AI Act | AI Inventory

Guide for conducting an inventory of all AI systems in your organisation.

---

Why conduct an inventory?

An AI inventory is the first mandatory step for AI Act compliance. Without knowing all your AI systems, you cannot:

• Classify risks
• Determine obligations
• Implement controls

---

Types of AI Systems

1. Internal AI (In-house)

AI systems developed or trained internally.

System	Examples
ML models	Fraud detection, recommendation, forecasting
Data pipelines	ETL with ML components, automated data quality
Analytics	Predictive analytics, churn prediction
Automation	RPA with AI, document processing

2. Third-party AI (External)

AI systems from external providers.

System	Examples
GPAI (General-purpose)	Claude, GPT-4, Gemini, Perplexity
SaaS with AI	Salesforce Einstein, HubSpot AI, Zendesk AI
Cloud AI services	AWS SageMaker, Azure ML, Google Vertex AI
Specialised AI	Jasper (content), Grammarly, GitHub Copilot

3. Embedded AI

AI systems embedded in products or tools.

System	Examples
Products	AI in customer-facing software
Hardware	Smart devices, IoT with AI
Open-source	Models from Hugging Face, TensorFlow Hub

---

Inventory Template

AI System Record

AI SYSTEM INVENTORY CARD

BASIC INFO

• System ID: AI-[YYYY]-[NNN]
• Name: [System name]
• Description: [Brief description]
• Type: [ ] Internal / [ ] Third-party / [ ] Embedded
• Status: [ ] Development / [ ] Testing / [ ] Production / [ ] Retired

OWNERSHIP

• Owner: [Name + role]
• Department: [Department]
• Vendor (if external): [Vendor name]

FUNCTIONALITY

• Purpose: [Business use case]
• Input: [What data enters]
• Output: [What AI produces]
• Users: [Who uses it --- internal/external]

DATA

• Personal data: [ ] Yes / [ ] No
• Special category: [ ] Yes / [ ] No
• Data source: [Where data comes from]
• Data storage: [Where stored]

RISK (preliminary)

• AI Act category: [ ] Prohibited / [ ] High / [ ] Medium / [ ] Low
• Affects fundamental rights: [ ] Yes / [ ] No
• Autonomous decisions: [ ] Yes / [ ] No

DOCUMENTATION

• Technical docs: [ ] Yes / [ ] No
• Model card: [ ] Yes / [ ] No
• DPA (if external): [ ] Yes / [ ] No

---

Inventory Table

AI ID	Name	Type	Purpose	Personal Data	Risk Level	Status
AI-2026-001
AI-2026-002
AI-2026-003

---

Inventory Process

Step 1: Identification (Week 1)

Step 2: Information Gathering (Week 2)

For each AI system, complete the inventory card:

1. Send a questionnaire to system owners
2. Conduct interviews with key stakeholders
3. Review documentation (if it exists)
4. Validate with IT technical details

Step 3: Classification (Week 3)

Preliminary risk classification:

Indicator	Probably High-Risk
Makes credit decisions	Credit scoring
Makes employment decisions	HR decisions
Makes health decisions	Health diagnostics
Makes education decisions	Education access
Uses biometrics	Biometric ID
Affects fundamental rights	Fundamental rights

Step 4: Documentation (Week 4)

1. Compile the inventory into a central database
2. Assign ownership for each system
3. Identify gaps in documentation
4. Plan follow-up for missing information

---

Inventory Checklist

Internal AI

• Identify all ML models in production
• Identify experiments/POC with AI
• Check data pipelines for AI components
• Review RPA processes for AI/ML
• Audit internal analytics

Third-party AI

• List all GPAI (Claude, GPT, etc.)
• List SaaS with AI features
• Cloud AI services
• Specialised AI tools
• Check DPA/ToS for each

Embedded AI

• AI in customer-facing products
• Open-source models
• AI in hardware/IoT
• AI components in legacy systems

---

Common Findings

Finding	Action
AI without documentation	Create model card
AI without owner	Assign ownership
Shadow AI (unauthorised)	Review + approval or sunset
Missing DPA	Contact vendor
Unclear classification	Consult with Legal

---

Next Steps

1. Inventory completed
2. Classify risks
3. Review compliance checklist

---

Related Templates

• AI Risk Assessment --- Form for evaluating risks of an AI system
• High-Risk AI Checklist --- Checklist for high-risk AI systems

Tip: The inventory card above (AI System Inventory Card) can be used as a template for documenting each AI system. Copy it into your system and complete it for every identified AI system.

---

Disclaimer

This content is for informational purposes only and does not constitute legal advice. For your organisation’s specific situation, we recommend consulting a qualified lawyer.

What’s next?

Need help with implementation? We offer a free 15-minute consultation.

Book a consultation -> | Test your readiness -> | Self-Assessment ->