A practical guide to building an AI system inventory for governance - discovery methods, what to capture, EU AI Act 2026 context, the Treasury FS AI RMF inventory requirement, and how to keep it accurate.
•
•
21 min read time
Topics
An AI system inventory (also called an AI system registry) is a comprehensive, centralized catalog of all AI systems, models, and agents in use across an organization. It tracks their business purpose, ownership, and risk levels - the foundation of any enterprise governance program. Building a complete AI inventory is now a strict prerequisite for compliance with the EU AI Act, ISO 42001, the NIST AI RMF, and the Treasury Department's new Financial Services AI Risk Management Framework.
Most organizations cannot answer a deceptively simple question: how many AI systems are currently operating across the business? The inability to produce a reliable answer - and the absence of a comprehensive AI inventory - is not merely an administrative gap. It is a compliance liability, a risk management blind spot, and an increasingly untenable position as regulatory frameworks worldwide move from voluntary guidance to binding obligation.
The EU AI Act, which entered into force in August 2024 and whose obligations are phasing in through 2027, requires deployers of high-risk AI systems to register those systems in the EU database (Article 71) and maintain documentation that presupposes a complete accounting of every system in scope.[1] ISO/IEC 42001, the international standard for AI management systems, requires organizations to document the scope and context of their AI systems as a prerequisite for certification, making systematic cataloging a practical necessity.[2] The NIST AI Risk Management Framework treats identification and classification of AI systems as the foundational activity within its Map function, which feeds all downstream risk measurement and management.[3] The Treasury Department's Financial Services AI Risk Management Framework, released in February 2026, makes AI inventory its own control objective (GV-1.6), with six sub-objectives that span shadow IT discovery to portfolio-level risk analysis.[4] Without a comprehensive AI inventory, compliance with any of these frameworks is structurally impossible.
Yet the task of cataloging every AI system within an enterprise is far more complex than it first appears. This guide provides a systematic approach to building an AI inventory from nothing, including what to capture, how to discover systems that may be invisible to central governance, and how to keep the inventory accurate over time.
Why an AI Inventory Is the Foundation of Governance
Regulatory mandates aside, a complete AI system inventory serves as the prerequisite for virtually every downstream governance activity. Risk assessments cannot be conducted on systems that are unknown. Bias audits cannot reach AI tools that procurement never logged. Incident response plans cannot account for AI-driven processes that IT has no visibility into.
The practical consequences of operating without an inventory are already visible. Organizations subject to the EU AI Act face a registration requirement for high-risk systems with the European database.[1] Those pursuing ISO 42001 certification must demonstrate a systematic process for identifying and managing AI systems across the organization.[2] Financial regulators, including the Bank of England, FCA, and European Central Bank, have begun issuing supervisory expectations that assume firms know precisely which decisions are influenced by algorithmic or AI-based tools.[5] And as of February 2026, U.S. financial institutions must be ready to support the Treasury FS AI RMF questionnaire, which cannot be completed without a base-level AI inventory.[4]
The challenge is compounded by the pace of AI adoption. McKinsey's 2024 Global Survey on AI found that 72% of organizations had adopted AI in at least one business function, with adoption nearly doubling year on year and much of it occurring at the departmental level without central oversight.[6] Platforms such as Enzai have emerged specifically to address the complexity of maintaining a living AI inventory at enterprise scale, connecting discovery, risk classification, and ongoing monitoring in a single governance layer.
An AI inventory is not a compliance checkbox. It is the single artifact upon which every other governance activity depends.
What to Include in Your 2026 AI Inventory: Updated Requirements
Two things have changed since most organizations last reviewed their inventory specification. The regulatory bar has risen, and the systems being inventoried have evolved. An inventory designed in 2024 to support EU AI Act preparation is materially insufficient for 2026.
