Free template

AI System Inventory Template

You cannot classify risk, assign oversight, or demonstrate compliance for AI systems you have not catalogued. This free CSV template gives you the columns to register every AI system your organisation develops or uses - with risk tier, role, owner, oversight assignment, and compliance status. The practical first step to EU AI Act compliance.

TL;DR

An AI system inventory is a register of every AI system your organisation develops or uses. For each system: record its intended purpose, your role (provider or deployer), its risk tier, the owner, and the compliance status. Required as a practical matter by overlapping obligations under Arts. 9 (risk management), 17 (quality management), and 26 (deployer obligations).

Why you need an AI inventory

The EU AI Act creates obligations that depend on knowing what AI systems you use, what they do, and what risk tier they fall in. Without a register, you cannot:

  • Determine which systems are high-risk and therefore subject to the most demanding obligations.
  • Assign human oversight to the right systems (Art. 14 for providers, Art. 26 for deployers).
  • Demonstrate that AI literacy training covers every system and role that uses AI (Art. 4).
  • Respond to a regulator's request for information about your AI systems (Art. 21 / 26).
  • Track compliance progress and identify gaps before a deadline.

Most organisations are deployers

If you buy AI from a vendor and use it in your business, you are a deployer. Article 26 deployer obligations apply even when you did not build the system. An inventory is how you track all the systems you deploy and the obligations that come with each. Art. 3 - Definitions (provider / deployer)

Template columns explained

ColumnWhat to put in it
system_idA unique identifier for the AI system in your register.
system_nameThe commercial or internal name of the system.
vendorThe provider of the system (internal if built in-house).
roleYour organisation's role: Provider, Deployer, Both, or Other.
intended_purposeWhat the system does in your context, in plain English.
risk_tierProhibited / High-risk / Limited-transparency / Minimal - after applying the risk classifier.
annex_iii_areaIf high-risk under Annex III, which of the 8 use-case areas applies.
ownerThe person in your organisation responsible for this system.
data_processedTypes of personal or sensitive data the system handles.
human_oversight_assignedYes / No - whether a trained oversight person is assigned.
literacy_training_doneYes / No - whether AI literacy training is documented for users of this system.
compliance_statusYour current compliance status: Not started / In progress / Compliant / Under review.
notesAnything else relevant: deadlines, open gaps, linked documentation.

How to fill in the inventory

  1. 1

    List every AI system you use or provide

    Work through each business function and list every AI system in use - from your own products to embedded AI in SaaS tools. If in doubt, include it.

  2. 2

    Classify the risk tier

    For each system, run through the AI Act risk classification: prohibited, high-risk (Annex I or Annex III), limited/transparency risk, or minimal risk. Use the risk classifier tool to help.

  3. 3

    Record the role, owner, and data

    Is your organisation the provider, the deployer, or both? Who owns the system? What data does it process? These columns determine your obligations.

  4. 4

    Assign oversight and literacy status

    For each system, note whether a trained human oversight person is assigned and whether AI literacy training is documented for the users of that system.

  5. 5

    Track and review

    Mark the compliance status and keep the register updated as you adopt new systems, as the rules change, and as systems are retired.

Download the template

Get the AI System Inventory pack, free.

Pop in your email and your download will start: a plain-English guide (PDF) plus the ready-to-fill template (CSV). We'll add you to The AI Act Brief so you hear when the rules change.

Free. No spam. This adds you to The AI Act Brief - our free plain-English newsletter. Unsubscribe any time, in one click.

Questions about the AI inventory

Do I have to use a spreadsheet? Can I use a dedicated tool?

The AI Act does not prescribe a format for your AI inventory. A spreadsheet works well for smaller organisations or as a starting point. Larger organisations with many AI systems typically migrate to a dedicated governance platform that provides workflow, role management, and integration with other compliance systems. The template here gives you the columns you need; you can export them into any system later.

Which AI systems should I include?

Include every AI system your organisation develops, places on the market, or uses under its authority in a professional context - including systems provided by third-party vendors. Start with the systems that clearly fall within the AI Act's scope (see Article 2), then work through the borderline cases. If in doubt, include it: an over-inclusive inventory is easier to trim than an incomplete one. The risk classifier tool can help you determine the tier for each system.

We use many AI features embedded in SaaS products. Do they all count?

Potentially, yes. When a SaaS product you use in a professional context includes AI features - an AI assistant, an automated scoring or ranking function, AI-generated suggestions - you are likely a deployer of those AI systems. Article 26 deployer obligations apply to each. In practice, triage by risk: AI features that clearly fall in the minimal-risk tier need much less governance attention than those that could be high-risk. The inventory helps you see the whole picture at once.

Is an AI inventory a legal requirement?

There is no Article that says 'you must maintain an AI inventory.' However, the combination of obligations - risk management (Art. 9), quality management (Art. 17), human oversight assignment (Art. 26), AI literacy documentation (Art. 4), and the ability to cooperate with national authorities (Art. 21 / 26) - effectively requires you to know exactly which AI systems you use, their risk tier, and their governance status. An inventory is the practical instrument for meeting those overlapping obligations and demonstrating compliance.

Keep going

Risk-tier classifier

Determine the risk tier for each system in your inventory.

AI governance framework

From inventory to full governance - the six pillars mapped to AI Act obligations.

Obligations tool

Your specific obligations as provider or deployer for each risk tier.

Readiness checklist

Every step to get AI Act-ready, in one free PDF.

Get the free Readiness Checklist

Sources

  1. [1]Regulation (EU) 2024/1689 (EU AI Act), EUR-Lexretrieved 9 Jun 2026
  2. [2]AI Act, Article 9 - Risk management systemretrieved 9 Jun 2026
  3. [3]AI Act, Article 17 - Quality management systemretrieved 9 Jun 2026
  4. [4]AI Act, Article 26 - Obligations of deployers of high-risk AI systemsretrieved 9 Jun 2026
  5. [5]AI Act, Article 6 - Classification rules for high-risk AI systemsretrieved 9 Jun 2026

This is guidance to help you understand the EU AI Act, not legal advice. For decisions specific to your organisation, confirm with the official sources we link or a qualified adviser. Last updated: 9 June 2026.

AI System Inventory Template (Free CSV) | AI Act Navigator · AI Act Navigator