Building an AI Inventory: From Spreadsheet to Living Registry
Every AI governance conversation eventually arrives at the same question: 'where's our inventory?' For most mid-market US companies, the answer is some combination of 'a spreadsheet someone made last quarter,' 'I think Procurement has it,' and 'we're working on it.' That's normal, and it's not a permanent problem — but it does have a real cost. Without an inventory, you can't apply your policy, you can't assess risk, you can't respond to incidents, and you can't answer the security questionnaire your largest customer just sent you. This is the practical path from a starter spreadsheet to a living registry, built for mid-market constraints and without requiring enterprise software.
What Belongs in the Inventory
The starting framing matters. An 'AI inventory' is not just a list of AI vendors. It's a list of AI use cases — distinct applications of AI within your business. The same vendor can serve multiple use cases with different risk profiles. The same use case can route through multiple vendors. The unit of inventory is the use case, not the vendor.
Each use case entry should capture: a unique identifier; the use case description in business terms; the responsible business owner; the responsible technical owner; the vendor(s) and model(s) involved; the data classification of inputs; the data classification of outputs; whether the use case involves automated decisions affecting individuals; the regulatory regime that applies (HIPAA, GLBA, COPPA, FCRA, sector-specific); the date of last risk assessment; the date of last bias review; and the current operational status.
Phase 1 — The Starter Spreadsheet
Don't wait for perfect tooling. The first version is a spreadsheet, and that's fine. Columns: use case ID, name, description, business owner, technical owner, vendor, model, data sensitivity, decision impact, regulatory regime, last reviewed, status. Populate it with what you know. Send it to functional leaders for additions. Aim for 80% coverage in the first pass — chasing the last 20% before publishing slows everything down.
**The hardest part is discovery.** Most AI is procured outside Procurement. Marketing has its tools. Sales has its tools. Engineering has its tools. Customer support has its tools. Run a survey, run interviews, look at expense reports for known AI vendors, look at SSO logs for AI tool sign-ins. You'll find more than you expect.
Phase 2 — Make It Authoritative
Once the spreadsheet exists, it needs to be the source of truth. That means a few things. Every AI procurement decision now requires an inventory entry as part of the approval. Every existing AI tool gets an inventory entry retroactively. Each business owner attests quarterly that their entries are current. A documented process governs adding, modifying, and retiring entries. Without these process hooks, the spreadsheet decays back into a snapshot within six months.
Phase 3 — Wire In the Workflows
The inventory becomes useful when it's wired into the work. A few high-leverage connections:
**Vendor management.** Every entry in the inventory has a corresponding vendor risk assessment using our AI Vendor Risk Scorecard. The inventory carries the assessment date and outcome; the scorecard holds the detail.
**Policy compliance.** The inventory drives policy attestation. If a use case involves regulated data, the responsible owner attests annually that the use case complies with the relevant policy. If a use case involves automated decisions, the owner attests that human review is documented.
**Incident response.** When an AI incident is reported, the inventory identifies the use cases potentially in scope. Without the inventory, every incident triggers a discovery exercise; with it, scoping takes minutes.
**Bias auditing.** The inventory flags which use cases require bias auditing and when each was last audited. Cadence rolls forward from the inventory.
**Customer questionnaires.** When a customer asks 'what AI do you use to process our data?', the inventory has the answer — filtered to the customer's relevance — in minutes instead of weeks.
Phase 4 — Make It Living
A living registry has freshness mechanisms built in. The mechanisms that work in the mid-market:
**Quarterly attestation cycles.** Each business owner reviews and re-attests every quarter. The inventory tracks attestation status, and overdue attestations are escalated.
**Change triggers.** Any vendor change, model change, or significant use-case change requires inventory update before going live. The change-management process enforces this.
**Periodic discovery sweeps.** Twice a year, run discovery (SSO logs, expense reports, interviews) and reconcile against the inventory. New AI tools appear constantly; the inventory has to catch them.
**Vendor self-attestation.** Major vendors are asked to self-attest their inventory entries are accurate. Many will cooperate — it reduces their own questionnaire burden.
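As an added illustration (not code from this article or from EFROS), the Phase 1 columns and the Phase 4 freshness checks can be scripted against the spreadsheet exported as CSV: flag entries with no business owner, flag active entries whose last review is older than a quarter, and reconcile app names seen in SSO sign-in logs against the inventory's vendor column in both directions (tools with sign-ins but no entry, and active entries whose vendor showed no sign-ins). The sample rows, the SSO app names, and the 91-day quarter are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory using the 12 Phase 1 columns (assumption:
# dates are ISO yyyy-mm-dd and decision_impact is yes/no).
INVENTORY_CSV = """use_case_id,name,description,business_owner,technical_owner,vendor,model,data_sensitivity,decision_impact,regulatory_regime,last_reviewed,status
UC-001,Support triage,Routes support tickets,J. Lee,A. Patel,VendorA,model-x,internal,no,none,2025-01-15,active
UC-002,Loan pre-screen,Scores loan applications,M. Ortiz,A. Patel,VendorB,model-y,regulated,yes,FCRA,2024-09-01,active
UC-003,Marketing copy,Drafts campaign email copy,,R. Kim,VendorC,model-z,public,no,none,2025-02-01,active
"""

# Constructed set of app names seen in the IdP's SSO sign-in log during a sweep.
SSO_APPS = {"VendorA", "VendorC", "VendorD"}

QUARTER = timedelta(days=91)  # assumption: attestation is overdue after one quarter

def load_inventory(text):
    """Parse the exported spreadsheet; one dict per use case."""
    return list(csv.DictReader(io.StringIO(text)))

def freshness_findings(rows, today_iso):
    """Return (use_case_id, problem) pairs for the quarterly attestation cycle."""
    today = date.fromisoformat(today_iso)
    findings = []
    for r in rows:
        if not r["business_owner"].strip():
            findings.append((r["use_case_id"], "no business owner"))
        last = date.fromisoformat(r["last_reviewed"])
        if r["status"] == "active" and today - last > QUARTER:
            findings.append((r["use_case_id"], "attestation overdue"))
    return findings

def reconcile_sso(rows, sso_apps):
    """Discovery sweep: apps with sign-ins but no entry, and active entries
    whose vendor showed no sign-ins (candidates to retire or re-verify)."""
    known = {r["vendor"] for r in rows}
    unregistered = sorted(sso_apps - known)
    dormant = sorted(r["use_case_id"] for r in rows
                     if r["status"] == "active" and r["vendor"] not in sso_apps)
    return unregistered, dormant

if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for uc, problem in freshness_findings(inv, "2025-03-01"):
        print(f"{uc}: {problem}")
    new, gone = reconcile_sso(inv, SSO_APPS)
    print("unregistered:", new, "dormant:", gone)
```

Overdue findings feed the escalation step of the attestation cycle; the unregistered list is the sweep's output that needs a new inventory entry before the tool is used further.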
When to Move Off the Spreadsheet
Spreadsheets work up to roughly 50-75 use cases or 4-5 stakeholder roles. Beyond that, you need a tool — something that tracks ownership, attestations, dates, and changes with auditability. Options range from purpose-built AI governance platforms to GRC tools with AI modules to building a lightweight registry on top of your existing case-management or ticketing system. The right answer depends on what tooling you already operate. For most mid-market organizations I work with, the cheapest path is to extend their existing GRC tooling rather than buy a new platform. Our AI Inventory tool is structured exactly for the starter phase — once you outgrow it, the structure ports cleanly to most GRC platforms.
What the Inventory Actually Unlocks
An AI inventory in isolation is a list. An AI inventory wired into governance is a foundation. It unlocks: defensible answers to regulators and customers; faster incident response; risk-proportionate vendor management; targeted policy and training; and — most importantly — a clear-eyed view of the AI surface area, which is the prerequisite for every other governance capability. Our broader AI Governance & Compliance practice treats the inventory as one of the six foundational capabilities, alongside policy, vendor management, monitoring, incident response, and training. The inventory is the one that has to come first, because the others depend on knowing what's actually in scope.
Common Mistakes
**Conflating vendor inventory with use-case inventory.** The vendor list misses the multiple-use-cases-per-vendor problem.
**Failing to assign business owners.** Without a named business owner, nobody updates the entry.
**Over-engineering the schema.** Start with 12 columns. Add columns only when you've felt the absence of the information.
**Treating it as a one-time exercise.** Without ongoing process hooks, the inventory ages into uselessness within two quarters.
**Hiding the inventory.** The inventory is useful when stakeholders can see it. Restricted-access inventories don't drive decisions.
The Honest Endpoint
A living AI inventory is one of the lowest-cost, highest-leverage things a mid-market governance program can stand up. The first version takes a week. The maintenance is real but proportionate. The benefits compound — every other governance capability gets easier when the inventory exists. If you're starting somewhere on AI governance and don't know where, start here. Everything else gets easier once it's in place.
Frequently Asked Questions
Do we need a dedicated tool to maintain an AI inventory?
Not initially. Spreadsheets work up to 50-75 use cases. Beyond that, you need a tool with ownership tracking, attestation workflows, and auditability — which can often be added to your existing GRC platform rather than purchased separately.
How often should the inventory be updated?
Continuously when use cases change (change-management trigger) and on a quarterly attestation cycle for the rest. Twice-yearly discovery sweeps catch the entries that bypassed change management.
Who owns the AI inventory?
Most commonly, IT Security or Compliance owns the system; each business unit owns its entries. A single named owner accountable for the inventory's existence and freshness is the critical role.
About the author

Stefan Efros
CEO & Founder, EFROS
Stefan founded EFROS in 2009 after 15+ years in enterprise IT and cybersecurity. He sees how the pieces connect before others see the pieces themselves. Focus: security-first architecture, operational rigor, and SLA accountability.