Agent CertAgent Cert
EU AI Act · Article 12

Audit logs a regulator can independently verify.

Article 12 requires high-risk AI systems to keep automatic, traceable, tamper-evident logs of every decision. Most compliance tools store those logs in a database the audited party can edit. Agent Cert signs each decision, anchors it to a public ledger, and lets anyone verify it — without trusting us, or you.

Article 12 record-keeping for high-risk AI is phasing in across 2026–2027 — the exact date is in flux (a provisional 2026 agreement would defer high-risk obligations to Dec 2027, not yet ratified). The capability you'll need is the same either way. Build it early.
The requirement

What Article 12 actually demands.

Four obligations for every high-risk AI system in scope. Agent Cert was built around all four from day one.

Automatic lifetime logging

Every algorithmic decision is recorded automatically over the system's operational life — not sampled, not opt-in.

Full traceability

Each log entry must trace the decision: the inputs, the action, the context, and the conditions that produced it.

≥ 6-month retention

Logs must be retained for at least six months (Arts. 19, 26) and be producible for a regulator on request.

Evidentiary integrity

A log you can silently edit proves nothing. Entries must be tamper-evident to carry weight in an inspection.

Don't take our word for it — read the law. Regulation (EU) 2024/1689 on EUR-Lex is the official EU AI Act text; Article 12 (Record-keeping) is the record-keeping obligation this page maps to. Retention sits in Articles 19 & 26.

The difference that matters

Verifiable, not just stored.

Every compliance vendor can hand a regulator a log file. The question an auditor actually asks: how do I know it wasn't changed after the fact?

Typical compliance SaaS

A log in a database you control

  • The audited party (or a breach) can alter or delete entries.
  • "Trust us, it's immutable" — backed by a vendor's word, not math.
  • No way for a third party to confirm integrity independently.
  • Provenance stops at the system boundary — no cross-agent chain.
Agent Cert

A signed receipt anchored to a public ledger

  • Each decision is Ed25519-signed and SHA-256 hashed at the moment it's made.
  • The hash is anchored on Solana — a public, timestamped, immutable record.
  • Anyone can re-verify offline against our public key — no account, no trust in us required.
  • Receipts chain across agents and organizations — provenance the audited boundary can't hide.
The crosswalk

Every requirement, mapped to a capability.

The full field-by-field Article 12 + ISO 42001 crosswalk ships in the compliance docs. The shape of it:

Article 12 obligationAgent Cert mechanism
Automatic logging of each decisionA signed Decision Receipt issued per agent action via API or MCP
Traceability of inputs → actionReceipt records user intent, agent output, tools used, model + version, policy applied
Tamper-evidenceEd25519 signature + SHA-256 hashes, anchored on Solana
≥ 6-month retentionReceipts retained in Postgres; documented retention policy, exportable on demand
Producible for inspectiongenerate_audit_report → JSON or PDF export for a given agent + time range
Independent verificationPublic verifier at /r/, public signing key, on-chain anchor proof

Only hashes go on-chain. Never your data.

The decision content, prompts, outputs, and any PII stay in your private records. What gets anchored to the public ledger is a one-way cryptographic hash — enough to prove a receipt hasn't changed, impossible to reverse into the underlying data. That's the line that makes "blockchain" acceptable to a compliance officer: public proof, private content.

Get Article 12-ready ahead of the curve.

We're onboarding a small number of design partners in finance, healthcare, and HR — high-risk categories that need verifiable audit coverage now. If that's you, let's talk.