This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
If different staff members are trying AI tools without one central record, that is a common starting point rather than a sign your business has failed. This guide explains what an AI register is, what information is useful to record, and how to build a practical list that can grow with your business.
In short: An AI register is a living list of the AI tools and AI-enabled systems used by your business. It records why each tool is used, who is responsible for it, what information it handles, how risky the use appears, whether it has been approved, and when it should be reviewed again.
What an AI register does
An AI register gives a business one reliable place to see where AI is being used. It can include public tools such as chat assistants, AI features inside existing software, specialist systems purchased by a department, and free browser tools adopted by individual staff. The purpose is visibility, not paperwork for its own sake.
For Alex, the owner of a small professional services firm, the starting point may be scattered and informal. A marketing employee uses a writing assistant, an administrator uses meeting transcription, and a consultant uploads documents to a summarisation tool. After completing the register, Alex can see the purpose of each tool, the data it touches, the internal owner, its risk level and the next review date in one place.
The register does not decide whether a tool is legally compliant or safe. It helps the business organise the facts needed for better decisions, such as whether a tool should be approved, restricted, replaced, reviewed by an adviser, or removed from use.
Why businesses lose track of AI tools
Most AI use enters a business through ordinary software decisions, not a formal technology project. An employee opens a free account to finish a task, an existing platform adds an AI feature, or a department buys a low-cost subscription on a company card. Each decision may look minor by itself, but the combined result can be a large collection of tools with no clear owner.
This is often called shadow AI, meaning AI use that has not been formally reviewed or recorded. The immediate problem is not that every unrecorded tool is dangerous. The problem is that the business cannot answer basic questions when a client, insurer, customer, regulator or senior manager asks how AI is being used.
A register also reduces repeated work. Without one, different managers may review the same product separately, staff may keep paying for duplicate subscriptions, and an old tool may continue receiving business information after the employee who introduced it has left.
What regulators and standards say about AI inventories
International frameworks increasingly treat an inventory of AI systems as a basic governance building block. They do not all impose the same duties on every business, but they show why organisations are being encouraged to know which systems they use before trying to manage risk.
The US National Institute of Standards and Technology AI Risk Management Framework is a voluntary framework for managing AI risk. NIST supporting material includes mechanisms to inventory AI systems and suggests documenting intended uses, responsibilities and risk management activities. This makes an AI register useful even for businesses outside the United States because the underlying management question is universal: what systems exist, and who is accountable for them?
ISO/IEC 42001 sets out requirements for an AI management system. ISO describes it as a structured approach to managing AI-related risks and opportunities, including governance, accountability, transparency and continual improvement. A simple register does not create ISO certification, but it can support the practical work of identifying systems within the scope of an AI management programme.
The EU Artificial Intelligence Act also includes registration requirements for certain high-risk AI systems in an EU database under Article 71 and related provisions. Those requirements do not mean that every small business must publicly register every AI tool it uses. They do show that formal system identification and traceability are part of the wider regulatory direction for higher-risk uses.
This template is a general planning tool, not a legal assessment. The rules that apply depend on your location, industry, role in the AI supply chain and how a system is used. Check official guidance or obtain professional advice for a specific compliance question.
Who should keep an AI register
Any business with more than occasional, purely personal AI use can benefit from a register. It becomes particularly useful when staff handle customer records, confidential documents, employee information, financial data, health information, intellectual property or decisions that affect people.
A five-person firm may only need a short spreadsheet reviewed twice a year. A 50-person manufacturer may need separate owners for production, quality, human resources, sales and finance systems. The format can stay simple, but the level of detail and review frequency should match the consequences of something going wrong.
Businesses supplying services to larger organisations may also be asked to disclose AI use during tenders, security reviews or contract negotiations. A current register makes those conversations easier because the information has already been collected rather than assembled under deadline pressure.
