AI Asset Inventory

Tier 1 GOVERN

What This Requires

Maintain a comprehensive inventory of all AI systems, models, tools, and services, including system owner, data inputs, use case, risk classification, deployment status, and compliance obligations. Update it quarterly.

Why It Matters

You can't govern what you don't know exists. Shadow AI (unapproved tools) proliferates without visibility. An inventory enables risk prioritization, incident response, and compliance reporting.

How To Implement

Define Inventory Schema

Capture: System Name, Owner (team/individual), Use Case, Risk Tier (from risk appetite), Model/Vendor, Data Classification, Deployment Environment, Compliance Tags (GDPR, HIPAA), Status (dev/staging/prod), Last Review Date.

Discovery Process

Combine technical discovery (cloud billing, API logs, network traffic) with self-reporting (a quarterly survey sent to engineering teams). Require new systems to register during the approval workflow.

Centralized Repository

Use a CMDB, ServiceNow, or a spreadsheet (for a small organization). Grant read access to audit and compliance teams. Designate an owner for each asset who confirms its accuracy quarterly.

Lifecycle Management

Mark systems as decommissioned when retired. Archive historical records for the audit trail. Flag systems missing a review date for follow-up.
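
One way to automate the schema and lifecycle checks above, as an added example that is not part of the original page. The snake_case field keys, the 92-day reading of "quarterly", matching discovered systems by name, and all sample records are assumptions made for illustration.

```python
from datetime import date, timedelta

# Schema fields from the page; the snake_case key names are an assumption.
REQUIRED = ("system_name", "owner", "use_case", "risk_tier", "model_vendor",
            "data_classification", "deployment_environment",
            "compliance_tags", "status", "last_review_date")
STATUSES = {"dev", "staging", "prod", "decommissioned"}
REVIEW_INTERVAL = timedelta(days=92)  # assumption: one quarter is ~92 days


def audit_record(rec, today):
    """Return the list of follow-up findings for one inventory record."""
    # An empty compliance_tags list is valid (no obligations), so only
    # absent, None, or blank-string values count as missing.
    issues = [f"missing {f}" for f in REQUIRED
              if rec.get(f) is None or rec.get(f) == ""]
    status = rec.get("status")
    if status and status not in STATUSES:
        issues.append(f"unknown status {status!r}")
    if status == "decommissioned":
        # Retired systems are archived, not re-reviewed each quarter.
        return [i for i in issues if i != "missing last_review_date"]
    raw = rec.get("last_review_date")
    if raw:
        try:
            if today - date.fromisoformat(raw) > REVIEW_INTERVAL:
                issues.append("review overdue")
        except (TypeError, ValueError):
            issues.append("unparseable last_review_date")
    return issues


def unregistered(discovered, records):
    """Systems seen by technical discovery but absent from the inventory."""
    known = {(r.get("system_name") or "").strip().lower() for r in records}
    return sorted(d for d in discovered if d.strip().lower() not in known)


# Constructed sample data, not taken from any real inventory.
SAMPLE_TODAY = date(2025, 1, 15)
BASE = {"system_name": "support-chatbot", "owner": "cx-team", "use_case": "customer support",
        "risk_tier": "high", "model_vendor": "example-vendor", "data_classification": "confidential",
        "deployment_environment": "cloud", "compliance_tags": ["GDPR"], "status": "prod",
        "last_review_date": "2024-12-01"}
SAMPLE = [
    {**BASE},
    {**BASE, "system_name": "resume-screener", "owner": "", "last_review_date": None},
    {**BASE, "system_name": "old-forecaster", "status": "decommissioned", "last_review_date": None},
    {**BASE, "system_name": "code-assistant", "last_review_date": "2024-01-10"},
]
```

Run `audit_record` over every row of the repository export before each quarterly attestation, and feed `unregistered` the system names produced by billing or API-log discovery to surface candidates for registration.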

Evidence & Audit

  • Inventory database/spreadsheet with all required fields
  • Discovery process documentation (survey template, automated scan config)
  • Quarterly attestation records from asset owners
  • Change logs showing additions/updates/decommissions
  • Sample asset records demonstrating completeness

Related Controls