What is an AI inventory?

Key facts

Records each system's name, purpose, owner, vendor, data used, EU AI Act role, risk class, status and review date.
It is the first step in AI governance and EU AI Act compliance — you classify risk from it.
It must capture third-party and embedded AI, not just systems you build.
‘Shadow AI’ — tools used without approval — is a key risk it surfaces.
For SMEs a structured spreadsheet is enough; larger organisations use GRC or AI-governance platforms.

Why do you need an AI inventory?

You cannot govern or comply for AI you cannot see, so the inventory is the foundation of every framework. It feeds risk classification, the risk register and the prioritisation of controls.

What fields should an AI inventory capture?

At minimum: system name, purpose, owner, vendor, data used, EU AI Act role, risk class, status and review date. Keep entry depth proportionate to risk — more detail for high-risk and customer-facing systems.

How do you build one?

Discover AI across teams and vendors, capture the key fields, classify risk, assign owners, and keep it live. Integrate it with procurement so new AI is logged as it arrives.

What is shadow AI and how do you find it?

Shadow AI is tools used by staff without approval or oversight — a major hidden risk source. Surface it through surveys, expense and SaaS reviews, network or SSO logs, and an easy route for staff to request tools.

How often should it be updated?

Continuously, with a formal review at least quarterly. Assign owners to keep entries current. This keeps your governance based on reality, not last year's snapshot.

AI inventory vs data inventory

An AI inventory tracks systems and models and their governance; a data inventory tracks data assets. They complement each other but are not the same register.

Frequently asked questions