Why the AI inventory is the foundation
Every further EU AI Act measure assumes that the institution knows which AI systems it uses: risk classification, conformity assessment, Fundamental Rights Impact Assessment, vendor management, training planning and ongoing monitoring.
The key question is not only: "Which AI have we consciously purchased?" The decisive question is: "Which of our software systems contains AI components within the meaning of the EU AI Act, and how are they used in the specific business process?"
Four challenges of a structured inventory
Vendor AI is not labelled as such
Software providers often describe ML components as advanced analytics, smart features or copilot functions. Regulatory classification requires technical understanding and knowledge of the distinction criteria.
Shadow AI is, by definition, not inventoried
Consumer AI tools and unapproved internal tools do not appear in any official IT list. Capturing them requires technical discovery and organisational interviews while respecting GDPR, labour law and employee rights.
Departments work in isolation
IT knows systems, procurement knows contracts, business units know usage, compliance knows requirements. No single department has the full picture. A reliable inventory needs a coordinated aggregation process.
Role allocation under Art. 25 is legally complex
For every system, it must be checked whether the institution is a provider or a deployer. Modification, branding or a change of purpose can alter that role.
What a regulatorily robust AI inventory contains
- System name, version and provider
- Contractual basis, system responsibility and business process
- Functional description and actual use
- EU AI Act risk classification and Annex III allocation
- Role allocation under Art. 25 and Art. 26
- Status of documentation and provider materials
- CSRD / ESRS relevance for bias, discrimination or human-rights risks
- Oversight person, escalation path and review cycle
This inventory is not a static document. It must be updated for new systems, material updates and changed use. It is the basis for reporting, risk committees and supervisory discussions.
A complete initial inventory at a medium-sized Austrian financial institution typically takes several weeks. Without a structured methodology, vendor AI, business-unit use and HR-adjacent systems are easily missed.