How to Build an AI Inventory for EU AI Act Compliance (Step-by-Step)
AI Act, GDPR, Compliance, SME
"Which AI tools does your company actually use?" Sounds like a simple question. Until you start counting.
Marketing uses ChatGPT for copy. Sales runs an AI tool for lead scoring. HR screens resumes with an automated system. And half your staff uses AI features baked into software you have had for years, without anyone formally tracking it.
Under the EU AI Act, your organization is accountable for the AI systems it deploys. Not just systems you build yourself, but also the tools you use as a deployer. The first step to getting this right: an AI inventory.
What is an AI inventory?
An AI inventory is a structured overview of every AI system your organization uses. For each system, you document what it does, what data it processes, who the vendor is, and what risks come with it.
Think of it like the processing register (the Article 30 record of processing activities) you maintain for GDPR. That register describes how you process personal data. An AI inventory describes how you use artificial intelligence. In practice, they overlap, because many AI systems process personal data. But the angle is different: an AI inventory looks at the AI system as a whole, including its risk classification under the EU AI Act.
Why do you need an AI inventory?
Three reasons. None of them is "because it sounds trendy."
1. The EU AI Act assumes you have one. The Act distinguishes between providers (who develop AI systems and place them on the market) and deployers (who use AI systems under their own authority). If your company uses AI tools, you are a deployer. Deployers of high-risk AI systems must use them according to the provider's instructions, assign human oversight to staff with the competence to exercise it, keep the logs the system generates, and, where the deployer is a public body, register the use in the EU database. The Act does not literally say "keep an inventory", but you cannot meet any of those obligations if you do not know which systems you have.
2. Shadow AI is a real risk. Employees adopt AI tools faster than your IT department can keep up. A translation tool here, an AI writing assistant there. Each of those tools may process company data or personal data. Without an overview, you have no grip on what comes in. That is an AI Act risk and a GDPR risk at the same time.
3. It makes vendor management concrete. You probably buy AI as part of existing software. Your CRM has predictive lead scoring. Your helpdesk tool has a chatbot. Those AI features fall under the EU AI Act, but also under your Data Processing Agreements and vendor management. An AI inventory makes visible which vendors deliver AI components, so you can put the right agreements in place.
Step-by-step: building your AI inventory
Step 1: Identify all AI tools in use
Start broad. Do not just ask "which AI tools do we use?" Also ask "which software we already have contains AI features?"
Concrete actions:
- Pull up your software inventory (or create one if you do not have one yet)
- Walk through each department: marketing, sales, HR, finance, customer service, IT
- Explicitly ask about tools employees purchased or use for free on their own
- Check existing software for AI features: automatic summaries, chatbots, recommendations, predictive models, translation functions
Shadow AI is not malicious. It is employees trying to do their jobs better. But you need to know about it.
Step 2: Classify each system by risk level
The EU AI Act works with four risk categories:
| Risk level | Description | Example |
|---|---|---|
| Unacceptable | Prohibited applications | Social scoring, manipulative AI |
| High risk | Strict documentation and oversight requirements | AI for recruitment screening, credit scoring |
| Limited risk | Transparency obligations | Chatbots, AI-generated content |
| Minimal risk | No specific obligations | Spam filters, AI translation, autocorrect |
Most SMEs will mainly have tools in the "limited risk" and "minimal risk" categories. But check each tool individually, because the risk class follows the use, not the product: the same text model is minimal risk when it drafts a newsletter and high risk when it ranks job applicants. Using AI to screen job applicants? That puts you in high risk, with corresponding documentation requirements. Read more about obligations per risk category in our overview.
Step 3: Document the key details per tool
For each AI system, record at least the following:
| Field | Explanation |
|---|---|
| System name | Product name and version |
| Vendor | Who supplies the system? |
| Purpose | What do you use it for? |
| Department | Which team or department uses it? |
| EU AI Act risk class | Minimal, limited, high, or unacceptable |
| Personal data processed | Yes/no, and if yes: which categories? |
| Data input type | What data goes into the system? |
| Data output type | What does the system produce? Scores, text, decisions? |
| Automated decision-making | Does the system make decisions without human intervention? |
| DPA with AI clauses | Is there a signed Data Processing Agreement with AI-specific terms? |
| Internal contact | Who is internally responsible for this tool? |
This is your baseline template. For high-risk systems, you will need more as a deployer: the provider's instructions for use and technical documentation, retention of the logs the system generates, documented human oversight arrangements, and, in some cases, a fundamental rights impact assessment before first use.
Step 4: Check DPAs for AI-specific clauses
You probably already have Data Processing Agreements (DPAs) with your software vendors. But do those agreements cover the AI component?
Check per vendor:
- Does the DPA explicitly state that AI is being used?
- Does it describe which data is used as training data (and whether your data is used for that)?
- Are there provisions about automated decision-making?
- Is there an opt-out option for AI training on your data?
Many standard DPAs were written for GDPR and do not cover AI-specific risks. This is the moment to have that conversation with your vendor.
Step 5: Set up a process for reviewing new AI tools
An inventory you build once and then forget is outdated within three months. Establish an intake process:
- New AI tools are reported to a central point (IT, privacy officer, or compliance owner)
- Every new tool goes through a short intake: what does it do, what data does it process, which risk category does it fall into?
- High-risk tools get a more thorough assessment before they go into use
- The inventory is updated whenever a tool is added or removed
It does not need to be a heavy approval process. A structured intake of five questions is enough to maintain control.
Step 6: Assign ownership and keep it current
Without an owner, your inventory ages fast. Assign a responsible person per AI system and set a review frequency:
- Full review at least twice a year
- Interim updates when tools change, vendors switch, or functionality is modified
- Tie the review to your existing compliance cycle (for example, alongside your processing register review)
Practical example: what a record looks like
| Field | Details |
|---|---|
| Name | ChatGPT Team |
| Vendor | OpenAI |
| Purpose | Writing support for marketing and customer service |
| Department | Marketing, Customer Service |
| Risk class | Limited risk (transparency obligation) |
| Personal data | Yes, customer queries sometimes contain names and email addresses |
| Data input | Text prompts with company and customer information |
| Data output | Generated text |
| Automated decision-making | No, output is always reviewed by a staff member |
| DPA with AI clauses | Yes, OpenAI Data Processing Addendum signed, training opt-out confirmed |
| Internal contact | Lisa, marketing team lead |
That is the level of detail you need. Specific enough to hold up during an audit.
Common mistakes
Only counting "real AI tools." Many companies think of AI as ChatGPT and forget that their CRM, helpdesk tool, or accounting software also contains AI features. Those count too.
Not determining the risk class. A list of AI tools is useful, but without risk classification you do not know which obligations apply.
No link to vendor management. Your AI inventory and your vendor management should be connected. An AI tool without a Data Processing Agreement is a loose end.
Filling it in once and forgetting. AI adoption moves fast. What you document today is incomplete within six months. Schedule fixed review moments.
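The record template from Step 3, the review cadence from Step 6 and the four common mistakes above can be turned into a small consistency check that runs over the inventory instead of relying on someone to eyeball a spreadsheet. The following is an added example written for this article; it is not ComplianceHive's code and not part of the original page. The rule thresholds are assumptions: the six-month review interval is taken from "at least twice a year", and the two hypothetical vendor records and their field values are constructed for the demonstration. Only the first record mirrors the worked ChatGPT Team record above.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed rule set, derived from the steps and common mistakes in the article.
RISK_CLASSES = {"minimal", "limited", "high", "unacceptable"}
REVIEW_INTERVAL = timedelta(days=182)  # "full review at least twice a year"


@dataclass
class AISystem:
    """One inventory record; fields follow the baseline template in Step 3."""
    name: str
    vendor: str
    purpose: str
    department: str
    risk_class: Optional[str]            # None = not yet classified
    personal_data: bool
    data_input: str
    data_output: str
    automated_decisions: bool
    dpa_with_ai_clauses: bool
    training_opt_out: Optional[bool]     # None = never confirmed with the vendor
    internal_contact: Optional[str]
    last_reviewed: Optional[date]        # None = never reviewed
    human_oversight_documented: bool = False


def check_system(s: AISystem, today: date) -> List[str]:
    """Return the loose ends for one record; an empty list means it is in order."""
    findings: List[str] = []
    if s.risk_class not in RISK_CLASSES:
        findings.append("no valid EU AI Act risk class recorded")
    elif s.risk_class == "unacceptable":
        findings.append("classified as a prohibited practice; must not be used")
    elif s.risk_class == "high" and not s.human_oversight_documented:
        findings.append("high-risk system without documented human oversight arrangements")
    if s.automated_decisions and s.personal_data:
        findings.append("automated decisions about individuals; check the DPA clauses on it")
    if s.personal_data and not s.dpa_with_ai_clauses:
        findings.append("processes personal data without a DPA containing AI clauses")
    if s.training_opt_out is not True:
        findings.append("vendor training on your data not opted out, or never confirmed")
    if not s.internal_contact:
        findings.append("no internal owner assigned")
    if s.last_reviewed is None or today - s.last_reviewed > REVIEW_INTERVAL:
        findings.append("review overdue: never reviewed or older than six months")
    return findings


def check_inventory(systems: List[AISystem], today: date) -> Dict[str, List[str]]:
    """Run the checks over the whole inventory, keyed by system name."""
    return {s.name: check_system(s, today) for s in systems}


def needs_attention(report: Dict[str, List[str]]) -> List[str]:
    """Names of systems with at least one finding, in a stable order."""
    return sorted(name for name, findings in report.items() if findings)


# Constructed sample inventory. The first record mirrors the article's worked
# record; the other two vendors, products and field values are hypothetical.
TODAY = date(2025, 1, 15)
SAMPLE_INVENTORY = [
    AISystem("ChatGPT Team", "OpenAI", "Writing support", "Marketing, Customer Service",
             "limited", True, "Text prompts with company and customer information",
             "Generated text", False, True, True, "Lisa, marketing team lead",
             TODAY - timedelta(days=30), human_oversight_documented=True),
    AISystem("Resume screening add-on (hypothetical)", "ExampleHR Inc.",
             "Ranks job applicants", "HR", "high", True, "CVs and cover letters",
             "Applicant ranking", True, False, None, None, None),
    AISystem("Helpdesk chatbot feature (hypothetical)", "ExampleDesk Ltd.",
             "Suggests replies to customer tickets", "Customer Service", None, True,
             "Ticket text", "Suggested replies", False, True, False,
             "Tom, support lead", TODAY - timedelta(days=200)),
]

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {'in order' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Running it on the sample inventory leaves the ChatGPT Team record clean, flags the hypothetical resume screener six times (no oversight, automated decisions on applicants, no DPA, no opt-out, no owner, never reviewed) and catches the chatbot feature inside an existing helpdesk tool as unclassified, not opted out and overdue for review. The same checks can be scheduled against whatever export your inventory tool produces, which is how Step 5 and Step 6 stop depending on someone remembering to look.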
AI inventory vs. processing register: what is the difference?
Your processing register describes how you process personal data (a GDPR obligation). Your AI inventory describes which AI systems you use and in which risk class (what the EU AI Act's deployer obligations presuppose). They overlap where AI systems process personal data. In practice, the easiest approach is to maintain them in the same platform, connected to the same system and vendor list.
In ComplianceHive, you combine your system inventory, processing register, and AI Act compliance in one platform. Add an AI tool to your system inventory and you can immediately record its risk class, Data Processing Agreement, and AI-specific details. No separate spreadsheets, no duplicate administration.
Ready to build your AI inventory?
ComplianceHive gives you the structure to map out your AI usage step by step. Document systems, classify by risk, and connect everything to your existing compliance administration.