Introduction
A complete AI systems inventory is the foundation of your Evidence Pack. It documents all AI systems in use, including third-party tools and shadow usage.
This guide provides a step-by-step approach to building your inventory, with templates and examples you can use.
What to Include
Your AI inventory should capture the following information for each system:
Required Fields
- • System Name: Clear, descriptive name
- • Purpose: What the system is used for
- • Type: Third-party, internal, or both
- • Vendor/Provider: If third-party, who provides it
- • Risk Classification: High, limited, or minimal risk
- • Data Types: What data the system processes
- • Owner: Who is responsible for the system
- • Status: Active, deprecated, or in development
Discovery Process
Finding all AI systems in use can be challenging. Use these approaches:
1. Survey Teams
Survey all teams about AI tools they use. Ask about customer support tools, analytics platforms, content generation, and automation tools.
2. Review Vendor Contracts
Review contracts with vendors to identify AI-powered features. Many SaaS tools include AI capabilities that may not be obvious.
3. Check Shadow AI
Look for unsanctioned AI usage. Check for ChatGPT, Claude, or other AI tools used without formal approval. See our Shadow AI Discovery guide.
4. Review Code and Infrastructure
Review code repositories and infrastructure for AI model usage, API calls to AI services, and ML pipelines.
Inventory Template
Example Entry
What to Export as Evidence
Your AI inventory should be exportable in multiple formats:
- Complete inventory as a table or spreadsheet
- Summary by risk classification
- Summary by owner or team
- Third-party vs internal breakdown
Include the inventory as a section in your Evidence Pack PDF.
Best Practices
Be Comprehensive
Include all AI systems, even if they seem minor. Incomplete inventories raise questions with procurement teams.
Keep It Updated
Update your inventory whenever you add, remove, or change AI systems. Maintain a change log.
Document Shadow AI
Don't ignore shadow AI. Document it and establish governance. It's better to acknowledge and manage it than to have it discovered during a review.
Checklist
- ✓ All AI systems documented
- ✓ Third-party tools included
- ✓ Shadow AI usage documented
- ✓ Each system has an owner
- ✓ Risk classifications assigned
- ✓ Data types documented
- ✓ Inventory is exportable
- ✓ Change log maintained