An AI tools register is a formal inventory of every AI system your business uses professionally. It is the foundation of a defensible EU AI Act compliance position — and most businesses discover they are using more AI than they realised when they build one.
An AI tools register is a structured inventory of every AI system your business uses in a professional context. It records what each tool is, who made it, what your team uses it for, what risk level it carries, and which staff members interact with it.
It is the starting point for EU AI Act compliance because you cannot document that your staff understand how to use AI responsibly until you know which AI systems they are actually using.
The EU AI Act requires businesses that use AI to take measures to support the AI literacy of their staff. That obligation is impossible to fulfil without first knowing which AI systems are in use across the organisation.
Most businesses, when they sit down to compile this list for the first time, discover they are using significantly more AI than they realised. AI-powered features are embedded throughout modern software — in email clients, design tools, CRM platforms, project management software, and customer service systems. The register forces that audit.
The most common finding when businesses build their first AI tools register is that individual team members have been using AI tools their employer was unaware of. A marketing executive using an AI writing assistant. A finance team member using an AI spreadsheet tool. An HR manager using AI screening features in recruitment software.
You cannot govern what you have not inventoried. The register creates the organisational visibility that compliance depends on.
The EU AI Act does not prescribe a specific format. A defensible register is one that gives a clear, accurate picture of your organisation’s AI usage. The following fields represent what a well-structured register should include:
| Field | What to record |
|---|---|
| Tool name | The name of the AI system as it is commonly known (e.g. ChatGPT, Microsoft Copilot, Canva AI) |
| Vendor | The company that provides the tool (e.g. OpenAI, Microsoft, Canva) |
| Business purpose | What your team uses the tool for — specific to your context, not a generic description |
| Risk classification | Whether the use case falls into minimal, limited, or high-risk categories under the EU AI Act |
| Roles or users | Which job roles or named individuals interact with the tool professionally |
| Data handling | Whether personal or sensitive data is entered into the tool, and any relevant data handling considerations |
| Last reviewed | The date the entry was last checked for accuracy — important for demonstrating ongoing oversight |
Every entry in your register needs a risk classification. The EU AI Act organises AI systems into risk tiers, and the tier determines the level of compliance obligation that applies to that tool.
ChatGPT for drafting, Canva AI for design, Grammarly for writing. No decisions affecting individuals. Basic literacy measures are sufficient.
Chatbots interacting with customers, AI-generated content tools. Transparency obligations apply — users should know they are interacting with AI.
AI used in recruitment, credit scoring, healthcare diagnostics, education assessment. Significantly stricter obligations. Deadline: 2 December 2027.
A common mistake is treating the AI tools register as a list of dedicated AI software. In practice, AI capabilities are embedded in tools your team already uses every day, and those embedded features need to be included too.
Your register should include:
If you are uncertain whether a tool qualifies, the test is simple: does it use machine learning or AI to generate outputs, make predictions, or take actions? If yes, it belongs in the register.
A register that was accurate six months ago and has not been reviewed since is not a defensible compliance position. New tools get adopted. Staff join and leave. AI features get added to software your team already uses.
A robust register includes a review date for each entry, and the register as a whole should be revisited whenever a significant change occurs: a new tool is adopted, a team member joins who uses AI, or a vendor adds AI capabilities to software you already use.
The EU Digital Omnibus agreement of May 2026 adjusted the wording of the AI literacy obligation from “ensure a sufficient level” of AI literacy to “take measures to support” AI literacy. This shifts the emphasis from proving an outcome to demonstrating the steps taken. Maintaining an accurate, current AI tools register is one of the most tangible steps a business can take. The Omnibus text is pending formal adoption, expected before August 2026.
No. The EU AI Act does not prescribe a specific format for an AI tools register. What matters is that it gives an accurate, clear picture of your organisation’s AI usage and can be produced promptly if a regulator or client requests it. A well-structured document or spreadsheet is sufficient; a professional, formatted PDF carries more credibility when presented to a procurement team.
Yes, if they are used professionally. The distinction is not between paid and free tools — it is between personal and professional use. A team member using ChatGPT’s free tier to draft client communications is using it professionally, and it belongs in the register. The same tool used for personal purposes outside work does not.
There is no prescribed update frequency, but a register that has not been reviewed in over a year is unlikely to reflect your current AI usage accurately. Best practice is to review the register whenever a new tool is adopted, a team member who uses AI joins or leaves, or a vendor adds AI capabilities to software you already use. An annual formal review at minimum is sensible.
Start with the tools your team uses most frequently and that have the highest potential impact on individuals — any tool used in HR, customer decisions, or financial assessments should be prioritised. Then work through the rest systematically. A structured assessment that asks team members which tools they use is the most reliable way to capture the full picture, since individual tools are often adopted without central oversight.
These terms are used interchangeably. Whether it is called a register, inventory, catalogue, or log, the purpose is the same: a structured record of the AI systems your organisation uses. The EU AI Act does not use the term “AI tools register” — it simply requires businesses to take measures to support AI literacy, and maintaining an accurate inventory of AI usage is a core element of demonstrating that those measures have been taken.
Answer a short assessment about your business and the AI tools your team uses. We generate a complete, formatted AI tools register — along with your full compliance pack — in under 10 minutes.
Start your free assessment14-day free trial — no credit card required