EU AI Act enforcement countdown
The EU AI Act’s enforcement clock is counting down to August 2, 2026, and it demands data lineage, low‑overhead compliant logging, and inference auditing for any AI affecting EU users — with penalties up to 7% of global revenue. Companies serving EU customers must upgrade logging and provenance systems now to support after‑the‑fact audits without degrading runtime performance. (insightsoftware.com)
Article 12 of the Act obliges high‑risk AI systems to “technically allow for the automatic recording of events (logs) over the lifetime of the system,” including records that let auditors identify inputs that caused unwanted behaviour and the start and end times of each use. (ai-act-service-desk.ec.europa.eu) Practical engineering guidance defines an “inference log” as a permanent, queryable record containing the input, the output, the exact model identifier/version used, timestamps, and ancillary metadata to enable post‑market monitoring and back‑tracking to training/validation artefacts. (practical-ai-act.eu) Article 19 and implementation notes set a baseline retention expectation—logs must be kept for a period “appropriate to the intended purpose of the high‑risk AI system,” with guidance commonly interpreting a minimum of six months for automatic logs, creating predictable storage and compression requirements. (logdy.dev) Engineering patterns being adopted to satisfy auditability without harming runtime performance include OpenTelemetry instrumentation, writing telemetry to append‑only blob storage for tamper evidence, cryptographic hash chains or signed records for immutable audit proofs, and storing object URIs plus salted hashes instead of plaintext payloads to reduce exposure and cost. (oneuptime.com) Standards work such as the Open Inference / OpenInference specifications and vendor‑neutral inference schemas are converging as canonical record formats so platform SDKs can enforce consistent fields (model id, input reference, output, trace id) across teams and vendors. (github.com) Agent observability plays a dual role for compliance and reliability: current best practices call for hierarchical traces across sessions, explicit capture of prompt + completion and token‑level metadata, and tooling experiments showing OpenTelemetry‑based instrumentations dramatically shorten root‑cause time for multi‑step agent workflows. (opentelemetry.io) Legal and advisory notes from firms and market monitors recommend folding experiment tracking, model/version registries, vendor due diligence, and post‑market monitoring plans into the record‑keeping architecture to support conformity assessments and national authority audits. (wilmerhale.com)
