RESOURCE — EU AI ACT

AI inventory template (12 fields)

A structured on-page schema for deployers under Regulation (EU) 2024/1689 Article 26. Each field is tied to a specific Article 26 paragraph, Annex III sub-point or GDPR coordination duty, so reviewers can see why every column exists. A worked example using an HR-tech CV-screening system illustrates each field; the schema applies to any AI or SaaS deployment.

The 12 fields

Build the register in a spreadsheet, a wiki page or your GRC platform — the format does not matter to the regulator. What matters is that every high-risk AI system you put into use is represented and that each field is traceable to an Article 26 obligation.

01

System name + version

Why: Uniquely identifies the AI system. Version is required because Article 26(5) monitoring duties attach to the version deployed.

Example: TalentFit Screener v3.2.1

02

Provider (legal entity + CVR/VAT)

Why: Article 26(1) requires use in accordance with the provider's instructions. You need the legal counter-party for incident escalation.

Example: TalentFit ApS, CVR 12345678

03

Provider's CE marking + DoC reference

Why: Article 26(1) presupposes the provider has placed a compliant high-risk system on the market. Capture the EU Declaration of Conformity reference.

Example: DoC ref TF-2026-014 dated 2026-03-12

04

Intended purpose (verbatim from provider)

Why: Article 26(1) ties your obligations to the provider's stated intended purpose. Off-purpose use can re-classify you as a provider under Article 25.

Example: Pre-screening of job applications for IT-engineering roles in Denmark

05

Risk classification (high / limited / minimal / prohibited)

Why: Drives the entire compliance regime. Annex III Point 4 covers HR-tech recruitment and workplace decision-making.

Example: High-risk — Annex III(4)(a)

06

Annex III sub-point (if high-risk)

Why: Several sub-points can apply (e.g. 4(a) recruitment + 4(b) performance). Each triggers the full Article 26 stack.

Example: Annex III(4)(a) recruitment + Annex III(4)(b) candidate ranking

07

Input data sources controlled by you

Why: Article 26(4) duty for input-data relevance attaches only to data the deployer controls. Capture sources to scope the duty.

Example: Applicant CVs uploaded via careers portal; LinkedIn-imported profiles

08

Output type + downstream decision

Why: Article 26(11) requires you to inform affected persons when output contributes to a decision producing legal or similarly significant effects.

Example: 0-100 fit score; used to shortlist top 30 candidates per role

09

Named human oversight role + competence

Why: Article 26(2) requires assignment to a named natural person with competence, training and authority — not a generic team mailbox.

Example: Head of Talent Acquisition, completed Article 4 literacy module 2026-04

10

Log retention location + period

Why: Article 26(6) requires automatically generated logs to be retained for at least 6 months unless other Union or national law requires longer.

Example: AWS S3 eu-north-1 bucket talentfit-logs, 24-month retention, immutable

11

DPIA reference (GDPR Article 35)

Why: Profiling and automated decision-making about job applicants typically triggers DPIA. Article 26(9) lets you re-use provider documentation but the DPIA stays your responsibility.

Example: DPIA-2026-007, last review 2026-05-15, owner DPO@example.com

12

Worker-information evidence (Article 26(7))

Why: Employers must inform workers' representatives and affected workers before putting a high-risk system into use in the workplace. GDPR information duties run in parallel.

Example: Works-council briefing minute 2026-02-08; intranet notice published 2026-02-15

Operating notes

What this template does not cover

The inventory is the foundation, not the whole compliance file. You still need separately:

Sources

Note: PowerQuant supplies software and documentation for use in your internal compliance process — not legal advice. Concrete obligations depend on each system’s classification, your role (provider, deployer, both) and the applicable phase of the EU AI Act.

PowerQuant Module 1

EU-hosted, Ed25519-signed evidence package: fully populated AI inventory with risk classification, Article 4 literacy register and Annex III mapping. Helps AI and SaaS vendors answer customer CAIQ, SIG and investor due-diligence questionnaires — you review and approve every answer. Delivered in 5 working days. Fixed fee, no subscription.

Price: EUR 1,499 — fixed fee, no subscription.

Start Module 1