Which AI tools should you inventory for EU AI Act readiness?

12 June 2026
Answered by Rohit Parmar-Mistry

Short answer

Which AI tools you need to inventory for EU AI Act readiness depends on use, risk and data context, not whether the tool is fashionable. Start with every AI-assisted workflow that affects staff, customers, decisions or regulated records, then classify each one and record the controls.

Detailed answer

Why the AI inventory question matters for EU AI Act readiness

The useful answer is not a list of vendor names. For EU AI Act readiness, the inventory should cover every AI-assisted workflow where the organisation uses a model, embedded AI feature, third-party AI vendor or internally built system to support work that could affect people, customers, compliance evidence or regulated decisions.

The source brief points to the practical audit problem: when a regulator, client or board asks what is in use, a firm needs a complete inventory with risk classification, documented controls for each non-trivial use case, and a working incident-response route. That is more useful than a one-off spreadsheet of tools that is already out of date by the next procurement cycle.

The tools to inventory first

Inventory the AI tools that touch decisions, sensitive data, customer outcomes, staff processes, regulated records or audit evidence first. Include public AI tools, Copilot-style assistants, AI features inside existing SaaS products, workflow automation platforms, analytics models, document review tools, chatbots, vendor APIs and any internal model or script used in a live process.

A simple rule works well: if someone relies on the output to decide, advise, prioritise, approve, reject, summarise, score, monitor or evidence something, it belongs in the inventory. If the tool only helps an individual draft low-risk internal notes with no sensitive data and no operational reliance, it may be low priority, but it should still be visible as a permitted or restricted use pattern.

Use cases matter more than product names

The same product can sit in different risk categories depending on how it is used. A public AI assistant used to rephrase a generic internal email is not the same risk as the same assistant being used to analyse client documents, draft regulated advice or summarise a complaint file.

For each tool, record the use case rather than only the licence owner. A useful entry captures: the business process, owner, supplier, model or embedded AI feature, input data, output use, affected user or customer group, human review point, retention setting, training opt-out position, access controls, logs, known limitations and escalation route.

What should be in the inventory record?

Each inventory entry should answer five audit questions:

  • What is the tool or AI feature? Include embedded AI inside core systems as well as standalone model subscriptions.
  • Where is it used? Name the workflow, team, system and decision point.
  • What data goes in? Separate public, internal, confidential, personal, special category and client-provided data.
  • What does the output affect? Note whether it influences staff, customers, pricing, claims, legal advice, compliance evidence, finance, HR or operational decisions.
  • What controls prove it is supervised? Capture human review, approval gates, logging, testing, retention, access limits, incident response and version history.

How to classify risk without overcomplicating the first pass

For the first pass, use practical tiers: prohibited or unacceptable, potentially high risk, regulated or sensitive, operational but lower risk, and experimental or personal productivity. This is not a substitute for legal assessment, but it gives the business a working triage model.

High attention should go to AI used in HR, recruitment, credit, insurance, legal workflows, complaint handling, fraud detection, identity checks, vulnerable-customer processes, health and safety, biometric processing, or anything that affects access to services. For financial services, insurance and professional services, connect the classification back to confidentiality, Consumer Duty where relevant, SM&CR accountability, data protection, audit trail and quality review.

Do not miss shadow AI and embedded AI

Most weak inventories miss two categories. The first is shadow AI: staff using public tools or browser extensions outside approved processes. The second is embedded AI: features quietly added to CRM, finance, HR, document management, meeting, analytics or customer support platforms.

The control response is not to pretend these uses do not exist. Ask teams what they use, review procurement and SaaS admin settings, check browser extensions where appropriate, inspect vendor release notes, and add a lightweight declaration route for new AI use. The inventory should make safe use easier than hidden use.

How this supports EU AI Act readiness

The EU AI Act readiness value comes from traceability. If the organisation can show which systems exist, who owns them, why they are used, what data they touch, how outputs are reviewed and how incidents are handled, it is in a stronger position to map deployer obligations and respond to client or regulator questions.

The source article frames the lean audit-readiness target as complete inventory, controls per use case and incident response. That is the right practical order. ISO/IEC 42001, cloud assurance such as BSI C5 where relevant, and sector-specific oversight can then be mapped onto real use cases rather than abstract policy statements.

A 30-day starter plan

  1. Week 1: pull a list from procurement, SaaS admin consoles, security tooling and team leads.
  2. Week 2: interview process owners and identify the real decision points, data inputs and human review points.
  3. Week 3: classify each use case, flag sensitive or regulated uses, and assign accountable owners.
  4. Week 4: close the obvious gaps: banned data in public tools, missing review gates, absent logs, unclear vendor retention and no incident route.

Conclusion

The right AI inventory is a live control, not a compliance worksheet. Start with every AI-assisted workflow that affects decisions, customers, staff, regulated records or sensitive data. Record the use case, risk, owner, data, review point and evidence trail. That gives the business a defensible base for EU AI Act readiness and a practical way to govern AI as tools change.

FAQs

Do we need to inventory ChatGPT, Claude, Gemini and Copilot?

Yes, if they are used for business work. Record the use case, data rules, account type, retention settings, approved users and review requirements rather than only the product name.

Should embedded AI features in existing software be included?

Yes. AI inside CRM, HR, finance, legal, analytics or customer support tools can create the same governance risk as a standalone AI vendor.

What if a tool is only used for brainstorming?

It can usually be treated as lower risk, provided staff do not enter confidential, personal or client-provided data and do not rely on the output without review.

Who should own the inventory?

Compliance or risk can own the control, but each business process needs a named accountable owner who understands how the tool is actually used.

How often should the inventory be updated?

Review it at least quarterly, and update it whenever a new AI tool, embedded feature, supplier, workflow or data category is introduced.