The 2026 Regulatory Backdrop
EU AI Act - high-risk obligations effective 2 August 2026. The full suite of high-risk system requirements under Articles 9-15, conformity assessment under Article 43, transparency obligations under Article 50, and EU database registration under Article 71 takes effect on 2 August 2026.[7] The Digital Omnibus proposed in November 2025 would extend the Annex III deadline to December 2027, but that proposal remains in trilogue negotiation and the outcome is uncertain. Plan for August; treat any extension as contingency, not baseline. The inventory implication is concrete: every system that may fall within Annex III categories must be identifiable, classified, and ready for registration.
Treasury Financial Services AI Risk Management Framework - released 19 February 2026. The U.S. Department of the Treasury released the Financial Services AI Risk Management Framework (FS AI RMF) on 19 February 2026, alongside an AI Lexicon, adapting the NIST AI RMF for financial institutions across 230 control objectives.[4] Building the AI inventory is its own control objective - GV-1.6 - with six sub-objectives spanning shadow IT discovery to portfolio-level risk analysis. The framework is currently voluntary, but it is expected to shape auditor expectations rapidly. For financial services organizations, the inventory must now support FS AI RMF questionnaire completion as a baseline.
Colorado AI Act and parallel state laws. The Colorado AI Act, originally effective 1 February 2026 and subject to pending amendments, requires developers and deployers of high-risk AI systems to exercise reasonable care to avoid algorithmic discrimination in consequential decisions.[8] Inventories supporting Colorado compliance must capture decision impact, affected populations, and consequential-decision flags - fields not always present in older AI inventories.
ISO/IEC 42001 and NIST AI RMF. Continuing voluntary frameworks. ISO 42001 certification requires demonstrating a systematic process for identifying and managing AI systems. The NIST AI RMF treats identification and classification as the foundational activity within its Map function.[2][3]
What's New to Capture in 2026
The fields and considerations that 2026 specifically adds:
Agentic system flags. Whether the system is an autonomous agent, its autonomy tier (see Enzai's Agentic AI Governance Guide), and the bounded action space it operates within.
Foundation model dependency. For systems built on third-party foundation models, the model provider, model version, version pinning policy, and re-validation triggers when the provider issues updates.
EU AI Act risk classification fields. Annex III category (if applicable), high-risk classification reasoning, conformity assessment route, EU database registration status, post-market monitoring plan reference. See Enzai's EU AI Act Compliance Guide for the full obligations breakdown.
FS AI RMF mapping (financial services). Designation against relevant control objectives, particularly GV-1.6 sub-objectives, including external-facing exposure, sensitive or regulated data use, customer or market impact, and criticality.
Shadow agent discovery flags. Specific tracking for autonomous agents adopted outside formal procurement - frequently embedded in SaaS platforms or built informally by data science teams.
Substantial modification triggers. Defined criteria for when a change to an existing system constitutes a "substantial modification" under EU AI Act Article 3(23), triggering re-assessment.
These are additions to the field framework that follows. Organizations whose inventories already cover the core fields below should plan a targeted enrichment pass to add 2026-specific data rather than rebuilding from scratch.
The Discovery Challenge
Understanding why AI systems are difficult to catalog is essential before attempting to build the inventory itself. AI does not behave like traditional software in terms of visibility. It embeds itself into existing tools, operates through third-party APIs, and proliferates through individual employee decisions that never cross a procurement desk.
Shadow AI - The most significant discovery challenge is shadow AI: systems adopted by employees or teams without formal approval. A marketing analyst subscribing to an AI-powered copywriting tool on a personal credit card, a sales team using an AI meeting transcription service, a finance team experimenting with a large language model through a browser extension. Each of these represents an AI system processing organizational data outside of any governance framework.
Embedded AI in SaaS platforms - Major enterprise software vendors have integrated AI features into existing products at extraordinary speed. A CRM platform that introduced predictive lead scoring, an HR system that added resume screening, a customer support tool that deployed automated response generation. These are AI systems, but they often arrive as feature updates rather than new procurements, making them invisible to traditional software auditing.
Vendor and third-party AI - When an organization engages a vendor that uses AI in its service delivery, the organization may become a deployer of that AI system under regulatory frameworks such as the EU AI Act. A background check provider using AI to screen candidates, a claims processing outsourcer using AI to triage submissions, a logistics partner using AI for route optimization. Each creates a governance obligation that begins with knowing the system exists.
