Inventory scope
The inventory should include customer-facing AI features, internal AI tools, third-party AI platforms, model APIs, embedded vendor features, employee productivity tools, pilots, and experiments that may affect customers, employees, or regulated decisions.
Minimum fields
A useful inventory records system name, purpose, owner, users, data categories, vendor or model provider, deployment location, access route, business process, risk notes, review owner, evidence links, and next review date.
Why procurement cares
Buyers need to understand whether AI introduces security, data protection, legal, ethical, operational, or contractual risk. A clear inventory turns a vague AI story into something reviewable.
Practical evidence checklist
- Create one row per AI system, feature, vendor tool, model, or material AI use case.
- Add owner, purpose, user group, affected people, and deployment context.
- Map personal, confidential, customer, sensitive, and special category data where relevant.
- Capture vendor, model, hosting, subprocessor, and data-retention information.
- Add risk notes, oversight route, escalation contact, and review date.
- Link to supporting evidence, including policies, DPIAs, security docs, vendor docs, and customer-facing summaries.
FAQ
Should pilots and experiments be included?
Yes, if they touch real users, customer data, employee data, confidential data, production workflows, or buyer-facing commitments. Low-risk lab experiments can be marked separately.
Can this live in a spreadsheet?
Yes. A spreadsheet is often enough to begin. The important thing is that it has clear ownership, regular updates, and links to evidence.
Who maintains the inventory?
Product or technology teams often maintain the operational detail, with input from security, data protection, legal, and commercial teams.