EU AI Act
Europe's law for high-risk AI systems. The company deploying the agent, not the company that trained the model, has to keep a continuous record of what the AI did and prove a human is overseeing it. IntentGate writes that record automatically for every tool call the agent makes. The table below pairs each obligation in the regulation with the specific gateway output that satisfies it.
Obligation to evidence
| Obligation | IntentGate output |
|---|---|
| Art. 12(1) — automatic recording of events throughout the system's lifecycle | Per-call audit row written by the gateway; no operator action required |
| Art. 12(2) — events that enable identification of situations of risk | Decision field (allow / block / escalate) plus the rule that fired |
| Art. 12(3) — retention of records | Hash-chained Postgres store; the gateway never deletes; retention is the deployer's policy |
| Art. 26(1) — deployer responsibility to operate the system appropriately | Per-tenant policy and audit owned by the deployer, in the deployer's environment |
| Art. 26(6) — keep logs and make them available to the authority | Signed export from a single query; verification command for the authority |
The deployer is the entity operating the agent. The records therefore have to live inside the deployer's environment, in a form the deployer can produce on demand. A vendor-hosted governance dashboard does not satisfy this. The self-hosted gateway does.
Want the mapping for your specific audit?
Each organisation has a different combination of regulations and a different audit cycle. We can walk through your specific obligations in a 30-minute call.
Start the conversation