This document is a template provided as a starting point for your compliance documentation. It does not constitute legal advice and should be reviewed by a qualified legal professional before use. Viktoria Compliance accepts no liability for the use of this template.
AI System Inventory and Register — Template
Version 1.0.0 — Last updated 2026-04-25
1. Purpose and Scope
This AI System Inventory is the live register of every AI system [companyName] provides or deploys, maintained at [inventoryLocation] under the responsibility of the AI Officer [aiOfficer]. It covers all systems on the market, in service, in pilot, and in development, and is the single point from which [companyName] satisfies the technical-documentation obligation of Article 11 and Annex IV of Regulation (EU) 2024/1689 for high-risk AI systems, and the documentation obligations of Articles 53-55 for GPAI providers. The inventory is made available to the competent national authority [supervisoryAuthority] on request. The inventory takes effect on 2026-04-26 and is reviewed on or before [reviewDate].
2. Inventory Structure
The inventory is structured as a single source of record indexed by AI system identifier. For each system, the record links to: the Risk Classification Decision (template AI Act Risk Classification); the Conformity Assessment file (template AI Act Conformity Assessment) for high-risk systems; the Transparency Notice (template AI Act Transparency Notice) for systems triggering Article 50 obligations; the Human Oversight Procedure (template AI Act Human Oversight) for high-risk systems; the Data Quality and Management Procedure (template AI Act Data Quality) for high-risk systems; and any GPAI documentation set required under Articles 53-55. The inventory references the corporate AI Governance Policy and incident-reporting log.
3. Per-System Records (Mandatory Fields)
Each AI system record contains:
(a) system identifier and human-readable name;
(b) provider name and address;
(c) deployer name and address (if different);
(d) intended purpose and reasonably foreseeable misuse;
(e) risk classification (prohibited / high-risk / GPAI / limited / minimal);
(f) Annex III use-case reference (for high-risk under Article 6(2));
(g) version, release date, last material modification;
(h) identifiers and provenance of the training, validation and test data sets;
(i) performance metrics including accuracy on benchmarks, fairness metrics, robustness measures;
(j) operational logs reference;
(k) human-oversight measures reference;
(l) post-market monitoring reference;
(m) serious-incident reporting status;
(n) EU database registration ID for high-risk systems (Article 71);
(o) CE marking and EU declaration of conformity reference.
4. Technical Documentation (Article 11 + Annex IV)
For each high-risk AI system, the inventory links to a technical documentation file structured per Annex IV of the AI Act: a general description (intended purpose, version, date, hardware on which it is intended to run, instructions for use); a detailed description of system elements (development methods, computational resources, design choices including assumptions about persons or groups, system architecture, data requirements, human oversight measures, predetermined changes); information about monitoring, functioning and control of the AI system; a description of the appropriateness of performance metrics; risk management system documentation per Article 9; pre-determined changes envisaged by the provider; cybersecurity measures; standards and specifications applied; and the EU declaration of conformity. The file is updated for the lifetime of the system and kept for ten years after the system is placed on the market or put into service.
5. GPAI Documentation (Articles 53-55)
Where [companyName] is a GPAI provider, the inventory links to: the GPAI technical documentation per Annex XI; the information for downstream providers per Annex XII; the copyright-policy compliance file (Article 53(1)(c)); the publicly available summary of training content (Article 53(1)(d)) — typically published on the website [companyName] maintains for the model. For GPAI models with systemic risk under Article 51(2), the file additionally contains: model evaluation methodology and results (Article 55(1)(a)); adversarial testing documentation (Article 55(1)(b)); serious-incident records (Article 55(1)(c)); cybersecurity-protection records (Article 55(1)(d)). When [companyName] is a downstream provider integrating a GPAI model, the upstream provider's information sheet under Annex XII is retained in the inventory.
6. Lifecycle Management
The inventory tracks each system through five lifecycle states: design (no production use, no obligations triggered); pilot (limited deployment with explicit user consent, oversight and logging); production (full obligations apply); maintenance (continued monitoring, periodic re-validation of risk classification, post-market monitoring); decommissioned (system withdrawn, but documentation retained for ten years). Transitions between states are recorded with the date, the reason, the approver and the new compliance status. Material modifications (Article 43(4)) trigger re-classification and, where the change is significant, a new conformity assessment for high-risk systems.
7. Disclosure to Authorities
The inventory is made available, in whole or in part, to the supervisory authority [supervisoryAuthority] on request, in accordance with Articles 21 and 64-65 of the AI Act. Access requests are logged with the date of the request, the requesting authority, the scope, the response date and the responsible person. For high-risk AI systems, the standalone EU database registration entry (Article 71) is kept current; for GPAI providers, the European AI Office may request additional information under Article 91. The AI Officer [aiOfficer] is the single point of contact for these communications and ensures alignment with the corporate AI Governance Policy and the Risk Classification Decisions referenced in the inventory.