- Many organisations do not yet have a reliable record of where artificial intelligence is used, who owns it, and what evidence each system leaves behind.
- The weak version of an AI inventory lists products: chatbot, analytics tool, resume screener, customer service assistant, fraud model, productivity copilot.
- A minimum viable AI inventory should identify the business owner, technical owner, vendor or provider, intended purpose, user group, input data category, output use, human review point, likely risk route, possible transparency trigger, evidence owner, incident route, and last review date.
For chief information officers and chief technology officers, EU AI Act readiness will expose an operating problem before it becomes a legal problem. Many organisations do not yet have a reliable record of where artificial intelligence is used, who owns it, and what evidence each system leaves behind.
That makes the AI inventory more important than it looks. It is often treated as a spreadsheet of tools. In practice, it should become the map that connects AI use cases to business owners, technical owners, vendors, data inputs, output use, human review, transparency triggers, and escalation routes. A policy can state intent while an inventory shows what must be governed.
The weak version of an AI inventory lists products: chatbot, analytics tool, resume screener, customer service assistant, fraud model, productivity copilot. That may be useful for basic visibility. But it does not answer the questions that matter when AI governance becomes operational:
- Who uses the system, and what business process does it support?
- Is the system built internally, supplied by a vendor, or embedded inside a software-as-a-service platform?
- What data enters it, and what decisions, recommendations, or content does it influence?
- Who reviews the output before it affects a person, customer, employee, patient, student, or applicant?
Most organisations discover their AI estate is larger and more fragmented than anyone expected. The inventory is the first honest map.
Those questions matter because the EU AI Act creates a documentation issue as well as routing work. A system may need role analysis, risk classification, vendor evidence, user-facing transparency notices, human oversight records, incident escalation, or coordination with privacy review. The inventory is where that routing should begin.
Governance over administration
This is where technology leaders become central. Legal and compliance teams may interpret obligations, but they rarely know every AI-enabled feature sitting inside customer relationship management platforms, human resources tools, analytics dashboards, security products, call centre software, procurement platforms, or developer environments.
The AI estate is not static. Vendors add AI features, and business units trial new tools that move quickly from experimentation into live workflows. Teams are now connecting agents to files, systems, and enterprise actions. Annual policy review cycles will not keep up with that pace.
A minimum viable AI inventory should therefore capture more than the system name. It should identify the business owner, technical owner, vendor or provider, intended purpose, user group, input data category, output use, human review point, likely risk route, possible transparency trigger, evidence owner, incident route, and last review date.
The evidence owner field – the named person accountable for requesting or retaining records for a given system – is especially important. It prevents the inventory from becoming a dead register. If a system needs vendor documentation, someone must own the request. If a chatbot may require a disclosure notice, someone must own that record. If an AI output influences hiring, credit, education, healthcare, insurance, or access to services, someone must own the classification rationale and review trail. If the system fails or produces harmful output, someone must know where the escalation record starts. That is the difference between inventory as administration and inventory as governance.
Curing ‘ownerless AI’
The inventory also helps reduce one of the most common failure modes in AI programmes: ownerless AI. A system’s purpose drifts it has no named business owner. Without a technical owner, underlying model changes go untracked. If nobody owns the vendor evidence, procurement risk stays unresolved. And when there is no human review point or incident route, accountability only starts after something has already gone wrong.
None of this means the inventory proves compliance. It doesn’t replace legal advice, privacy review, security testing, procurement diligence, or model-risk assessment. Its value is more basic as it creates the shared operating record that those functions need before they can do their work properly.
The AI inventory should sit near the centre, alongside asset management, vendor management, security review, privacy assessment, and enterprise architecture.
A good AI policy tells employees what the organisation expects while a good AI inventory tells the organisation what it has to control. As EU AI Act obligations continue to phase in, the organisations that move faster will be the ones whose legal, technology, security, privacy, product, and business teams are working from the same current record of AI use. That record starts with the inventory.
Abhishek G Sharma is founder and CTO of EUAICompass.com.
Read more
From speed to safety – how regulation is reshaping DevOps – Incoming regulations and agentic workflows are changing priorities for DevOps. Cameron Etezadi explains how to manage these changes
Small Language Models (SLMs) as the gold standard for trust in AI – Stephen Edginton of Dext explains why Small Language Models (SLMs) should be the next stage in your evolving AI strategy
Are you really ready for AI? Exposing shadow tools in your organisation – Without clear AI governance, employees often misuse publicly accessible external tools, known as ‘shadow AI’
