You can't govern what you can't see. Here's how to build an AI initiative inventory that maps every AI tool, owner, and data source across your organization.
Open your laptop. Try to count the AI tools running across your organization right now. Not the ones in the official stack — all of them. The chatbot customer service spun up in March. The model finance uses to flag invoices. The plugin in HR that ranks résumés. The one a manager pays for on a personal card.
Most leaders can’t finish that count. It isn’t because they stopped paying attention. It’s because AI stopped announcing itself.
So before the policies, the committees, and the dashboards, one question comes first: what do we actually have? The answer is an inventory. Everything else in AI governance is built on top of it.
You Can’t Govern What You Can’t See
In 2024, the U.S. Government Accountability Office checked whether federal agencies could even say what AI they were running. The verdict was blunt. Of 20 agencies reviewed, only five had a complete, accurate inventory. The other 15 had incomplete or inaccurate data.
The GAO’s conclusion was just as plain: without accurate inventories, the government’s management of its use of AI will be hindered by incomplete and inaccurate data.
Read that again. These are agencies with budgets, mandates, and oversight. They still couldn’t see their own AI.
The reason is specific to this technology. As the GAO put it, AI systems “pose unique challenges to such oversight because their inputs and operations are not always visible.” A spreadsheet shows its formulas. A model doesn’t. You can’t audit, secure, or assign accountability for something you can’t name.
Why Inventory Comes First — and What the Frameworks Actually Say
This isn’t a ClearPoint opinion. It’s the consensus baked into every serious AI framework.
The NIST AI Risk Management Framework — the reference most U.S. public-sector teams start from, released as NIST AI 100-1 in January 2023 — names it directly. Its GOVERN function lists the outcome in plain words (GOVERN 1.6): “Mechanisms are in place to inventory AI systems and are resourced according to organizational risk priorities.” GOVERN sets the culture, policy, and accountability that the rest of the framework runs on, and an inventory is one of its named outcomes.
Then comes MAP — the function that establishes context and frames risk. NIST is explicit about the order. The outcomes of MAP, it writes, “are the basis for the MEASURE and MANAGE functions.” You map what you have. Then you measure it. Then you manage it. Skip the map and the rest is guesswork — or in NIST’s words, “without contextual knowledge… risk management is difficult to perform.” For the full walkthrough of all four functions, see our strategy-first guide to risk management frameworks.
One honest caveat: NIST calls this iterative, not a rigid checklist, and GOVERN runs through every stage. But the starting point isn’t in dispute. Context comes first, and context starts with a list.
The federal government turned that principle into law. Under Executive Order 13960 and the Advancing American AI Act, agencies must inventory every AI use case at least once a year, then post a public version of it. The current rulebook — OMB Memorandum M-25-21, which in April 2025 replaced the earlier M-24-10 — keeps that mandate, names a Chief AI Officer to own it, and sharpens the risk practices for “high-impact” AI. The effort is working: the 2024 inventory ran past 1,700 use cases across 37 agencies, more than double the roughly 750 reported in 2023. In government, inventory isn’t a nice-to-have. It’s the floor.
Here’s the part we can prove from our own data. An inventory is only as good as the owner attached to each line. And ownership is exactly where most organizations quietly fail.
We watch this play out across the 562 organizations on our platform: 76.5% of the people listed as owners never update what they own. The name is in the system. The accountability isn’t. Now picture that same gap — except the unowned line isn’t a quarterly metric. It’s a model making decisions about residents, patients, or students. The fix starts in the same place: a record, and a person attached to it. (We dug into this pattern in The Phantom Owner Problem.)
What Is Shadow AI — the Half You Didn’t Approve?
Some of your AI was chosen, reviewed, and signed off. Most of it wasn’t.
Shadow AI is any AI tool employees adopt on their own — without IT or governance approval — often feeding sensitive data into public models nobody vetted. It’s the shadow-IT problem, reborn with a far larger blast radius. The scale is not small: IDC found in 2025 that 56% of employees use unauthorized AI tools, while only 23% use AI their organization actually governs. The AI you didn’t authorize is precisely the AI you can’t govern — and in the public sector, that can mean citizen PII in a chatbot, records-retention rules ignored, and no audit trail when someone asks how a decision was made.
A complete inventory is how shadow AI stops being invisible. Done right, it has three traits a spreadsheet usually lacks. It’s mandatory, so nothing is optional. It repeats on a schedule, so it never goes stale. And it never lets a tool quietly vanish — retired systems get marked, not deleted. That last rule is what turns a list into a control. We cover the broader discipline in our complete 2026 guide to AI governance.
What Every Inventory Entry Must Capture
A tool name on a list isn’t an inventory. It’s a rumor. A real entry answers five questions — the same five the federal government now requires of itself.
| What you record | In plain terms | Where it comes from |
|---|---|---|
| A named owner | A person, not a department — plus the responsible office and a point of contact. | OMB M-25-21 (a Chief AI Officer owns the inventory); GAO required data elements. |
| The data it accesses | Sources and origins of the data — and whether any of it leaves your perimeter. | GAO AI Accountability Framework, Data principle 2.1. |
| The decisions it influences | What it outputs: a prediction, a recommendation, or a decision. | Federal AI use-case data dictionary, field 12_outputs. |
| Its risk tier | Rights-impacting, safety-impacting, both, or neither — now grouped as “high-impact AI.” | Federal field 17_impact_type; OMB M-25-21. |
| Its lifecycle status | Pre-deployment, pilot, deployed, or retired — and retired entries stay on the list, marked. | Federal field development_stage / 16_dev_stage. |
Notice what these five have in common. They map cleanly onto NIST’s MAP function — categorize the system, document what it does, name who’s accountable. The federal data dictionary even hands you the field names. You don’t have to invent the schema. You have to fill it in.
How Do You Build an AI Inventory? A Four-Week Sprint
The mistake is trying to build the perfect inventory on day one. You won’t. Start with what you can see, then widen the net. Four weeks is enough to move from “we’re not sure” to a living system. Two patterns hold almost every time we watch a team do this. The audit finds more than the survey ever will. And the tool nobody will put a name on is the one that should worry you most.
Week 1: Survey every department
- □ Send a five-question survey to every department head: list every AI or automation tool your team has tried.
- □ Sit down with your five largest teams for 30 minutes each.
- □ Prompt by category: chatbots, content generators, code assistants, analytics copilots, automation bots.
- □ Capture five things per tool: name, vendor, owner, purpose, data it touches.
Week 2: Audit for shadow AI
- □ Pull SaaS apps from your SSO (Okta, Entra ID) and flag anything AI, GPT, Copilot, or ML.
- □ Review OAuth grants across Microsoft 365 and Google Workspace.
- □ Sweep expense reports for the usual names: ChatGPT, Claude, Perplexity, and the rest.
- □ Cross-reference against Week 1. The gaps are your shadow AI.
Week 3: Classify each tool
- □ Record the data each tool touches and whether it leaves your perimeter.
- □ Tag each one rights-impacting, safety-impacting, both, or neither.
- □ Assign a named owner — a person, never a department.
- □ Flag your highest-impact tools for executive review first.
Week 4: Move from a spreadsheet to a system
- □ Track each AI tool as an initiative with an owner, a risk tier, and a review date.
- □ Review high-impact tools quarterly, the rest once a year.
- □ Build one board-ready view of the whole portfolio.
- □ Gate procurement: no new AI tool gets bought until it’s on the list.
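The cross-reference step in the checklist (SSO apps, OAuth grants and expense lines compared against the survey answers) can be scripted once the exports are in hand. The following is an added example, not code from the original article: the function names, the keyword pattern and the sample rows are assumptions constructed for illustration.

```python
import re

# Keyword hints from the checklist (AI, GPT, Copilot, ML) plus the expense-report
# names it lists. Word boundaries keep "Mailchimp" or "Email" from matching "ai".
AI_HINT = re.compile(r"\b(ai|gpt|copilot|ml|chatgpt|claude|perplexity)\b", re.I)

def normalize(name):
    """Fold case and punctuation so 'Otter.ai' and 'otter.ai' compare equal."""
    return re.sub(r"[^a-z0-9]+", "", name.lower())

def is_surveyed(key, known):
    """Heuristic: 'ChatGPT Team' counts as the surveyed 'ChatGPT'.
    Prefix matches are a starting point and still need a human check."""
    return any(key.startswith(k) or k.startswith(key) for k in known)

def find_shadow_ai(surveyed, discovered):
    """Return {app name: [sources]} for AI-looking apps found in the audit data
    (SSO, OAuth grants, expenses) that nobody reported in the survey."""
    known = {normalize(n) for n in surveyed} - {""}
    gaps = {}  # normalized key -> (first-seen display name, set of sources)
    for source, app in discovered:
        key = normalize(app)
        if not AI_HINT.search(app) or is_surveyed(key, known):
            continue
        gaps.setdefault(key, (app, set()))[1].add(source)
    return {name: sorted(sources) for name, sources in gaps.values()}

# Constructed sample data: survey answers and rows from three audit exports.
SURVEYED = ["ChatGPT", "GitHub Copilot"]
DISCOVERED = [
    ("sso", "ChatGPT Team"),      # reported in the survey under a shorter name
    ("sso", "GitHub Copilot"),    # reported
    ("sso", "Mailchimp"),         # not AI-looking, ignored
    ("oauth", "Otter.ai"),        # unreported
    ("expense", "Perplexity"),    # unreported, paid on a card
    ("expense", "otter.ai"),      # same tool, second source
    ("oauth", "Email Gateway"),   # not AI-looking, ignored
]

if __name__ == "__main__":
    for app, sources in find_shadow_ai(SURVEYED, DISCOVERED).items():
        print(f"unreported AI tool: {app} (seen in: {', '.join(sources)})")
```

A tool that shows up in more than one source is the strongest candidate for a first conversation with its users; keyword matching will miss AI features embedded in products with unrelated names, so the output is a floor, not a full count.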
From Spreadsheet to System of Record
Most inventories start in a spreadsheet. That’s fine for week one. But a spreadsheet doesn’t enforce a review date. It doesn’t flag a stale owner. And it doesn’t produce the board report a regulator will eventually ask for.
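The checks a spreadsheet will not run on its own can be written down in a few lines. This is an added example, not ClearPoint's code or the federal schema: the field names, the staff directory used to spot stale owners, and the sample entries are assumptions, and a quarter is approximated as 91 days.

```python
from dataclasses import dataclass
from datetime import date

# Cadence from the checklist: high-impact tools quarterly, the rest once a year.
HIGH_IMPACT = {"rights-impacting", "safety-impacting", "both"}
TIERS = HIGH_IMPACT | {"neither"}
STAGES = {"pre-deployment", "pilot", "deployed", "retired"}

@dataclass
class Entry:              # illustrative field names, one per required question
    name: str
    owner: str            # a named person, never a department
    data_accessed: str
    outputs: str          # prediction, recommendation, or decision
    impact_type: str
    stage: str
    last_review: date

def findings(entry, today, active_staff):
    """Return the problems for one entry. active_staff is an assumed
    directory export used to catch owners who are not a current person."""
    problems = []
    if entry.owner not in active_staff:
        problems.append("owner is not a current named person")
    if entry.impact_type not in TIERS or entry.stage not in STAGES:
        problems.append("risk tier or lifecycle status not set")
    max_age = 91 if entry.impact_type in HIGH_IMPACT else 365
    if entry.stage != "retired" and (today - entry.last_review).days > max_age:
        problems.append("review overdue")
    return problems

def retire(inventory, name):
    """Retired systems are marked, not deleted, so the record survives."""
    for entry in inventory:
        if entry.name == name:
            entry.stage = "retired"
    return inventory

# Constructed sample inventory.
TODAY = date(2025, 6, 30)
STAFF = {"J. Rivera", "M. Chen"}
INVENTORY = [
    Entry("Resume ranker", "J. Rivera", "applicant records", "recommendation",
          "rights-impacting", "deployed", date(2025, 1, 15)),
    Entry("Invoice flagger", "Finance", "vendor invoices", "prediction",
          "neither", "deployed", date(2025, 1, 15)),
    Entry("Service chatbot", "M. Chen", "public FAQs", "recommendation",
          "neither", "pilot", date(2024, 3, 1)),
]

if __name__ == "__main__":
    for e in INVENTORY:
        print(e.name, findings(e, TODAY, STAFF))
```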
This is where a system of record earns its keep — and it’s how teams use ClearPoint for AI governance. You don’t need a separate “AI module”; you treat each AI tool the way you’d treat any other strategic initiative. Every tool becomes a tracked entry with a named owner, a risk tier, a review cadence, and a live status, all on one scorecard. When a board member asks “what AI are we running, and who owns it?” the answer is one screen and a board-ready report in minutes, not a three-day scramble.
For public-sector teams, that scale is real. The median local-government organization we host runs 18 plans and 136 projects. Add ungoverned AI tools on top of that load, and a spreadsheet stops being a record. A system keeps it honest. If you want to see what that looks like with your own portfolio, request a demo.
What Inventory Makes Possible
Inventory isn’t the finish line. It’s the foundation. Once you can see your AI, everything else opens up: risk assessments, performance metrics, review cadences, incident response, the board update that doesn’t cause a panic. It’s the same discipline that underpins any serious strategic plan — you can’t execute on what you haven’t written down.
Without it, every other move is a guess. You write policy for tools you can’t name. You assign risk to systems you can’t see. You report on performance you never tracked.
Say it plainly: a model in production with no owner isn’t innovation. It’s a liability with a login.
So start where every framework, every auditor, and every new law already starts. Count what you have. Name who owns it. Write it down.
Governance doesn’t begin with a policy. It begins with a list.
Frequently Asked Questions
What is an AI initiative inventory?
An AI initiative inventory is a complete catalog of every AI tool, model, and system in use across an organization. Each entry records a named owner, the data the system accesses, the decisions it influences, a risk tier, and its lifecycle status — the same fields the U.S. federal AI use-case inventory requires.
Why is an AI inventory the first step in AI governance?
You cannot govern what you have not inventoried. The NIST AI Risk Management Framework names inventory as a GOVERN outcome (GOVERN 1.6), and its MAP function — the context the other functions depend on — starts with cataloging your systems. The U.S. GAO found that agencies without accurate inventories could not effectively manage their use of AI.
What is shadow AI, and why does it matter for governance?
Shadow AI is any AI tool employees adopt without IT or governance approval, often feeding sensitive data into public models nobody vetted. IDC found in 2025 that 56% of employees use unauthorized AI tools while only 23% use governed AI. A complete, recurring inventory is how organizations surface shadow AI and bring it under governance — in the public sector, that protects citizen PII, records retention, and the audit trail.
What does each AI inventory entry need to capture?
Five things: a named owner (a person, not a department), the data the tool accesses and whether it leaves your perimeter, the decisions it influences, its risk tier (rights-impacting, safety-impacting, both, or neither), and its lifecycle status. These map to NIST’s MAP function and to the field names in the U.S. federal AI use-case data dictionary.
How long does it take to build an AI inventory?
A focused team can stand up a working inventory in about four weeks: survey every department in week one, audit SSO and procurement logs for shadow AI in week two, classify each tool with the five required fields in week three, and move from a spreadsheet to a system with owners, review dates, and board reporting in week four.





