AI inventory requirements — what an EU AI Act inventory must contain

Why you need it

• Article 4 (in force since 2 February 2025): deployers must ensure a sufficient level of AI literacy among staff dealing with AI systems. Without knowing which systems are in use, you cannot scope training.
• Article 6 + Annex III (high-risk regime from 2 August 2026): you must determine whether each system is high-risk to know which obligations apply.
• Article 26 (deployer duties): human-oversight assignment, log retention, monitoring and worker information all presume you can list the systems in scope.
• GDPR Article 30: records of processing activities must reflect AI-based processing. An AI inventory feeds the RoPA.

Required fields

1. System name, vendor and version (or in-house model identifier).
2. Intended purpose (described in business terms, not marketing).
3. Role of your organisation: provider, deployer, importer, distributor — and whether the system is a general-purpose AI model (GPAI).
4. Risk classification per Article 5 (prohibited), Article 6(1) (safety component or Annex I product), Article 6(2) (Annex III high-risk), Article 50 (limited risk / transparency), or minimal risk.
5. Annex III point and sub-point if high-risk (e.g. point 4(a) for recruitment AI).
6. Article 6(3) exception assessment, if claimed (and the reasoning).
7. Input data categories and sources; output data and downstream consumers.
8. Personal-data flags (GDPR, special categories, automated decisions under Art 22).
9. Cross-border transfers (Schrems II / TIA where relevant).
10. Human-oversight assignment: role, escalation path, training reference.
11. Log-retention configuration and minimum period (Art 26(6): at least 6 months).
12. FRIA reference (Art 27) and DPIA reference (GDPR Art 35) if applicable.
13. Incident-reporting routing (Art 73 serious incident; NIS2 Art 23 if also in scope).
14. Date placed in service, last review date and review owner.

Lifecycle triggers

Re-run the inventory entry when any of these happen:

• Vendor releases a substantial modification of the model or the intended purpose.
• You change the intended purpose, the user group, or the decision the system influences.
• A new Annex III sub-point applies (typically following a change in workflow).
• The system is integrated with a new data source or downstream system.
• A serious incident or near-miss occurs.

Common scope mistakes

• Excluding embedded AI in everyday SaaS (e.g. AI features in Microsoft 365, Google Workspace, ATS or HRIS). Embedded use that materially influences a decision is in scope.
• Listing only models, not systems. The AI Act regulates AI systems and their use; a model becomes a system once given an intended purpose and deployed.
• Treating “shadow AI” (employee-procured tools, free chatbots) as out of scope. They are in scope from the moment they handle work data or influence work decisions.
• Treating limited-risk transparency obligations (Art 50) as “not high-risk so not our problem”. From 2 August 2026, chatbots, emotion-recognition systems and AI-generated content carry deployer duties even when the system is not high-risk.

Where to keep the inventory

A signed CSV in a versioned repository is enough to start. The Article 26 audit trail cares about completeness, accuracy and dating — not the tooling. Map each entry to your DPIA repository and to the supplier register used for NIS2 supply-chain risk management.

Related EU guides

• EU AI Act for recruitment AI
• Deployer vs provider
• Article 50 transparency from 2 August 2026
• NIS2 and HR systems

Sources

• Regulation (EU) 2024/1689, Articles 3, 4, 5, 6, 26, 27, 50, 73 and Annex III — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
• Regulation (EU) 2016/679 (GDPR), Articles 22, 30, 35 — EUR-Lex: eur-lex.europa.eu/eli/reg/2016/679/oj