
Feature: Structured compliance audit logging for EU AI Act (Article 12) #35357

@desiorac

Description


Context

The EU AI Act (Regulation 2024/1689) enters full enforcement in August 2026. Article 12 requires that high-risk AI systems support automatic logging of events throughout their lifecycle, with logs that enable traceability of the system's operation.

For LLM-based applications built with LangChain, this means chain executions need structured, tamper-evident audit trails that regulators can inspect.

Current State

LangChain has an excellent callback system (BaseCallbackHandler) and integrations with observability tools (LangSmith, Weights & Biases, etc.). However, these are primarily designed for debugging and monitoring, not for regulatory compliance audits.

What's missing is a standardized, structured log format specifically designed for compliance that captures:

  • Chain/agent execution trace with deterministic identifiers
  • Input/output pairs at each step (with optional PII redaction)
  • Model identifiers and versions used
  • Timestamps in ISO 8601 with timezone
  • Human oversight decisions (approvals, rejections, overrides)
  • Risk classification of the operation

Proposal

A ComplianceCallbackHandler (or similar) that:

  1. Outputs structured JSON logs following a compliance-oriented schema
  2. Includes fields mapped to EU AI Act Article 12 requirements (event type, timestamp, system version, input hash, output hash)
  3. Supports configurable PII redaction (GDPR Article 5 interplay)
  4. Can write to append-only storage backends (file, database, S3)

This would be useful for any organization deploying LangChain in regulated industries (healthcare, finance, legal, public sector), not just for the EU AI Act but also for SOC2, ISO 42001, and internal audit requirements.
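A sketch of the handler the proposal describes, as an added example (neither LangChain's code nor the issue author's): it reuses LangChain's callback method names without importing LangChain, records input/output hashes, model identifier, system version and ISO 8601 UTC timestamps, chains every JSON record to its predecessor so an auditor can detect edits or gaps, and redacts e-mail addresses as a stand-in for real PII detection. The `serialized["kwargs"]["model"]` layout, the `on_human_decision` method and the in-memory list used as an append-only sink are assumptions.

```python
import hashlib, json, re
from datetime import datetime, timezone

_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
_GENESIS = "0" * 64  # prev_hash carried by the first record

def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def redact(text: str) -> str:
    # Minimal PII redaction (e-mail addresses only); a deployment would plug in a proper detector here
    return _EMAIL.sub("[REDACTED_EMAIL]", text)

class ComplianceAuditLog:
    def __init__(self, system_version: str, sink: list, redact_pii: bool = True):
        self.system_version, self.sink, self.redact_pii = system_version, sink, redact_pii
        self.prev_hash = _GENESIS  # `sink` is an append-only list standing in for a WORM backend

    def _emit(self, event_type: str, run_id, payload: dict) -> None:
        record = {"event_type": event_type, "run_id": str(run_id),
                  "timestamp": datetime.now(timezone.utc).isoformat(),  # ISO 8601 with +00:00 offset
                  "system_version": self.system_version, "prev_hash": self.prev_hash, **payload}
        # Hash chain: each record commits to its predecessor, so edits, deletions and reordering are detectable
        record["record_hash"] = sha256(json.dumps(record, sort_keys=True))
        self.prev_hash = record["record_hash"]
        self.sink.append(json.dumps(record, sort_keys=True))

    def _text_fields(self, key: str, value) -> dict:
        raw = json.dumps(value, sort_keys=True)
        # Hash the raw content so it can be matched to source records; persist only the redacted text
        return {f"{key}_hash": sha256(raw), key: redact(raw) if self.redact_pii else raw}

    def on_chain_start(self, serialized, inputs, *, run_id, **kwargs) -> None:
        self._emit("chain_start", run_id, self._text_fields("input", inputs))
    def on_chain_end(self, outputs, *, run_id, **kwargs) -> None:
        self._emit("chain_end", run_id, self._text_fields("output", outputs))
    def on_llm_start(self, serialized, prompts, *, run_id, **kwargs) -> None:
        model = serialized.get("kwargs", {}).get("model", "unknown")  # assumed layout of `serialized`
        self._emit("llm_start", run_id, {"model": model, **self._text_fields("prompts", prompts)})
    def on_human_decision(self, decision: str, reason: str, *, run_id) -> None:
        self._emit("human_oversight", run_id, {"decision": decision, "reason": reason})

def verify_log(lines: list) -> bool:
    prev = _GENESIS  # False means some record was altered, removed or reordered
    for line in lines:
        record = json.loads(line)
        claimed = record.pop("record_hash")
        if record["prev_hash"] != prev or sha256(json.dumps(record, sort_keys=True)) != claimed:
            return False
        prev = claimed
    return True
```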

References

  • EU AI Act full text: Regulation 2024/1689
  • Article 12 specifically covers automatic logging requirements
  • For scanning existing LangChain code against EU AI Act requirements, there's an open-source MCP server: mcp-eu-ai-act
  • Related standard: ISO/IEC 42001 (AI Management System)

Happy to discuss implementation approaches or contribute if there's interest.
