
AI system inventory

Worked example · fictional company (Vesta Mutual Insurance AS) · free PDF · CC BY 4.0

The inventory is the foundation. Every other governance document keys off it: you cannot risk-assess, monitor, or write a policy for systems you have not listed. So the first question is not how to classify AI but how to find all of it.

Vesta built this register in three passes. A survey of department heads found 6 systems. A procurement and accounts-payable review, plus an IT pass over SSO and browser logs, found 3 more, including a meeting-transcription tool no manager had named. The gap between 6 and 9 is the whole point: self-reported inventories miss the AI people do not think of as AI, and the embedded features inside software they already use. That is why the IT log pass repeats every quarter and shadow AI stays a standing category, not a one-time cleanup.

The classification calls are where judgment shows. TalentScreen, a CV-ranking tool, is high-risk under Annex III as a recruitment system. PriceWise, Vesta's in-house life and health pricing model, is high-risk too, and because Vesta built it, Vesta carries provider duties on top of deployer ones. FraudLens is the interesting one: the AI Act's creditworthiness category explicitly excludes fraud detection, so the system stays minimal-risk, and the register records that reasoning so an authority sees the analysis, not just the verdict. Writing down why a system is not high-risk is as much the work as flagging the ones that are.

Legal references: EU AI Act Annex III (high-risk uses) · Article 3 (definition of an AI system).

What's inside

  • Purpose and scope, and the definition used to decide what counts as an AI system
  • The three-pass discovery method (survey, procurement review, SSO and log review)
  • The register: 9 systems with origin, function, AI Act classification, Vesta's role, and an owner
  • Classification notes for the borderline calls, including the documented fraud-detection exclusion
  • Shadow AI handling as a standing quarterly discovery category
  • Framework mapping to the EU AI Act, ISO/IEC 42001, and the NIST AI RMF, plus maintenance triggers

Worked example for portfolio and training purposes. Vesta Mutual Insurance AS is a fictional company; all data, metrics, and names are invented. Prepared by Erik Bernath, Furioso AI Consulting OÜ. Licensed CC BY 4.0: reuse freely with attribution. Informational, not legal advice.
