All Posts
AI & Governance

Building an AI Governance Inventory

14 November 20252 min read

The first rule of AI governance is deceptively simple: know what you have. In every enterprise I have worked with, the actual use of AI tools and systems significantly exceeds what leadership thinks is happening. Engineers are using AI coding assistants, teams are integrating AI APIs into products, and business units are experimenting with AI-powered analytics — often without any centralized visibility.

Why an Inventory Matters

You cannot assess risk on systems you do not know exist. You cannot ensure compliance with regulations you cannot map to specific implementations. And you cannot make informed decisions about AI strategy when you do not have a clear picture of your current AI footprint.

The EU AI Act is approaching enforcement, and organizations will need to classify their AI systems by risk level. If you do not have an inventory, you cannot classify. If you cannot classify, you cannot comply.

What I Built

I created a lightweight AI inventory using a Confluence template with five fields for each AI touchpoint: system name, use case description, data inputs, risk classification (using a simplified version of the EU AI Act categories), and the responsible owner.

I then sent a brief survey to every team lead asking three questions. What AI tools are your team members using in their daily work? Are any AI components integrated into the products or services you deliver? Are any AI experiments or proofs-of-concept currently running?

The responses were eye-opening. We identified fourteen distinct AI touchpoints across the organization — nearly double what leadership was aware of. Three of them involved processing customer data in ways that warranted immediate review.

Keeping It Current

A static inventory is useless. I tied the inventory to our architecture review process. Any new system design that includes an AI component now requires an inventory entry before approval. This adds about ten minutes to the review process and ensures the inventory stays current without manual auditing.

This is foundational work. Not exciting, not innovative — but absolutely essential if you are serious about responsible AI adoption.

Back to all posts