Identify AI assets with a clear process

The use of AI tools in organizations is subject to strict regulations, such as the AI Act. organizations should therefore have an up-to-date overview of all AI tools in use so that they can comply with such legal requirements.

As more and more AI tools (also known as AI assets) are being used by employees in organizations, a central process for identifying AI tools is essential. This ensures the following:

• Centralized recording of all AI assets
• Compliance with legal requirements (AI compliance), in particular the AI Act
• Clear responsibilities and traceability

In practice, the responsibilities and obligations for the use of AI in an organization are regulated in an internal AI policy.

The identification of AI tools also requires cooperation between different departments:

• AI Officer: Responsible for AI compliance and governance.
• Data Protection Officer (DPO): Ensures GDPR compliance.
• Information Security Officer (ISO): Ensures information security.
• IT department (including IT Asset Manager): Technical recording of assets and in-house development of AI tools.
• Specialist departments: Identification of AI tools used in specific teams (e.g., Marketing, HR).

External partners and service providers should also be involved to cover all potential AI assets.

A key element within the process is defining what actually is considered AI. In practice, a large number of software tools advertise functions based on artificial intelligence.

The scope should be defined for the initial identification of AI assets.

Positive examples can also be used, such as:

• Software with automated decision-making processes (e.g., machine learning).
• Tools for data analysis, prediction, or personalization.
• AI-driven applications such as chatbots, image recognition, or text generation.

It is advisable to set the scope broadly at the outset to ensure that no relevant tools are overlooked.

Before starting the process of identifying AI assets, it should be determined what information will be requested for each AI tool:

• Name and provider: Who provides the tool?
• Functionality: What tasks does the tool perform?
• Data types: What data is processed?
• User teams: Which departments use the tool?
• Purpose: Is the tool used internally  or is it provided to customers?

A streamlined and user-friendly questionnaire makes it easier for specialist departments to process and also increases the response rate for data collection.

Analyze relevant data sources:
Start by systematically recording all potential AI tools using central company-wide documentation:

• IT asset inventory: Central list of all IT assets, including software solutions used in the company
• Data protection management documentation: The record of processing activities contains important information about software with automated processes.
• Invoice and contract data: Identify external tools that are in use through license or service agreements.
• Surveys of specialist departments: Also consider shadow IT that may be used without official approval.

Apply targeted methods:
Use effective techniques to ensure a comprehensive overview:

• Workshops: Offer interactive sessions with specialist departments to identify the AI tools they use.
• Automated questionnaires and audits: Use user-friendly digital surveys or questionnaires to collect information efficiently and comprehensively.
• Monitoring of third-party services: Identify AI assets through SSO logs or similar IT administration tools.

With a clear combination of data sources and targeted methods, you are able to lay the foundation for a precise and complete mapping of the AI landscape in your organization.

The one-time recording of AI assets is only the first step. To ensure long-term transparency and compliance, organizations need a process that continuously identifies new AI assets.

1. Adapt the approval process for new software tools:
   The use of new AI tools should be linked to a central approval process. This includes reviews by the AI Officer, the Data Protection Officer, the Information Security Officer, and the IT department. A tool should only be used after comprehensive evaluation and approval.
2. Consider updates to existing software:
   Many software providers integrate AI functionalities into existing systems, often without explicit announcement. This requires proactive awareness-raising among the departments that use such tools. Employees should be trained to recognize potential changes and report them in a timely manner. Regular audits or surveys, e.g., on an annual basis, are therefore recommended.
3. Involve the purchasing department:
   The purchasing department plays a central role in the selection of new software. Therefore, purchasers should be equipped with standardized checklists and trained to efficiently evaluate new tools and ensure their documentation. This reduces the risk of AI functions entering the company unnoticed.

Identifying AI assets does not have to be a complex process, especially if existing resources and modern technologies are used wisely.

Leverage synergies within the organization
A lot of relevant information about AI tools in use is already available in existing areas, such as IT asset management or data protection management. This existing data forms a solid basis for efficiently identifying AI assets. Collaboration between IT, data protection, and specialist departments promotes knowledge exchange and avoids redundant work.

Automation through suitable survey tools
Initial and regular employee surveys can be facilitated by using an audit software. Such tools enable:

• Automated distribution of questionnaires: Employees receive user-friendly and clearly structured forms that encourage quick and easy responses.
• Centralized evaluation: Responses are collected, evaluated, and integrated directly into existing systems.

It is important that the forms are intuitively designed and keep the effort required by respondents to a minimum. Low-threshold surveys often deliver the best results.

Integration into the AI asset register
The collected results of the identification process should be transferred to a central AI asset register, also known as an AI application directory. This directory serves as a central source for:

• An overview of all AI tools used;
• Legal and technical assessments;
• Traceability with regard to compliance and regulatory requirements.

Use of specialized AI compliance management tools
Specialized AI compliance software such as caralegal offers comprehensive support for automating the identification and documentation process for AI applications. With intelligent solutions such as caralegal, organizations can digitally map the workflow from collection to documentation and leverage synergies with data protection management.

We have created a professional template for a questionnaire that you can easily and purposefully distribute to your workforce.

When you download the template in Word format, you will also receive our newsletter on data protection and AI compliance topics. This will keep you up to date!