Internally built AI - Data science teams, innovation labs, and software engineering departments may build and deploy AI models that never pass through a formal release management process. Jupyter notebooks promoted to production, machine learning models running on departmental servers, automated decision scripts that evolved from proof-of-concept to business-critical without anyone formally commissioning them.
The discovery challenge is fundamentally one of visibility. Traditional IT asset management was not designed for AI, and the tools and processes most organizations rely on will miss the majority of their AI footprint.
What to Capture in Your AI Inventory
A useful AI inventory must balance comprehensiveness with practicality. Capturing too little renders the inventory inadequate for risk assessment and compliance. Capturing too much creates a maintenance burden that causes the inventory to decay. The following template framework covers the fields that regulatory requirements, industry standards, and practical governance needs demand.
Core Identification Fields
Field | Description | Example |
|---|---|---|
System ID | Unique identifier for the AI system | AI-2026-0042 |
System Name | Descriptive name | Customer Churn Prediction Model |
System Description | Plain-language summary of what the system does | Predicts likelihood of customer contract non-renewal based on usage patterns and support ticket history |
System Category | Classification of the AI type | Machine learning model, rule-based system, generative AI, robotic process automation, autonomous agent |
Deployment Type | How the system is deployed | Internal build, third-party SaaS, embedded vendor feature, API service |
Ownership and Accountability
Field | Description | Example |
|---|---|---|
Business Owner | Individual accountable for the system's use | VP of Customer Success |
Technical Owner | Individual responsible for technical operation | Lead ML Engineer, Data Science Team |
Vendor (if applicable) | Third-party provider | Acme Analytics Ltd |
Department | Organizational unit using the system | Customer Success |
Contract Reference | Link to relevant procurement or license agreement | PO-2025-8831 |
Risk and Compliance Classification
Field | Description | Example |
|---|---|---|
EU AI Act Risk Category | Unacceptable, High, Limited, Minimal | Limited risk |
Annex III Category (if high-risk) | Which Annex III category applies | Employment - CV screening |
FS AI RMF Designation (financial services) | Relevant control objectives, GV-1.6 sub-mapping | External-facing, sensitive data, customer-affecting |
Data Types Processed | Categories of data the system ingests | Customer usage data, support ticket text, contract metadata |
Personal Data Involved | Whether personal data is processed and under what basis | Yes - legitimate interest, DPIA reference DP-2025-019 |
Decision Impact | Nature of decisions influenced by the system | Advisory input to renewal team, no automated decisions |
Affected Populations | Who is affected by system outputs | Enterprise customers (B2B), approximately 2,400 accounts |
Consequential Decision Flag | Does the system make or substantially influence a consequential decision (employment, credit, insurance, housing, etc.)? | No |
Technical and Operational Details
Field | Description | Example |
|---|---|---|
Model Type / Algorithm | Technical approach | Gradient boosted decision tree (XGBoost) |
Foundation Model Dependency | If built on a third-party foundation model: provider, version, version-pinning policy | Anthropic Claude Sonnet 4.6, pinned to claude-sonnet-4-6 |
Training Data Summary | Description of training data sources and vintage | 36 months of historical customer data, last retrained March 2026 |
Infrastructure | Where the system runs | AWS eu-west-2, SageMaker endpoint |
Integration Points | Systems that feed data to or receive outputs from this AI | Salesforce CRM, internal dashboards, renewal workflow |
Performance Metrics | How the system's effectiveness is measured | AUC-ROC 0.87, precision 0.79, reviewed quarterly |
Last Review Date | Date of most recent governance review | 2026-02-15 |
Agentic-Specific Fields (where applicable)
Field | Description | Example |
|---|---|---|
Is this an autonomous agent? | Yes | |
Autonomy Tier | 1 (Assistive) to 4 (Fully Autonomous) | Tier 3 - Bounded autonomous |
Action Whitelist Reference | Link to the agent's permitted action space | RUN-A042-actions.yaml |
Escalation Triggers | Defined conditions that hand control back to a human | Confidence < 0.8; transaction > $5k; tool failure |
Audit Trail Location | Where the agent's reasoning and tool-use logs are stored | S3://enzai-audit/agents/A042/ |
Lifecycle and Status
Field | Description | Example |
|---|---|---|
Status | Current operational state | Active, pilot, decommissioned, under review |
