Resource · EU AI Act

The EU AI Act made the AI log a legal requirement.

For high-risk AI systems, the Act does not ask for a policy document. It requires the system to automatically record what it did, over its whole lifetime. That record has to already exist. Vidai produces it from day one, in the request path.

Request a Demo See the compliance product

What it is

The first horizontal law for AI.

Regulation (EU) 2024/1689, the EU AI Act, is the first comprehensive law governing how AI is built and used. It is risk-tiered: most AI carries light or no obligations, but a defined set of high-risk uses carries hard duties, and those duties are in force on a staged timeline through 2026 and 2027. It reaches any organisation whose AI output is used in the EU, the same extraterritorial shape as the GDPR.

It is risk-scoped

The heavy obligations attach to high-risk systems, the Annex III categories, not to every AI call. Knowing which of your workflows are in scope is the first move.

Logging is mandatory

For high-risk systems, automatic event logging over the system's lifetime is not optional and not satisfiable by a human reviewing outputs. It is a technical requirement.

You cannot backfill it

The record has to have been kept while the system ran. A log assembled after the fact is not the lifetime record the Act describes.

Where Vidai fits

We don't certify you. We produce the record the Act asks for.

Vidai is not a legal compliance certification and cannot make a system "EU AI Act compliant", that is a determination about your whole system, your documentation and your processes. What Vidai does is collapse the part that is hardest to do by hand: for high-risk AI traffic that flows through it, the lifetime event log the Act requires is produced continuously, automatically, as a queryable record.

→The log is in the path, not after it. Every model call is recorded as it happens, frozen at write time. There is no separate logging step to remember.

→It carries who and what. Each event has the principal, the requested versus served model, the rule that fired and the guardrail outcome, the detail Art. 12 and Art. 26 expect.

→Retained and exportable. Request Logs are kept under your control and exportable as your own data, which is what Art. 19's retention duty needs.

→We are precise about the boundary. Vidai produces the operational record. Conformity assessment, the technical file and risk management remain your process, and we say so.

The mapping, exactly

The articles where Vidai produces the evidence.

For these duties you do not assemble a record by hand. The record is what Vidai already wrote.

Art. 12

Record-keeping (logging)High-risk AI systems must technically allow the automatic recording of events (logs) over the system's lifetime. Vidai records every model call as a frozen, per-request event: this is the logging capability, in the path, not a manual export.

Art. 19

Automatically generated logsProviders must keep the logs the system generates, where those logs are under their control, for at least six months unless other law requires longer. Vidai's Request Logs are retained, queryable and exportable as the provider's own data.

Art. 26

Deployer logging obligationsDeployers of high-risk AI must keep the logs the system generates, where under their control, for at least six months. Financial institutions may meet this through their existing financial-services record-keeping. The same Vidai record serves the deployer, with the principal and policy outcome on every event.

Art. 14

Human oversightHigh-risk systems must be designed so people can oversee them. Routing and access rules encode who may reach which model, for what; guardrail outcomes are visible, not buried.

Art. 72

Post-market monitoringProviders must monitor high-risk systems in operation. Vidai's live telemetry is continuous operational evidence of what the system actually did, not a point-in-time snapshot.

Sourced from Regulation (EU) 2024/1689 as in force, 2026. Vidai produces the operational record these articles require; conformity assessment, the technical documentation and risk management are the organisation's own process, and the product is precise about that boundary rather than claiming legal coverage.

Is your AI in scope

High-risk is a defined list, not a vibe.

Annex III names the uses the heavy duties attach to. If a workflow sits here, the logging obligation is real.

→Creditworthiness and credit scoring of people

→Risk assessment and pricing in life and health insurance

→Recruitment, and decisions on promotion or termination

→Access to essential public and private services

→Critical infrastructure, education, law enforcement and migration

Most AI traffic is not high-risk and the Act says so. The point of an in-path layer is that you do not have to decide per application: the record exists for all of it, and you scope the obligation to the workflows that are in Annex III.

Walk through your high-risk AI logging.

A 20-minute walkthrough: which workflows are in scope, the per-request record behind the Art. 12 duty, and exactly where Vidai's boundary is.

Request a Demo