2025-12-19 expert contribution

EU AI Act: AI system logging

The EU AI Act imposes strict technical and procedural record-keeping requirements on high-risk AI systems, designed to ensure traceability, transparency and accountability throughout their entire lifecycle.


What the AI Act requires for AI system logging

These obligations originate from Art. 12, which mandates that all high-risk AI systems be equipped with internal logging mechanisms capable of automatically capturing events throughout their operation. These logs serve three critical purposes:

  • Risk detection: capturing events that could indicate emerging risks or significant modifications to the system in line with Art. 79(1).
  • Post‑market monitoring: enabling providers to assess system behavior and performance after deployment, as required by Art. 72.
  • Operational oversight: facilitating monitoring of system use by deployers in accordance with Art. 26(5).

For AI systems used for remote biometric identification (Annex III, 1(a)), the following minimum logging capabilities must be ensured:

  • Precise timestamps for each usage session (start and end).
  • Details of the reference database used during input data validation.
  • Records of input data that triggered search matches.
  • Identification of individuals responsible for verifying results, per Article 14(5).
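
One way to check recorded events against the minimum capabilities listed above, added here as an example and not taken from the AI Act or the draft standard. The event types, field names and sample lines are constructed assumptions; a match with no recorded verifier is treated as a gap.

```python
import json
from datetime import datetime

# Constructed sample events (JSON lines); all names are assumptions of this example.
SAMPLE = [
    '{"session":"s1","event":"start","ts":"2025-01-01T10:00:00+00:00","reference_database":"refdb-v3"}',
    '{"session":"s1","event":"match","input_ref":"frame-0042"}',
    '{"session":"s1","event":"verified","verifier_id":"op-17"}',
    '{"session":"s1","event":"end","ts":"2025-01-01T10:05:00+00:00"}',
    '{"session":"s2","event":"start","ts":"2025-01-01T11:00:00+00:00"}',
    '{"session":"s2","event":"match","input_ref":"frame-0107"}',
]

def build_sessions(lines):
    """Fold individual events into one record per usage session."""
    sessions = {}
    for line in lines:
        ev = json.loads(line)
        rec = sessions.setdefault(ev["session"], {"matched_inputs": [], "verifiers": []})
        if ev["event"] == "start":
            rec["session_start"] = ev["ts"]
            rec["reference_database"] = ev.get("reference_database")
        elif ev["event"] == "match":
            rec["matched_inputs"].append(ev["input_ref"])
        elif ev["event"] == "verified":
            rec["verifiers"].append(ev["verifier_id"])
        elif ev["event"] == "end":
            rec["session_end"] = ev["ts"]
    return sessions

def gaps(rec):
    """List which of the minimum logging items a session record lacks."""
    problems = [f"missing {f}" for f in
                ("session_start", "session_end", "reference_database") if not rec.get(f)]
    if rec["matched_inputs"] and not rec["verifiers"]:
        problems.append("match without verifier")
    start, end = rec.get("session_start"), rec.get("session_end")
    if start and end and datetime.fromisoformat(end) < datetime.fromisoformat(start):
        problems.append("end before start")
    return problems

def audit(lines):
    """Map each session id to its list of gaps (an empty list means complete)."""
    return {sid: gaps(rec) for sid, rec in build_sessions(lines).items()}

if __name__ == "__main__":
    for sid, problems in audit(SAMPLE).items():
        print(sid, problems or "complete")
```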


A look at the draft standard for AI system logging

The draft standard ISO/IEC DIS 24970:2025 Artificial intelligence – AI system logging helps providers of high-risk AI systems implement the provisions of Art. 12 in their development and design process.

The following table provides an overview of the sections of the standard:

| Section | Core requirement(s) | Details |
| --- | --- | --- |
| Clause 5 Logging and use of logs | All AI systems must log relevant events. | Defines the overall purpose, scope and responsibilities for logging. |
| Clause 6 Design of the logging system | Log design must support traceability. | Log entries should be linked to the system’s design decisions, data flows and governance controls so that behavior can be audited. |
| Clause 7 Triggers for logging | Logging is activated in three contexts: • Operation – routine system activity. • Automated monitoring – performance or safety checks. • Human oversight – interventions by users or operators. | Enables comprehensive coverage of normal and exceptional behavior. |
| Clause 8 Information to log | Logs must capture: • Error details: error codes, messages, severity level, impact level and system context. • Error‑handling flow: failed operation, retry attempts, fallback mechanisms, user notification, escalation and recovery steps. • Other context: time stamps, component identifiers, user IDs (where privacy permits). | Provides the data needed for diagnostics, learning and compliance. |
| Clause 9 Storing and access to logs | Logs are not necessarily retained indefinitely. Only those required for regulatory or legal purposes should be stored long term. Such logs require persistent storage and secure backups. Governance schemes determine who can read, write or delete logs. Third-party access is permitted only if the recipient has the necessary permissions and can guarantee secure storage and deletion when no longer needed, as well as confidentiality, integrity and availability. | Addresses privacy, data‑portability and legal constraints on log retention and sharing. |
| General design notes | The logging component is intentionally agnostic, meaning it can be implemented in software, hardware or a hybrid form, and does not impose a fixed schema. It supports operational, analytical and regulatory objectives. | Enables flexible integration with diverse AI system architectures. |
| Governance & responsible use | Logging is part of responsible governance processes that cover privacy, fairness and accountability. Continuous‑learning systems require safeguards to prevent drift or the incorporation of biased/erroneous data. | Ensures that logs contribute to ethical oversight and system safety. |
| Annex A Information model | Provides a sample data structure that can be adapted to meet the above requirements. | Offers practical guidance for implementation. |


Take‑away

The standard requires that AI systems establish a comprehensive logging framework to ensure traceability, compliance and security. Each system must define a clear logging strategy and design logs that support regulatory and ethical obligations. Logging should be triggered during normal operations, monitoring, and human oversight scenarios to capture detailed error information and contextual data. Logs must be stored securely and only retained for legally mandated periods. They must also be protected through strict access controls. Additionally, the logging component should be flexible enough to be implemented in either software or hardware. These measures together guarantee that AI systems maintain auditable and trustworthy records while safeguarding privacy and meeting compliance requirements.

Get in touch with us!


We offer our services in consulting projects and in-house workshops and would be happy to provide you with more information about our services and answer any questions.

AI Projects & Services: aips@vde.com