AHKORIS
← Back to resources

Guides

AI Act guide for companies: inventory, classify and govern AI use

Preparing for the AI Act starts before the legal discussion. Organisations need to know where AI is used, for what purpose, what data enters the process, which suppliers are involved and what impact exists on people or the business.

By Ahkoris Lda · Updated 21 May 2026 · Practical experience in privacy, audit, risk and compliance.

Inventory before policy

The first step is to create an inventory of AI uses: internal tools, embedded software features, supplier models and automated processes supporting decisions.

Without an inventory, the organisation cannot classify risk, assign responsibilities or demonstrate control.

Essential questions

  • Which AI systems are used and by whom?
  • What is the purpose and what data is processed?
  • Is there an impact on employees, clients or citizens?
  • Is the system supplied by a third party or developed internally?
  • What documentation, logs, tests and oversight exist?
  • Is there a link with GDPR, security, procurement or supplier governance?

Risk, suppliers and evidence

Maturity does not depend only on an AI policy. It depends on approval processes, risk assessment, user instructions, supplier review, human oversight mechanisms and records that prove decisions.

The AI Act should be connected to GDPR, information security and supplier management, avoiding another regulatory silo.

How Ahkoris can support

Ahkoris supports AI inventories, risk diagnostics, governance design, documentation, supplier criteria and integration with privacy and compliance programmes.

Sources and regulatory context

Related reading

Data, Privacy & AICompliance DiagnosticData Centres + AI and sustainability

Want to turn this topic into a concrete plan?

Book a diagnostic