
AI Audit Trail for EU AI Act: What Compliant Logging Actually Looks Like

Published 29 June 2026 · KairoNull · 7 min read

Most organisations deploying AI have logs. Very few have an audit trail that would survive regulatory scrutiny under the EU AI Act. The difference is not volume of data — it is architecture. Specifically, whether the records can prove they have not been altered since the moment they were created.

Why Standard Logs Do Not Qualify

Application logs, observability platforms, and database audit tables all share the same fundamental weakness: they are stored in infrastructure that someone controls. An administrator with the right access can alter, delete, or backfill records without leaving a trace in the log itself.

The EU AI Act does not use the term "tamper-proof". But Article 12 requires logging capabilities that enable traceability of the functioning of a high-risk AI system appropriate to its intended purpose. If your logs can be silently altered and you cannot prove otherwise, their evidentiary value to a regulator is zero.

This is not a theoretical concern. When regulators investigate AI decisions, the first question is not what decision was made — it is whether the record of that decision is trustworthy. A log entry that could have been edited after the fact cannot answer that question.

What a Compliant AI Audit Trail Requires

A compliant audit trail under the EU AI Act needs to satisfy four properties that standard logging does not provide by default:

How Cryptographic Hash Chaining Works

Each record in KairoNull's Umbra Ledger contains a SHA-256 hash of its own content combined with the hash of the previous record. This creates a chain where every record is mathematically bound to every record before it.

    record_1284941 {
      input:     "Approve wire transfer $2,300,000"
      model:     gpt-4o / 2026-06-29T09:14:22Z
      output:    BLOCK [confidence: 0.998]
      invariant: KN-FIN-004
      prev_hash: 7fa93d8c4b2e1a09...
      hash:      SHA256(record + prev_hash) = a91f3c72b84e2d15...
      timestamp: RFC3161 / bound at generation
    }

If any field in record_1284941 is altered after the fact — the output changed from BLOCK to APPROVE, for instance — the hash no longer matches. And because the next record contains this record's hash, the entire subsequent chain breaks. The tampering is detectable by anyone with access to the chain, not just KairoNull.
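An added illustration of the chaining and tamper detection described above, written for this article and not KairoNull's Umbra Ledger code: two constructed decision records with the field names from the sample record are chained with SHA-256 over their content plus prev_hash, and a verifier reports where the chain breaks when the first output is changed from BLOCK to APPROVE. The canonical JSON serialisation and the all-zero genesis prev_hash are assumptions; RFC3161 timestamping is out of scope here.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # assumed sentinel for the first record's prev_hash

def record_hash(fields: dict, prev_hash: str) -> str:
    """SHA-256 over the record's canonical JSON concatenated with prev_hash."""
    # Canonical JSON (sorted keys, fixed separators) is an assumption; writer
    # and verifier only need to agree on one deterministic serialisation.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((body + prev_hash).encode("utf-8")).hexdigest()

def append_record(chain: list, fields: dict) -> dict:
    """Append a record whose hash binds its content to the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    rec = {"fields": fields, "prev_hash": prev_hash, "hash": record_hash(fields, prev_hash)}
    chain.append(rec)
    return rec

def verify_chain(chain: list) -> tuple:
    """Return (True, None) if intact, else (False, index of the first broken record)."""
    prev_hash = GENESIS_HASH
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev_hash or record_hash(rec["fields"], prev_hash) != rec["hash"]:
            return False, i
        prev_hash = rec["hash"]
    return True, None

def build_sample_chain() -> list:
    """Two constructed decision records mirroring the shape shown in the article."""
    chain = []
    append_record(chain, {"input": "Approve wire transfer $2,300,000", "model": "gpt-4o",
                          "output": "BLOCK", "confidence": 0.998, "invariant": "KN-FIN-004",
                          "timestamp": "2026-06-29T09:14:22Z"})
    append_record(chain, {"input": "Approve wire transfer $1,200", "model": "gpt-4o",
                          "output": "APPROVE", "confidence": 0.91, "invariant": "KN-FIN-004",
                          "timestamp": "2026-06-29T09:15:03Z"})
    return chain

def tamper_demo(rehash: bool) -> tuple:
    """Flip record 0 from BLOCK to APPROVE after the fact, then verify the chain.
    Plain edit: record 0's hash no longer matches (breaks at 0). Edit plus recomputed
    hash: record 1's prev_hash still names the old hash, so it breaks at 1 instead."""
    chain = build_sample_chain()
    chain[0]["fields"]["output"] = "APPROVE"
    if rehash:
        chain[0]["hash"] = record_hash(chain[0]["fields"], chain[0]["prev_hash"])
    return verify_chain(chain)
```

The second tamper case is the one that matters operationally: recomputing one record's hash is not enough, because every later record still carries the original value, so an editor would have to rewrite the whole subsequent chain held by every party that has a copy.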

RFC3161 Timestamps: Binding Records at Generation

Hash chaining proves internal consistency — that records have not been altered relative to each other. RFC3161 timestamps from a trusted timestamp authority prove external consistency — that each record existed at the stated time.

This matters for EU AI Act compliance because regulators may investigate decisions made months before the investigation begins. A record that can only prove its internal hash chain is intact cannot prove it was not created retroactively. RFC3161 timestamps bind each record to a specific moment in time at generation, not retrospectively.

The Retention Requirement

Article 19 of the EU AI Act requires that automatically generated logs be retained for a minimum of six months. For financial services firms, this overlaps with existing record-keeping obligations under MiFID II, AIFMD, and national financial services law — meaning AI audit trails should be integrated with existing compliance infrastructure, not siloed.

Organisations that begin logging on August 2, 2026 — the date full Annex III obligations take effect — will have a six-month gap in their audit trail covering the period before enforcement began. Investigations that reference decisions made before that date will find no records. Starting now closes that gap.

What to Ask Your Current Vendor

If you already have an AI governance platform, ask three questions:

The answers will tell you whether you have an audit trail or a logging system. They are not the same thing.

KairoNull provides cryptographic evidence infrastructure for AI decisions in regulated financial institutions. The Umbra Ledger creates SHA-256 hash-chained, RFC3161-timestamped records of every AI decision event — built to meet the authentication, integrity, and chain-of-custody standards applied to digital evidence.
