PowerQuantEUSend your AI questionnaire

The EU AI Act does not name 'AI inventory' as a stand-alone deliverable, but you cannot satisfy Article 4 AI literacy, Article 6 classification, Article 26 deployer duties or Article 50 transparency without a complete register of every AI system you put into service. This guide lists the fields a defensible inventory contains and how it links to GDPR, NIS2 and Article 27 FRIA.

Why you need it

  • Article 4 (in force since 2 February 2025): deployers must ensure a sufficient level of AI literacy among staff dealing with AI systems. Without knowing which systems are in use, you cannot scope training.
  • Article 6 + Annex III (high-risk regime from 2 August 2026): you must determine whether each system is high-risk to know which obligations apply.
  • Article 26 (deployer duties): human-oversight assignment, log retention, monitoring and worker information all presume you can list the systems in scope.
  • GDPR Article 30: records of processing activities must reflect AI-based processing. An AI inventory feeds the RoPA.

Required fields

  1. System name, vendor and version (or in-house model identifier).
  2. Intended purpose (described in business terms, not marketing).
  3. Role of your organisation: provider, deployer, importer, distributor — and whether the system is a general-purpose AI model (GPAI).
  4. Risk classification per Article 5 (prohibited), Article 6(1) (safety component or Annex I product), Article 6(2) (Annex III high-risk), Article 50 (limited risk / transparency), or minimal risk.
  5. Annex III point and sub-point if high-risk (e.g. point 4(a) for recruitment AI).
  6. Article 6(3) exception assessment, if claimed (and the reasoning).
  7. Input data categories and sources; output data and downstream consumers.
  8. Personal-data flags (GDPR, special categories, automated decisions under Art 22).
  9. Cross-border transfers (Schrems II / TIA where relevant).
  10. Human-oversight assignment: role, escalation path, training reference.
  11. Log-retention configuration and minimum period (Art 26(6): at least 6 months).
  12. FRIA reference (Art 27) and DPIA reference (GDPR Art 35) if applicable.
  13. Incident-reporting routing (Art 73 serious incident; NIS2 Art 23 if also in scope).
  14. Date placed in service, last review date and review owner.

Lifecycle triggers

Re-run the inventory entry when any of these happen:

  • Vendor releases a substantial modification of the model or the intended purpose.
  • You change the intended purpose, the user group, or the decision the system influences.
  • A new Annex III sub-point applies (typically following a change in workflow).
  • The system is integrated with a new data source or downstream system.
  • A serious incident or near-miss occurs.

Common scope mistakes

  • Excluding embedded AI in everyday SaaS (e.g. AI features in Microsoft 365, Google Workspace, ATS or HRIS). Embedded use that materially influences a decision is in scope.
  • Listing only models, not systems. The AI Act regulates AI systems and their use; a model becomes a system once given an intended purpose and deployed.
  • Treating "shadow AI" (employee-procured tools, free chatbots) as out of scope. They are in scope from the moment they handle work data or influence work decisions.
  • Treating limited-risk transparency obligations (Art 50) as "not high-risk so not our problem". From 2 August 2026, chatbots, emotion-recognition systems and AI-generated content carry deployer duties even when the system is not high-risk.

Where to keep the inventory

A signed CSV in a versioned repository is enough to start. The Article 26 audit trail cares about completeness, accuracy and dating — not the tooling. Map each entry to your DPIA repository and to the supplier register used for NIS2 supply-chain risk management.

Related EU guides

Sources

  • Regulation (EU) 2024/1689, Articles 3, 4, 5, 6, 26, 27, 50, 73 and Annex III — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
  • Regulation (EU) 2016/679 (GDPR), Articles 22, 30, 35 — EUR-Lex: eur-lex.europa.eu/eli/reg/2016/679/oj

Note: Concrete obligations depend on each system's classification and the applicable phase of the EU AI Act. PowerQuant supplies software and documentation for use in your internal compliance process — not legal advice.