EU AI Act AI System Inventory Template
Deployers of AI systems under the EU AI Act need a maintained inventory and, for high-risk systems, an Article 9 risk record. This template has both: a per-system inventory and an Article 9 risk cycle log. Includes five worked examples covering Annex III high-risk and not-high-risk classifications.
Get the spreadsheet
Enter your email to download
Excel format (.xlsx). Opens in Excel, Google Sheets, or any spreadsheet tool. Three sheets: how-to guide, AI system inventory, Article 9 risk cycle log. You'll also receive new blog posts when they publish.
Who it's for
AI governance leads, DPOs, compliance officers, and legal teams maintaining an EU AI Act-aligned inventory of AI systems deployed or built by their organisation.
Use it organisation-wide — one row per AI system in scope. For high-risk systems, the Article 9 risk cycle log provides the per-system evidence record required before production.
How to use it
- 1Identify all AI systems your organisation deploys, builds, or substantially customises.
- 2Add one row per system to the Inventory sheet.
- 3Classify each system: Prohibited / High-risk / Limited / Minimal.
- 4For high-risk systems, complete the Article 9 Risk Cycle log with evidence references.
- 5Re-review whenever a system changes materially or at least quarterly.
- 6Use the inventory as the evidence record for EU AI Act deployer obligations.
What's in the file
Three sheets: how-to guide, AI system inventory (with five worked-example systems), and an Article 9 risk cycle log showing the six required cycle steps for a high-risk system.
| Inventory column | Contents |
|---|---|
| System ID + Name | Internal identifier and display name |
| Provider / Deployer role | Provider / Deployer / Importer / Distributor |
| Intended Purpose | What the system is designed to do, as documented |
| Annex III Category | Specific Annex III category, or 'Not high-risk' |
| Risk Classification | Prohibited / High-risk / Limited / Minimal |
| Lifecycle Stage | Design / Development / Pilot / Production / Decommissioned |
| Article 9 Risk Record | Reference to the system's risk record |
| Technical Documentation File | Reference to Article 11 technical documentation |
| Conformity Route | Self-assessment / Notified body / Not applicable |
| Re-review Triggers | Named triggers that require re-assessment |
Sample inventory row — Candidate screening assistant (high-risk)
| ID | Name | Annex III | Classification | Lifecycle | Conformity |
|---|---|---|---|---|---|
| AI-003 | Candidate screening assistant | §4(a) — Employment | High-risk | Design | Self-assessment |
From inventory to review pack
Spreadsheets are the starting point
This inventory helps maintain the evidence record the EU AI Act requires. Drel turns that record into a guided AI security review — mapping controls to findings, generating a risk disposition, and producing a review-ready dossier your AI Committee can actually approve or reject.
Frequently asked questions
- Does using this template make my system EU AI Act compliant?
- No. The template supports the inventory and risk record work that the EU AI Act requires for high-risk systems. Conformity assessment, when required, is a separate process. This template helps you maintain the evidence; it does not certify conformity.
- Which AI systems should be in the inventory?
- Any AI system your organisation deploys, builds, substantially customises, imports, or distributes. The classification column then captures whether it is high-risk under Annex III, prohibited, limited (Article 50 transparency), or minimal.
- What is the Article 9 risk cycle?
- Article 9 of the EU AI Act requires a documented risk management process for high-risk AI systems with six explicit steps: identification, analysis, evaluation, treatment, testing, and post-market monitoring. The template's third sheet provides a log structure for those six steps per high-risk system.
- How often should the inventory be reviewed?
- Whenever a system changes (model, training data, intended purpose, sub-processors) and at minimum on a regular cycle (quarterly is common). The template includes a Re-review Triggers column to capture system-specific triggers.
- What about General-Purpose AI (GPAI)?
- If you use a GPAI model (e.g. GPT, Claude, Gemini) as the base of an AI application, the GPAI provider has obligations under Title III of the EU AI Act, and you retain your own deployer obligations under Article 9 if your application is high-risk. The inventory captures both your role and the dependency.
- Do I need a notified body audit?
- Only for certain high-risk AI systems where Annex VI/VII requires third-party conformity assessment. Many Annex III systems can self-declare conformity with internal documentation. The Conformity Route column captures the route per system, and the answer depends on the specific Annex III category and the conformity assessment procedure that applies.
- Is this legal advice?
- No. This template is operational tooling for security and AI governance teams. EU AI Act interpretation, especially around Annex III scope and conformity assessment routes, requires qualified legal advice for your specific situation.