Date Deployed | When the system entered production | 2025-06-01 |
Next Review Date | Scheduled date for next governance review | 2026-08-15 |
Decommission Plan | Whether an exit or sunset plan exists | Documented in run-book RB-2025-044 |
Substantial Modification Trigger | Defined criteria that would re-trigger conformity assessment | Change to training data sources; foundation model version bump |
Not every field will be populated for every system on the first pass. A practical approach is to define which fields are mandatory at intake (system name, owner, deployment type, risk classification) and which can be deferred to the first governance review cycle. Enzai's AI inventory schema implements this tiered approach, distinguishing required intake fields from progressive enrichment fields to prevent teams from either skipping everything or getting paralyzed by a 22-field form for each of 200 systems. The goal is to establish the structure and fill gaps systematically, rather than to delay the inventory until every field can be completed perfectly.
Discovery Methods
With a clear picture of what to capture, the next question is how to find every AI system operating within the organization. No single method will achieve complete coverage. An effective discovery program uses multiple approaches in combination.
Automated scanning and technical discovery - Network traffic analysis can identify API calls to known AI service providers, including major cloud AI endpoints from providers such as OpenAI, Google, Anthropic, and AWS. DNS logs, proxy server records, and cloud access security broker (CASB) tools can flag connections to AI services that have not been formally sanctioned. Software composition analysis can identify AI libraries and frameworks within internally developed applications.
Organizations using platforms like Enzai can integrate automated discovery capabilities directly into their governance workflow, reducing the manual effort required and ensuring that newly detected systems are immediately flagged for classification and review.
Procurement and vendor audit - A systematic review of procurement records, software license agreements, and vendor contracts will surface AI systems acquired through formal channels. This should include a retrospective review of existing contracts, since many vendors have added AI features to previously non-AI products. Procurement teams should be briefed to flag any new acquisition that includes AI or machine learning capabilities.
Employee surveys and self-declaration - Direct outreach to business units remains one of the most effective discovery methods for shadow AI. A structured survey asking teams to identify any tools, services, or models they use that involve AI, machine learning, natural language processing, or automated decision-making will consistently reveal systems that no technical scanning method would detect. The survey should be framed constructively, emphasizing governance support rather than enforcement, to encourage honest disclosure.
Vendor questionnaires - For existing third-party relationships, a targeted questionnaire asking vendors whether AI is used in service delivery and, if so, what type and for what purpose, will identify embedded and third-party AI. This is particularly important for outsourced business processes where AI may be introduced by the vendor without explicit notification to the client.
Network and API traffic analysis - Beyond scanning for known AI endpoints, deeper analysis of API traffic patterns can reveal AI systems that communicate through non-obvious channels. Monitoring for patterns consistent with model inference calls, such as structured JSON payloads sent to external endpoints with latency profiles typical of ML inference, can surface systems that other methods miss.
The most robust discovery programs run these methods in parallel and repeat them on a regular cycle. A single sweep will capture the majority of systems, but ongoing discovery is necessary to keep pace with the rate at which new AI tools enter the organization.
Building the Inventory Process
An AI inventory is only as durable as the process and governance structure that sustains it. Without clear ownership, cross-functional involvement, and defined workflows, even a thorough initial catalog will degrade within months.
Establishing ownership - A single function must own the AI inventory as a corporate asset. In most organizations, this falls to one of three roles: the Chief AI Officer (where the role exists), the Chief Information Security Officer, or the Chief Compliance Officer. The critical requirement is that the owner has sufficient authority to compel disclosure from all business units and sufficient technical credibility to engage with engineering teams on classification and risk assessment.
