Step 1: inventory every AI system in use
You cannot comply with the EU AI Act for systems you do not know about. Build a complete inventory: sanctioned tools, embedded AI features in software you already run, internal assistants, and shadow usage that staff adopted on their own. Capture the purpose of each system, who owns it, and where it sits. Most teams find the real inventory is larger than the approved one, and the systems missing from the diagram are usually the ones carrying unmanaged risk.
Step 2: trace data flows and providers
For each system, follow the data. What goes in, what categories of personal or sensitive data it includes, which model providers the request reaches, and what comes back. This is where exposure becomes visible: a tool that quietly sends customer data to an external provider is a different risk than one that stays inside your boundary. The data-flow map is also what later lets you target redaction and routing controls at the flows that matter most.
Step 3: classify each system by risk tier
The EU AI Act assigns obligations by risk. Place each system in a tier: prohibited uses to eliminate, high-risk uses such as recruitment, credit, or critical infrastructure that carry the heaviest duties, limited-risk uses with transparency obligations, and minimal-risk uses. Document the reasoning for each classification, because an assessor will ask why a system landed where it did. The tier determines what you owe, so getting it right is the hinge of the whole exercise.
Step 4: record obligations against each system
For every high-risk and limited-risk system, list the specific duties it triggers: risk management, data governance, human oversight, transparency, and record-keeping. Attach an owner to each obligation. This turns an abstract law into a concrete checklist tied to real systems, and it surfaces where you currently have no way to meet a duty, which is the gap your controls have to close.
Step 5: connect the map to enforcement
A map is a snapshot, and AI usage changes faster than an annual review. Connect it to a runtime layer that enforces the obligations you recorded and keeps the picture current as new systems appear in the traffic. When the same layer that maps the flows also enforces redaction, access, and routing, and records evidence, the map stops being a document that ages and becomes a live view of what you actually govern. That is what carries an EU AI Act review rather than a static spreadsheet.
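The five steps above describe a register that can be kept as data rather than as a spreadsheet. The following is an added example, not code from the original article or from any product it describes: a small Python model of that register, walking inventory, data-flow exposure, tier classification with recorded rationale, per-obligation owners, and a reconciliation of the inventory against providers observed in traffic. All system names, providers, owners and the keyword rules used to assign tiers are constructed assumptions for illustration; the mapping of duties to tiers follows the article's wording and is not a statement of the law.

```python
"""Added example (not from the original article): a minimal AI-system
register that walks the five mapping steps over constructed sample data.
System names, providers, owners and tier rules are assumptions."""
from dataclasses import dataclass, field

# Duties the article names, attached to the tiers it names. Which duty
# attaches to which tier is an illustrative assumption, not legal advice.
OBLIGATIONS_BY_TIER = {
    "prohibited": [],  # nothing to govern; the use is eliminated
    "high": ["risk management", "data governance", "human oversight",
             "transparency", "record-keeping"],
    "limited": ["transparency"],
    "minimal": [],
}

# Assumed keyword rule built from the high-risk examples the article cites.
HIGH_RISK_PURPOSES = {"recruitment", "credit", "critical infrastructure"}


@dataclass
class AISystem:
    name: str
    purpose: str
    owner: str
    data_categories: set   # e.g. {"personal", "financial"} (Step 2)
    provider: str          # model provider the request reaches (Step 2)
    internal: bool         # True if inference never leaves your boundary
    sanctioned: bool = True  # False marks shadow usage found in Step 1
    tier: str = ""
    rationale: str = ""
    obligation_owners: dict = field(default_factory=dict)  # duty -> owner


def classify(system, override=None):
    """Step 3: assign a tier and record why. Prohibited uses are decided by
    human review, so they arrive as an explicit override, never by keyword."""
    if override:
        system.tier, system.rationale = override, "set by reviewer"
    elif system.purpose in HIGH_RISK_PURPOSES:
        system.tier = "high"
        system.rationale = f"purpose '{system.purpose}' is a cited high-risk use"
    elif "personal" in system.data_categories or not system.internal:
        system.tier = "limited"
        system.rationale = "handles personal data or leaves the boundary"
    else:
        system.tier, system.rationale = "minimal", "internal, no personal data"
    return system.tier


def external_sensitive_flows(systems):
    """Step 2: flows that send personal or sensitive data to an external provider."""
    return [s.name for s in systems
            if not s.internal and s.data_categories & {"personal", "sensitive"}]


def obligation_gaps(systems):
    """Step 4: duties triggered by a system's tier that have no owner yet."""
    return [(s.name, duty) for s in systems
            for duty in OBLIGATIONS_BY_TIER[s.tier]
            if not s.obligation_owners.get(duty)]


def unmapped_in_traffic(systems, observed_providers):
    """Step 5: providers seen at runtime that no inventoried system explains."""
    return sorted(set(observed_providers) - {s.provider for s in systems})


def build_register(systems, observed_providers):
    """Run Steps 3-5 over an inventory and return the findings in one view."""
    for s in systems:
        classify(s)
    return {
        "tiers": {s.name: s.tier for s in systems},
        "external_sensitive": external_sensitive_flows(systems),
        "gaps": obligation_gaps(systems),
        "unmapped": unmapped_in_traffic(systems, observed_providers),
        "shadow": [s.name for s in systems if not s.sanctioned],
    }


# Constructed sample inventory (Step 1), including one shadow tool.
SAMPLE_SYSTEMS = [
    AISystem("hiring-screener", "recruitment", "hr", {"personal"}, "ext-llm-a",
             internal=False,
             obligation_owners={"risk management": "hr", "human oversight": "hr"}),
    AISystem("support-copilot", "customer support", "support", {"personal"},
             "ext-llm-b", internal=False, sanctioned=False),
    AISystem("log-summarizer", "ops", "platform", {"logs"}, "internal-model",
             internal=True),
]
# Constructed list of providers observed in egress traffic (Step 5).
OBSERVED_PROVIDERS = ["ext-llm-a", "ext-llm-b", "ext-llm-c"]

if __name__ == "__main__":
    for key, value in build_register(SAMPLE_SYSTEMS, OBSERVED_PROVIDERS).items():
        print(f"{key}: {value}")
```

On the sample data the register reports hiring-screener as high-risk with three duties still unowned, the shadow support-copilot as limited-risk with no transparency owner, both external tools as sending personal data outside the boundary, and one provider in traffic that no inventoried system accounts for. Feeding the `unmapped` list back into Step 1 is the loop that keeps the map current.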
Frequently asked questions
Which systems count as AI under the EU AI Act?
The Act defines AI systems broadly, covering machine-learning and related systems that generate outputs such as predictions, recommendations, or decisions. Embedded AI features and internal assistants count, not only standalone tools.
How often should the AI system map be updated?
Continuously. AI adoption moves faster than annual cycles, so a map connected to runtime traffic stays current automatically, while a static inventory drifts out of date between reviews.