DORA enforcement is active — ICT register audits underway

DORA compliance for AI agents

DORA Articles 9, 12, and 28 require financial institutions to log, map, and evidence every AI agent action. Most compliance teams have the policies. Very few have the audit trail.

EU AI Act high-risk deadline: 2 August 2026 — 120 days remaining

What DORA requires

Three articles. One compliance gap.

DORA has been enforceable since January 2025. Articles 9, 12, and 28 together create a specific obligation that most compliance teams are not yet meeting — a complete, real-time audit trail of every automated process, with third-party providers verified against a registered ICT register.

When an AI agent queries your transaction database, calls an external credit bureau API, or flags a customer account for review — that is a regulated ICT action under DORA Article 9. It must be logged, timestamped, and tied to an identifiable process with a retention period of at least five years.

Article 28 goes further: every third-party endpoint the agent calls must appear in your ICT third-party register, with a contractual arrangement in place. Most firms' registers were built for their SaaS vendors and cloud providers — not for the dozens of APIs their AI agents are quietly calling.

DORA Art. 9 — ICT Risk Management
Log every automated action in real time
Financial entities must implement mechanisms to detect anomalous activities and maintain full logs of ICT operations. Every AI agent action is an ICT operation.

DORA Art. 12 — Logging
Retain tamper-evident records for five years
Logs must include timestamps, input/output data, and decision rationale. They must be tamper-evident and available to competent authorities on request.

DORA Art. 28 — Third-Party ICT (highest risk)
Every endpoint in the register. Every endpoint.
If your AI agent calls an API that is not in your ICT third-party register, that call is an immediate breach. Regulators reviewed submissions in March 2026 and are conducting supervisory audits now.
Without Tracient: regulatory exposure
Your AI agents are a black box to regulators
Your IAM platform logs human access. Your GRC tool maps policies. Neither captures what your AI agents actually did, which endpoints they called, or whether those endpoints were registered. When the regulator asks, there is no evidence pack to produce.

With Tracient: compliant
Every action logged, mapped, and regulator-ready
Tracient wraps your AI agents and captures every action in real time. Each call is checked against your ICT register. Findings are flagged immediately. Evidence packs are generated on demand — no manual work, no gaps.

The compliance gap

Your ICT register was not built for AI agents.

When firms built their DORA ICT registers, they catalogued their cloud providers, SaaS platforms, and critical outsourcing arrangements. What most missed was the layer underneath: the individual API endpoints that AI agents call autonomously at runtime.

An AI agent handling mortgage applications might call five or six external APIs in a single transaction. An anti-money-laundering agent might hit a sanctions database, a transaction scoring API, and an address verification service — all in under four seconds. If any of those endpoints are not in the register, you have a breach.

Tracient's onboarding process compares what your agents actually call against your uploaded ICT register. The delta is your finding list. Most clients discover unregistered endpoints they did not know existed.


Frequently asked questions

DORA and AI agents

Does DORA apply to AI agents specifically?
Yes. DORA applies to all ICT systems and automated processes, which includes AI agents. Any agent that queries databases, calls external APIs, or processes customer data is performing a regulated ICT action under DORA Article 9. The regulation does not distinguish between human-operated and AI-operated processes.
What does DORA Article 28 require for AI agent endpoints?
Article 28 requires that every third-party ICT provider — including every API endpoint an AI agent calls — is listed in the ICT third-party register with a contractual arrangement. Calling an unregistered endpoint is an immediate breach. The first register submission deadline was 31 March 2026, and regulators are now reviewing those submissions.
What format does a DORA-compliant AI audit log need to be in?
DORA Article 12 and Annex IV specify that logs must include timestamps, the nature of the ICT operation, the systems involved, input and output data references, and decision rationale where applicable. Logs must be tamper-evident and retained for a minimum of five years.
We submitted our ICT register in March 2026. Are we done?
The submission was the first step. Regulators are now reviewing those submissions and conducting supervisory audits. Ongoing compliance requires that the register stays current — every new AI agent deployment, every new API integration, and every change to an existing agent must be reflected. Tracient monitors this in real time so your register stays accurate.
How does Tracient integrate with existing AI agent infrastructure?
Tracient uses an agent SDK wrapper. You instrument your existing AI agents — LangChain, custom agents, or model API calls — without rebuilding them. Onboarding starts with uploading your ICT register and contract repository. Tracient then monitors what agents actually do against what is registered, flagging any deviations in real time.
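As an added example (not Tracient's SDK or any code from this page), here are the two checks described above in working form: the register delta from the onboarding section, and a hash-chained audit record carrying the fields this page lists for Article 12. The register format, the match-by-hostname rule, and the field names are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed ICT third-party register (assumed format): hostname -> contract ref.
ICT_REGISTER = {
    "sanctions.example-screening.com": "CTR-2025-014",
    "scoring.example-risk.io": "CTR-2025-027",
}


def register_findings(calls):
    """Endpoints the agent called that are absent from the register.

    Matching on hostname is an assumption; the delta is the finding list.
    """
    return sorted({urlsplit(u).hostname for u in calls} - set(ICT_REGISTER))


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each record carries the hash of the one before it."""

    def __init__(self):
        self.records = []
        self._prev = "0" * 64  # genesis value for the first record

    def append(self, agent, operation, systems, input_ref, output_ref, rationale):
        body = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "agent": agent,
            "operation": operation,  # nature of the ICT operation
            "systems": systems,  # systems and endpoints involved
            "input_ref": input_ref,  # references, not raw customer data
            "output_ref": output_ref,
            "rationale": rationale,  # decision rationale where applicable
            "prev_hash": self._prev,
        }
        body["hash"] = self._prev = _digest(body)
        self.records.append(body)
        return body

    def verify(self):
        """Recompute the chain: an edited, reordered or deleted record breaks it."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True
```

The chain only proves integrity of what is stored; the stored records still need write-once storage and the five-year retention the page describes.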

Early access

DORA audits are happening now.

Supervisory audits underway across the EU

Join compliance professionals from regulated fintechs and banks getting Tracient's 90-day free pilot. Know exactly what your AI agents are doing — before your auditor asks.

90-day free pilot · EU data residency · No credit card
