An AI system register is an organised inventory of all artificial intelligence tools and systems used in an organisation - together with information about who uses them, for what purpose, on what data and with what risk. It is the first practical step towards EU AI Act compliance and the foundation of any AI Governance system.
In this guide we explain why the register is needed, what exactly it should contain, who should maintain it and how to build it step by step.
Does the AI Act require a register of AI tools?
It is worth starting with an honest framing. The AI Act does not contain a single provision titled „every company must keep a register of AI tools".
The regulation provides for formal registration in an EU database for high-risk systems (Articles 49 and 71 of the AI Act) - this applies to providers of such systems and to some deployers, including public authorities.
But that does not mean other organisations can skip the topic. It is exactly the other way round - and it follows from the simple logic of the obligations the AI Act places on anyone who uses AI:
- the obligation to ensure AI literacy for employees (Article 4) - impossible to fulfil without knowing who uses what;
- the ban on prohibited practices (Article 5) - impossible to verify without knowing which systems run in the company;
- transparency obligations (Article 50) - you need to know where AI interacts with people or generates content;
- the obligations of deployers of high-risk systems (Article 26) - first you have to establish whether you have such systems at all.
In other words: an inventory and a register are a precondition for every other obligation. An organisation that does not know which AI tools it uses cannot demonstrate compliance with any provision of the AI Act - or answer the questions of a supervisory authority, a client or an auditor.
We wrote about how large the gap can be between what a company „knows" and what employees actually use in our article on Shadow AI - the biggest gap in AI Act readiness.
What should an AI system register contain? (field template)
A good register does not have to be complicated. It has to be complete and up to date. In practice, the following set of fields works well for every tool or system:
- Tool/system name - e.g. ChatGPT, Claude, Copilot, Gemini, an internal model, an AI feature in your CRM;
- Provider - who supplies the tool and on what terms (licence, terms of service, data processing agreement);
- Version / plan - free or business, which model, whether data is used for training;
- Departments and users - who uses it and in what role;
- Purpose of use - which tasks the tool is approved for (e.g. text drafts, document analysis, code);
- Input data - which categories of data may go into the tool (and which are forbidden, e.g. client personal data);
- Risk classification - an initial assessment: could the use case be high-risk or subject to transparency obligations;
- Responsible person - the business owner of the tool within the organisation;
- Approval status - approved / under testing / forbidden;
- Review date - when the entry was last verified.
These ten fields are enough to answer the questions that come up in every compliance conversation: what do we use, who, what for, on what data and who is accountable.
How to build the register step by step
Step 1: Inventory. Collect information about actual AI use - an employee survey, a review of purchases and subscriptions, conversations with departments. The goal is to also detect tools used informally.
Step 2: Assessment and classification. For each tool, establish the provider, the terms, the type of data and the initial risk. At this stage it is worth asking providers compliance questions - you will find the list in our article on what to ask your vendor about compliance, data and risk.
Step 3: Decisions. Management or the responsible person approves the tools that are allowed, conditional and forbidden. This is the moment the register stops being a list and becomes a management tool.
Step 4: Rules and communication. The register connects to the AI usage policy - employees must know what they may use and on what terms, and confirm they have read the rules.
Step 5: Maintenance. The register lives: new tools, model changes, changes in providers' terms (example: the sudden block and return of Claude Fable 5). Set a periodic review - e.g. quarterly - and a responsible owner.
The most common mistakes
First, a register „on paper" - created once, never updated, with no owner. Second, a register without shadow AI - covering only officially purchased tools while employees use private accounts. Third, a register with no link to the rules - the list exists, but it does not say what is allowed and what is not. Fourth, no evidence - the supervisory authority and the auditor ask not only „do you have a register", but „since when, who approved it and how is it maintained".
The register and the AI Act timeline
The AI Act obligations apply in stages: the bans and AI literacy have applied since 2 February 2025, the obligations for general-purpose AI models since 2 August 2025, and from 2 August 2026 the regulation applies in full - together with the national supervision and penalty system. We describe the deadlines and sanctions on our EU AI Act compliance page and in the guide to AI Act fines and penalties.
In practice this means the register has to be built earlier - because it is the evidentiary basis for everything else.
How does AI TrustCERT help?
In the AI TrustCERT AI Governance system, the AI tool register is a ready-made module: the inventory, the fields described above, approval statuses, owners, change history and a readiness report - all in one place, with evidence for audit purposes. Instead of building spreadsheets from scratch, the organisation gets a working standard in 1-7 days.
Not sure where to start? The free AI Ready Check will show you in 3 minutes which AI Act obligations apply to your organisation - including whether the register is your priority number one.
Summary
An AI system register is not a bureaucratic add-on. It is a precondition for AI Act compliance and the only way for an organisation to genuinely know where it uses artificial intelligence.
A good register is simple: ten fields, a clear owner, a periodic review and a link to the AI usage rules. Built once, it puts every subsequent step in order - from training, through risk assessment, to due-diligence evidence.
And a company that does not have one is not managing AI. It is only assuming that employees use it sensibly.
Sources
- Regulation (EU) 2024/1689 (AI Act) - Article 4 (AI literacy), Article 5 (prohibited practices), Article 26 (deployer obligations for high-risk systems), Articles 49 and 71 (registration of high-risk systems in the EU database), Article 50 (transparency): eur-lex.europa.eu
- European Commission - AI Literacy - Questions & Answers: the AI competence obligation under Article 4: digital-strategy.ec.europa.eu
- European Commission - AI Act application timeline: digital-strategy.ec.europa.eu