AIG-003 AI System Inventory
Description
A maintained inventory of all AI systems in use or development exists. Each entry records: system name, version, owner, intended purpose, deployment status (development / staging / production), risk classification, and the frameworks or third-party models the system depends on. The inventory is reviewed quarterly and updated whenever a system is deployed, substantially modified, or decommissioned.
Rationale
You cannot govern what you cannot enumerate. An AI inventory is the prerequisite for applying risk treatment proportionately.
Framework Mappings (3)
| A.4.2 | Resource documentation | partial |
| GOVERN 1.6 | AI System Inventory | full |
| MAP 1.4 | AI System Business Value Definition | partial |
Evidence (2)
AI system inventory register listing all AI systems in use or under development, with required fields: system name, version, owner, purpose, deployment status, risk classification, and third-party dependencies.
Example: AI System Inventory v4 (Airtable or Confluence table), reviewed by AI governance lead on 2026-01-15, with 12 entries covering all production and staging systems
Test: Request the AI system inventory. Verify: (1) each entry contains all required fields (name, version, owner, purpose, status, risk classification, dependencies), (2) at least one quarterly review event is recorded in the last 12 months, (3) cross-check inventory against deployment pipeline or cloud account to identify unregistered AI endpoints, (4) decommissioned systems are marked deprecated rather than deleted.
Automated cloud resource scan or MLOps platform export confirming that all live AI model endpoints and inference services correspond to entries in the AI system inventory.
Example: AWS SageMaker endpoint list export (JSON) dated 2026-04-01, cross-referenced against AI inventory; SaaS ML platform (Weights & Biases) active deployment export
Test: Obtain the infrastructure scan or MLOps platform export. Compare all active model endpoints against the inventory. Verify: (1) every active endpoint has a matching inventory entry, (2) no orphaned or unregistered endpoints exist, (3) scan timestamp is within the last 30 days.
Questions (2)
Does your organisation maintain a current inventory of all AI systems in use or under development?
An AI inventory is the prerequisite for proportionate risk treatment. It should cover production, staging, and development systems and be reviewed at least quarterly.
Which of the following fields does your AI system inventory record for each entry?
All six fields should be present. Risk classification and dependency tracking are the most commonly missing fields; without them the inventory cannot drive proportionate risk controls or supply chain oversight.