, exportable on demand |
| Producible for inspection | generate_audit_report → JSON or PDF export for a given agent + time range |
| Independent verification | Public verifier at /r/, public signing key, on-chain anchor proof |
The decision content, prompts, outputs, and any PII stay in your private records. What gets anchored to the public ledger is a one-way cryptographic hash — enough to prove a receipt hasn't changed, impossible to reverse into the underlying data. That's the line that makes "blockchain" acceptable to a compliance officer: public proof, private content.