Build Your EU AI Act System Inventory in 30 Minutes
Every EU AI Act compliance obligation starts with one thing: knowing which AI systems you actually deploy. Here's how to build a complete AI system inventory in under 30 minutes.
Your Compliance Starts With a List
Building an AI system inventory is the single most important first step any European SME can take toward EU AI Act compliance. Without it, you cannot classify risk, assign owners, meet documentation requirements, or demonstrate compliance to a regulator. Everything else in the Act, from Article 26 deployer obligations to Article 50 transparency duties, assumes you already know what AI you are running.
The good news: you do not need a specialist team or expensive software. You need about 30 minutes and a structured approach.
Step 1: Hunt the Hidden AI (Minutes 0-10)
Most SMEs dramatically undercount their AI exposure on the first pass. They think "AI system" means a custom-built model. It does not. Under Article 3 of the EU AI Act, an AI system is any machine-based system that infers outputs such as predictions, recommendations, or decisions from the inputs it receives. That definition catches a lot of everyday software.
Start by listing tools across these five categories:
1. Productivity and communication. Microsoft 365 Copilot, Google Workspace AI features, Grammarly Business, Zoom IQ. If your staff use any of these, they are almost certainly interacting with an AI system.
2. HR and recruitment software. Tools like Personio, Workday, SAP SuccessFactors, or any ATS (Applicant Tracking System) that scores CVs, ranks candidates, or flags attendance anomalies. These are high-sensitivity tools under the Act.
3. CRM and sales platforms. Salesforce Einstein, HubSpot AI features, Pipedrive's lead scoring. These generate recommendations that influence business decisions.
4. Finance and accounting. Tools that flag unusual transactions, automate invoice matching, or predict cash flow. Even some accounting add-ons now embed AI.
5. Customer-facing systems. Chatbots on your website, AI-powered helpdesks, automated email triage tools.
Do not try to assess risk yet. Just write down every tool name, the vendor, and the department using it. A shared spreadsheet or even a Notes document works fine at this stage.
Step 2: Classify by Risk Category (Minutes 10-18)
Now open Annex III of the EU AI Act, which lists the high-risk AI use cases that trigger the heaviest compliance obligations. Read through the eight areas and check each tool on your list against them.
The categories most relevant to SMEs are:
- Employment, workers management, and access to self-employment (Annex III, point 4): AI used to recruit, select, promote, monitor performance, or terminate. If your HR software scores candidates or flags underperformance, it is very likely high-risk.
- Access to essential private services and public services (Annex III, point 5): AI used in credit scoring or insurance risk assessment.
- Education and vocational training (Annex III, point 3): AI that evaluates learners or determines access to educational programmes.
For each tool, assign one of three labels:
- High-risk (Annex III): Triggers Article 26 obligations including conformity documentation review, human oversight procedures, and staff training under Article 4.
- Limited risk: Triggers transparency obligations under Article 50 (e.g., chatbots must disclose they are AI).
- Minimal risk: Still worth logging, but no specific obligations apply yet.
When in doubt, classify higher. You can always revise downward after a proper legal review. Classifying downward without justification is the error that attracts regulatory attention.
Step 3: Document the Data Flows (Minutes 18-24)
For every tool you have classified as high-risk or limited-risk, add three data columns to your spreadsheet:
- What personal data does this system process? Names, CVs, behavioural data, financial records, health information?
- Who does it make decisions about? Employees, job applicants, customers, patients?
- Where does the data go? Is it processed on EU servers, transferred to the US under an adequacy decision, or handled by a sub-processor you haven't reviewed?
This step matters for two reasons. First, Article 26 of the EU AI Act requires deployers to use high-risk AI systems in accordance with the instructions of use provided by the provider, and to monitor their operation. Knowing the data flow is essential to that monitoring. Second, the AI Act does not replace the GDPR. Personal data processed by AI systems remains subject to GDPR (AVG) obligations in the Netherlands and Belgium. Your Data Protection Officer needs to see this list.
If you identify a high-risk AI system processing special-category data (health, ethnicity, biometrics, trade union membership), flag it immediately. That intersection is where a DPIA under GDPR Article 35 is almost certainly required alongside your AI Act obligations.
Step 4: Assign Owners (Minutes 24-30)
An inventory without owners is just a list. For every system on your register, name two people:
- The operational owner: The department head or team lead who uses the tool day-to-day. They are responsible for monitoring outputs and flagging anomalies.
- The compliance owner: Usually the Compliance Officer or DPO, who is responsible for ensuring documentation is maintained and that the system's use aligns with the provider's instructions of use.
This two-owner model matters because Article 26 places obligations on the deployer organisation, not just the IT team. When a regulator asks who is responsible for human oversight of your AI recruitment tool, "the software vendor" is not an acceptable answer.
Set a calendar reminder to review the inventory every six months. AI features are added to SaaS products constantly, often buried in release notes. A tool that was minimal-risk in January may have gained a high-risk feature by July.
What Your Inventory Unlocks
Once your inventory is complete, it becomes the foundation for every other compliance task under the AI Act:
- Article 4 AI literacy training can be scoped to the specific systems your staff actually use, rather than a generic course.
- Fundamental Rights Impact Assessments (FRIAs) under Article 27, required for certain deployers in the public sector or for high-risk systems, can be scoped from the inventory.
- Incident reporting under Article 73 requires you to know which system caused an issue. Without an inventory, you cannot report accurately.
- Vendor contract reviews become structured. You know exactly which providers you need to request technical documentation from under Article 26(1)(b).
The EU AI Act's enforcement provisions are live. Article 99 sets fines for deployers at up to €15 million or 3% of global annual turnover for breaches of certain obligations. The Dutch Autoriteit Persoonsgegevens and the Belgian APD/GBA are both actively building AI supervisory capacity. When they audit, the first question will be: show us your AI system register.
Having an incomplete inventory is a risk. Having no inventory at all is indefensible.
Your Next Action
Open a spreadsheet right now. Add five columns: Tool Name, Vendor, Department, Risk Classification, Owner. Spend 30 minutes populating it using the steps above. You will not have a perfect compliance programme by the end of the hour. But you will have the one document that makes every other compliance step possible.
Once your inventory draft is in place, run it through the free 2-minute compliance check at comply.khairos.ai to identify which of your systems trigger obligations under the Act and what your priority next steps are.