The EU AI Act's logging requirements for high-risk AI systems hit a compliance wall with agentic AI. Article 12 mandates "automatic recording of events" with tamper-evident guarantees that standard application logs can't provide. While the regulation doesn't name AI agents specifically, systems that score credit, filter resumes, or make healthcare decisions fall under Annex III high-risk classification. The deadline is August 2, 2026.
This creates a technical nightmare most organizations haven't grasped yet. AI agents don't just execute API calls — they reason, delegate, and chain tool invocations across decision trees that standard logging architectures weren't built to capture. As I covered in April, agentic AI exposes governance black holes. Article 12 makes those holes regulatory liabilities. You need to log not just what the agent did, but why it chose that path, which tools it called, and how it reached its decision.
Developer coverage reveals the practical gap: most teams think compliance means better CloudWatch dashboards. Wrong. Article 12 requires cryptographic signing or blockchain-style immutability to prove logs weren't altered retroactively. The regulation spans Articles 12, 13, 19, and 26 with cross-references that make implementation unclear. Financial services can integrate AI logs into existing regulatory frameworks, but everyone else faces six-month minimum retention with sector-specific extensions.
If you're building agents for regulated use cases, start designing logging architecture now. "We have observability" isn't a compliance strategy when regulators demand proof your decision logs weren't tampered with six months after the fact.