Compliance mapping
EU AI Act: human oversight and logging for agent actions
Two AI Act obligations are especially relevant to the evidence Cosignet can produce: Article 14 (human oversight, the ability to intervene, interrupt, and oversee) and Article 12 (logging and record-keeping). This page connects both to concrete, verifiable artifacts, and gives the current timeline after the Digital Omnibus.
Scope. Cosignet provides verifiable approval evidence only; it does not determine legal applicability, certify compliance, replace regulated controls, or substitute for legal, compliance, or audit advice.
Framing: Cosignet is a component that may support evidence for your human-oversight and record-keeping processes. It does not by itself implement any AI Act article or make an AI system compliant, and it does not classify your system's risk level for you. That assessment is yours.
Article 14: supporting evidence for human oversight
Article 14 addresses the ability of humans to effectively oversee high-risk AI systems, including to intervene in or interrupt the system. A human-approval gate is one way to support evidence for the "intervene before the consequential action happens" case:
- Oversee. The approver sees the exact action, re-hashed in their browser and confirmed against the signed fingerprint, before deciding (what you see is what you sign).
- Intervene and interrupt. The action does not run until a named human approves it with a passkey. No approval, no execution: the system fails closed.
- Accountability. Each intervention is recorded as a signed, tamper-evident decision, so oversight is not just claimed, it is evidenced.
Article 12: supporting evidence for record-keeping
Article 12 addresses automatic recording of events (logs) over the system's lifetime to support traceability. Cosignet's transparency log can support evidence for this kind of record-keeping:
- Every approval is an append-only leaf in a Merkle log with an Ed25519-signed tree head.
- Records are tamper-evident: an inclusion proof shows a decision is committed under a published root, and consistency proofs show the log only ever appended.
- The log is anchored into Bitcoin via OpenTimestamps, so the record's integrity does not rest on trusting the operator.
| AI Act obligation | What is expected | Cosignet artifact |
|---|---|---|
| Article 14 human oversight | Ability to intervene or interrupt before harm | Fail-closed payload-bound approval gate; the action runs only on an explicit signed approval |
| Article 14 oversight quality | The human understands what they are authorizing | WYSIWYS: the exact action is re-hashed in the browser and confirmed against the signed fingerprint |
| Article 12 record-keeping | Automatic, traceable logs of events | Append-only Merkle transparency log, Ed25519-signed tree head, Bitcoin anchor, exportable evidence pack |
Timeline (after the Digital Omnibus)
The Digital Omnibus is expected to revise the AI Act's high-risk timeline. The dates below are indicative and subject to confirmation against the final published text in the Official Journal:
- High-risk, stand-alone (Annex III): expected 2 December 2027, deferred from the earlier 2026 date.
- High-risk, embedded in regulated products (Annex I): expected 2 August 2028.
- Article 50 transparency obligations: expected largely from 2 August 2026, with provider watermarking obligations expected from 2 December 2026.
The Digital Omnibus simplification package was formally adopted in June 2026 (European Parliament endorsement on 16 June 2026, Council final approval on 29 June 2026) and enters into force shortly after publication in the Official Journal. Confirm the final published dates against the Official Journal for your records. Primary source for the base Act: Regulation (EU) 2024/1689.
Transitional provisions
The AI Act includes transitional provisions addressing systems already placed on the market before the applicable date and the effect of "substantial modification." The precise scope, conditions, and dates of these provisions are subject to confirmation against the final published text and are a matter for your own legal assessment.
Confirm the scope and conditions of the transitional and "substantial modification" provisions with your own counsel before relying on them. Nothing here is a recommendation about the timing of any regulatory decision.
Related reading
- DORA: ICT traceability and incident evidence.
- For auditors: verify a real record end to end.
- All compliance mappings.
Evidence your human oversight, do not just assert it
Free to start, no credit card.
Informational, not legal advice. This page explains how Cosignet evidence artifacts can support EU AI Act human-oversight and logging obligations. It is not a legal opinion, does not classify your system's risk level, and does not make your system compliant. Verify all references and dates against the primary sources and confirm applicability with your own counsel.