EU AI Act Article 12 readiness

The EU AI Act's record-keeping (Article 12) and human-oversight (Article 14) requirements for Annex III high-risk systems become enforceable on August 2, 2026. This article maps each requirement to a LumenFlow primitive so a regulated buyer can answer compliance questions concretely.

What changes on August 2, 2026

The EU AI Act's record-keeping and oversight obligations for Annex III high-risk AI systems become enforceable on August 2, 2026. Penalties for non-compliance reach €15 million or 3% of worldwide annual turnover, whichever is higher. As of this writing, no finalised technical standard exists yet for Article 12 logging — drafts including prEN 18229-1 and ISO/IEC DIS 24970 are still in development.

That gap is a procurement reality: regulated buyers need to demonstrate compliance before the standards are finished. LumenFlow's primitives map directly to the obligations.

Article 12 — automatic record-keeping

| Requirement | LumenFlow primitive |
| --- | --- |
| Automatic logging over the lifetime of the system | Evidence receipts emitted at every governed tool call (TOOL_CALL_STARTED / PROGRESS / FINISHED), persisted to the evidence store |
| Traceability of inputs to outcomes | Content-addressed input hashes, output hashes, scope snapshots, and policy-version snapshots inside each receipt |
| Tamper-resistance | Detached signatures over canonicalised evidence bundles, with a verifier CLI that returns PASS or FAIL on the bundle |
| Lifetime preservation | Append-only receipt store with retention controls and an export envelope for regulator hand-off |
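
The traceability and tamper-resistance rows above can be illustrated with a small sketch. This is an added example, not LumenFlow's receipt format or its verifier CLI: the field names, the demo key, and the sorted-key JSON canonicalisation are assumptions, and HMAC-SHA256 stands in for a real detached signature scheme so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Assumption: constructed demo key. A real deployment would use an asymmetric
# signature (the verifier holds only a public key); HMAC is a stand-in here.
DEMO_KEY = b"constructed-demo-key"

def sha256_hex(data: bytes) -> str:
    """Content address of a payload."""
    return hashlib.sha256(data).hexdigest()

def canonicalise(receipt: dict) -> bytes:
    """Deterministic encoding: sorted keys, no insignificant whitespace, UTF-8."""
    return json.dumps(receipt, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def make_receipt(event: str, tool_input: bytes, tool_output: bytes,
                 scope: dict, policy_version: str) -> dict:
    """Hypothetical receipt: hashes of input and output plus scope and policy snapshots."""
    return {
        "event": event,
        "input_sha256": sha256_hex(tool_input),
        "output_sha256": sha256_hex(tool_output),
        "scope": scope,
        "policy_version": policy_version,
    }

def sign(receipt: dict, key: bytes = DEMO_KEY) -> str:
    """Detached tag computed over the canonical bytes, stored beside the receipt."""
    return hmac.new(key, canonicalise(receipt), hashlib.sha256).hexdigest()

def verify(receipt: dict, signature: str, tool_input: bytes,
           tool_output: bytes, key: bytes = DEMO_KEY) -> str:
    """PASS only if the tag is intact and the retained payloads match the hashes."""
    if not hmac.compare_digest(sign(receipt, key), signature):
        return "FAIL"  # some receipt field changed after signing
    if receipt["input_sha256"] != sha256_hex(tool_input):
        return "FAIL"  # stored input is not the input that was recorded
    if receipt["output_sha256"] != sha256_hex(tool_output):
        return "FAIL"  # stored output is not the output that was recorded
    return "PASS"
```

Canonicalising before signing is what lets a receipt survive re-serialisation (for example, key reordering on export) while any change to a recorded value still fails verification.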

Article 14 — human oversight

| Requirement | LumenFlow primitive |
| --- | --- |
| Effective oversight by a natural person during use | Approvals as a first-class noun: risky tool calls pause execution and route to a workspace inbox |
| Ability to intervene or interrupt | Deny-wins Rules cascade evaluated before the action runs; an Approval can withhold or revoke without after-the-fact rollback |
| Specific dual-confirmation for Annex III point 1(a) | Approval workflows support multi-approver routing; the approval record captures both confirmations and timestamps |

Article 15 — robustness, accuracy, cybersecurity

LumenFlow's contribution to Article 15 obligations is not the model itself — it is the boundary around the model. Per-Connection identity, short-lived enrolment tokens, signed Packs with integrity pins, and import-boundary enforcement reduce the supply-chain and lateral-movement attack surface around the AI system.

What a buyer actually gets

For an Annex III deployer, LumenFlow provides four artefacts that map to the obligations above:

  1. A signed evidence bundle per governed action — the canonical record of what the system did, under which policy, with what scope, for which Ask.
  2. A verifier command — a third-party-runnable check that confirms the bundle has not been altered.
  3. An approval record per gated action — the human-oversight artefact for Article 14.
  4. An export envelope — a portable hand-off format so evidence can leave LumenFlow without losing its integrity proof.

These are not a substitute for a full Article 12 conformity assessment, nor for a Notified Body review where one is required. They are the operational substrate that lets a deployer answer the questions the regulator will ask.

See Connections: Trusted Compute for the runnable demo that produces a signed evidence bundle, and Autonomy policies and tool-call approvals for the Rules and Approvals mechanics that implement Article 14 oversight.