AI System Registries: The Compliance Tool Nobody Talks About
The EU AI Act Article 12 and ISO 42001 Clause 7.5 require organisations to maintain a documented, controlled AI system registry. Most organisations use spreadsheets that fail audit requirements for version control, mandatory fields, and relational integrity. This article breaks down the 30+ data fields a compliant registry needs and evaluates three tooling approaches against regulatory requirements.
Everyone's Talking About Risk Classification. Nobody's Talking About the Registry.
The EU AI Act conversation in 2026 has been dominated by risk classification. Is your chatbot high-risk? Does your recruitment tool fall under Annex III? These are important questions. But they overshadow a quieter requirement that affects every organisation deploying AI: the obligation to maintain a documented AI system registry.
This isn't optional paperwork. Article 12 of the EU AI Act mandates record-keeping for high-risk AI systems. ISO 42001 Clause 7.5 requires documented information as evidence of conformity. And the NIST AI RMF starts with Map: know what AI systems you have before you can govern them. If you can't produce a current, complete AI inventory when a regulator or auditor asks for it, every other governance activity you claim to do is suspect.
Yet most organisations we speak with at BizThriveAI are tracking their AI deployments in a shared spreadsheet last updated three months ago by someone who left the company. Here's what a compliant registry requires, and why it's more than a list.
What the Regulations Actually Demand
EU AI Act Article 12 requires providers of high-risk AI systems to keep records that include: intended purpose, training and validation data, testing procedures and results, and instructions for use. For deployers, Article 26 adds obligations around monitoring and record-keeping. The regulation doesn't specify the format. But "records" under EU regulatory interpretation means retrievable, auditable, and complete. A spreadsheet with missing rows doesn't qualify.
ISO 42001 Clause 7.5 is broader. It requires documented information to the extent necessary to have confidence that processes are carried out as planned. This includes AI system descriptions, risk assessment outputs, and monitoring results (Clause 9.1). Crucially, 7.5.3 requires control of documented information: versioning, approval, distribution, and protection. Your Google Sheet with edit access set to "anyone with the link" fails this requirement on contact.
The combined requirement isn't just "have a list." It's "maintain a controlled, versioned, auditable record of each AI system that connects purpose, data, risk classification, testing, and operational monitoring into a single thread of evidence." That's a database design problem.
What a Compliant AI System Registry Contains
Based on the overlapping requirements of Article 12, ISO 42001 7.5, and NIST AI RMF Map function, here are the minimum fields every AI registry entry should track. This is what we build into audit frameworks at BizThriveAI. See our sample audit report for how these connect in practice.
Core identification: System name, unique identifier, version, owner (named individual, not a department), deployment date, last review date.
Purpose and scope: Intended purpose as defined by the provider, actual use case in your organisation, user base, decision type (advisory, assistive, or autonomous).
Data profile: Training data provenance, input data types, whether personal information is processed (triggering OAIC APP obligations), data residency, subprocessor chain.
Risk classification: EU AI Act risk tier, ISO 42001 risk level, NIST AI RMF risk category, date of last risk assessment, residual risk score.
Vendor and model metadata: Provider name, model name and version, model type, foundation model dependency, provider terms of service version, DPA status.
Testing and validation: Test results summary, bias testing methodology, accuracy benchmarks, date of last validation, known limitations.
Governance status: Approval authority, policy compliance status, training requirements, incident log, monitoring approach.
That's 30+ fields per system. If you have 12 AI tools deployed, that's 360 data points to track, version, and keep current. Spreadsheets break at this scale. Not because they can't hold the data. Because they can't maintain referential integrity, enforce mandatory fields, or track change history with accountability. A risk assessment drifting out of sync with the system it assesses is the kind of gap auditors are trained to find.
The Tooling Landscape: What Works and What Doesn't
Organisations approach the AI registry problem in three ways. Each has failure modes worth understanding before you commit. If you're evaluating vendors more broadly, our vendor questionnaire gaps analysis covers what standard security reviews miss.
Spreadsheets (Excel, Google Sheets). The default starting point. Pros: zero cost, zero setup, everyone knows how to use them. Cons: no granular access control, no version history with accountability, no relational links between systems and risk assessments, no automated field validation, no audit trail that survives scrutiny. A spreadsheet is fine for a pilot with three tools. It is not compliant for an organisation with 20 systems under ISO 42001. If you must use spreadsheets: lock to named editors only, add a "last verified" date column, and export to PDF weekly as a snapshot.
General-purpose databases (Notion, Airtable, SharePoint lists). Better. These tools offer field types, relational links, filtered views, and change tracking. Notion databases can link a system to its risk assessment page. Airtable can enforce mandatory fields and trigger review reminders. The gap: none were designed for regulatory documentation control. They don't provide document approval workflows that map to ISO 42001 7.5.3. They don't offer immutable audit logs. And they grow fragile as linked records accumulate.
