AI Asset Inventory Register
Purpose
Centralized register tracking all AI systems, models, agents, and tools with ownership, risk classification, and status.
Related Controls
1. Purpose
Explain why maintaining an AI asset inventory is required.
This register provides a complete inventory of all AI systems, models, agents, and tools used by [ORGANIZATION NAME]. An accurate inventory is the foundation of AI governance — you cannot govern what you do not know exists.
Register Owner: [ROLE TITLE], [DEPARTMENT]
Last Updated: [DATE]
Update Frequency: Continuous (new assets added within 5 business days of deployment); full audit quarterly
2. AI Asset Register
Record every AI system with key metadata. Add rows as needed.
| Asset ID | System Name | Type | Vendor/Source | Owner | Data Classification | Risk Tier | Status | Deploy Date | Next Review |
|---|---|---|---|---|---|---|---|---|---|
| AI-001 | [SYSTEM NAME] | LLM API | [VENDOR] | [OWNER] | Internal | Medium | Production | [DATE] | [DATE] |
| AI-002 | [SYSTEM NAME] | ML Model | Internal | [OWNER] | Confidential | High | Production | [DATE] | [DATE] |
| AI-003 | [SYSTEM NAME] | AI Agent | [VENDOR] | [OWNER] | Internal | Medium | Staging | [DATE] | [DATE] |
| AI-004 | [SYSTEM NAME] | Code Assistant | [VENDOR] | [OWNER] | Confidential | Medium | Production | [DATE] | [DATE] |
Type options: LLM API, ML Model, AI Agent, Code Assistant, Chatbot, AutoML Platform, Custom Model, Embedded AI
Status options: Development, Staging, Production, Deprecated, Decommissioned
3. Asset Detail Record
For each asset, maintain a detailed record with the following fields.
Asset: [SYSTEM NAME] (AI-[NNN])
- Description: [Brief description of what the system does]
- Business Purpose: [Why the organization uses this system]
- Data Inputs: [What data the system receives — types, sources, classification]
- Data Outputs: [What the system produces — types, destinations, classification]
- Integration Points: [Systems this AI connects to — APIs, databases, services]
- Access Control: [Who can access, modify, or administer this system]
- Model Details: [Model name/version, provider, training data sources if known]
- Monitoring: [How the system is monitored — dashboards, alerts, logs]
- Incident History: [Summary of past incidents — count, severity, resolution]
- Compliance Requirements: [Applicable regulations, standards, certifications]
- Dependencies: [Other systems that depend on this AI or that this AI depends on]
- Decommission Plan: [How this system would be safely shut down if needed]
4. Inventory Audit Process
Define how the register is kept accurate and complete.
Quarterly Audit Steps
- Discovery Scan: Review cloud accounts, API gateway logs, and procurement records for AI services not in the register
- Validation: Confirm each registered asset's status, owner, and risk tier are current
- Shadow AI Detection: Survey department heads for any AI tools adopted outside the procurement process
- Update Register: Add new assets, update changed records, mark decommissioned systems
- Report: Publish audit findings to AI Governance Committee
Triggers for Immediate Update
- New AI system deployed to production
- AI system decommissioned or deprecated
- Change in data classification or risk tier
- Change in system owner or vendor
- Security incident involving an AI asset