Definition guide
What Is an AI System Inventory?
An AI system inventory is an authoritative, maintained record of the AI systems, enabled features, models, and business use cases an organisation develops, buys, configures, or uses. It connects technical identity to purpose, ownership, data, outputs, affected processes, suppliers, risk decisions, controls, evidence, change, and lifecycle status.
Direct answer
An AI inventory defines the population the organisation can govern
The inventory answers three practical questions: what AI exists, where and why it is used, and who is accountable for the decisions around it. A discovery list becomes an inventory only when entries are validated, connected to business context, assigned to owners, linked to governance records, and maintained through change.
A broader enterprise AI inventory tests how this practice fits the organization's wider ownership, control, and evidence baseline.
This definition guide explains the entity and its boundaries. The enterprise AI inventory pillar covers the full implementation and governance programme; the template guide provides fields and operating steps. That division keeps this page useful for definition queries without competing with the parent pillar's broader assessment and implementation intent.
Core concept
The inventory connects technical objects to business use
An organisation may need records for products, internally developed systems, embedded AI features, general-purpose models, model versions, APIs, agents, and business use cases. Those objects should be linked, not forced into one category. The governed use case is often the most important unit because purpose, users, data, outputs, affected people, autonomy, controls, and consequences live there.
Authoritative does not mean that every fact originates in one database. It means the organisation has defined which source owns each field, how records are linked, who validates business context, and how conflicts are resolved. The inventory can reference a CMDB for application identity, a model registry for versions, a data catalog for datasets, and a supplier register for contracts while remaining the authoritative view of governed AI use.
The inventory also needs a clear threshold for material use. Recording every statistical feature or dormant licence can make the population impossible to govern, while narrow inclusion rules hide embedded AI and employee tools. Use candidate status for uncertain capabilities, document exclusion criteria, and require an accountable reviewer to decide whether the feature or use needs a governed record.
Operating discipline
An inventory is reliable only when change reaches it
Registration should be triggered by procurement, architecture, development, model release, access, vendor-feature enablement, integration, incident, and retirement workflows. Independent reconciliation tests whether those triggers work. Owner attestations can validate purpose and use but should not be the only discovery method, because people cannot attest to systems they do not know exist.
Tests for an authoritative inventory
These are reliability tests, not instructions for building the full programme.
- 01
Defined scope
Inclusion, candidate, exclusion, product, system, model, feature, and use-case rules are documented and understood.
- 02
Stable identity
Records use identifiers and relationships that survive renaming, reorganisation, model change, and supplier change.
- 03
Accountable validation
Business owners validate purpose and use; specialist owners validate technical, data, supplier, risk, and control facts.
- 04
Governance linkage
Assessments, approvals, controls, evidence, incidents, exceptions, and changes are traceable from the record.
- 05
Lifecycle triggers
Discovery, approval, deployment, material change, suspension, and retirement update the inventory.
- 06
Independent reconciliation
Source systems and business discovery test coverage, duplicates, staleness, unknowns, and broken links.
If the inventory cannot support these tests, it is still useful as a discovery list—but management should describe it honestly.
Management value
The inventory is the starting population for other governance decisions
Risk assessment, EU AI Act readiness, supplier oversight, human-oversight design, control testing, incident response, audit, and board reporting all depend on knowing which systems and uses exist. The inventory does not perform those analyses; it connects each one to the correct object, owner, version, and decision history.
Leadership reporting should distinguish discovery coverage from record completeness. Coverage asks whether independent sources suggest unknown AI use; completeness asks whether validated entries contain the facts and decisions required for their status. A portfolio can score highly on owner completion while still omitting material systems. Showing both measures keeps unknown exposure visible and gives management a concrete reason to improve discovery or validation.
An inventory should also support retirement. Closing a record requires confirmation that access and integrations were removed, dependent processes were addressed, required data or evidence was retained, monitoring ended appropriately, and supplier obligations were resolved. Preserve the closed record and rationale so future discovery does not recreate the same uncertainty or mistake a historical system for an active one.
To implement the record, continue to the AI system inventory template. To find uses outside known systems, use the shadow AI detection guide. For regulatory extensions, use the EU AI Act inventory guide.
The parent enterprise AI inventory guide should remain the principal page for organisation-wide implementation, ownership, governance, and assessment decisions.
FAQ
Frequently asked questions
What belongs in an AI system inventory?
Include internally developed systems, purchased products, embedded AI features, models or components where relevant, APIs, agents, employee tools, pilots, and business use cases that materially use AI. Apply documented candidate and exclusion rules.
Is an AI inventory a list of AI tools?
No. A tool list identifies products. An inventory connects systems and use cases to purpose, users, owners, data, outputs, affected processes, suppliers, risk, controls, evidence, change, and lifecycle decisions.
What is the difference between an AI inventory and a CMDB?
A CMDB manages technical configuration items and service relationships. An AI inventory adds business purpose, use case, affected stakeholders, governance ownership, risk decisions, controls, and evidence. They should exchange identifiers rather than duplicate all fields.
Who owns the AI inventory?
A central process owner governs scope, definitions, quality, reconciliation, and reporting. Each system or use case needs an accountable business owner, supported by technical, data, supplier, risk, and control owners.
How do organisations discover systems for the inventory?
Combine procurement, architecture, CMDB, model registry, identity, SaaS management, endpoint or network signals, expenses, vendor features, surveys, disclosures, and business interviews. Validate signals before treating them as confirmed use.
How often should the AI inventory be updated?
Update it through lifecycle events and material changes, with periodic owner review and independent reconciliation. High-impact or fast-changing systems need shorter review cycles than dormant or low-impact records.
Why is an AI inventory necessary for governance?
Because ownership, risk assessment, control selection, regulatory analysis, monitoring, incident response, and audit all require a defined population. Governance cannot reliably cover systems the organisation cannot identify.