Purpose-built AI governance platforms (Credo AI, Holistic AI, FairNow). These tools are designed for this problem. They offer pre-built schema for AI inventories, automated risk classification, policy-to-control mapping, and audit-ready reporting. The downside is cost (typically $40K-$120K/year) and implementation time (3-6 months). For an organisation that hasn't done the basics of listing what AI it uses, committing to a platform before understanding your AI footprint is buying a warehouse management system when you don't know what's on your shelves.
The right tool depends on where you are. Fewer than 10 AI systems and no regulatory obligation beyond general privacy law? A well-structured Notion database with a documented process beats a six-figure platform. Deploying high-risk AI under the EU AI Act and pursuing ISO 42001 certification? You will eventually need a purpose-built platform. The key is recognising when to transition and planning data migration before the spreadsheet breaks. Our AI governance audit services include registry maturity assessment to help you decide.
What Buyers Should Verify Before Committing to Any Tool
Whether you're evaluating a governance platform or building your own registry, these questions separate audit-ready tooling from expensive busywork.
Does it enforce mandatory fields? A registry where "risk classification" is optional will have empty risk classifications. The tool must prevent incomplete records from being marked as current.
Does it maintain an immutable change log? ISO 42001 7.5.3.2 requires documented information to be protected from unintended changes. If your tool lets anyone overwrite the risk classification without recording who did it and when, it fails.
Does it support relational linking? A system entry should link to its risk assessment, vendor DPA, incident log, and testing results. These are not independent documents. They are a single evidence thread.
Does it generate an export that an auditor can read? A PDF report pulling data from linked records into a single document, with version numbers and dates, is table stakes. If the export is a CSV requiring manual formatting, the auditor won't trust it.
Does the schema map to regulatory requirements? Every field should trace to a specific obligation. "Risk classification" maps to EU AI Act Annex III and ISO 42001 6.1.2. "Data provenance" maps to Article 12. "Monitoring approach" maps to Article 26 and ISO 42001 9.1.
The Registry Is Your First Line of Defence
The AI system registry isn't glamorous. It doesn't make headlines the way risk classification does. But it is the foundation every other governance activity sits on. You cannot assess the risk of systems you haven't catalogued. You cannot demonstrate conformity to an auditor without a controlled, current record of what you're conforming to.
The EU AI Act's first obligations apply from August 2, 2026. That is less than three weeks from now. Organisations deploying AI in the EU need their registry in place before that date. Not perfect. Not platform-grade. But documented, controlled, and current enough to show a regulator you know what AI you have and why you believe it's compliant.
If your AI inventory lives in a spreadsheet nobody's updated since March, start there. Lock it down. Fill the gaps. Version it. Schedule the quarterly review. The tool matters less than the discipline. But the discipline is the part most organisations skip. Talk to us if you need help getting started.
Written by David Swan, reviewed and fact-checked against primary regulatory sources. AI-assisted but human-directed.
Frequently asked questions
Does the EU AI Act require every organisation to maintain an AI system registry?
Article 12 of the EU AI Act requires record-keeping for providers of high-risk AI systems. Deployers have obligations under Article 26 for monitoring records. ISO 42001 Clause 7.5 requires documented information for any organisation implementing an AI management system. Even outside high-risk classification, documenting your AI systems is the foundation of defensible governance.
Can I use a spreadsheet for my AI system registry and still be compliant?
A spreadsheet can work for small deployments (fewer than 10 AI systems) but has structural limitations: no granular access control, no immutable change history, no relational linking between systems and risk assessments, and no automated field validation. For ISO 42001 certification or EU AI Act high-risk compliance, a controlled database or purpose-built governance platform is expected. If you must use a spreadsheet, lock it to named editors, add version dates, and export snapshots regularly.
What fields should an AI system registry contain?
At minimum: system name, version, owner, intended purpose, data types processed, personal information status, risk classification, vendor/model metadata, DPA status, testing results, approval authority, and last review date. Each field should trace to a specific regulatory requirement. A compliant registry typically requires 30+ fields per system.
What's the difference between a general-purpose database like Notion and a purpose-built AI governance platform?
Notion and Airtable offer flexible schema, relational links, and change tracking but lack regulatory-specific features: document approval workflows (ISO 42001 7.5.3), immutable audit logs, automated risk classification, and policy-to-control mapping. Purpose-built platforms like Credo AI and Holistic AI include these features but cost $40K-$120K/year and take months to implement. Choose based on your deployment scale and regulatory obligations.
When does the EU AI Act enforcement begin?
The first obligations under the EU AI Act (Regulation 2024/1689) apply from August 2, 2026. This includes prohibitions on unacceptable AI practices. High-risk AI system obligations phase in over the following 12-36 months depending on the system category. Organisations deploying AI in the EU should have their AI registry in place before these deadlines to demonstrate compliance readiness.
How does BizThriveAI help with AI system registries?
BizThriveAI provides AI governance audits that include registry maturity assessment: we review your existing AI inventory against ISO 42001 documentation requirements, identify gaps in field coverage and version control, and provide a remediation roadmap. Our audit frameworks include the 30+ field schema mapped to EU AI Act and ISO 42001 requirements, which clients can adopt directly.