Cross-functional involvement - The inventory process requires active participation from multiple functions:
IT and Engineering provide technical discovery capabilities and can identify internally built AI systems, infrastructure details, and integration points.
Procurement flags new AI acquisitions and retrospectively reviews existing vendor relationships.
Legal and Compliance classifies systems against regulatory requirements, including EU AI Act risk categories, FS AI RMF control objectives, and data protection obligations.
Business Unit Leaders identify AI tools in use within their teams and assign business ownership for each system.
Data Protection / Privacy assesses personal data processing and ensures alignment with GDPR and equivalent frameworks.
Internal Audit validates the completeness and accuracy of the inventory on a periodic basis.
Defining the intake workflow - Every new AI system, whether procured, built, or discovered through scanning, should pass through a standardized intake workflow. This workflow should include initial registration (populating the core identification fields), preliminary risk classification, assignment of business and technical owners, and scheduling of a full governance review. The intake process should be lightweight enough that it does not create an incentive to circumvent it, while rigorous enough that no system enters production without basic governance documentation.
Setting the governance cadence - The inventory should be formally reviewed on a quarterly basis at minimum. Each review should assess completeness (have new systems been added since the last cycle?), accuracy (are the details for existing systems still correct?), and compliance posture (are any systems operating outside of their approved risk parameters?).
A process without clear ownership is an aspiration. A process with ownership, cross-functional buy-in, and a defined cadence is a governance program.
Maintaining the Inventory Over Time
The initial build is the easier half of the challenge. Maintaining an accurate, living inventory requires triggers, automation, and integration with broader organizational change management.
Triggers for inventory updates - The inventory should be updated whenever any of the following events occur:
A new AI system is procured, built, or deployed
An existing system is materially modified (new data sources, changed decision scope, model retraining, foundation model version change)
A system is decommissioned or suspended
A vendor notifies the organization of AI feature additions to an existing product
A regulatory change alters the risk classification of an existing system
An incident involving an AI system is reported
Organizational restructuring changes the business ownership of a system
Continuous discovery - Technical discovery methods should run continuously rather than as periodic exercises. Automated scanning for AI API traffic, CASB alerts for new AI SaaS tools, and integration with software deployment pipelines to flag AI components in new releases all contribute to reducing the lag between a system entering the organization and appearing in the inventory.
Integration with change management - The AI inventory should be embedded into existing change management and IT service management processes. Change advisory boards should include AI inventory impact as a standard assessment criterion. Software deployment processes should include a check for AI components. Vendor management workflows should include AI disclosure as a standard contractual and review requirement.
Version history and audit trail - Every change to an inventory entry should be logged with a timestamp, the identity of the person making the change, and the reason for the update. This audit trail is not merely good practice. It is an explicit requirement under several regulatory frameworks and will be expected by auditors and supervisory authorities.
Maintenance is where most AI inventories fail. The organizations that succeed are those that treat the inventory as a living system integrated into operational workflows, not as a static document revisited annually.
Common Pitfalls
Even well-resourced organizations encounter predictable failure modes when building and maintaining an AI inventory. Recognizing these patterns in advance significantly improves the likelihood of a durable outcome.
Defining AI too narrowly. Organizations that limit their inventory to "machine learning models" will miss rule-based automated decision systems, robotic process automation with cognitive elements, autonomous agents, and generative AI tools used informally across the business. The definition of what constitutes an AI system for inventory purposes should be deliberately broad and aligned with regulatory definitions, such as the EU AI Act's expansive framing in Article 3(1).[1]
Treating the inventory as an IT project. If the inventory is owned exclusively by IT, business-side AI adoption will be systematically under-reported. Conversely, if it is owned exclusively by compliance, technical details will be sparse and unreliable. Cross-functional ownership is not optional.
Pursuing perfection on the first pass. Organizations that insist on completing every field for every system before publishing the inventory will never publish the inventory. A pragmatic approach accepts partial records in the initial build and implements a structured program to fill gaps over subsequent review cycles.