What to record for each AI tool
A useful register records enough detail to support a decision without becoming too difficult to maintain. The free template below includes the core fields most small and medium businesses can start with.
| Tool or system name | The product name, service name or AI feature being used. |
|---|---|
| Business purpose | The specific task it supports, such as drafting proposals, transcribing meetings or screening applications. |
| Department and users | The team using it and, where practical, the people or roles with access. |
| Internal owner | The person responsible for keeping the entry accurate and responding to review questions. |
| Data handled | The types of information entered, generated, accessed or stored by the tool. |
| Decision impact | Whether the output only assists staff or influences decisions about customers, workers or other people. |
| Risk level | A simple low, medium or high rating with a short reason. |
| Approval status | Proposed, under review, approved, approved with restrictions, paused or prohibited. |
| Vendor and plan | The supplier, account type and whether the service is free, individual or business-grade. |
| Data and contract notes | Known storage location, training settings, retention terms, security documents and relevant contract links. |
| Review date | The next date when the business will confirm the tool, purpose, settings and risk rating are still accurate. |
How to assign a simple risk level
A risk rating should help you prioritise review, not create false precision. A practical starting point is to consider the sensitivity of the information, the importance of the task, the people affected, the ability of staff to check the output, and the difficulty of reversing a mistake.
Low-risk use might include brainstorming generic social media topics without entering confidential information. Medium-risk use might include drafting internal documents that a qualified employee reviews before use. High-risk use might include analysing sensitive records, influencing recruitment or credit decisions, providing professional advice, controlling machinery, or producing output that people may act on without meaningful human checking.
The rating is an internal flag, not a legal classification. A tool may be low risk in one context and high risk in another. For example, a chat assistant used to rewrite a public product description is different from the same service being used to summarise a confidential client file.
How to build your first register
Start by finding actual use, then improve the detail over time. Trying to create a perfect governance programme before asking staff what they use usually produces an attractive spreadsheet with missing tools.
- Name a register owner. Choose one person to maintain the master copy, coordinate reviews and follow up incomplete entries.
- Ask every team. Send a short, non-punitive request asking staff to list AI tools, AI features and browser extensions they use for work, including free accounts.
- Check purchasing and sign-in records. Review company cards, expense claims, software lists, identity-provider logs and browser management records where available.
- Record the basics first. Capture the tool, purpose, owner, users, data handled and approval status before researching every contract detail.
- Prioritise higher-risk entries. Review tools touching sensitive data, employment, safety, professional advice or consequential decisions first.
- Set review dates. Use a shorter cycle for higher-risk or rapidly changing systems and a longer cycle for stable, low-risk uses.
- Connect the register to everyday processes. Add a register check to software purchasing, employee onboarding, security reviews and contract renewal.
When asking staff, make it clear that the first goal is visibility rather than punishment. Employees are more likely to disclose informal tools when they believe the business wants to understand and improve current practice. Immediate threats of discipline can drive the same use further out of sight.
How to keep the register current
An outdated register can create misplaced confidence, so maintenance matters more than the initial spreadsheet. The simplest approach is to give each entry an owner and a next review date, then make updates part of existing business routines.
Review an entry when a vendor changes its terms, a tool adds a major feature, staff begin using it for a new purpose, the data being entered becomes more sensitive, an incident occurs, or the business changes subscription level. Also remove tools that are no longer used and record whether accounts, integrations and stored data have been closed or deleted.
A quarterly check is a reasonable starting rhythm for active AI use, while a small business with only a few stable tools may choose a six-monthly review. Higher-risk systems may need closer oversight. The right interval depends on change and consequence, not the size of the vendor.
Common mistakes to avoid
The most common mistake is treating the register as a list of approved subscriptions only. That misses free tools, trial accounts, AI features built into existing products, automated functions supplied by contractors, and systems used by a single department.
- Do not record only the vendor name. Write the specific business purpose.
- Do not use one vague owner such as “IT” for every entry. Name an accountable role or person.
- Do not assume a business plan automatically makes all data use suitable.
- Do not rate the product once and ignore how staff actually use it.
