GOVERN 1.2 NIST AI Risk Management Framework

AI use-case inventory

Demonstrate that the organization maintains a complete, accurate, and current inventory of all AI/ML use cases with sufficient metadata to enable risk assessment, ownership accountability, and governance oversight.

Description

What this control does

This control requires organizations to maintain a comprehensive, current inventory of all artificial intelligence and machine learning (AI/ML) use cases deployed across the enterprise, covering both internally developed and third-party AI systems. Each entry captures key metadata such as system purpose, data inputs, decision authority level, business owner, technical owner, risk classification, and deployment status. Maintaining the inventory enables risk-based governance, ensures appropriate oversight of high-risk AI applications, supports compliance with emerging AI regulations, and, combined with a mandatory registration gate before production deployment, prevents shadow AI deployments that bypass security and ethics review.

Associated risks

Risks this control addresses

  • Unauthorized or shadow AI systems processing sensitive data without security review or data protection safeguards
  • High-risk AI applications making consequential decisions about individuals without appropriate human oversight or bias testing
  • AI systems trained on or processing regulated data (PII, PHI, financial records) without proper compliance controls
  • Untracked third-party AI services creating vendor lock-in, data sovereignty issues, or undisclosed data sharing arrangements
  • Inability to respond to AI-related incidents or vulnerabilities due to lack of visibility into deployed systems
  • Failure to meet emerging AI regulatory requirements (EU AI Act, algorithmic accountability laws) due to incomplete system knowledge
  • Business continuity risks from dependencies on undocumented AI systems whose failure impact is unknown

Testing procedure

How an auditor verifies this control

  1. Obtain the current AI use-case inventory document or system export showing all registered AI/ML applications
  2. Review inventory schema to verify it captures minimum required attributes: system name, business purpose, owner, risk classification, data sources, decision type, deployment status, and last review date
  3. Interview AI governance committee or designated AI risk owner to understand inventory maintenance processes, submission requirements, and update frequency
  4. Select a sample of 10-15 business units or departments and conduct discovery interviews to identify AI systems in use, comparing findings against the official inventory
  5. Review procurement records and software asset management systems for AI/ML tools or services acquired in the past 12 months and verify all appear in the inventory
  6. Test a sample of 5-8 inventory entries by interviewing system owners to validate accuracy of recorded attributes including risk rating, data classification, and current deployment status
  7. Examine evidence of periodic inventory validation activities such as attestation campaigns, automated discovery scans, or quarterly reconciliation reviews
  8. Verify that new AI use cases undergo mandatory registration before production deployment by reviewing project approval workflows and change management records

Evidence required

Auditor collects the complete AI use-case inventory export or register with all metadata fields populated, governance policy documents defining inventory requirements and submission processes, meeting minutes or attestation records demonstrating periodic validation activities, and sample project approval records showing inventory registration as a deployment gate. Additional evidence includes interview notes from discovery testing with business units and reconciliation documentation comparing the inventory against procurement and asset management systems.

Pass criteria

The organization maintains a comprehensive AI use-case inventory covering all known AI/ML systems with complete metadata, demonstrates regular validation and update processes, and discovery testing identifies no more than minor gaps (fewer than 10% of sampled systems missing from the inventory, with no high-risk systems untracked).
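The reconciliation in steps 2, 4 and 5 and the pass criteria above can be scripted once the inventory and the discovery results are exported as CSV. The following is an added example written for this page, not an artifact of the NIST AI RMF or of any audit program: it checks every inventory entry for the minimum attributes named in step 2, compares the inventory against systems found through procurement records and business-unit interviews, and applies the two thresholds in the pass criteria (under 10% of sampled systems untracked, no high-risk system untracked). The column names, the CSV layout and all records are constructed assumptions for illustration.

```python
import csv
import io

# Minimum inventory attributes listed in testing procedure step 2
# (column names are an assumption; real exports will differ).
REQUIRED_FIELDS = (
    "system_name", "business_purpose", "owner", "risk_classification",
    "data_sources", "decision_type", "deployment_status", "last_review_date",
)

# Constructed sample inventory export; not a real organization's data.
# Note the blank last_review_date on fraud-scoring (an incomplete entry).
INVENTORY_CSV = """\
system_name,business_purpose,owner,risk_classification,data_sources,decision_type,deployment_status,last_review_date
resume-screener,Rank inbound job applicants,hr-analytics,high,applicant PII,automated,production,2024-03-01
support-chatbot,Tier-1 customer support,cx-platform,medium,ticket text,advisory,production,2024-05-15
fraud-scoring,Flag suspicious card transactions,payments-risk,high,transaction records,automated,production,
log-summarizer,Summarize on-call alerts,sre,low,alert text,advisory,pilot,2024-06-02
"""

# Constructed discovery results (steps 4 and 5): systems surfaced by
# business-unit interviews and procurement records, with the risk tier
# the auditor assigned. Two of them are not in the inventory.
DISCOVERED_CSV = """\
system_name,source,risk_classification
resume-screener,procurement,high
support-chatbot,interview,medium
fraud-scoring,interview,high
invoice-ocr,procurement,medium
code-assistant,procurement,low
log-summarizer,interview,low
"""


def load_csv(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def schema_gaps(inventory):
    """Map system_name -> required fields that are absent or blank (step 2)."""
    gaps = {}
    for row in inventory:
        missing = [f for f in REQUIRED_FIELDS if not (row.get(f) or "").strip()]
        if missing:
            gaps[row.get("system_name", "<unnamed>")] = missing
    return gaps


def reconcile(inventory, discovered):
    """Return discovered systems absent from the inventory as name -> risk (steps 4, 5)."""
    registered = {row["system_name"].strip().lower() for row in inventory}
    return {
        d["system_name"]: d["risk_classification"]
        for d in discovered
        if d["system_name"].strip().lower() not in registered
    }


def evaluate(inventory, discovered, max_missing_rate=0.10):
    """Apply the pass criteria: fewer than 10% of sampled systems untracked,
    no high-risk system untracked, and every inventory entry fully populated."""
    untracked = reconcile(inventory, discovered)
    missing_rate = len(untracked) / len(discovered) if discovered else 0.0
    high_risk_untracked = sorted(
        name for name, risk in untracked.items() if risk.strip().lower() == "high"
    )
    gaps = schema_gaps(inventory)
    return {
        "sampled": len(discovered),
        "untracked": sorted(untracked),
        "missing_rate": round(missing_rate, 3),
        "high_risk_untracked": high_risk_untracked,
        "incomplete_entries": gaps,
        "pass": missing_rate < max_missing_rate and not high_risk_untracked and not gaps,
    }


def run_audit():
    """Run the reconciliation over the constructed sample data."""
    return evaluate(load_csv(INVENTORY_CSV), load_csv(DISCOVERED_CSV))


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(), indent=2))
```

On the sample data the control fails on two counts: two of six discovered systems (33%) are unregistered, well over the 10% threshold, and one registered entry lacks a last review date. No high-risk system is untracked, so that test alone would have passed, which is why the rate and the completeness check are evaluated separately rather than collapsed into one score.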

Where this control is tested

Audit programs including this control