BLOG

Getting started with an AI inventory: a practical first week

By PowerQuant | Updated June 2026 | Reading time: ~7 minutes

Every EU AI Act readiness plan eventually arrives at the same conclusion: nothing else works without an AI inventory. You cannot classify systems you have not listed. You cannot perform Art. 26 deployer duties on systems no one in legal knows are being used. You cannot run an Art. 4 literacy programme for "the people interacting with AI" if you do not know who they are. This article is a practical first-week plan for building that inventory inside a Nordic HR-tech deployer.

Why "just ask IT" doesn't work

The single biggest reason inventories are incomplete is that they are built from the IT asset register alone. Modern HR-tech AI rarely shows up there. It arrives via:

  • SaaS features turned on by default — your ATS vendor enabling AI-assisted matching in a quarterly release;
  • Embedded models inside "just a tool" — a survey platform that secretly classifies free-text sentiment;
  • Shadow procurement — a recruiter signing up for a sourcing tool on a credit card;
  • Pilots that never ended — a six-week test of an interview-scoring tool that has been live for two years;
  • Internal builds — a People Analytics team that wrapped a foundation-model API in a dashboard.
  • If your inventory pipeline starts from IT's SaaS list, you will systematically miss the last three categories — which are exactly where the highest-risk HR systems tend to live.

    Scope it correctly: what counts as "AI"

    Use the Act's own definition (Art. 3(1)): a machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.

    The European Commission has published guidance on this definition. In practical scoping terms: if a tool produces a score, ranking, recommendation, classification, generated text, or auto-decision based on inference (rather than a fixed rules engine), treat it as AI for inventory purposes. Borderline cases go in the inventory with a "classification: under review" tag — you can refine later.

    The first-week plan

    Day 1 — Stand up the schema

    Before you collect anything, decide on the fields you will capture per system. A workable starter schema:

  • Identifier — short internal name + canonical vendor/product name
  • Owner — the named business owner (a person, not a team)
  • Purpose — what decision or output it supports, in plain language
  • Provider vs. deployer designation — who put it on the market (Art. 25 analysis where you customise)
  • Annex III classification — high-risk / limited-risk / minimal / under review, with the Annex point cited
  • Use of GPAI — does it rely on a general-purpose AI model? If so, which one and which version
  • Data inputs — what personal data flows in (link to your RoPA entry)
  • Human oversight — named role with the authority to override
  • Affected persons — candidates, employees, contractors, customers
  • Status — production / pilot / sunset / proposed
  • Evidence links — vendor DoC, instructions for use, FRIA, worker-information notice
  • A spreadsheet is fine to start. Resist the urge to buy a GRC tool before you have populated the schema; the tool selection should be informed by the inventory, not the other way around.

    Day 2 — Run three parallel discovery passes

  • Pass A — IT/security export: SaaS register, SSO logs, sanctioned-app list, network egress to known AI-vendor domains.
  • Pass B — Finance export: filter expense and AP for vendor names that match a working list of AI-tooling providers, including HR-tech with AI features (ATS, sourcing, interview, performance, workforce-management, sentiment, learning).
  • Pass C — Structured interviews: a 20-minute call with each of: TA lead, HRBP lead, People Analytics, Learning & Development, Workforce Management, and Internal Comms. Ask the same five questions: what AI tools do you use, what AI features are turned on in your existing tools, what pilots are running, what have you built internally, what data do you send to a third party.
  • The three passes will overlap, and that is the point — the systems that appear in only one pass are the ones to scrutinise first. A tool that finance pays for but no one will own is a red flag. A tool that an HRBP describes but IT has never heard of is a bigger one.

    Day 3 — De-duplicate and triage

    Merge the three lists into a single inventory. For each candidate entry, decide: in scope (AI as defined), out of scope (e.g. a deterministic rules engine), or under review. Tag every Annex III point-4 candidate as high-risk pending validation.

    Day 4 — Provider-evidence requests

    For every high-risk and under-review system, send the vendor a single, focused evidence request:

  • latest instructions for use (Art. 13);
  • EU declaration of conformity or, where not yet issued, the timeline for CE marking;
  • EU-database registration confirmation (Art. 49);
  • a description of human-oversight capabilities (Art. 14);
  • log-retention configuration and how to extend to ≥6 months;
  • where applicable, the GPAI model identity, version, and any provider-side mitigations.
  • Track each request with a deadline. Silence is data — a vendor that cannot answer this in two weeks tells you something about their own readiness.

    Day 5 — Classify and gap-list

    For each system, complete: provider vs. deployer designation (with Art. 25 reasoning where you customise); Annex III classification with the precise point cited; and a one-paragraph gap statement covering AI literacy coverage, oversight role, worker-information notice, log retention, FRIA requirement, and incident path. Stop here — do not try to solve gaps in the first week. Producing a clean, current, classified inventory is the deliverable; gap remediation is its own track.

    Traps to avoid

  • Treating the inventory as a project, not a register. The day you stop maintaining it is the day it starts lying to you. Assign an owner and a quarterly cadence before the project closes.
  • Letting vendors classify themselves. "Our system is not high-risk" is an opinion. Classification is the deployer's legal call, with the vendor's technical input.
  • Excluding pilots. A pilot in production with real candidates is a system in production. The legal status of an output is not affected by the marketing word in front of it.
  • Conflating GDPR RoPA with the AI inventory. They overlap but answer different questions. Link them, do not merge them.
  • Forgetting GPAI consumption. Each ChatGPT/Copilot/Gemini use-case where output enters an HR decision is in scope. Maintain a sub-list with the model identity and version.
  • Optimising for completeness over currency. A 60-system inventory that is six months out of date is worse than a 30-system inventory updated quarterly.
  • What "done" looks like at the end of week one

  • A single source-of-truth file or register, with the agreed schema populated for every confirmed AI system.
  • A short summary of how the inventory was built — sources, dates, interviewees — so a future auditor can verify the method.
  • A named owner with calendar time blocked for the next quarterly refresh.
  • An open list of vendor evidence requests with deadlines.
  • An "under review" pile that will be resolved in week two.
  • From here, the rest of AI Act readiness — Art. 4 register, Art. 26 procedures, FRIA selection, vendor chasing, Art. 86 explanation paths — becomes mechanical. Everything you build later anchors to the inventory, which is why doing it badly is so expensive and doing it well is so leveraged.

    Sources

  • EU AI Act (Regulation (EU) 2024/1689), Articles 3, 4, 13, 14, 25, 26, 49 and Annex III.
  • European Commission — Guidelines on the definition of an AI system.
  • Want the inventory delivered, not built?

    PowerQuant's Module 1 delivers a classified AI inventory, Article 4 literacy register and gap analysis in 5 working days — fixed fee, every claim cross-checked against EU AI Act text.

    Start with M1 — 10.999 kr