What is System Visibility and Classification?
AI system visibility and classification is the discipline of maintaining a complete, current inventory of every AI system an organisation owns, operates, or depends on, and classifying each by risk and purpose. It is the foundational governance domain because nothing else can be assured if the systems themselves are not known.
Most organisations underestimate their AI footprint by an order of magnitude. AI is no longer confined to flagship products: it is embedded in CRM platforms, recruitment tools, payment processors, fraud detection, document review, and the everyday Copilot or ChatGPT use of individual staff. A complete inventory captures all of these — internally built, procured, embedded, and informally used — under a single record.
Classification then attaches a risk profile to each entry: what the system does, who it affects, what data it processes, and which regulations apply (EU AI Act risk tier, GDPR Article 22, sector-specific rules). This classification drives every subsequent governance action: which controls apply, what assurance is required, who must oversee the system, and how it must be monitored.
In the Veridio AI Governance Framework, this is domain D1, which contains seven principles covering inventory completeness, ownership accountability, risk classification, intended use documentation, system boundaries, third-party AI cataloguing, and lifecycle status tracking. Without scoring well on D1, most other domains cannot meaningfully score above baseline because they apply to a population that has not been defined.
Common questions about system visibility & classification
What counts as an "AI system" for governance purposes?
Any system that produces outputs (decisions, predictions, recommendations, content, classifications) influencing real-world actions and that uses machine learning, large language models, statistical inference, or rule-based AI. This includes embedded AI in SaaS tools (Copilot, Salesforce Einstein, HubSpot AI), API-accessed models (OpenAI, Anthropic, Bedrock), in-house models, and AI features in third-party platforms.
Why is AI inventory the first step in AI governance?
You cannot govern what you cannot see. Inventory establishes the population of systems to which all other controls apply: risk assessments, transparency, oversight, monitoring. The EU AI Act, ISO/IEC 42001, and NIST AI RMF all assume an organisation can enumerate its AI systems before assessing them.
What does AI risk classification involve?
For each AI system in the inventory, classification records: the intended purpose; the affected population (employees, customers, public); the data categories used; the EU AI Act risk tier (prohibited, high-risk, limited-risk, minimal-risk); applicable sectoral rules; and an internal severity rating. This produces a tiered list that drives proportionate controls.
How often should the AI inventory be updated?
Continuously, with at least quarterly formal review. Mature organisations integrate inventory updates into procurement (every new SaaS contract triggers a classification check) and software development (every model deployment registers automatically). Annual review is the minimum the EU AI Act expects for high-risk systems.
What template helps build an AI system inventory?
The Veridio AI System Register template (T-D1-01) provides a pre-built spreadsheet with 15+ governance fields covering identification, ownership, purpose, risk classification, lifecycle, and regulatory mapping. A free starter version (the AI Inventory Tool) is available at templates.veridio.co.uk/free-inventory-tool.