EU AI Act AI System Inventory Template XLSX
Professional Excel worksheet with Start Here, Dashboard, AI system inventory, lookups, sources, and review notes.
Download XLSX worksheet →AI system inventory field guide
Plain field guide for each column in the register.
Download Markdown →What this template captures
A useful AI inventory does one job first: it stops the team from arguing from memory. It shows where AI is being used, who owns the use case, which vendor or model is involved, whether Annex III or Article 50 may be in play, and where the evidence lives. Keep it simple at the start. A bloated register dies quickly.
| Field | Purpose |
|---|---|
| AI system ID | Unique reference for the AI use case or system. |
| AI system name | Plain business name used internally. |
| Business owner | Accountable process or business owner. |
| Technical owner | System owner, engineering owner, or vendor manager. |
| Provider or vendor | Internal build, external vendor, open-source model, or mixed stack. |
| Role assessment | Provider, deployer, importer, distributor, product manufacturer, or unclear. |
| Intended purpose | The purpose the system is designed or used for. |
| User group | Employees, customers, citizens, patients, applicants, students, or other affected persons. |
| Sector / process | HR, credit, insurance, healthcare, education, biometrics, public services, security, or other. |
| Data categories | Personal data, special-category data, operational data, synthetic data, public data, or mixed data. |
| Automated decision impact | Advisory only, decision support, automated recommendation, automated decision, or unclear. |
| Annex III relevance | No obvious Annex III trigger, potential trigger, confirmed trigger, or needs legal review. |
| Article 50 transparency trigger | Chatbot, content generation, deepfake, emotion recognition, biometric categorisation, or none identified. |
| FRIA trigger | No, likely no, possible, likely yes, or legal review needed. |
| Human oversight owner | Named person or role responsible for review, intervention, and escalation. |
| Logs and evidence location | Where usage records, model cards, vendor docs, approvals, and oversight logs are retained. |
| Status | Discovery, pilot, production, suspended, retired, or banned. |
| Last reviewed | Date of last classification and evidence review. |
| Next action | Classify, request vendor evidence, run FRIA, add notice, improve oversight, or retire. |
How to use it
- Start with approved systems, pilots, and suspected shadow AI. Leave nothing in someone’s head.
- Assign a business owner and a technical owner before debating the legal label.
- Use the register to decide what needs classification, FRIA review, Article 50 notice review, vendor evidence, tighter oversight, or retirement.
- Review it monthly while the inventory is immature. Move to quarterly only after owners and review dates stop slipping.
FAQ
Is this a full compliance register?
No. It is the intake layer. Use it before role classification, high-risk analysis, FRIA, vendor review, and evidence planning.
Should shadow AI tools be included?
Yes. Include approved systems and suspected shadow AI. Mark uncertain entries clearly. A messy entry is still better than an invisible system.
Related EU AI Compass assets
Source and review note
This page is an educational evidence starter. It is not legal advice and does not confirm compliance. Review the official text of Regulation (EU) 2024/1689 and obtain qualified legal review before relying on any template for a formal compliance decision.
- Regulation (EU) 2024/1689 on EUR-Lex
- Last reviewed against official source references: 27 April 2026.