Your compliance team will ask for an AI agent audit trail before August 2. Here's the part most teams haven't built.

The deadline, stated plainly

On August 2, 2026 — two months out as I write this — the EU AI Act's high-risk obligations under Annex III reach full enforcement. If your organization deploys AI agents that influence decisions in a high-risk category (employment, lending, healthcare, essential services, law enforcement, critical infrastructure), a set of concrete technical requirements becomes legally binding.

The one this article is about is Article 12: high-risk AI systems must technically allow "automatic recording of events (logs) over the lifetime of the system." Automated logs retained for at least six months. Article 99 backs it with fines up to €35 million or 7% of global turnover for the most serious violations.

One important accuracy note before we go further: a proposed extension of these deadlines to December 2027, via the EU Digital Omnibus, was under negotiation as of April 2026. As of this writing it has not become law. You cannot plan engineering work around an extension that doesn't legally exist. Build for August 2.

A second accuracy note: whether your specific AI coding agent falls under high-risk obligations depends on what it's deployed to do, not on the fact that it's an AI agent. An agent writing a CRUD app for an internal tool is in a different position from an agent operating in or building systems for a regulated decision domain. But the audit-trail capability is worth building regardless, because — as the rest of this article argues — enterprise procurement and SOC 2 increasingly demand the same record even outside EU AI Act scope, and building it after you need it is the expensive path.