© 2026 Cognita, Inc. · cognitagrc.io
WHITEPAPER · PHASE 3

Audit-grade Agent Observability under EU AI Act Article 72

The next major AI incident creates a procurement category overnight. By the time it lands, the vendors who built audit-grade evidence chains into their platform are the answer to every compliance officer's next RFP question. This is what we built and why it matters.

§1 The pattern we keep seeing

Air Canada chatbot promises a fare refund — court rules the airline is liable. NYC MyCity LLM tells small-business owners to violate labor law. Klarna rolls back its AI customer-service deployment after revenue drops. Every postmortem of every public AI incident in the last 18 months ends with the same line: "we couldn't reconstruct exactly what the agent did and why."

That sentence is a procurement signal. The next major incident creates the category overnight, and the buying team will skip every vendor whose answer to "show me what the agent did" is "here are some logs we hope are intact."

§2 What audit-grade means

EU AI Act Article 72 (post-market monitoring obligations, in force for high-risk Annex III systems from 2 December 2027 — deferred 16 months by the May 2026 Digital Omnibus deal) requires providers of high-risk AI systems to:

  • Document and monitor each system's performance throughout its lifecycle
  • Investigate and respond to serious incidents
  • Maintain logs sufficient to enable post-market monitoring

That third clause is doing a lot of work. "Sufficient" in the regulator's mind is not "there's a database somewhere with the call log." It is: any auditor or regulator can pick up the bundle, six months after the fact, and prove what the agent did and that the proof itself hasn't been tampered with.

That bar requires four properties:

  1. Append-only chain — each evidence row hashes the previous row's hash, so a single missing or modified row breaks the chain visibly.
  2. Cryptographic anchoring — the chain's Merkle root is committed to an external immutable store (S3 Object Lock with COMPLIANCE-mode retention) so "tampered after the fact" is provable, not just claimed.
  3. Action provenance — every governed object (model, AIIA, policy, signature) carries a source-badge stamp that ties the action back to a verifiable actor — human signoff, agent run, CI commit, or external attestation.
  4. Public verifiability — anyone given the bundle can re-check the chain without needing tenant access. The verifier is a 100-line standalone program, not a hosted SaaS dependency.

§3 The reference architecture

Cognita ships all four properties as primitives. The data flow:

Agent action ─┐
              ├──> Evidence row (HMAC-signed, chained via prevHash)
Tool call ────┤        │
              │        ▼
Audit event ──┘   Audit ledger (append-only Postgres table + RLS)
                       │
                       ├─ hourly Merkle anchor cron (Inngest)
                       ▼
                  Segment Merkle root → S3 Object Lock
                       │   COMPLIANCE mode · 7-year retention
                       │   AWS receipt = external attestation
                       ▼
                  Bundle export (chain.json + anchor.json + verify-ledger.mjs)
                       │
                       ▼
                  Public verifier ── /api/v1/audit-log/verify

Each link is independently verifiable. Each link is a primitive in lib/persisted-ledger.ts + lib/anchor/s3-object-lock.ts + lib/source-badge.ts + app/api/v1/audit-log/verify. The technology is real and shipped today.

§4 Try the verifier yourself

The public verifier at /api/v1/audit-log/verify accepts a chain + anchor JSON pair and returns a verdict. No auth, no tenant access — the entire point is that any external party (auditor, regulator, journalist) can verify a bundle they received without trusting us.

$ curl https://app.cognitagrc.io/api/v1/audit-log/verify \
       -X POST -H "content-type: application/json" \
       --data @bundle-payload.json
{
  "ok": true,
  "verified": 1247,
  "merkleRoot": "0x4d3a8c2e...",
  "firstId": "evidence_…",
  "lastId":  "evidence_…",
  "message": "Chain of 1247 entries verified. Merkle root matches."
}

§5 What to demand from every AI vendor in your RFP

  • "Show me the audit ledger schema." If the answer is "we use Datadog," the vendor doesn't understand the question.
  • "Where does the chain anchor?" If the answer is "in our database," the chain is forgeable by the vendor.
  • "How does an external auditor verify the bundle without your help?" If the answer requires a SaaS login, the bundle isn't portable.
  • "What happens to the ledger when our subscription ends?" If the bundle isn't exportable + standalone-verifiable, the vendor is holding your evidence hostage.

Cognita is the only AI governance platform shipping all four. The competition — LangSmith, Arize, Weights & Biases, OpenLLMetry — are agent-debugging tools for engineers. Datadog and New Relic don't understand agentic semantics. Vanta, Drata, and Secureframe are SOC 2-first attestation vendors that don't do AI Management System implementation.

Read further

  • Reference architecture — full diagram + code pointers
  • 15-minute crypto-proof demo — three artifacts you can re-create on any Cognita-governed model
  • Cognita Red-Team Series — commissioned public engagements that demonstrate the reconstruction in production
  • IAF-MLA credential framing — why the auditor counter-signature is portable across CBs