Governance without a register is governance on faith

Most businesses that have started thinking about AI governance have a policy of some kind. Far fewer have an AI Register — the document that records what AI tools the business actually uses, what they're used for, who approved them, and what risks they present.

Without a register, your governance is theoretical. You have rules, but no reliable way to know whether those rules apply to what your team is actually doing. An AI Register bridges that gap. It's the document that makes your governance real.

What an AI Register should contain

The specific format will vary by business size and complexity, but every AI Register should capture the following for each AI tool in use:

  • Tool name and vendor. Include the specific product version or tier (enterprise vs consumer).
  • Approved uses. What tasks is this tool approved for? What is it explicitly not approved for?
  • Data classification. What types of data may be entered into this tool? Is personal information permitted? Health information? Legally privileged material?
  • Vendor details. Where is the vendor located? Where are the servers? Is there a data processing agreement in place?
  • Risk rating. A simple low/medium/high rating based on the sensitivity of data processed and the consequences of a failure.
  • Approval date and approving officer. Who assessed and approved this tool, and when?
  • Review date. When will this entry be reviewed? Vendor terms change, tools evolve, and a register that isn't regularly reviewed becomes inaccurate.

The register should also include a log of AI-related incidents — even minor ones — and vendor assessment records.

Why a stale register is worse than none

An AI Register that hasn't been updated in 12 months is not just useless — it's actively misleading. It creates a false impression that governance is in place when it isn't. Worse, if something goes wrong and the OAIC investigates, a stale register that doesn't reflect actual tool use suggests that governance processes aren't being followed, which is harder to explain than no formal register at all.

Build a review cadence into the register itself. Quarterly reviews are appropriate for most SMEs. At each review, check whether new tools have been adopted, whether existing tools have changed their terms, and whether any incidents have occurred that should be logged.

Practical tip: The AI Register works best as a living document that staff can consult, not a static file that lives in a folder no one opens. Consider maintaining it in a shared location — a shared drive, your project management tool, or a simple spreadsheet — that anyone in the team can access and update.

The register as incident response infrastructure

One of the most practical uses of an AI Register is in incident response. When something goes wrong involving an AI tool, the first questions you need to answer are: which vendor is involved, what data did we share with them, is there a DPA, and who do we contact?

If your AI Register is accurate and up to date, these questions take minutes to answer. If it isn't, they can take hours — during which the 30-day NDB assessment clock is running.
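The register fields listed above, the quarterly review cadence, and the incident-response lookup can all be expressed in a small script. The following is an added example written for this page, not a tool the page or any vendor provides. It assumes a 90-day review interval as the meaning of "quarterly", a fixed set of field names for each entry, and two register entries that are constructed purely as sample data (the vendors, tools and dates are invented):

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: "quarterly" review cadence is treated as 90 days.
REVIEW_INTERVAL = timedelta(days=90)
RISK_RATINGS = {"low", "medium", "high"}


@dataclass
class RegisterEntry:
    """One row of the AI Register, mirroring the fields the page lists."""
    tool: str
    vendor: str
    tier: str                       # e.g. "enterprise" or "consumer"
    approved_uses: list[str]
    prohibited_uses: list[str]
    permitted_data: list[str]       # data classes allowed, e.g. "public", "personal"
    vendor_location: str
    server_location: str
    dpa_in_place: bool
    risk: str                       # low / medium / high
    approved_by: str
    approved_on: date
    last_reviewed: date
    vendor_contact: str = ""
    incidents: list[str] = field(default_factory=list)


def validate(entry: RegisterEntry) -> list[str]:
    """Return the gaps in one entry; an empty list means the entry is complete.
    A gap is recorded rather than hidden, which is the accountability the page wants."""
    problems = []
    if entry.risk not in RISK_RATINGS:
        problems.append(f"{entry.tool}: risk rating must be low/medium/high")
    if not entry.dpa_in_place:
        problems.append(f"{entry.tool}: no data processing agreement on file")
    if not entry.approved_uses:
        problems.append(f"{entry.tool}: no approved uses recorded")
    if not entry.vendor_contact:
        problems.append(f"{entry.tool}: no vendor contact for incident response")
    return problems


def overdue_reviews(register: list[RegisterEntry], today: date,
                    interval: timedelta = REVIEW_INTERVAL) -> list[str]:
    """Tools whose last review is older than the review interval (a stale register)."""
    return [e.tool for e in register if today - e.last_reviewed > interval]


def is_permitted(entry: RegisterEntry, use: str, data_class: str) -> bool:
    """Does the register allow this use with this class of data?
    Prohibited uses win over approved uses; the data class must be listed."""
    use, data_class = use.lower(), data_class.lower()
    if use in (u.lower() for u in entry.prohibited_uses):
        return False
    if use not in (u.lower() for u in entry.approved_uses):
        return False
    return data_class in (d.lower() for d in entry.permitted_data)


def incident_lookup(register: list[RegisterEntry], tool_name: str):
    """Answer the first incident-response questions: vendor, data shared, DPA, contact."""
    for e in register:
        if e.tool.lower() == tool_name.lower():
            return {
                "vendor": e.vendor,
                "data_shared": list(e.permitted_data),
                "dpa": e.dpa_in_place,
                "contact": e.vendor_contact or "UNKNOWN - gap in register",
                "prior_incidents": list(e.incidents),
            }
    return None  # tool not in register: itself a governance finding


# Constructed sample register; names, dates and vendors are invented for illustration.
SAMPLE_REGISTER = [
    RegisterEntry(
        tool="Example Chat Assistant", vendor="ExampleVendor Pty Ltd", tier="enterprise",
        approved_uses=["drafting marketing copy", "summarising public reports"],
        prohibited_uses=["summarising client files"],
        permitted_data=["public", "internal"],
        vendor_location="Australia", server_location="Australia", dpa_in_place=True,
        risk="low", approved_by="Operations Manager", approved_on=date(2024, 2, 1),
        last_reviewed=date(2024, 5, 1), vendor_contact="privacy@example-vendor.invalid",
    ),
    RegisterEntry(
        tool="Example Transcriber", vendor="Example Transcribe Inc", tier="consumer",
        approved_uses=["transcribing internal meetings"], prohibited_uses=[],
        permitted_data=["internal"],
        vendor_location="United States", server_location="Unknown", dpa_in_place=False,
        risk="medium", approved_by="Office Manager", approved_on=date(2023, 11, 15),
        last_reviewed=date(2023, 11, 15), vendor_contact="support@example-transcribe.invalid",
    ),
]


def governance_report(register: list[RegisterEntry], today: date) -> dict:
    """Everything a quarterly review should surface, in one structure."""
    return {
        "overdue": overdue_reviews(register, today),
        "gaps": [p for e in register for p in validate(e)],
    }


if __name__ == "__main__":
    print(governance_report(SAMPLE_REGISTER, date(2024, 6, 1)))
    print(incident_lookup(SAMPLE_REGISTER, "example transcriber"))
```

Running the report at the review date flags the consumer-tier transcriber as overdue and records its missing data processing agreement as a gap, while the incident lookup for that tool returns the vendor, the data classes shared with it, and the DPA status in one call.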

Getting started

If you don't currently have an AI Register, start by listing every AI tool your team uses — including tools that were adopted informally, without formal approval. This initial audit will almost always surface tools that weren't known to leadership and uses that weren't anticipated by your policy.

Then work through each tool against the fields above. For tools that can't be assessed — because the vendor won't answer questions about data handling, or because no enterprise terms are available — the register entry itself documents the gap. That's valuable: it creates accountability for closing it.
