EU AI Act compliance: audit trail and required disclosures

How Zeuslock provides the audit trail, transparency log, and incident timeline that legal and compliance teams need to evidence Articles 4, 26 and 50 of the EU AI Act.

What the EU AI Act actually asks of you

The AI Act (Regulation (EU) 2024/1689) is the first horizontal AI law in the world, and its obligations apply to almost every European employer, not just AI vendors. If your staff use ChatGPT, Claude, Gemini, Copilot, Mistral or any internal copilot, you are a deployer within the meaning of the Regulation. This document is for the legal counsel, DPO, compliance officer and CISO who will be asked, by a regulator or an internal auditor, to prove the company is meeting its obligations. It maps the relevant Articles to the audit trail Zeuslock generates and lists what we do not cover, so you can plan the rest of your compliance programme honestly.

The real timeline you need to plan against

The Act entered into force on 1 August 2024 and applies in stages. Three dates matter for compliance planning:

  • 2 August 2025 — GPAI obligations. Providers of general-purpose AI models (OpenAI, Anthropic, Google, Mistral, Meta and others) are subject to Article 53 transparency, copyright and documentation duties. Article 55 adds systemic-risk obligations for the largest models. Deployers feel this indirectly: the upstream documentation you must collect from these providers becomes available.
  • 2 August 2026 — high-risk system obligations. Annex III high-risk uses (HR screening, credit scoring, biometric ID, critical infrastructure, education access, etc.) become enforceable. Article 26 deployer obligations kick in.
  • 2 August 2027 — full enforcement. Including high-risk systems embedded in regulated products under Annex I.

Penalties scale with the violation: up to €35 million or 7% of worldwide annual turnover for prohibited-practice breaches, €15 million or 3% for most other infringements. CNIL in France, AEPD in Spain, the BfDI alongside the Länder DPAs in Germany, and the EDPB at EU-wide level have already started publishing guidance.

Article 4 — AI literacy, and how you measure it

Article 4 requires that providers and deployers "take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf". The Regulation does not prescribe a syllabus. It does, however, expect that you can describe where AI is being used and by whom. Most organisations cannot answer that question on day one.

Zeuslock's role here is observational, not pedagogical. The browser extension, desktop agent and CLI together produce a continuous, anonymised log of which employees use which AI tools, at what frequency, with what type of data. That log is the baseline a training programme can be designed against. Without it, AI literacy becomes a self-declaration exercise.

Article 50 — transparency to end users

Article 50 requires that natural persons be informed when they are interacting with an AI system, and that synthetic content be marked as such. For deployers, the practical question regulators will ask is: "can you list every AI-driven destination your data flows to?" Zeuslock answers this by maintaining a destination-by-destination usage register — ChatGPT, Claude, Gemini, Perplexity, Mistral, Copilot, Poe, You.com, DeepSeek and any tool caught by Universal mode. The export is timestamped and signed, which is what an auditor will want.

Article 26 — what high-risk deployers must do

Article 26 is the operational core for most companies. It requires deployers to:

  • Use the high-risk system in accordance with its instructions for use.
  • Assign human oversight to natural persons with the necessary competence.
  • Ensure input data is relevant and sufficiently representative.
  • Monitor operation and inform the provider of serious incidents.
  • Keep the automatically generated logs for at least six months.

Zeuslock sits at the data layer of these obligations. We continuously log inputs sent to AI systems, block dangerous inputs in line with policy (human oversight expressed in software), and build an incident timeline for any prompt that breaches the configured rules. We do not replace the human reviewer — we ensure the reviewer has evidence.

Articles 53 and 55 — what changes for GPAI

The bulk of Article 53 (technical documentation, copyright policy, training-data summary) and Article 55 (systemic-risk evaluation, adversarial testing, incident reporting) lands on providers. As a deployer integrating GPAI into your own product, your responsibility is to capture the evidence that you used the model in a controlled way. The Zeuslock audit trail is what makes that evidence concrete.

Article-to-feature mapping

AI Act provision  | Deployer obligation                        | Zeuslock contribution
------------------+--------------------------------------------+--------------------------------------------------------
Article 4         | Sufficient AI literacy of staff            | Per-user, per-tool usage register that scopes training
Article 26(1)     | Use system per instructions                | Policy-as-code enforcement; blocked-prompt log
Article 26(2)     | Human oversight by competent persons       | Incident queue with reviewer attribution
Article 26(5)     | Monitor operation, report serious incidents | Real-time alerting to Slack, Splunk, Sentinel, PagerDuty
Article 26(6)     | Retain logs ≥ 6 months                     | WORM-style audit export, configurable retention
Article 50        | Transparency about AI interaction          | Destination-by-destination usage log
Article 53 / 55   | GPAI provider duties (mostly upstream)     | Evidence package proving controlled deployer use

Practical evidence checklist for a compliance officer

If your regulator or auditor walked in tomorrow, you should be able to evidence each of the following within one working hour. Each item maps to data Zeuslock generates by default.

  1. A list of every AI tool used in the last 90 days, by department, with sample anonymised prompts.
  2. The set of policies in force on each detection type (Monitor, Anonymize, Block) and the date each policy was last changed.
  3. An incident timeline for the last quarter, with severity, reviewer, action taken and time to resolution.
  4. The total volume of credentials, PII and source code intercepted before it left the perimeter.
  5. A list of shadow-AI destinations flagged (for example DeepSeek) and the CISO notification log.
  6. The current SSO / SCIM provisioning state, showing which employees have access to AI tools through approved identity providers.
  7. The AI literacy baseline: how many staff use AI weekly, in which functions, with what data types.
  8. The configured retention period and a signed sample of an exported audit log.
  9. Evidence of human oversight: reviewer identity, decision, justification stored against each high-severity incident.
  10. The DPIA appendix covering AI tool usage, including data categories, lawful basis and transfer safeguards.
  11. A copy of the latest webhook delivery to your SIEM, verified by HMAC signature.
  12. The incident report template you would file with your national authority (CNIL, AEPD, BfDI, etc.) if a high-risk incident occurred today.

The audit-trail export

The audit trail is the single artefact most regulators will ask for. Zeuslock exposes it in three forms: CSV download, real-time forward to a SIEM (Splunk HEC, Microsoft Sentinel, generic webhook), and a packaged DPIA appendix. Each record carries the following fields (shown here as one JSON record; the CSV export uses the same names as columns):

{
  "timestamp": "2026-05-17T09:42:18Z",
  "user_hash": "sha256:6f1c…",
  "group": "finance-paris",
  "destination": "chat.openai.com",
  "finding_type": "iban",
  "severity": "high",
  "action": "blocked",
  "policy_version": "2026.04-rev3"
}

The user_hash is a salted SHA-256 of the directory identifier — you can re-identify on request to support a data subject access or a serious incident, but the default export is pseudonymised, which matches Article 26(6) read alongside GDPR Article 32.
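A worked illustration of the pseudonymisation, re-identification on request and webhook signature check described above and in item 11 of the checklist, added here as example code that is not Zeuslock's own: the salt, the webhook secret and the HMAC-SHA256-over-raw-body signing scheme are assumptions, and the record values are the constructed sample shown on this page.

```python
import hashlib
import hmac
import json

# Constructed placeholders: a real tenant salt and webhook secret come from
# Zeuslock's configuration, not from this example.
SALT = b"tenant-salt-placeholder"
WEBHOOK_SECRET = b"webhook-secret-placeholder"


def user_hash(directory_id: str, salt: bytes = SALT) -> str:
    """Pseudonymise a directory identifier the way the export does: salted SHA-256."""
    digest = hashlib.sha256(salt + directory_id.encode("utf-8")).hexdigest()
    return "sha256:" + digest


def build_record(directory_id: str, **fields) -> dict:
    """Assemble one audit record in the export's field layout (constructed sample values)."""
    record = {"timestamp": "2026-05-17T09:42:18Z", "user_hash": user_hash(directory_id),
              "group": "finance-paris", "destination": "chat.openai.com",
              "finding_type": "iban", "severity": "high", "action": "blocked",
              "policy_version": "2026.04-rev3"}
    record.update(fields)
    return record


def reidentify(record_hash: str, directory_ids, salt: bytes = SALT):
    """Re-identification on request (DSAR or serious incident): recompute the hash
    for each directory identifier with the tenant salt and return the one that
    matches, or None when the subject is not in the supplied directory."""
    for did in directory_ids:
        if hmac.compare_digest(user_hash(did, salt), record_hash):
            return did
    return None


def sign_delivery(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Sender side of the assumed scheme: HMAC-SHA256 over the raw delivery body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_delivery(body: bytes, signature_hex: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """SIEM side: recompute the HMAC over the exact bytes received (before any JSON
    parsing or re-serialisation) and compare in constant time."""
    return hmac.compare_digest(sign_delivery(body, secret), signature_hex)


if __name__ == "__main__":
    rec = build_record("alice@example.com")
    body = json.dumps(rec, sort_keys=True).encode("utf-8")
    sig = sign_delivery(body)
    print(verify_delivery(body, sig),
          reidentify(rec["user_hash"], ["bob@example.com", "alice@example.com"]))
```

Verify the signature over the bytes as received: re-serialising the JSON before hashing will change key order or whitespace and make a valid delivery fail the check.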

What Zeuslock does not cover

Honesty matters more than coverage here. Zeuslock is the evidence layer. It is not a substitute for the rest of an AI governance programme.

  • Model risk assessment of the LLMs themselves — bias, hallucination rate, robustness. This belongs to the provider's Article 53/55 documentation and to your own internal model risk function.
  • Contract governance with AI vendors — DPAs, sub-processor lists, EU data residency clauses, audit rights. Your legal and procurement teams own this.
  • Training delivery — we generate the data that tells you who needs training and on what; we do not deliver the course.
  • Conformity assessment for high-risk systems you build — if your company is the provider of a high-risk system, you need a notified body or self-assessment process that Zeuslock does not perform.

Working with European regulators

Each Member State enforces through one or more authorities. In France the CNIL has taken the lead on AI-and-personal-data questions and runs regulatory sandboxes. The AEPD in Spain runs a similar programme and was the first to designate an AI supervisory authority. In Germany the BfDI coordinates with the Länder DPAs (Bayern, Baden-Württemberg, Berlin and others), each with its own guidance. The EDPB issues EU-wide opinions and has already published its Opinion 28/2024 on AI models and personal data. When you brief any of them, lead with the data Zeuslock produces — they respond well to concrete logs.