In this guide
- What is an AI inventory? Definition, the fields to capture and why it matters.
Key facts
| Key fact | Detail |
|---|---|
| Definition | A central register of every AI system you develop, buy or use, with risk and ownership details |
| Why | The foundation of governance and compliance — you classify risk from it |
| Fields | Name, purpose, owner, vendor, data used, EU AI Act role, risk class, status, review date |
| Scope | Includes third-party and embedded AI, not just systems you build |
| Shadow AI | Surfaces tools used without approval — a key hidden risk |
| Tooling | A structured spreadsheet for SMEs; GRC or AI-governance platforms at scale |
Why you need an inventory
You cannot govern AI, or meet compliance obligations for it, if you cannot see it, so the inventory is the foundation of every framework. It feeds risk classification, the risk register and the prioritisation of controls. See "What is an AI inventory?"
Fields to capture
At minimum: system name, purpose, owner, vendor, data used, EU AI Act role, risk class, status and review date. Keep entry depth proportionate to risk, with more detail for high-risk and customer-facing systems.
How to build one
Discover AI across teams and vendors, capture the key fields, classify risk, assign owners, and keep it live. Integrate it with procurement so new AI is logged as it arrives.
Finding shadow AI
Shadow AI means tools that staff use without approval or oversight. Surface it through surveys, expense and SaaS reviews, network or SSO logs, and an easy route for staff to request tools.
Keeping it accurate
Update continuously, with a formal review at least quarterly, and assign owners to keep entries current so your governance is based on reality.
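The SSO-log check from "Finding shadow AI" and the quarterly review from "Keeping it accurate" can be run against the same register. The following is an added example, not part of the original guide: it flags AI tools that appear in sign-in events but have no inventory entry, and entries whose last review is more than a quarter old. The CSV layouts, application names, the `KNOWN_AI_APPS` watchlist and the 92-day interval are assumptions, and all sample data is constructed.

```python
import csv
from collections import defaultdict
from datetime import date, timedelta

# Constructed inventory export using a subset of the guide's fields.
# Assumption: review_date is the date of the last formal review.
INVENTORY_CSV = """system_name,owner,vendor,risk_class,status,review_date
SupportBot,j.doe,ExampleVendor,limited,live,2026-05-02
CV Screener,hr-lead,ExampleHR,high,live,2026-01-10
"""

# Constructed SSO sign-in events: timestamp, user, application name.
SSO_LOG = """2026-06-01T09:12:00Z,alice,SupportBot
2026-06-01T09:30:00Z,bob,TranscribeAI
2026-06-02T14:05:00Z,carol,TranscribeAI
2026-06-03T08:00:00Z,bob,Payroll
2026-06-03T11:45:00Z,dave,cv screener
"""

# Hypothetical watchlist of AI tools, e.g. built from surveys and SaaS reviews.
KNOWN_AI_APPS = {"supportbot", "cv screener", "transcribeai"}
REVIEW_INTERVAL = timedelta(days=92)  # assumption: one quarter

def norm(name):
    return " ".join(name.lower().split())

def load_inventory(text):
    return {norm(r["system_name"]): r for r in csv.DictReader(text.splitlines())}

def find_shadow_ai(log_text, inventory, watchlist):
    """Return {app: sorted users} for AI apps seen in sign-ins but not registered."""
    seen = defaultdict(set)
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 3:
            continue  # skip malformed lines rather than guessing at fields
        _, user, app = row
        key = norm(app)
        if key in watchlist and key not in inventory:
            seen[key].add(user)
    return {app: sorted(users) for app, users in seen.items()}

def overdue_reviews(inventory, today):
    """Return system names whose last review is older than REVIEW_INTERVAL."""
    return sorted(r["system_name"] for r in inventory.values()
                  if today - date.fromisoformat(r["review_date"]) > REVIEW_INTERVAL)

if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    print("Not in inventory:", find_shadow_ai(SSO_LOG, inv, KNOWN_AI_APPS))
    print("Review overdue:", overdue_reviews(inv, date(2026, 6, 19)))
```

Names are normalised before comparison, so a differently cased application name in the log still matches its inventory entry instead of being reported as unregistered.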
Inventory vs data inventory
An AI inventory tracks systems and models and their governance; a data inventory tracks data assets. They complement each other but are not the same register.
Frequently asked questions
What is an AI inventory?
A central register of all AI systems an organisation develops, buys or uses, with key risk and ownership details.
Why do you need one?
You can't govern or comply for AI you can't see — it's the foundation of every framework.
What fields should it capture?
System name, purpose, owner, vendor, data used, risk class, EU AI Act role, status and review date.
Does the EU AI Act require one?
Not by name, but you can't classify risk or meet obligations without one.
How often should it be updated?
Continuously, with a formal review at least quarterly.
Last updated 19 June 2026.