AI Regulatory Intelligence โ€” by YRproject

factual analysis · traceable to primary sources

Compliance platform Work with us LinkedIn NLยทENยทDE
Guide

Inventorying your AI systems for the AI Act: how to approach it

Adopted 2026-06-16 ยท ≈ 3 min read ยท Dirk Baaijen

Inventorying starts with classification: for each AI system, determine whether it is prohibited, high-risk, limited-risk or minimal-risk under Article 6 and Annexes I and III. Then map each system to its role and obligations.

Short answer: Inventorying your AI systems for the AI Act (Regulation (EU) 2024/1689) begins with classification: for each system, establish which risk category it falls into. The Regulation sets out four categories โ€” prohibited (Article 5), high-risk (Article 6 with Annexes I and III), limited-risk with transparency obligations (Article 50), and minimal-risk with no specific obligations. Only once that classification is settled can you determine the applicable obligations per system and the role your organisation plays.

Start by defining scope: what is an AI system

The first step is establishing what you need to inventory at all. Article 3(1) of the Regulation defines an AI system as a machine-based system that operates with some degree of autonomy, may adapt after deployment, and infers from its input how to generate outputs such as predictions, recommendations or decisions. Not every automated rule or classical statistical model qualifies; scoping is therefore a factual assessment for each system.

Compile a list of all systems that may fall within this definition โ€” both in-house developed and procured software, and both standalone applications and AI embedded in a product or service. For each system, record the purpose, the data used, the output, and the context of use. You will need this information for classification and, later, for the technical documentation that high-risk systems require.

Classify each system: the four categories

For each system on your list, determine the risk category. Start with Article 5: practices such as certain forms of manipulation, social scoring and โ€” subject to conditions โ€” biometric categorisation are prohibited. If a system falls within these, it may not be used.

If it is not prohibited, assess it against Article 6. A system is high-risk if it is a safety component of, or is itself a product covered by, the harmonisation legislation listed in Annex I and requires a third-party conformity assessment, or if it falls within one of the use areas of Annex III (such as recruitment, critical infrastructure or access to essential services). Article 6(3) provides an exception where the system does not pose a significant risk to health, safety or fundamental rights; that assessment must be documented.

If a system is not high-risk but does fall under Article 50 โ€” for example chatbots or systems that generate synthetic content โ€” transparency obligations apply. The remainder is in principle minimal-risk, with no specific obligations under the Regulation.

Map role and obligations to each system

Classification alone is not enough: obligations also depend on your role. The Regulation distinguishes, among others, the provider (the party that develops a system, or has it developed, and places it on the market under its own name) and the deployer (the party that uses the system under its own authority). For procured systems you are typically the deployer; with in-house development or substantial modification you may become a provider, with heavier obligations.

In your inventory, record for each system: the classification, its justification, your role, and the resulting obligations. This produces a register that forms the basis for further compliance and that you can update as systems or the legal framework change. The exact dates of application for high-risk obligations are still under discussion; consult the timeline for these.

Read more: AI Act: timeline of obligations.

Take the scan.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689: Article 3 (definitions), Article 5 (prohibitions), Article 6 with Annexes I and III (classification), Article 50 (transparency).
  2. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
    European Commission policy page on the AI Act, with the current state of implementation and guidance.

Share on LinkedIn

Read next

A

Which AI systems are high-risk? The Commission's draft Article 6 guidelines

On 19 May 2026 the Commission published draft guidelines on which AI systems are high-risk under Article 6: the two routes (Annex I and Annex III), the Article 6(3) filter and practical examples. Non-binding; the targeted consultation was extended to 23 July 2026, final text expected later in 2026.

U

AI in the judiciary and justice: high-risk under Annex III

AI that assists judicial authorities in researching facts or applying the law is high-risk under Annex III of the AI Act. Purely administrative support falls outside it. The judge remains the decision-maker; AI may advise, not adjudicate.

U

AI in recruitment and HR: what every employer needs to know

AI in recruitment, selection and workforce management falls under Annex III of the AI Act and counts as high-risk โ€” for every employer, regardless of sector or size. Emotion recognition in the workplace is banned, AI literacy already applies, and the GDPR runs in parallel for automated decisions.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.