Building an AI System Registry That Actually Satisfies Regulators

When an EU AI Act regulator asks to see your AI system registry, you need to produce an accurate, current record of every AI system your organisation uses — with classification, documentation status, and compliance evidence for each. A PDF report dated six months ago, covering only the AI tools IT approved through procurement, will not satisfy the requirement.

The EU AI Act registry is not a one-time compliance artefact. It is a live document. Systems are added as they are adopted. Statuses change as documentation progresses. Risk levels are updated when system purposes change. Enforcement authorities have the right under Article 74 to request registry access at any time — and the burden of proof that a system has been properly assessed falls on the deployer, not the regulator.

What the EU AI Act Actually Requires

The EU AI Act does not specify a registry format, but the compliance documentation requirements for High-Risk systems define what information must be available and auditable. Articles 9, 11, 13, 14, and 17 collectively require deployers to maintain documentation that covers:

• A complete inventory of AI systems in use, with risk classification for each
• Technical documentation for High-Risk systems — training data, architecture, accuracy assessments, known limitations
• Human oversight procedures — how a human can intervene in or override AI outputs
• Post-market monitoring records — ongoing accuracy and performance tracking
• Incident and malfunction logs for High-Risk systems
• Registration in the EU AI database for High-Risk systems in certain categories

The registry is the index that connects all of this documentation to specific systems. Without a maintained registry, none of the underlying documentation is findable or auditable under time pressure. When an enforcement officer arrives, the registry is the first document they will request.

What a Compliant Registry Entry Must Contain

A complete registry entry covers eleven fields that span every EU AI Act compliance tier:

The Shadow AI Problem: Why Manual Inventories Fail

A manual registry building process starts with what IT knows about and works outward. The tools that went through procurement, the licences in the SaaS catalogue, the APIs the engineering team requested access to — these are findable by asking IT. Everything else is invisible.

The invisible portion is substantial. Shadow AI — personal ChatGPT, Copilot, Gemini, and Perplexity subscriptions used for work — accounts for 63% of enterprise AI usage according to BlackFog research (January 2026). AI capabilities embedded in approved SaaS platforms (Notion AI, Salesforce Einstein, HubSpot AI, Slack AI) are in the environment without anyone having specifically adopted them as AI systems. AI in developer codebases — GitHub Copilot integrations, LLM API calls in internal tools, model-backed scripts — are invisible to non-technical compliance teams.

A manual inventory process catches the tip of the iceberg and files it as the whole picture. The EU AI Act registry obligation covers all AI systems the organisation deploys or uses — including systems nobody explicitly decided to adopt. For a full analysis of the shadow AI problem and how to govern it, see our guide to the shadow AI governance gap.

The Five-Stage Compliance Workflow

Every AI system in the registry moves through five stages. The stage tracks compliance progress at the individual system level — so an organisation can see at a glance which systems are fully documented, which are in progress, and which have not yet been assessed.

Stage 1 — Discovered: The system has been identified and added to the registry through LLM Discovery, the pre-loaded catalog, or manual entry. The system exists in the registry with basic information — vendor, name, initial description. Its profile has not yet been completed.

Stage 2 — Profile Done: The 15-question EU AI Act classification questionnaire has been answered for this system. LLM Discovery pre-fills all 15 answers based on what the system actually does — its purpose, use context, affected persons, decision-making role, and data inputs. A human reviewer confirms or corrects the pre-filled answers. Profile Done means the organisation understands what the system does and has the information needed to classify it accurately.

Stage 3 — Classified: The risk tier has been assigned: Prohibited, High Risk, Limited Risk, Minimal Risk, or GPAI. The classification is generated from the questionnaire answers against the 15-point decision tree aligned with Annex III categories. Once classified, the compliance obligations for that tier are generated automatically — the specific documentation, testing, oversight, and registration requirements that apply to this system. For a guide to the classification logic itself, see our EU AI Act risk classification guide.

Stage 4 — Documented: For High-Risk and GPAI systems, the conformity obligations checklist is being completed. Each obligation is tracked individually with a completion percentage. The compliance team can see exactly what is complete, what is outstanding, and what documentation has been attached. Vendor documentation is linked. Domain mapping is finalised. Human oversight procedures are written.

Stage 5 — Approved: All compliance obligations for the system's risk tier are satisfied. The system is approved for continued use. The full evidence package — registry entry, questionnaire answers, conformity checklist with completion evidence, and classification rationale — is exportable as CSV or JSON for regulatory review.

Keeping the Registry Live

The EU AI Act does not specify an update frequency, but the intent of "live" is clear: the registry must reflect the organisation's current AI posture, not its posture at the time of the last annual compliance review. Practical maintenance cadence:

• New AI systems: Added within 30 days of adoption — whether through formal procurement or discovered through shadow AI governance channels
• Classification reviews: Triggered when a system's purpose changes materially — an AI tool adopted for administrative tasks that begins influencing hiring decisions may change risk tier
• Checklist updates: Reviewed quarterly — particularly for High-Risk systems where post-market monitoring obligations require ongoing documentation
• Full discovery re-scan: Semi-annual — catching newly adopted tools, AI features added to existing SaaS platforms, and new LLM integrations in developer codebases

Govarix's pre-loaded system catalog makes ongoing additions straightforward. When a new common enterprise AI tool is released, it is added to the catalog with a pre-filled profile. Adding it to your registry is one click. LLM Discovery can be re-run against an updated codebase or document set to catch tools adopted since the last scan.

What Happens During a Regulatory Inspection

EU AI Act enforcement is conducted by national competent authorities designated by member states. The enforcement process under Articles 74–78 gives authorities the right to request documentation, access premises, inspect AI systems, and demand evidence of compliance.

Based on the EU AI Office's published guidance, a typical first-contact inspection sequence is:

1. Request for the organisation's AI system inventory and risk classifications
2. Review of High-Risk system technical documentation for one or two systems selected by the authority
3. Verification that human oversight procedures exist and are operationalised — not just documented
4. Evidence of post-market monitoring for High-Risk systems
5. Verification of EU AI database registration for applicable High-Risk systems

An organisation with a complete Govarix registry produces the regulator-ready export at step one — a structured file with every system, its risk level, classification date, compliance status, vendor, and documentation status. The authority can identify which High-Risk systems to inspect at step two, and the full conformity checklist with attached evidence for those systems is immediately accessible.

An organisation with a manual spreadsheet registry spends days reconstructing what should be instantly available. An organisation with no registry has no first-line response to the inspection's opening request — and that absence is itself evidence of a governance programme failure.

Registry and Governance Layer Integration

A registry that is separate from the AI governance platform is incomplete governance. The registry tells you what AI systems exist and what risk tier they belong to. The governance platform tells you what controls are applied to those systems in real time.

In Govarix, the registry and the governance layer are integrated: the risk classification assigned to an AI system in the registry determines which content policy templates are applied to it, which access controls govern who can use it, and which audit log fields are captured for interactions with it. A High-Risk system classification automatically triggers stricter governance controls than a Limited Risk classification — without manual reconfiguration by the compliance team.

This integration is the model the EU AI Act's risk-based approach was designed to incentivise: classification drives proportionate controls, controls generate audit evidence, and evidence supports the registry's documented compliance status. For a guide to the full relationship between governance controls and compliance documentation, see our analysis of AI governance vs AI compliance. For what the resulting audit trail must contain to serve as regulatory evidence, see our guide to AI audit logs as compliance evidence.

Frequently Asked Questions