How to complete your AI Register

Purpose of the AI Register

The AI Register is the core evidence source for all AI systems your organisation develops or uses. It supports risk management, lifecycle oversight, transparency to interested parties, and performance monitoring as required by the Artificial Intelligence Management System (AIMS) and ISO/IEC 42001:2023.

The register captures information about every AI system, including its purpose, risk, oversight mechanisms, data sources, monitoring activities, and how information is shared with stakeholders. The AI Register is used in conjunction with your AIMS Manual, risk processes, and governance activities.

The type of AI system (for example, in-house developed or third-party provided) may affect how much information is available and where supporting evidence is maintained. However, it does not change the governance expectations. All AI systems in use — including third-party or off-the-shelf tools — require appropriate oversight, risk and impact assessment, monitoring, and due diligence, which should be reflected across the relevant fields in the AI Register.

Scope

Include all AI/ML tools, such as:

Internal models and algorithms (e.g. predictive scoring, NLP tools)
Third-party tools or APIs using AI (e.g. OpenAI, AWS Rekognition)
Off-the-shelf AI features in SaaS products
AI tools or services used by employees or contractors as part of organisational activities, whether formally deployed or informally adopted.

How to Complete Each Field

Field	What to Enter	Why It Matters
System / Tool Name	Enter the name of the AI tool, model, or product (e.g. "ChatGPT", "Internal Risk Model v2")	Identifies the AI system clearly in audits and reports
AI System Type	Select how the AI system is provided (In-house, Third-party, Hybrid, Open-source)	Supports proportionate governance and oversight
Business Use Case	Briefly describe what the tool is used for (e.g. “automated CV screening”, “customer churn prediction”, "customer support", "fraud detection")	Helps determine risk level, transparency needs, and regulatory scope
Owner	Select the individual responsible for the AI system	Assigns accountability for oversight, risk, and data governance
Review date	Select the date the AI system is next due for review	Supports periodic review and ongoing suitability
Vendor / Source	Enter the vendor or source of the AI system, if applicable	Clarifies third-party reliance and due-diligence needs
Status	Select the current lifecycle status: Proposed, Active, Suspended or Retired	Indicates whether the AI system is in use and its lifecycle stage
Risk Category	Use the drop down to select from:Minimal, Limited, High or Unacceptable	Helps to identify and prioritise controls required.
Data Types Processed	Describe the types of data processed (e.g. personal, financial)	Supports privacy, security, and regulatory assessment
System Impact Assessment	Describe whether the AI makes, assists, or autom ates decisions with material impact	Identifies potential operational and business impact
Individual Impact Assessment	Describe potential impacts on individuals or groups	Supports ethical and legal risk assessment
Societal Impact Assessment	Describe potential wider societal impacts	Helps assess broader ethical considerations
Privacy Risk Level	Select Low, Medium, or High	Indicates privacy risk requiring management
Bias Risk Level	Select Low, Medium, or High	Highlights potential fairness or discrimination risks
Training Data Source(s)	Select applicable sources (Internal, Public, Third-party, Synthetic)	Supports data governance and traceability
Level of Autonomy	Select the level of autonomy (Fully autonomous, Human-in-the-loop, Human-in-command)	Clarifies decision authority and oversight needs
Human Oversight Defined	Select Yes or No	Confirms escalation and operator controls exist
Explainability Required	Select Yes or No	Identifies transparency obligations for stakeholders
Monitoring in Place	Select Yes or No	Confirms ongoing performance and risk monitoring
Last Model Update	Enter the date of the most recent update	Supports lifecycle and change tracking
Information Provided to Interested Parties	Select Yes, No, or Not applicable	Indicates whether transparency information is communicated externally
Regulatory Relevance	Describe applicable regulations (e.g. GDPR, ISO/IEC 42001)	Supports compliance assessment
Comments / Notes	Enter any additional relevant information	Provides context or supporting detail

Best Practices

Assign clear ownership
Ensure each AI system has a named owner responsible for oversight, risk management, and ongoing review.
Keep the register up to date
Add AI systems as soon as they are proposed or adopted, and regularly review entries to suspend or retire systems that are no longer in use.
Use risk categorisation effectively
Use the Business Use Case, Risk Category, and Impact Assessment fields to prioritise oversight and review frequency, particularly for systems affecting people, finances, or critical operations.
Review systems periodically
Use the Review Date and Status fields to support ongoing suitability, ensuring AI systems remain appropriate as risks, usage, or regulatory requirements change.
Record oversight and monitoring consistently
Ensure fields relating to autonomy, human oversight, explainability, and monitoring are completed accurately to demonstrate responsible and controlled use of AI systems.

Benefits of Completion

Helps identify AI systems that may be subject to heightened regulatory obligations, including potential classification under emerging AI regulations such as the EU AI Act
Supports data-protection compliance by identifying AI systems that process personal or sensitive data
Provides a structured foundation for AI risk and impact assessment in line with ISO/IEC 42001 requirements
Creates a clear audit trail to support internal reviews, external audits, and regulatory enquiries
Strengthens accountability by clearly identifying ownership and responsibility for each AI system, supporting effective governance and oversight