Title: Article 12 of the EU AI Act — practitioner notes from 14 months of operating it in production

Body:

For anyone working on AI Act compliance on the practitioner side:

The text of Article 12 is short. The implementation work is not. Things that surprised us when we built this for our own production system:

The five pillars (identifiability, integrity, completeness, availability, proportionality) are not separately named in the law, but every audit checklist we have seen organises around them. Worth having as your internal mental model.

Hash chains are not optional in practice. The law just says "automatic recording", but every regulator I have spoken to or read expects tamper-evidence in a non-trivial audit.

Retention is a sliding scale with sectoral overlays. The base "AI Act high-risk" retention is usually shorter than the MDR overlay for medical AI or the NIS2 overlay for critical infrastructure. Map your sectoral overlays explicitly.

Multi-provider setups need per-vote logging. If you run a 3-of-5 council and only log the final outcome, you cannot reconstruct decisions six months later. Log every voter independently.

Operator overrides are events too. Article 12 covers manual interventions, not just inference. Most teams I have seen forget this category until their first practice audit.

I wrote up the patterns into a bilingual (DE/EN) toolkit with PDF, Excel templates, checklists and JSON schemas. Launch price 29 euros: https://yoendem.gumroad.com/l/eu-ai-act-article-12-toolkit

Mostly posting for the discussion — what implementation gotchas have caught you out?
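As an added example (not part of the original post or the linked toolkit), a minimal hash-chained audit log that records each council voter and an operator override as separate events, then reconstructs the decision and detects edits. The field names, event type names, voter and operator ids, timestamps and the "3 approvals out of 5" quorum rule are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first record's "prev" field

def digest(body):
    # Canonical JSON so a record always serialises, and hashes, the same way.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append(records, event_type, decision_id, payload, ts):
    """Append one event, binding it to the hash of the previous record."""
    body = {"seq": len(records), "ts": ts, "type": event_type,
            "decision_id": decision_id, "payload": payload,
            "prev": records[-1]["hash"] if records else GENESIS}
    records.append({**body, "hash": digest(body)})

def verify(records):
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != digest(body):
            return i
        prev = rec["hash"]
    return -1

def reconstruct(records, decision_id, quorum=3):
    """Rebuild a council decision from per-voter records plus any operator override."""
    mine = [r for r in records if r["decision_id"] == decision_id]
    votes = {r["payload"]["voter"]: r["payload"]["vote"] for r in mine if r["type"] == "vote"}
    overrides = [r["payload"] for r in mine if r["type"] == "operator_override"]
    council = "approve" if list(votes.values()).count("approve") >= quorum else "reject"
    final = overrides[-1]["new_outcome"] if overrides else council
    return {"votes": votes, "council": council, "final": final, "overrides": overrides}

def build_sample():
    """Constructed sample: five voters, then a manual operator override."""
    log = []
    sample_votes = [("model-a", "approve"), ("model-b", "approve"), ("model-c", "reject"),
                    ("model-d", "approve"), ("model-e", "reject")]
    for n, (voter, vote) in enumerate(sample_votes):
        append(log, "vote", "dec-0001", {"voter": voter, "vote": vote}, f"2025-01-01T10:00:0{n}Z")
    append(log, "operator_override", "dec-0001",
           {"operator": "op-17", "new_outcome": "reject", "reason": "manual review"},
           "2025-01-01T10:05:00Z")
    return log

if __name__ == "__main__":
    log = build_sample()
    print(verify(log), reconstruct(log, "dec-0001"))
```

A chain on its own does not reveal removal of the newest records: dropping the override record above still verifies and silently changes the reconstructed outcome, so the latest hash has to be anchored somewhere the log writer cannot rewrite.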
