Build your AI register in an afternoon

TL;DR

An AI register is a single spreadsheet recording every AI tool the business runs, what data each one processes, and who owns it. It takes an afternoon to build and fifteen minutes a month to maintain, and it is the foundation that a risk register, an AI policy, and a due-diligence data room all depend on.

Key takeaways

- An AI register is a single shared spreadsheet recording every AI tool the business uses, what data it touches, and who is responsible for it.
- Ten columns are worth building from the start, covering tool name, purpose, data processed, data classification, vendor, DPA status, training opt-out, cost, owner, and last review date.
- The register is the foundation for the risk register and the AI policy, both of which depend on knowing which tools are in use.
- A fifteen-minute monthly review keeps the register current; an annual rebuild is the failure mode to avoid.
- Building the register starts with a team survey, not a blank sheet, to surface what AI tools people are already using before adding anything yourself.

The question usually arrives without warning. Someone asks, in a board meeting or in a Slack message from the founder, for a list of what AI the business is actually running. You pause on it and realise there is no list. The tools are out there, the team is using them, but nobody has written any of it down.

That is the moment the AI register earns its existence.

What is an AI register?

An AI register is a single shared spreadsheet recording every AI tool the business uses, what each one does, what data it processes, and who is responsible for it. That is the whole definition. No committee required, no specialist to hire. A well-built register for a ten-person owner-managed business fits on one tab and takes an afternoon to assemble.

The ten columns that earn their place are tool name, purpose, data processed, data classification, vendor, DPA (Data Processing Agreement) status, training opt-out, cost, owner, and date of last review. Each column answers a specific question a board member or regulator is likely to ask.

Tool name and purpose are self-explanatory. Data processed records what kind of information the tool handles, such as customer contact details, employee records, or financial data. Data classification assigns a sensitivity level from your own scheme, typically Public, Internal, Confidential, or Restricted. Vendor names who built and operates the tool. DPA status records whether a Data Processing Agreement is in place with that vendor, a UK GDPR requirement when a third party processes personal data on your behalf. Training opt-out records whether the vendor has confirmed that your data is not used to train their model, the distinction that separates free tiers from paid enterprise agreements across major AI platforms. Cost records the monthly or annual spend. Owner names the person inside the business accountable for that tool. Last review records when the entry was last checked.

Start with those ten. Add more later only if the business genuinely needs them.

Why does it matter for your business?

The register is the document your risk register and your AI policy both depend on. Your risk register cannot assess exposure across AI use without knowing which tools are in play. Your policy cannot set guardrails without knowing what it is governing. If the business is preparing for investment or acquisition, the due-diligence data room will ask for a technology inventory, and this is it.

There is also a more immediate regulatory reason. The ICO’s guidance on AI and data protection makes this explicit. Using an AI system to process personal data activates obligations around lawful basis, transparency, and, in many cases, a Data Protection Impact Assessment. You cannot begin to address those obligations without knowing which tools are processing personal data. The register is the prerequisite, not the end product.

The DPA Status column is often where the biggest surprises sit. When you run the team survey that populates the register, you will commonly find tools running on free tiers with no agreement in place, meaning the vendor may be training on whatever data the team has been feeding it. The Samsung ChatGPT incident of 2023, where employees shared semiconductor design specifications and source code via the free tier, showed what unvetted tool adoption can cost. A register built the previous month would have flagged the problem first.

For exit-minded businesses, the register also signals governance maturity to an acquirer. It is evidence that the business understands what is running in its operation, and that somebody owns each piece of it.

Where will you actually meet it?

The question arrives in one of a few forms. A board member asks what AI the business is running and what oversight exists. An acquirer’s due-diligence team asks for a technology inventory. The ICO asks how personal data is being processed. In each case, the register is the document you want to have already built, not be assembling in a hurry.

Sector regulators are another encounter point. The Solicitors Regulation Authority expects law firms to understand the AI tools they are using and to have appropriate controls in place. The Financial Conduct Authority’s requirements around model risk management and outsourced services mean that an FCA-regulated business using AI for any material function needs documented oversight, and the register is where that documentation starts.

The survey that builds the register is also where you will encounter shadow AI. When you ask the team what tools they are using, you will find tools the business did not officially approve. A team member found something that helped them draft faster or summarise documents, and they started using it. The survey turns that shadow adoption from a governance blind spot into a line on the register, and a line on the register into a decision. Sanction it, move it to a paid tier with a DPA, or retire it.

NIST’s AI Risk Management Framework uses the term “Map” for this exact step, meaning cataloguing the AI systems in use, understanding what each one does, and placing each in a governance context. The register is the Map step, run inside a spreadsheet rather than an enterprise platform.

When does the register need a fresh pass?

A monthly fifteen-minute review, checking whether any new tools have appeared and whether anything on the list has changed ownership or DPA status, keeps the register current without rebuilding from scratch. The failure mode is a document that is accurate on the day it is created and ignored by the following quarter, because no trigger was set to review it.

The review does not need to be elaborate. A standing calendar reminder, a scan of the register, and a short message to the team asking whether anything has changed is sufficient. At the quarterly governance review, when the risk register and the AI policy also get checked, the register gets a more thorough pass. Are all the tools still in use? Has any vendor changed their data practices? Has any new tool appeared without an approval step?

The register decays fastest in two situations. When the Owner column says “the team” rather than a named person, no one feels accountable for keeping it current. When new tools are adopted without any notification step, they appear in the next team survey but go undocumented in the meantime.

Building the register is an afternoon’s work. Keeping it current is fifteen minutes a month. Letting it decay and rebuilding it under pressure is a half-day job at the worst possible moment.
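The ten-column layout above and the two decay conditions just described can be turned into a mechanical check that runs against the spreadsheet export. The script below is an added example, not part of the original post or any tool the author offers: it parses a constructed CSV with the ten columns, then flags the gaps the article names, namely a tool handling personal data with no DPA or no confirmed training opt-out, an Owner column that names a group rather than a person, and a last review older than the monthly interval. The column names, the sample rows, the vendor values and the rule that "Confidential" or "Restricted" classification implies personal data are all assumptions for the example; map them onto your own scheme.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample register using the ten columns the article lists.
# Every value below is invented for illustration and does not describe
# any real vendor's actual terms or pricing.
SAMPLE_REGISTER = """tool_name,purpose,data_processed,data_classification,vendor,dpa_status,training_opt_out,cost,owner,last_review
ChatGPT (free tier),Drafting emails,Customer contact details,Confidential,OpenAI,None,Not confirmed,0,the team,2024-11-02
Otter.ai,Meeting transcription,Internal meeting notes,Internal,Otter.ai,Signed,Confirmed,20,Priya Shah,2025-01-15
Copilot (Microsoft 365),Document summarisation,Employee records,Restricted,Microsoft,Signed,Confirmed,300,Dan Whitfield,2024-09-30
"""

# Assumption: these classifications mean personal or sensitive data is involved,
# so a DPA and a training opt-out are required. Adjust to your own scheme.
SENSITIVE = {"Confidential", "Restricted"}
# Owner values that name a group rather than an accountable person.
UNOWNED = {"", "the team", "team", "everyone", "tbc", "tbd"}
# The article's monthly review cadence, with a day of slack.
REVIEW_INTERVAL = timedelta(days=31)


def load_register(text):
    """Parse the register CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_entry(row, today):
    """Return the list of governance gaps for one register row."""
    findings = []
    sensitive = row["data_classification"].strip() in SENSITIVE
    if sensitive and row["dpa_status"].strip().lower() not in {"signed", "in place"}:
        findings.append("no DPA in place for a tool processing personal data")
    if sensitive and row["training_opt_out"].strip().lower() != "confirmed":
        findings.append("vendor has not confirmed data is excluded from training")
    if row["owner"].strip().lower() in UNOWNED:
        findings.append("owner is not a named person")
    last = date.fromisoformat(row["last_review"].strip())
    overdue = today - last
    if overdue > REVIEW_INTERVAL:
        findings.append(f"last review {overdue.days} days ago, monthly check missed")
    return findings


def review_register(text, today):
    """Map each tool name to its findings; tools with no gaps are omitted.

    `today` may be a date or an ISO date string, so the check is deterministic
    when run as part of a scheduled review.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    report = {}
    for row in load_register(text):
        findings = review_entry(row, today)
        if findings:
            report[row["tool_name"]] = findings
    return report


if __name__ == "__main__":
    # Pin the review date so the output is reproducible.
    for tool, gaps in review_register(SAMPLE_REGISTER, "2025-02-01").items():
        print(tool)
        for gap in gaps:
            print("  -", gap)
```

Run against the sample on 2025-02-01, the free-tier entry collects all four findings and the Copilot entry is flagged only for a missed review; the Otter.ai row is clean and does not appear. Pointing the script at the real export from your spreadsheet tool, and running it from the same calendar reminder that triggers the monthly check, gives you the review as a list of lines to act on rather than a scan by eye.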

What else connects to the register?

Beyond the register itself, three concepts come up in any AI governance conversation and are worth knowing before you build further. The risk register is a second tab or a separate document that records what could go wrong with each tool and what controls are in place. The AI policy is the rulebook covering which tools are approved, what data each can process, and what requires sign-off before adoption.

The Data Processing Agreement is what the DPA Status column tracks for each vendor. It is a contract between you as the data controller and the vendor as the data processor, committing the vendor to specific obligations including how long data is retained, whether it is used for training, and what happens in a breach. Major AI platforms offer these on paid tiers; free tiers typically do not.

The Data Protection Impact Assessment, a legal requirement under UK GDPR when AI processing of personal data poses a high risk to individuals’ rights and freedoms, is the third. You cannot assess whether one is needed without knowing which tools are processing personal data. The register surfaces that, and the risk register picks up the assessment from there.

ISO/IEC 42001, the international AI management systems standard, and the UK Government’s Algorithmic Transparency Recording Standard both ask for documented inventories of AI systems in use. The register satisfies both at a scale that fits an owner-managed business, without specialist support.


The list does not exist until someone builds it. Once it exists, board queries, regulatory visits, and due-diligence requests all reference it. The next governance task references it too. Build it this week, not the week the question arrives.

If you want to think through what AI governance looks like at your size of business, book a conversation.

Sources

- Information Commissioner's Office (2024). Guidance on AI and data protection. Explains when processing personal data via AI triggers UK GDPR obligations including DPIA, lawful basis, and transparency requirements. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/
- National Institute of Standards and Technology (2023). AI Risk Management Framework 1.0. Describes the Map function, cataloguing AI systems in use and understanding their context, which the AI register operationalises at the scale of an owner-managed business. https://airc.nist.gov/RMF
- UK Government (2022). Algorithmic Transparency Recording Standard. Sets out the information organisations should document about their algorithmic and AI systems, including purpose, data processed, and accountability. https://www.gov.uk/government/publications/algorithmic-transparency-reporting-standard
- ISO (2023). ISO/IEC 42001: AI Management Systems Standard. International standard requiring a governance programme anchored in a documented inventory of AI systems in use. https://www.iso.org/standard/81230.html
- Solicitors Regulation Authority (2024). Artificial intelligence guidance for law firms. Confirms that SRA-regulated firms are expected to understand the AI tools they use, maintain appropriate controls, and protect client data from unvetted AI processing. https://www.sra.org.uk/solicitors/resources/technology/artificial-intelligence/
- Financial Conduct Authority (2024). Artificial intelligence in financial services. Requires FCA-regulated firms to document AI use, apply model risk management, and maintain human oversight of material AI-assisted decisions. https://www.fca.org.uk/firms/innovation/artificial-intelligence
- Information Commissioner's Office (2024). Data Protection Impact Assessments. Sets out when a DPIA is legally required; systematic AI processing of personal data frequently triggers the obligation, making a tool inventory a prerequisite. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/
- OWASP (2025). LLM Top 10 for Large Language Model Applications. Security risk framework covering data leakage, excessive agency, and overreliance, risks made manageable only when AI tools are inventoried and owned. https://owasp.org/www-project-top-10-for-large-language-model-applications/

Frequently asked questions

How many columns does an AI register need?

Ten columns cover the essentials for any owner-managed business. Tool name, purpose, data processed, data classification, vendor, DPA status, training opt-out status, cost, owner, and date of last review. You can add sector-specific fields later, but these ten give you everything a board or regulator is likely to ask for, and they can all be filled in from memory and a quick team survey in a single sitting.

Do I need an AI register if the business is small?

Size does not determine whether UK GDPR or sector regulations apply. Any business processing personal data through AI tools needs to document what is running and why. For owner-managed businesses of five to fifty people, a single spreadsheet with ten columns is both sufficient and proportionate, and there is no specialist required to build it.

What is DPA status and why does it appear on the register?

DPA status records whether a Data Processing Agreement is in place with the vendor for each AI tool. UK GDPR requires a DPA when a third-party vendor processes personal data on your behalf. Without one, the processing may lack a lawful basis. The register makes DPA gaps visible so they can be closed before a regulator or acquirer identifies them.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
