惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

A
About on SuperTechFans
D
DataBreaches.Net
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Visual Studio Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
B
Blog RSS Feed
Recent Announcements
Recent Announcements
The Register - Security
The Register - Security
S
Secure Thoughts
Y
Y Combinator Blog
The Last Watchdog
The Last Watchdog
L
LINUX DO - 最新话题
V2EX - 技术
V2EX - 技术
腾讯CDC
GbyAI
GbyAI
G
Google Developers Blog
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
Schneier on Security
Schneier on Security
Microsoft Security Blog
Microsoft Security Blog
Jina AI
Jina AI
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
MyScale Blog
MyScale Blog
Help Net Security
Help Net Security
K
Kaspersky official blog
P
Privacy & Cybersecurity Law Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
AI
AI
MongoDB | Blog
MongoDB | Blog
Scott Helme
Scott Helme
J
Java Code Geeks
Engineering at Meta
Engineering at Meta
H
Heimdal Security Blog
H
Help Net Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
云风的 BLOG
云风的 BLOG
Microsoft Azure Blog
Microsoft Azure Blog
S
Security Affairs
TaoSecurity Blog
TaoSecurity Blog
The GitHub Blog
The GitHub Blog
Hacker News: Ask HN
Hacker News: Ask HN
Martin Fowler
Martin Fowler
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Project Zero
Project Zero
T
The Blog of Author Tim Ferriss
Last Week in AI
Last Week in AI

Information Age

Is the SaaSpocalypse already over? - Information Age Stopping bad data from becoming bad business - Information Age Google I/O 2026 shows why enterprise AI governance needs an operating model Moving off the cloud – how to get repatriation right From speed to safety – how regulation is reshaping DevOps Why every organisation needs a minimum viable company strategy Quantum is coming. Here’s what CTOs can be doing today Small Language Models (SLMs) as the gold standard for trust in AI Your employees are waiting for your change programme to blow over How technical debt turns your IT infrastructure into a game you can’t win The business mobility trends driving workforce performance in 2026 Four actions CIOs must take to turn innovation into impact Eliminating blind spots – nailing the IPv6 transition Goodbye Software as a Service, Hello AI as a Service Smart auto-tiering vs. data reduction – logical efficiency vs. architectural efficiency The value of reducing middle office emissions for ESG How to match tech investment with real-world output
The AI inventory is the EU AI Act artefact most teams underestimate
Abhishek G Sharma · 2026-05-26 · via Information Age

An inventory does not equal compliance

As part of the EU AI Act, organisations will need to implement an AI inventory. This is what you need to identify


  • Many organisations do not yet have a reliable record of where artificial intelligence is used, who owns it, and what evidence each system leaves behind.
  • The weak version of an AI inventory lists products: chatbot, analytics tool, resume screener, customer service assistant, fraud model, productivity copilot.
  • A minimum viable AI inventory should identify the business owner, technical owner, vendor or provider, intended purpose, user group, input data category, output use, human review point, likely risk route, possible transparency trigger, evidence owner, incident route, and last review date.

For chief information officers and chief technology officers, EU AI Act readiness will expose an operating problem before it becomes a legal problem. Many organisations do not yet have a reliable record of where artificial intelligence is used, who owns it, and what evidence each system leaves behind.

That makes the AI inventory more important than it looks. It is often treated as a spreadsheet of tools. In practice, it should become the map that connects AI use cases to business owners, technical owners, vendors, data inputs, output use, human review, transparency triggers, and escalation routes. A policy can state intent while an inventory shows what must be governed.

The weak version of an AI inventory lists products: chatbot, analytics tool, resume screener, customer service assistant, fraud model, productivity copilot. That may be useful for basic visibility. But it does not answer the questions that matter when AI governance becomes operational:

  • Who uses the system, and what business process does it support?
  • Is the system built internally, supplied by a vendor, or embedded inside a software-as-a-service platform?
  • What data enters it, and what decisions, recommendations, or content does it influence?
  • Who reviews the output before it affects a person, customer, employee, patient, student, or applicant?

Most organisations discover their AI estate is larger and more fragmented than anyone expected. The inventory is the first honest map.

Those questions matter because the EU AI Act creates a documentation issue as well as routing work. A system may need role analysis, risk classification, vendor evidence, user-facing transparency notices, human oversight records, incident escalation, or coordination with privacy review. The inventory is where that routing should begin.

Governance over administration

This is where technology leaders become central. Legal and compliance teams may interpret obligations, but they rarely know every AI-enabled feature sitting inside customer relationship management platforms, human resources tools, analytics dashboards, security products, call centre software, procurement platforms, or developer environments.

The AI estate is not static. Vendors add AI features, and business units trial new tools that move quickly from experimentation into live workflows. Teams are now connecting agents to files, systems, and enterprise actions. Annual policy review cycles will not keep up with that pace.

A minimum viable AI inventory should therefore capture more than the system name. It should identify the business owner, technical owner, vendor or provider, intended purpose, user group, input data category, output use, human review point, likely risk route, possible transparency trigger, evidence owner, incident route, and last review date.

The evidence owner field – the named person accountable for requesting or retaining records for a given system – is especially important. It prevents the inventory from becoming a dead register. If a system needs vendor documentation, someone must own the request. If a chatbot may require a disclosure notice, someone must own that record. If an AI output influences hiring, credit, education, healthcare, insurance, or access to services, someone must own the classification rationale and review trail. If the system fails or produces harmful output, someone must know where the escalation record starts. That is the difference between inventory as administration and inventory as governance.

Curing ‘ownerless AI’

The inventory also helps reduce one of the most common failure modes in AI programmes: ownerless AI. A system’s purpose drifts it has no named business owner. Without a technical owner, underlying model changes go untracked. If nobody owns the vendor evidence, procurement risk stays unresolved. And when there is no human review point or incident route, accountability only starts after something has already gone wrong.

None of this means the inventory proves compliance. It doesn’t replace legal advice, privacy review, security testing, procurement diligence, or model-risk assessment. Its value is more basic as it creates the shared operating record that those functions need before they can do their work properly.

The AI inventory should sit near the centre, alongside asset management, vendor management, security review, privacy assessment, and enterprise architecture.

A good AI policy tells employees what the organisation expects while a good AI inventory tells the organisation what it has to control. As EU AI Act obligations continue to phase in, the organisations that move faster will be the ones whose legal, technology, security, privacy, product, and business teams are working from the same current record of AI use. That record starts with the inventory.

Abhishek G Sharma is founder and CTO of EUAICompass.com.

Read more

From speed to safety – how regulation is reshaping DevOps – Incoming regulations and agentic workflows are changing priorities for DevOps. Cameron Etezadi explains how to manage these changes

Small Language Models (SLMs) as the gold standard for trust in AI – Stephen Edginton of Dext explains why Small Language Models (SLMs) should be the next stage in your evolving AI strategy

Are you really ready for AI? Exposing shadow tools in your organisation – Without clear AI governance, employees often misuse publicly accessible external tools, known as ‘shadow AI’