Regulation

What evidence does the EU AI Act actually require for high-risk AI?

2026NextVise

Most coverage of the EU AI Act talks about risk categories and fines. The operational question institutions face is narrower and harder: what must you be able to produce when someone asks? Article by article, the answer is: evidence.

Art. 9 — A risk management system that leaves a trail.

The Act requires a continuous, iterative risk management process across the system’s lifecycle — identified risks, mitigation measures, testing results. Not a policy document: a documented, dated, reviewable process. If it isn’t recorded, it didn’t happen — that is how a conformity assessment reads it.

Art. 12 — Record-keeping, built in.

High-risk AI systems must technically allow the automatic recording of events (“logs”) over their lifetime. This is the Act’s most underestimated clause: logging is not an operational nicety, it is a design requirement. A system that cannot produce its own decision trail is non-conforming by architecture — before anyone examines a single output.

Art. 14 — Human oversight that actually works.

Oversight must be effective: the humans overseeing the system need the competence, authority, and information to intervene. A review nobody can act on doesn’t count — the regulator’s reading of oversight has no room for rubber stamps. Which means the oversight itself needs evidence: who reviewed, when, with what information, and what they decided.

Art. 19 — Logs, kept and producible.

Providers keep the automatically generated logs at least six months — longer where other law applies. Financial institutions keep them as part of their existing financial-services documentation duties. The six months are a floor, not a target: the institutions we work with retain decision evidence for years, because the question rarely arrives within six months.

Art. 26 — The deployer is on the hook too.

Deployers of high-risk AI must monitor operation, keep the logs under their control, and assign oversight to named, competent people. Liability doesn’t stop at the vendor. The institution running the AI answers for it — with its own records.

And the cost of not being able to answer:

Article 99 sets penalties up to €35 million or 7% of global annual turnover — above the GDPR ceiling. But the fine is the second problem. The first is the moment an authority, an auditor, or a court asks for the record and the institution has nothing to put on the table.

What this adds up to

is a single requirement wearing five article numbers: forensic evidence, produced at runtime, kept immutable, owned by named humans. That is not a compliance report written after the fact — it is infrastructure underneath the AI. It is what we build.

― basis: EU AI Act Art. 9, 12, 14, 19, 26, 99 (Regulation (EU) 2024/1689)

Get Audit-Ready
← Back to Insights