Oversight Log: How to Document Human Oversight Under the EU AI Act
An oversight log is the contemporaneous record that proves human oversight of a high-risk AI system under Art. 26.2 of the EU AI Act. It must capture, per oversight event, who reviewed the AI output, what they decided and why — and it must be retained for at least six months under Art. 26.6.
Updated: June 2026
Introduction: Why Oversight Documentation Matters
Art. 26.2 requires human oversight of high-risk AI systems. But oversight without documentation is invisible to supervisory authorities. When the supervisory authority investigates a complaint or conducts a compliance audit, the question will not be "do you have oversight?" but "can you demonstrate oversight?" A well-maintained oversight log is your primary evidence.
This guide explains what an oversight log must contain, how to structure it, and how to maintain it efficiently in practice.
What Is an Oversight Log?
An oversight log is a contemporaneous record of human oversight activities for high-risk AI systems. It documents that a qualified person reviewed AI outputs before or shortly after they influenced significant decisions, and records the outcome of that review.
The log serves three functions:
- Compliance evidence: Demonstrates to the supervisory authority and to affected individuals that meaningful oversight occurred
- Performance monitoring: The log data reveals patterns — rising override rates signal model degradation
- Learning and improvement: Override reasons documented over time build institutional knowledge about AI system strengths and weaknesses
What Must an Oversight Log Contain?
Minimum required elements for each oversight event:
| Field | Description |
|---|---|
| Date and time | When was the oversight conducted? |
| AI system | Which AI system generated the output being reviewed? |
| Overseer identity | Who conducted the oversight (name/role)? |
| AI output summary | What did the AI system recommend or decide? |
| Oversight decision | Accept / override / escalate |
| Override rationale | If overridden: why? (required for audit trail quality) |
| Final decision | What decision was ultimately made? |
Oversight Frequency
Oversight frequency depends on the AI system's decision volume and risk level:
- High-volume, high-stakes systems (credit scoring, CV screening): Oversight on every individual decision, or at minimum a structured sample of decisions with defined statistical coverage
- Lower-volume systems (performance appraisal AI): Oversight on every decision
- Monitoring-only systems (anomaly detection AI that generates alerts): Oversight review of all alerts before action is taken
Oversight Log Implementation Options
- Integrated in the AI platform: Ideal — many enterprise AI platforms have built-in human review workflows. Configure the platform to capture oversight decisions as part of the workflow.
- Ticketing system (Jira, ServiceNow): Create oversight tickets linked to AI outputs. The ticket trail serves as the log.
- Structured spreadsheet: Acceptable for low-volume systems. Use a shared spreadsheet with protected formatting to maintain integrity.
- Document management system: Monthly oversight review reports filed in a versioned document system.
Retention
Oversight logs are AI system logs within the meaning of Art. 26.6. You must retain them for at least 6 months, or longer if sector-specific law requires.
Compliance Checklist
- Is there an oversight log for every high-risk AI system?
- Does each log entry contain all required elements?
- Are override rationales documented for all overrides?
- Is the oversight frequency appropriate for the decision volume and risk level?
- Are logs retained for the required period?
- Is override rate data regularly analysed for performance monitoring purposes?
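Several of these checklist items can be checked mechanically once the log is exported as structured records. The following is an added example, not part of the original guide: the field names, the ISO 8601 timestamp format and the 183-day reading of "six months" are assumptions, and the sample entries are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed field names, one per row of the minimum-elements table in this guide.
REQUIRED = ("timestamp", "ai_system", "overseer", "ai_output",
            "oversight_decision", "final_decision")
DECISIONS = {"accept", "override", "escalate"}
RETENTION_FLOOR = timedelta(days=183)  # assumption: six months taken as 183 days

def parse_ts(entry):
    """Return the entry's timestamp as a datetime, or None if absent/unparsable."""
    try:
        return datetime.fromisoformat(str(entry.get("timestamp") or ""))
    except ValueError:
        return None

def validate_entry(entry):
    """Return a list of problems for one oversight event (empty means complete)."""
    problems = [f"missing {f}" for f in REQUIRED if not str(entry.get(f) or "").strip()]
    if "missing timestamp" not in problems and parse_ts(entry) is None:
        problems.append("timestamp is not ISO 8601")
    decision = str(entry.get("oversight_decision") or "").strip().lower()
    if decision and decision not in DECISIONS:
        problems.append(f"unknown decision {decision!r}")
    if decision == "override" and not str(entry.get("override_rationale") or "").strip():
        problems.append("override without rationale")
    return problems

def monthly_override_rate(entries):
    """Override rate per (system, YYYY-MM); incomplete entries are excluded."""
    counts = defaultdict(lambda: [0, 0])  # key -> [overrides, reviewed]
    for e in entries:
        if validate_entry(e):
            continue
        key = (e["ai_system"], parse_ts(e).strftime("%Y-%m"))
        counts[key][0] += e["oversight_decision"].strip().lower() == "override"
        counts[key][1] += 1
    return {k: o / n for k, (o, n) in sorted(counts.items())}

def past_retention_floor(entries, now):
    """Entries older than the minimum period (naive timestamps, same zone as now)."""
    return [e for e in entries
            if (ts := parse_ts(e)) is not None and now - ts > RETENTION_FLOOR]

# Constructed sample log (not real data); columns follow REQUIRED + rationale.
SAMPLE = [dict(zip(REQUIRED + ("override_rationale",), row)) for row in [
    ("2026-03-02T09:15:00", "cv-screening", "HR reviewer A", "reject", "accept", "reject", ""),
    ("2026-03-09T14:00:00", "cv-screening", "HR reviewer B", "reject", "override", "interview",
     "relevant experience not parsed from CV"),
    ("2026-04-01T10:30:00", "cv-screening", "HR reviewer A", "reject", "override", "interview", ""),
    ("2026-04-03T11:00:00", "cv-screening", "HR reviewer B", "reject", "escalate", "pending", ""),
]]
```

Entries returned by `past_retention_floor` are only candidates for deletion; a longer sector-specific retention period still applies where the law sets one.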