The question comes up in almost every first conversation about AI Act compliance: "Do we need an AI register?" The short answer: the EU AI Act contains no article that literally requires organizations to keep an internal AI register. The honest answer: without one, you cannot demonstrably comply with almost any obligation in the regulation, and regulators and auditors start their questions exactly there.
This article breaks down what the law does and does not require, where the register expectation comes from in practice, and how to build an AI inventory that is more than a spreadsheet that goes stale in three months.
What the AI Act literally requires
The regulation contains several registration and documentation obligations, but they are more specific than "keep a register":
Providers of high-risk AI systems will face a registration obligation in the EU database (Article 49 and Article 71). That database is managed by the European Commission and is partly public. This obligation follows the high-risk regime, which the Digital Omnibus moved to 2 December 2027 for the standalone high-risk systems of Annex III.
Public authorities deploying high-risk AI face a registration obligation in the EU database as well, on the same high-risk timeline.
Everyone using AI has been subject to the AI literacy provision of Article 4 since 2 February 2025: organizations take measures to ensure staff working with AI systems are sufficiently AI literate. You cannot target those measures, let alone substantiate them, without knowing which AI systems are running and who works with them.
From 2 August 2026 the transparency obligations of Article 50 apply: chatbots must identify themselves as AI and AI-generated content must be recognisable. Compliance again starts with knowing which systems fall under that obligation.
So the internal AI register is not a standalone legal duty, but the indispensable foundation under obligations that very much exist. Compare it to the record of processing activities under the GDPR: that one is explicitly required (Article 30 GDPR), and many organizations extend precisely that record with an AI dimension.
Why you get stuck without one
Three practical reasons why virtually every serious AI governance effort starts with an inventory:
1. Risk classification requires a list. The AI Act works with risk categories: prohibited practices, high-risk, transparency obligations and minimal risk. You can only classify a system once it is in view. Shadow AI, the tools departments buy or use for free on their own, is the biggest blind spot in practice; organizations structurally underestimate how many AI applications they run.
2. Regulators ask for it. Supervisory authorities consistently ask for an overview in their algorithm inquiries: which systems, which purposes, which risks, who owns them. In the Netherlands, public bodies additionally publish impactful algorithms in the national Algorithm Register. Whoever cannot show an inventory starts that conversation at a disadvantage.
3. Buyers and clients ask for it. More and more tenders and enterprise procurement processes contain AI governance questions. The first is almost always a variant of: "Which AI systems do you use and how have they been assessed?" An up-to-date register then stops being a compliance burden and becomes sales material.
What belongs in a workable AI register
A register that does its job contains, per AI system, at minimum:
- Name and description of the system and its concrete use
- Owner: the internal role responsible (not the vendor)
- Role under the AI Act: are you provider, deployer, importer or distributor for this system
- Risk classification: prohibited, high-risk (with Annex III category), transparency obligation, or minimal risk, including the reasoning
- Vendor and contract status: who supplies it, which guarantees and documentation are contractually secured
- Data processing: which personal data, the link to the GDPR processing record and any DPIA
- User groups: who works with it, relevant for Article 4 measures
- Status and review date: pilots become production without anyone updating the register, so an expiry date per row is not a luxury
The trap is completeness as a goal in itself. A forty-column register nobody maintains always loses to a ten-column register that is reviewed quarterly and that decisions actually depend on.
How to start: from zero to register in weeks
The fastest route that works in practice:
- Collect what already exists. The GDPR processing record, contract administration, IT's application landscape and procurement's invoice list together contain most of the truth.
- Ask the organization short, concrete questions. Not "do you use AI?" but "which tools does your team use to draft texts, prepare decisions, assess candidates or answer customer questions?"
- Classify roughly first. Sort systems into three piles: directly affects people (candidates, customers, citizens, patients), supports internal work, or experimental. The first pile gets priority in formal risk classification.
- Assign an owner per system. A register without owners is a photograph; with owners it becomes a process.
- Attach decision-making to it. New AI tools only enter use through an intake that feeds the register. That prevents the inventory from going stale immediately.
How this connects to the rest of your AI Act dossier
The register is the foundation, not the end point. From the inventory follow the risk classification per system, the gap analysis against the obligations that apply to your role, the DPIA or FRIA where needed, the vendor dossiers and the Article 4 measures per user group. Whoever skips the register and writes policy first is building a roof without a foundation.
Want to see where your organization stands? You can search the full articles and annexes of the AI Act on this platform. For a guided start, from inventory to roadmap at a fixed price, see Embed AI.