Transparency rules in2 Aug 2026
Library / Guide

Building your first AI inventory

Almost everything the Act asks of a deployer starts from one thing: knowing what AI you use and what for. An inventory is that foundation, and it is quicker to build than people expect.

Why it comes first

You cannot classify, document, or oversee what you have not written down. The inventory is the thing every other duty is derived from, which is why it is the first step rather than an afterthought.

It is also the quickest win. An afternoon spent listing your AI tools and their uses turns a vague worry into a concrete, finite list you can actually work through.

List the tools, and the uses

For each AI tool, record what your team actually does with it. The use matters more than the tool, because the use is what sets the risk tier. One tool used two ways is two entries.

Keep the description concrete: "drafting customer emails" or "ranking job applicants", not "general AI". A vague entry gives you a vague classification.

Find the shadow AI

The tools you know about are rarely all of them. People sign up for AI with a work email, or expense a subscription, and the official list falls behind. Check expense and card data, ask each team one direct question, or connect your identity provider to surface what is actually in use.

The tools most likely to be missed, the ones a single team adopted quietly, are also the ones most likely to be a high-risk use nobody reviewed. So the hunt is worth the effort.

Classify each use

Place each use in a tier. Most will be minimal-risk, a few limited-risk, and the ones to slow down on are anything touching recruitment, credit, insurance, or decisions about individuals.

Treat anything that looks like it could be high-risk as high-risk until confirmed, and get those reviewed rather than guessed.

Keep it current

An inventory is only useful if it reflects reality, so add new tools as they are adopted and review it on a regular cadence. A stale inventory is worse than none, because it looks done while quietly being wrong.

A short quarterly check, plus a habit of adding tools at the point of adoption, keeps it honest without it becoming a project.

How Veillo helps

Veillo builds this as a living risk register, classifies each use under the Act, and can connect to the systems you already run to find the AI your team is using.

From there the register drives everything else: your roadmap of duties, the documents you generate, and the audit trail all flow from what is in it.

Placeholder

This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.

Put it into practice

Classify your AI systems against the Act and generate the documents this guide describes.

A note on cookies

We use strictly necessary cookies to run the site and keep it secure. With your OK, we also use privacy-respecting, EU-hosted analytics to see how Veillo is used. No advertising, no third-party trackers. Read our cookie policy.