Key facts
- Format: editable XLSX inventory with all core fields pre-built.
- Captures owner, vendor, purpose, data used, risk class and EU AI Act role per system.
- Includes a status and review-date column to keep the inventory live.
- Foundation document for risk classification, governance and procurement.
- Free to download — pairs with the AI inventory guide.
What is the AI system inventory template?
It is a spreadsheet register for every AI system your organisation develops, buys or uses, including AI embedded in vendor products, not just the tools you built yourself. It is the foundation document everything else depends on: you cannot classify the risk of, govern or meet compliance obligations for AI you haven't mapped.
Who is it for?
Whoever is first asked to 'map our AI' — often a compliance, risk or IT lead — and anyone building an AI governance or risk management programme that needs a starting inventory.
What the template covers
Core fields. System name, purpose, owner, vendor, data used, and status.
Risk and role. Risk classification tier and EU AI Act role (provider, deployer, importer or distributor).
Third-party AI. A dedicated section for embedded and vendor AI, which is often missed.
Review cadence. A next-review-date column so the inventory doesn't go stale.
Shadow AI prompts. Discovery questions to help surface AI tools staff are using without formal approval.
How to use it
Run a discovery pass across teams, vendor contracts and expense or SaaS records to find AI you don't already know about — this is where most shadow AI turns up. Assign an owner to every entry, review at least quarterly, and use the inventory as the direct input to your risk register and governance workflow.
Frequently asked questions
What is an AI inventory?
A central register of all AI systems an organisation develops, buys or uses, with key risk and ownership details.
How do you build an AI inventory?
Discover AI across teams and vendors, capture key fields, classify risk, assign owners, and keep it live.
What fields should an AI inventory capture?
System name, purpose, owner, vendor, data used, risk class, EU AI Act role, status and review date.
What is shadow AI?
AI tools used by staff without approval or oversight — a major hidden source of risk.
How do you find shadow AI?
Staff surveys, expense and SaaS reviews, network or SSO logs, and an easy tool-request route.
How often should the AI inventory be updated?
Continuously, with a formal review at least quarterly.
Should the inventory include third-party AI?
Yes — embedded and vendor AI must be captured to properly assess supply-chain risk.
Last updated 19 June 2026.