The AI Register as a Compliance Foundation
The AI register as a compliance foundation
You have recorded your AI systems. The register is in place. And now? Many companies treat the AI inventory as a mandatory exercise and then set it aside. That is a mistake. The register is not a tick-box item, but the foundation for all further compliance steps. In this article I show what practical use the register has and how it determines the further path through the NADOVO Compliance Cycle.
What the inventory delivers
A complete AI inventory answers three questions you need for every further phase.
First: what do we have? Each AI system with name, vendor, deployment type and key technical data. Without this basis you do not know what you are even talking about.
Second: who is responsible? The role determination as provider or deployer decides your obligations. Different requirements apply to deployers than to providers. Most SMEs are deployers, but the clarity has to be documented per system.
Third: where is it used? Department, user group and first indications of the purpose of use. This information is the transition to the next phase.
From register to use case
The inventory records assets. But the EU AI Act does not regulate assets, but use cases. The same chatbot can mean minimal or high risk depending on its use.
In the DEFINE phase you link each asset to its specific use case. The asset becomes an AI process. Only this process can be classified. The AI register provides the basis: you can only classify what you know.
An example: your documentation shows Microsoft Copilot in three departments. In the DEFINE phase this becomes: Copilot for email summaries in sales, Copilot for contract analysis in the legal department, Copilot for application screening in HR. One asset, three processes, possibly three different risk classes.
The path depends on the risk class
Here the practical use of the NADOVO Compliance Cycle shows. Not every AI process has to take the same route.
High-risk processes under Annex III go through the full path: DISCOVER, DEFINE, ASSESS, IMPLEMENT. The ASSESS phase includes a systematic risk assessment, mitigation measures, documentation of human oversight. That is effort, but necessary.
Processes with limited or minimal risk can skip ASSESS. After the classification in DEFINE, it goes directly to IMPLEMENT. There you implement the transparency obligations or document voluntary measures. The effort is considerably lower.
This differentiation is the reason why clean recording in DISCOVER is so important. Without complete recording you lack the overview of which processes take which path. You risk either putting too much effort into non-critical systems or overlooking critical systems.
Practical example: an SME with 12 AI systems
A mid-sized company has recorded 12 AI systems after the DISCOVER phase. In the DEFINE phase these become 18 AI processes, because some systems are used multiple times.
The classification shows: 2 processes are high-risk (HR screening, creditworthiness check), 4 processes have limited risk (chatbots with customer contact), 12 processes are minimal risk (internal productivity tools).
The compliance effort is distributed accordingly: for 2 processes the full path with ASSESS. For 16 processes the direct route to IMPLEMENT. That is manageable. Without the inventory it would have been unclear that only 2 of 18 processes need the full effort.
MONITOR closes the loop
The AI register is not static. In the MONITOR phase you monitor running processes and check for changes. New systems are recorded and go through the cycle. Existing systems with a changed purpose of use jump back to DEFINE.
The inventory becomes a living document. With annual reassessments or after incidents, you immediately know which processes are affected and what status they have. Without an AI register this overview is missing.
The ROI of good recording
The effort for a clean AI register pays off in several ways.
In audits or authority enquiries you have immediate ability to provide information. You do not have to first search for what you actually have.
In resource planning you know how many processes need the demanding path and can plan budget and staff accordingly.
With new AI rollouts you have a clear process. The system is recorded, the use case defined, the risk class determined, the appropriate path followed.
With changes in the company, for example when a department wants to use an existing tool for a new purpose, you can quickly check whether the risk class changes.
Your next step
If you already have an AI register: check whether the role determination is documented for each system. Check whether you know the use cases, not just the assets.
If you do not yet have an AI register: start with the recording. Five systems this week. Extend iteratively. The register does not have to be perfect to be useful.
The AI register is the starting point. What you do with it decides your compliance success.
About the author
Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.
More articles
AI Technology Website Migration and SEO Ranking
Many fear a website migration destroys the Google ranking. That is true - if you do it wrong. What really happens and what matters.
read more ...
AI Technology Maintaining a Website Without an Agency
If you have a business website, you should be able to maintain it yourself. Why that does not work for most people - and how it can be done differently.
read more ...
AI Compliance Why I Built NADOVO
Why a process consultant with 20 years of experience builds his own AI compliance framework and his own platform - and what that has to do with the EU AI Act.
read more ...