Neglecting vendor AI. The AI systems with the largest impact on an organization are frequently those operated by third parties - a background screening provider's AI, a credit scoring bureau's model, a cloud platform's automated security tooling. These require the same governance attention as internally built systems, and often more, given the reduced visibility.
Overlooking agentic systems. Most legacy inventories were built for static AI - models that produce predictions or content for humans to act on. Agentic systems, which take actions autonomously across multi-step workflows, require additional fields (autonomy tier, action whitelist, escalation triggers, audit trail location) and additional governance disciplines. An inventory that does not surface agentic systems separately from static models cannot support proportionate governance. See Enzai's Agentic AI Governance Guide for the full framework.
Failing to connect the inventory to action. An AI inventory that exists as a spreadsheet, reviewed annually, disconnected from risk assessment, incident management, and regulatory reporting processes, provides negligible governance value. The inventory must be the operational backbone of the AI governance program, not an appendix to it.
Underestimating the maintenance burden. The rate of AI adoption in most organizations means that an inventory completed today will be materially incomplete within three to six months without active maintenance processes. Organizations should budget ongoing effort for inventory upkeep, not merely for the initial build.
The difference between an AI inventory that delivers governance value and one that gathers dust is not the sophistication of the initial catalog. It is the rigor of the process that keeps it current and connected to decision-making.
Practical Implications
The regulatory trajectory is unambiguous. The EU AI Act, ISO 42001, the NIST AI RMF, the Treasury FS AI RMF, and an expanding set of sector-specific supervisory expectations all converge on the same foundational requirement: organizations must know what AI they have, where it operates, who is accountable for it, and what risks it presents. The cost of building this capability only increases with delay, as the volume of AI systems in any enterprise grows faster than the capacity to retrospectively catalog them.
Organizations that begin now, even with an imperfect first pass, will be materially better positioned than those that wait for a regulatory deadline to force action. The template framework, discovery methods, and process structures outlined in this guide provide a concrete starting point.
Choosing the right ai system inventory tool is critical for maintaining an auditable system of record. For organisations seeking to operationalise their AI inventory within a platform purpose-built for AI governance, risk, and compliance, Enzai offers a structured approach to discovery, classification, and ongoing maintenance. Book a demo to see how it works in practice.
Enzai is the leading enterprise AI governance platform, purpose-built to help organizations transition from abstract policy to operational oversight. Our AI risk management platform provides the specialized infrastructure required to manage agentic AI governance, maintain a comprehensive AI inventory, and ensure EU AI Act compliance. By automating complex workflows, Enzai empowers enterprises to scale AI adoption with confidence while maintaining alignment with global standards like ISO 42001 and NIST.
References
Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, August 2024.
ISO/IEC 42001:2023 - Information technology - Artificial intelligence - Management system. International Organization for Standardization, December 2023.
Artificial Intelligence Risk Management Framework (AI RMF 1.0), NIST AI 100-1. National Institute of Standards and Technology, January 2023.
U.S. Department of the Treasury, "Treasury Releases Two New Resources to Guide AI Use in the Financial Sector", 19 February 2026. Includes the Financial Services AI Risk Management Framework and AI Lexicon. AI inventory is control objective GV-1.6.
Bank of England, FCA, PRA, and PSR, "Artificial intelligence and machine learning", DP5/22, October 2022; PRA Supervisory Statement SS1/23, 2023.
McKinsey & Company, "The State of AI in Early 2024: Gen AI Adoption Spikes and Starts to Generate Value", May 2024.
Regulation (EU) 2024/1689, Articles 113-114 (entry into force and application dates). The European Commission's Digital Omnibus on AI proposed November 2025 may extend Annex III deadlines, subject to trilogue.
Colorado SB 24-205, Concerning Consumer Protections for Artificial Intelligence, signed May 2024. Original effective date 1 February 2026; subject to pending legislative amendments.
Empower your organization to adopt, govern, and monitor AI with enterprise-grade confidence. Built for regulated organizations operating at scale.