Current law still points to 2 August 2026 for most obligations. The 7 May political agreement is not final law yet.

Template guide

AI inventory template for EU AI Act readiness

The inventory is the first durable asset most companies need. Without it, every legal question turns into a scavenger hunt.

Last reviewed May 7, 2026

AI Inventory Template: How to Inventory AI Systems for the EU AI Act

An AI inventory template is a central, living register of every AI system your organisation provides or deploys. It delivers the visibility required to classify risk lanes, assign owners, track evidence, meet Article 4 AI literacy obligations, satisfy Article 50 transparency rules, and prepare for high-risk requirements. Without it, teams cannot demonstrate they know where AI is used, who is responsible, or which deadlines apply.

This guide supplies a ready-to-use minimum schema, an expanded version for mature programmes, practical examples, maintenance workflows, and an action checklist. Use it as the backbone for compliance readiness and evidence collection.

Current-law status (May 2026): Article 4 (AI literacy) has applied since 2 February 2025. Article 50 transparency obligations apply from 2 August 2026. High-risk rules phase in during 2026–2027. No single article mandates an “AI inventory,” but official implementation guidelines on value-chain responsibilities, fundamental rights impact assessments (FRIA), quality management systems, and post-market monitoring make a living register practically essential. The proposed Digital Omnibus seeks to simplify aspects of the framework but does not remove the need for systematic visibility into AI use. Always consult primary sources and national competent authorities for your situation.

What the inventory is for

A good AI inventory is not bureaucracy — it is operational infrastructure. It gives you:

  • Visibility: A single source of truth so no AI system slips through the cracks, whether it is an internal ChatGPT wrapper, a customer-facing chatbot, or a recruitment screening tool.
  • Ownership: Clear accountability so someone is responsible for classification, evidence, and ongoing monitoring.
  • Classification: The data needed to assign the correct risk lane (prohibited, high-risk, transparency/limited risk, or minimal risk) and the corresponding obligations. This directly supports decisions on provider vs deployer roles. See our guide to provider vs deployer responsibilities.
  • Evidence collection: A place to link or reference technical documentation, impact assessments, literacy records, transparency logs, and conformity documents. This aligns with AI Office guidance on quality management systems and FRIA templates.
  • Change tracking: A mechanism to log substantial modifications, new deployments, vendor changes, or shifts in use case that could alter the system’s obligations.

Organisations that maintain a credible inventory can answer regulator questions quickly, allocate training under Article 4 effectively, and prepare Article 50 disclosures without last-minute scrambling. The European AI Office emphasises coherent application across the value chain; an inventory is the practical tool that makes coherence possible.

The minimum fields

Keep the first version simple. These seven to nine fields give you 80% of the value with minimal overhead. Add rows as new systems are discovered through procurement, product launches, or employee surveys.

Here is the minimum AI inventory schema:

| Field | Why it matters | Example value |
| --- | --- | --- |
| System name | Unique identifier for tracking and reporting | “Recruitment Screening Assistant v1.2” |
| Owner | Single point of accountability for classification, evidence, and updates | “Talent Acquisition Lead – Anna Petrova” |
| Purpose | Core input for risk classification and obligation mapping | “Screen CVs and rank candidates for interview” |
| Role (provider/deployer guess) | Determines which legal obligations apply to your organisation | “Deployer using third-party GPAI model via API” |
| Vendor / Provider | Identifies upstream dependencies and due-diligence needs | “OpenAI (via enterprise API)” |
| Likely lane | Flags the applicable rules (high-risk, Art 50, etc.) | “High-risk (Annex III – employment)” |
| Affected persons | Informs scale of risk, literacy needs, and FRIA triggers | “All job applicants in EU (est. 8,000/year)” |
| Geography / Market | Determines territorial scope and national authority relevance | “EU Member States only” |
| Evidence status | Tracks readiness and gaps | “Policy linked; technical docs pending; literacy matrix complete” |
| Review date | Prevents the register from becoming stale | “15 July 2026” |

Populate this in a shared spreadsheet or dedicated compliance platform. Review at least quarterly or upon any material change.

Three real-world examples

  1. Internal ChatGPT use register

System name: “Marketing Content Generator – Internal”. Likely lane: Limited risk / Article 50 (interactive AI). Owner: Marketing Operations Manager. Evidence status: Link to acceptable-use policy and Article 4 literacy module for marketing staff.

  2. Customer-facing chatbot

System name: “Website Support Bot – EU Customers”. Likely lane: Article 50 transparency obligations. Affected persons: Website visitors in EU. Role: Deployer. Evidence status: Link to system prompt, refusal policy, and human handover log.

  3. Recruitment screening tool

System name: “CV Ranking Engine”. Likely lane: High-risk (employment). Owner: Head of HR Technology. Evidence status: Link to data governance policy, bias audit report, and planned FRIA. Review date tied to next procurement renewal.

These examples show how the same template supports very different obligations.

The fields that save time later

Once the minimum register is live, add fields that reduce duplicated effort when you reach deeper compliance stages.

Here is the expanded schema for serious teams:

| Field | Use later for |
| --- | --- |
| Article 50 trigger | Quickly identify systems needing interaction notices, deepfake labelling, or public-interest content disclosures (see Article 50 transparency obligations) |
| AI literacy impact | Map who needs training under Article 4 and link to role-specific modules (see Article 4 AI literacy guide) |
| Vendor dependency / questionnaire status | Track upstream GPAI or high-risk provider information requests and due-diligence evidence |
| Evidence location | Central hyperlinks to technical documentation, logs, conformity assessment, QMS records, or post-market monitoring plans |
| Market geography (detailed) | Filter by Member State for national competent authority coordination or sandbox participation |
| Public-interest publishing flag | Flag deployer obligations for AI-generated text on matters of public interest |
| Risk notes / substantial modification log | Record changes that could reclassify the system or trigger new obligations |
| Representative flag (non-EU provider) | Track authorised representative requirements where relevant |

These fields turn the inventory from a static list into a dynamic compliance cockpit. They directly support the guidelines the AI Office is preparing on obligations for providers and deployers, responsibilities along the value chain, and simplified QMS for SMEs.

How to keep the inventory alive

An inventory dies when it is treated as a one-off project. Tie it to existing business rhythms so updates become automatic.

  • Procurement and vendor onboarding: Add a mandatory AI questionnaire and inventory entry step before any new tool is purchased or contracted. Include vendor dependency and questionnaire status fields.
  • Product launch gates: Require an inventory update (or new entry) at the design-review or go-to-market stage. Link the entry to any planned transparency measures or human oversight design.
  • Contract renewals: Flag high-impact vendors for annual review. Update geography, affected persons, and evidence status.
  • Policy and training reviews: Connect the inventory to your annual Article 4 AI literacy programme. Use the “literacy impact” field to generate training assignments automatically.
  • Change management and substantial modification process: Any team that modifies an AI system (new features, new data, different use case) must update the relevant inventory row and reassess the lane.
  • Central ownership with distributed accountability: A central AI governance or compliance lead owns the register’s integrity. Individual system owners remain accountable for the accuracy of their entries. Schedule automated reminders 30 days before each review date.

Organisations that embed these triggers report far higher register completeness and dramatically reduced panic before audits or authority requests.
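
As an added example (not part of the original guide or any official template), the following Python code lints register rows exported from the spreadsheet against the minimum schema, the single-named-owner rule, and the 30-day review reminder. The snake_case column names, ISO 8601 review dates, finding codes, and the “pending” keyword heuristic are assumptions made for illustration.

```python
from datetime import date, timedelta

# Minimum schema fields from this guide, as hypothetical snake_case column names.
REQUIRED = ("system_name", "owner", "purpose", "role", "vendor", "likely_lane",
            "affected_persons", "geography", "evidence_status", "review_date")
REMINDER_WINDOW = timedelta(days=30)  # reminder 30 days before the review date
SHARED_OWNER_MARKS = ("/", "&", ",", " and ")  # heuristic for shared ownership

def lint_row(row, today):
    """Return sorted finding codes for one inventory row (a dict of strings)."""
    findings = {f"missing:{f}" for f in REQUIRED if not row.get(f, "").strip()}
    owner = row.get("owner", "")
    if any(mark in owner for mark in SHARED_OWNER_MARKS):
        findings.add("owner:not-single")
    raw = row.get("review_date", "").strip()
    if raw:
        try:
            due = date.fromisoformat(raw)  # assumption: dates stored as YYYY-MM-DD
        except ValueError:
            findings.add("review_date:not-iso")
        else:
            if due < today:
                findings.add("review:overdue")  # register entry has gone stale
            elif due - today <= REMINDER_WINDOW:
                findings.add("review:reminder-due")
    # Assumption: free-text evidence status uses the word "pending" for open gaps.
    if (row.get("likely_lane", "").lower().startswith("high-risk")
            and "pending" in row.get("evidence_status", "").lower()):
        findings.add("evidence:gap-on-high-risk")
    return sorted(findings)

# Constructed sample rows, loosely based on the examples in this guide.
TODAY = date(2026, 6, 20)
BASE = dict(purpose="p", role="Deployer", vendor="v", affected_persons="a",
            geography="EU Member States only")
ROWS = [
    dict(BASE, system_name="CV Ranking Engine", owner="Head of HR Technology",
         likely_lane="High-risk (employment)", review_date="2026-07-15",
         evidence_status="Policy linked; technical docs pending"),
    dict(BASE, system_name="Website Support Bot", owner="Support / IT",
         likely_lane="Article 50", review_date="2026-03-01",
         evidence_status="", vendor=""),
]
REPORT = {row["system_name"]: lint_row(row, TODAY) for row in ROWS}
```

Run on a schedule against the exported register, the findings per system can feed the owner reminders and the quarterly refresh described above.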

Common mistakes

  • Treating the inventory as a compliance checkbox instead of a living operational tool. A dusty spreadsheet from last year provides no evidence of ongoing monitoring.
  • Inventorying only “high-risk” systems and ignoring Article 50 triggers such as chatbots or generative tools used for public-interest content.
  • Failing to assign a single named owner per system. Shared responsibility quickly becomes no responsibility.
  • Storing the register in a format that cannot link to evidence (e.g. a static PDF). Use a tool that supports attachments or hyperlinks.
  • Forgetting experimental or pilot systems. Early-stage tools often carry the highest classification risk once scaled.
  • Not connecting the inventory to Article 4 literacy mapping, leaving training programmes disconnected from actual AI use.

Action checklist

  • [ ] Run a cross-functional workshop this month to discover all current AI systems (IT, procurement, marketing, HR, product, legal).
  • [ ] Create or import the minimum schema above and populate known systems.
  • [ ] Assign an owner and review date to every entry.
  • [ ] Classify each system’s likely lane and add Article 50 or literacy flags where relevant.
  • [ ] Link or upload initial evidence for each high-impact system.
  • [ ] Integrate the inventory into procurement, product launch, and contract renewal workflows.
  • [ ] Schedule the first quarterly refresh and assign the central register owner.
  • [ ] Share a read-only view with relevant teams and train them on how to request new entries.

Complete these steps and you will have a credible foundation that supports every other EU AI Act obligation.

Next step: Put the template into practice immediately. Import your systems into the Evidence Scanner to receive automated risk-lane suggestions, deadline tracking, and centralised evidence storage. Teams using the Scanner report completing their first credible inventory in under two weeks.

Sources (official primary references)

  • European AI Office and supporting implementation guidelines (digital-strategy.ec.europa.eu)
  • AI literacy Q&A and Article 4 materials (digital-strategy.ec.europa.eu)
  • Article 50 transparency FAQ, code of practice drafts, and service desk text (ai-act-service-desk.ec.europa.eu and digital-strategy.ec.europa.eu)
  • Regulation (EU) 2024/1689 and phased application timeline

This page is for informational and operational readiness purposes only. It does not constitute legal advice. Obligations depend on your specific role, use cases, and national implementation. Consult primary EU sources and competent authorities for binding guidance.
