Building your first AI inventory
Almost everything the Act asks of a deployer starts from one thing: knowing what AI you use and what for. An inventory is that foundation, and it is quicker to build than people expect.
Why it comes first
You cannot classify, document, or oversee what you have not written down. The inventory is the thing every other duty is derived from, which is why it is the first step rather than an afterthought.
It is also the quickest win. An afternoon spent listing your AI tools and their uses turns a vague worry into a concrete, finite list you can actually work through.
List the tools, and the uses
For each AI tool, record what your team actually does with it. The use matters more than the tool, because the use is what sets the risk tier. One tool used two ways is two entries.
Keep the description concrete: "drafting customer emails" or "ranking job applicants", not "general AI". A vague entry gives you a vague classification.
Find the shadow AI
The tools you know about are rarely all of them. People sign up for AI with a work email, or expense a subscription, and the official list falls behind. Check expense and card data, ask each team one direct question, or connect your identity provider to surface what is actually in use.
The tools most likely to be missed, the ones a single team adopted quietly, are also the ones most likely to be a high-risk use nobody reviewed. So the hunt is worth the effort.
Classify each use
Place each use in a tier. Most will be minimal-risk, a few limited-risk, and the ones to slow down on are anything touching recruitment, credit, insurance, or decisions about individuals.
Treat anything that looks like it could be high-risk as high-risk until confirmed, and get those reviewed rather than guessed.
Keep it current
An inventory is only useful if it reflects reality, so add new tools as they are adopted and review it on a regular cadence. A stale inventory is worse than none, because it looks done while quietly being wrong.
A short quarterly check, plus a habit of adding tools at the point of adoption, keeps it honest without it becoming a project.
How Veillo helps
Veillo builds this as a living risk register, classifies each use under the Act, and can connect to the systems you already run to find the AI your team is using.
From there the register drives everything else: your roadmap of duties, the documents you generate, and the audit trail all flow from what is in it.
This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.
Put it into practice
Classify your AI systems against the Act and generate the documents this guide describes.