- Do not delete retired entries without recording that access and data were addressed.
- Do not turn the register into a 50-column form that staff cannot complete.
Free AI register template
Copy the template below into a spreadsheet and adapt the fields to your business. One row should represent one tool and one distinct use. If the same tool is used for two very different purposes, create separate rows so the data, owner and risk can be assessed clearly.
AI Register Template
Suggested spreadsheet columns:
| Register ID | Tool or system | AI feature | Business purpose | Department | Users | Internal owner | Vendor | Plan or account type | Data handled | Sensitive data? | Output or decision affected | Human review | Integrations | Risk level | Risk reason | Approval status | Restrictions | Contract or privacy link | Date added | Last reviewed | Next review | Retirement notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AI-001 | Example meeting assistant | Transcription and summary | Create internal meeting notes and action lists | Operations | Office manager and team leads | Operations manager | Example vendor | Business plan | Staff names, discussion content, client references | Sometimes | Internal notes only | Meeting owner checks summary before sharing | Calendar, video meeting platform | Medium | May capture confidential discussion | Approved with restrictions | No highly sensitive client matters; confirm consent rules where relevant | Insert vendor links | 2026-07-14 | 2026-07-14 | 2026-10-14 | |
| AI-002 | Proposed |
Optional supporting tabs
- Approved tools: a short staff-facing list showing permitted uses and restrictions.
- Vendor documents: links to contracts, privacy notices, security reports and assessment notes.
- Review log: dates, reviewers, decisions and changes made.
- Retired tools: closed accounts, removed integrations and data deletion notes.
Practical starting point: Complete the first six columns for every known tool before researching every vendor term. A mostly complete basic inventory is more useful than one perfectly assessed tool and twenty missing ones.
Questions to ask during each review
A review should confirm that the recorded use still matches reality. Ask whether staff use the tool for any new purpose, whether different data is now being entered, whether access is still appropriate, and whether the vendor or product has materially changed.
Also check whether staff can verify the output, whether incidents or complaints have occurred, whether a cheaper or safer approved tool now covers the same task, and whether the current restrictions are understood. Record the decision and the reason so the next reviewer can see what changed.
AI register FAQ
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our free AI acceptable use policy template and our AI governance by region.
Free tools: AI Tool Pricing Tracker to check current pricing across the major AI platforms | AI Compliance Checker to check whether your AI tools meet your compliance obligations.
What is an AI register?
An AI register is a central list of the AI tools and AI-enabled systems a business uses. It normally records the purpose, owner, users, data handled, risk level, approval status and review date for each use.
Does every business need an AI register?
There is no single global rule requiring every business to keep the same register. However, a register is a practical governance tool for any organisation that uses AI with business, customer, employee or confidential information.
Should free AI tools be included?
Yes. Free accounts, trials, browser extensions and AI features inside existing software can handle the same sensitive information as paid products. Cost is not a reliable measure of risk.
Is an AI register the same as an AI policy?
No. A policy sets the rules for how staff may use AI, while a register records the actual tools and uses within the business. The two work best together because the register shows where the policy is being applied.
How often should an AI register be reviewed?
Set a review date for every entry and update it whenever the use, data, vendor terms, features or risk changes. Many businesses can begin with quarterly checks for active or higher-risk tools and six-monthly checks for stable, low-risk uses.
Does this template make a business compliant with AI laws?
No. The template helps organise information and responsibilities, but it does not determine which laws apply or confirm compliance. Use official regional guidance and qualified advice for specific legal questions.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
This template is provided as a general starting point for internal business documentation. It is general information only and does not constitute legal or professional advice. Requirements vary by jurisdiction and business circumstance. We recommend reviewing any template with a qualified legal or privacy professional before use or distribution.
Once your AI register is in place, a shadow AI audit tells you whether it is actually complete. The audit process surfaces tools your staff are using that have not been formally recorded, giving you an accurate starting point rather than a partial one.
Run a Shadow AI Audit