惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
L
LINUX DO - 最新话题
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Forbes - Security
Forbes - Security
博客园 - 司徒正美
Hugging Face - Blog
Hugging Face - Blog
W
WeLiveSecurity
Jina AI
Jina AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
N
News and Events Feed by Topic
V
V2EX
Stack Overflow Blog
Stack Overflow Blog
Engineering at Meta
Engineering at Meta
PCI Perspectives
PCI Perspectives
Martin Fowler
Martin Fowler
T
The Exploit Database - CXSecurity.com
F
Full Disclosure
WordPress大学
WordPress大学
S
Security Affairs
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
S
SegmentFault 最新的问题
P
Privacy International News Feed
IT之家
IT之家
M
MIT News - Artificial intelligence
G
GRAHAM CLULEY
Hacker News: Ask HN
Hacker News: Ask HN
D
DataBreaches.Net
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Google Online Security Blog
Google Online Security Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
Check Point Blog
美团技术团队
Security Latest
Security Latest
Cyberwarzone
Cyberwarzone
N
News and Events Feed by Topic
MyScale Blog
MyScale Blog
H
Help Net Security
宝玉的分享
宝玉的分享
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
The Cloudflare Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
爱范儿
爱范儿
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
I
Intezer
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
AI
AI
I
InfoQ
N
News | PayPal Newsroom
TaoSecurity Blog
TaoSecurity Blog

Information Age

Is the SaaSpocalypse already over? - Information Age Stopping bad data from becoming bad business - Information Age Google I/O 2026 shows why enterprise AI governance needs an operating model Moving off the cloud – how to get repatriation right From speed to safety – how regulation is reshaping DevOps Why every organisation needs a minimum viable company strategy Quantum is coming. Here’s what CTOs can be doing today Small Language Models (SLMs) as the gold standard for trust in AI Your employees are waiting for your change programme to blow over How technical debt turns your IT infrastructure into a game you can’t win The business mobility trends driving workforce performance in 2026 Four actions CIOs must take to turn innovation into impact Eliminating blind spots – nailing the IPv6 transition Goodbye Software as a Service, Hello AI as a Service Smart auto-tiering vs. data reduction – logical efficiency vs. architectural efficiency The value of reducing middle office emissions for ESG How to match tech investment with real-world output
The AI inventory is the EU AI Act artefact most teams underestimate
Abhishek G Sharma · 2026-05-26 · via Information Age

An inventory does not equal compliance

As part of the EU AI Act, organisations will need to implement an AI inventory. This is what you need to identify


  • Many organisations do not yet have a reliable record of where artificial intelligence is used, who owns it, and what evidence each system leaves behind.
  • The weak version of an AI inventory lists products: chatbot, analytics tool, resume screener, customer service assistant, fraud model, productivity copilot.
  • A minimum viable AI inventory should identify the business owner, technical owner, vendor or provider, intended purpose, user group, input data category, output use, human review point, likely risk route, possible transparency trigger, evidence owner, incident route, and last review date.

For chief information officers and chief technology officers, EU AI Act readiness will expose an operating problem before it becomes a legal problem. Many organisations do not yet have a reliable record of where artificial intelligence is used, who owns it, and what evidence each system leaves behind.

That makes the AI inventory more important than it looks. It is often treated as a spreadsheet of tools. In practice, it should become the map that connects AI use cases to business owners, technical owners, vendors, data inputs, output use, human review, transparency triggers, and escalation routes. A policy can state intent while an inventory shows what must be governed.

The weak version of an AI inventory lists products: chatbot, analytics tool, resume screener, customer service assistant, fraud model, productivity copilot. That may be useful for basic visibility. But it does not answer the questions that matter when AI governance becomes operational:

  • Who uses the system, and what business process does it support?
  • Is the system built internally, supplied by a vendor, or embedded inside a software-as-a-service platform?
  • What data enters it, and what decisions, recommendations, or content does it influence?
  • Who reviews the output before it affects a person, customer, employee, patient, student, or applicant?

Most organisations discover their AI estate is larger and more fragmented than anyone expected. The inventory is the first honest map.

Those questions matter because the EU AI Act creates a documentation issue as well as routing work. A system may need role analysis, risk classification, vendor evidence, user-facing transparency notices, human oversight records, incident escalation, or coordination with privacy review. The inventory is where that routing should begin.

Governance over administration

This is where technology leaders become central. Legal and compliance teams may interpret obligations, but they rarely know every AI-enabled feature sitting inside customer relationship management platforms, human resources tools, analytics dashboards, security products, call centre software, procurement platforms, or developer environments.

The AI estate is not static. Vendors add AI features, and business units trial new tools that move quickly from experimentation into live workflows. Teams are now connecting agents to files, systems, and enterprise actions. Annual policy review cycles will not keep up with that pace.

A minimum viable AI inventory should therefore capture more than the system name. It should identify the business owner, technical owner, vendor or provider, intended purpose, user group, input data category, output use, human review point, likely risk route, possible transparency trigger, evidence owner, incident route, and last review date.

The evidence owner field – the named person accountable for requesting or retaining records for a given system – is especially important. It prevents the inventory from becoming a dead register. If a system needs vendor documentation, someone must own the request. If a chatbot may require a disclosure notice, someone must own that record. If an AI output influences hiring, credit, education, healthcare, insurance, or access to services, someone must own the classification rationale and review trail. If the system fails or produces harmful output, someone must know where the escalation record starts. That is the difference between inventory as administration and inventory as governance.

Curing ‘ownerless AI’

The inventory also helps reduce one of the most common failure modes in AI programmes: ownerless AI. A system’s purpose drifts it has no named business owner. Without a technical owner, underlying model changes go untracked. If nobody owns the vendor evidence, procurement risk stays unresolved. And when there is no human review point or incident route, accountability only starts after something has already gone wrong.

None of this means the inventory proves compliance. It doesn’t replace legal advice, privacy review, security testing, procurement diligence, or model-risk assessment. Its value is more basic as it creates the shared operating record that those functions need before they can do their work properly.

The AI inventory should sit near the centre, alongside asset management, vendor management, security review, privacy assessment, and enterprise architecture.

A good AI policy tells employees what the organisation expects while a good AI inventory tells the organisation what it has to control. As EU AI Act obligations continue to phase in, the organisations that move faster will be the ones whose legal, technology, security, privacy, product, and business teams are working from the same current record of AI use. That record starts with the inventory.

Abhishek G Sharma is founder and CTO of EUAICompass.com.

Read more

From speed to safety – how regulation is reshaping DevOps – Incoming regulations and agentic workflows are changing priorities for DevOps. Cameron Etezadi explains how to manage these changes

Small Language Models (SLMs) as the gold standard for trust in AI – Stephen Edginton of Dext explains why Small Language Models (SLMs) should be the next stage in your evolving AI strategy

Are you really ready for AI? Exposing shadow tools in your organisation – Without clear AI governance, employees often misuse publicly accessible external tools, known as ‘shadow AI’