AI inventory and register setup
Move from scattered AI tools, vendor claims and spreadsheets to a working AI register. In 10 business days we bring your AI systems, roles, risks, GDPR/FRIA signals and first actions into one clear overview.
Register sprint
10 business days
A register that can be managed and expanded internally
A first risk view per AI system
A list of missing evidence and supplier questions
A concise leadership summary with priorities
Why the AI register comes first
Without an inventory, AI Act preparation stays abstract. You can only classify, train, monitor or challenge suppliers once it is clear which AI systems exist and who owns them.
Overview for leadership and legal
A central list of systems, purposes, owners, suppliers and status.
Basis for risk classification
For each system we record whether there are prohibited, high-risk, transparency or low-risk signals.
Faster path to a roadmap
The register shows which systems need attention first and which actions can wait.
What goes into the register
AI system, use case, purpose and process context
Internal owner, involved teams and supplier
Provider/deployer signal and main AI Act route
Risk classification: prohibited, high-risk, transparency duty, GPAI or low risk
GDPR/DPIA/FRIA signals and affected people or groups
Human oversight, logging, monitoring and transparency requirements
Evidence status: present, missing, unclear or vendor-dependent
Priority, owner and first 30-60-90 day action
Approach in 10 business days
Scope freeze
We choose the business units, processes, suppliers and systems that fit the first sprint.
Inventory
We collect systems through interviews, tool overviews, procurement, security, privacy and team input.
Classification and signals
We give each system a first AI Act route and mark GDPR, DPIA, FRIA, vendor and human-oversight signals.
Register and review
We deliver the register, review uncertainties and make it usable for legal, compliance, IT and leadership.
Roadmap
We close with priorities, owners and logical next steps toward governance, training or an evidence pack.
Who this works for
Compliance and privacy
Teams that need a substantiated starting point for AI Act, GDPR, DPIA and FRIA discussions.
IT, security and procurement
Teams that want to organize AI tools, SaaS features and vendor claims without a months-long project.
Leadership and management
Teams that need a readable priority map instead of a loose AI list.
HR, finance and public-sector teams
Contexts where AI quickly affects people and classification, transparency and oversight become concrete.
Afterwards you have
A register that can be managed and expanded internally
A first risk view per AI system
A list of missing evidence and supplier questions
A concise leadership summary with priorities
A route into Readiness Sprint, Governance Framework or Article 4 Evidence Sprint where needed
Frequently asked questions
Is an AI register legally required?
The AI Act does not prescribe the same register format for every organization. In practice, a register is the workable basis for classifying systems, determining roles, collecting evidence and organizing follow-up.
What if we do not know which AI tools teams are using?
That is exactly why this is the first step. We use short interviews, known suppliers, SaaS overviews and process questions to make shadow AI visible without a heavy audit project.
Is this the same as a full governance framework?
No. The register is the starting point. The governance framework then covers policy, roles, review process, monitoring and incident handling. For many organizations, the register is the fastest first move.
Can supplier information and DPIA/FRIA signals be included?
Yes. We mark per system which supplier evidence is missing and where GDPR, DPIA or FRIA needs deeper work. The register does not replace those analyses, but shows where they are needed.
Start with the register, not scattered debates.
In the Gap Intake we define which business units, systems and suppliers belong in the first register sprint.