[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article_59540":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":7,"nbDownloads":11,"excerpt":12,"lang":13,"url":14,"intro":8,"featured":4,"state":15,"author":16,"authorId":17,"datePublication":21,"dateCreation":22,"dateUpdate":23,"mainCategory":24,"categories":40,"metaDatas":87,"imageUrl":88,"imageThumbUrls":89,"id":97},false,"Imagine a company deploying dozens of AI projects simultaneously: predictive models, intelligent chatbots, recommendation systems... A year later, some projects have progressed, others remain in the pilot stage, and a few have been forgotten.In the meantime, teams have changed, regulations have tightened... and an external audit is knocking at your door.\r\n\r\nThis is precisely where **AI system mapping** comes into play: a crucial step for governing, securing, and mastering the use of artificial intelligence within your organization.\r\n\r\nWhile the GDPR mandated the maintenance of a **record of personal data processing** in 2018, the **AI Act** now encourages organizations to adopt a similar logic for their **AI systems**. Though not always mandatory, this practice is expected to become **central in demonstrating compliance, managing risks, and governing AI responsibly**.\r\n\r\n---\r\n\r\n## Regulatory framework: the AI Act\r\n\r\nThe **European regulation on artificial intelligence (AI Act)** was definitively adopted in 2024. It will gradually come into effect between 2025 and 2026. This regulation creates a **typology of AI systems based on their risk level**, with tailored obligations:\r\n\r\n- **Unacceptable risk**: prohibited systems (e.g., cognitive manipulation, social scoring).\r\n\r\n- **High risk**: systems subject to documentation, risk management, transparency, and registration in a European database (e.g., recruitment, HR management, or credit systems).\r\n\r\n- **Limited risk**: enhanced transparency obligations (e.g., generative AI, chatbots).\r\n\r\n- **Minimal risk**: no direct regulatory obligations, but best practices encouraged.\r\n\r\n> Thus, for high-risk systems, the **maintenance of a formal registry** becomes a **legal obligation**. Beyond this requirement, the **registry of AI systems brings clear benefits for all types of organizations and all risk levels.**\r\n>\r\n> Want to grasp the AI Act quickly? [Here are the key points you need to know.](https://www.dastra.eu/en/article/ai-act-key-points-of-the-regulation-at-a-glance/59538)\r\n\r\n---\r\n\r\n## Why keep a record of AI Systems?\r\n\r\n### 1. **Map Uses and Detect Blind Spots**\r\n\r\nAI systems are often deployed in a fragmented manner across business departments: task automation, data scoring, natural language processing, generative AI...\r\n\r\nA record allows for **centralizing and cataloging all used systems**, including those introduced without supervision.\r\n\r\n👉 This prevents overlooking a **risky use**, sometimes deployed without legal consultation.\r\n\r\n---\r\n\r\n### 2. **Assess risks and anticipate regulatory obligations**\r\n\r\nDocumenting the systems allows for **evaluating their risk level under the AI Act**, as well as under the GDPR, consumer law, or internal ethical principles.\r\n\r\nMapping helps identify:\r\n\r\n- systems with a **high risk** (e.g., those impacting individual rights or critical business processes),\r\n\r\n- areas requiring additional resources, supervision, or in-depth audits.\r\n\r\n> **Example**: An AI system used in HR for performance evaluation carries more legal and ethical risks than a tool intended to automate B2B emails.\r\n\r\n👉 This is the first step towards **proactive compliance**: implementation of DPIAs, robustness tests, bias audits, transparency obligations.\r\n\r\n---\r\n\r\n### 3. **Enhance transparency and accountability**\r\n\r\nMaintaining a registry helps to **ensure traceability of automated decisions**, the models used, data sources, and human oversight mechanisms. This serves two objectives:\r\n\r\n- **Internal**: informing teams, transparency between management.\r\n\r\n- **External**: demonstrating that AI is used in a fair, explainable, and controlled manner.\r\n\r\n---\r\n\r\n### 4. **Prepare for audits and controls**\r\n\r\nNational authorities will have **increased control powers**. Being able to present a **structured, up-to-date registry consistent with the GDPR processing record** will be a sign of maturity and diligence.\r\n\r\n---\r\n\r\n### 5. **Connect AI governance and data dovernance**\r\n\r\nAIs consume data in all its forms. Keeping a record allows you to **link AI systems to associated data processing**, thus:\r\n\r\n- Ensuring consistency between the two records.\r\n\r\n- Identifying automated decisions subject to Article 22 of the GDPR.\r\n\r\n- Simplifying the traceability of purposes, legal grounds, and retention periods.\r\n\r\n---\r\n\r\n## How to maintain a good record of AI Systems?\r\n\r\n**Scope**: include all areas, thus all tools used by employees, customer interactions, as well as third-party platforms integrating AI.\r\n\r\n**Organization**: undertake the exercise in partnership with all relevant stakeholders: data, IT, business, compliance, legal teams, but also at the group level, subsidiaries, and local entities.\r\n\r\n> Want a quick overview of the key elements of an AI system record? \r\n>\r\n> {% button href=\"https://www.dastra.eu/en/article/ai-act-key-questions-for-your-ai-systems-registry/59553\" text=\"Click here\" target=\"\\_blank\" role=\"button\" class=\"btn btn-primary\" %}\r\n\r\n### 🔄 Organizational best practices:\r\n\r\n- Update the record **with each system change** or purpose alteration.\r\n\r\n- Make it **accessible to internal stakeholders** (legal, IT, business, ethics…).\r\n\r\n- Add the record to the procedure followed when registering new AI systems from the design stage.\r\n\r\n- Align the AI record with the **GDPR ROPA (record of processing acitivites)**.\r\n\r\n---\r\n\r\n## Dastra:\r\n\r\nDastra offers a **dedicated feature for the record of AI systems**, designed to meet the requirements of the GDPR, AI Act, and international best practices. It enables you to:\r\n\r\n- **Catalog all AI systems** in just a few clicks.\r\n\r\n- **Automatically assess their risk level**.\r\n\r\n- **Link each system to a data processing** or an external supplier.\r\n\r\n- **Centralize documentation**: DPIA, technical documentation, logs, validations.\r\n\r\n- **Export or archive the record** in case of an audit.\r\n\r\n## In a nutshell\r\n\r\nMaintaining a record of AI systems is no longer an option reserved for large organizations or the most sensitive cases. **It is an essential governance practice**, in line with new regulatory and ethical requirements.\r\n\r\nBy anticipating the obligations of the AI Act, aligning AI with GDPR, and adopting a structured approach with the right tools, **you enhance transparency, accountability, and trust** in your AI use cases.\r\n\r\n---\r\n\r\nCheck out the next article in this “AI Series”:","\u003Cp>Imagine a company deploying dozens of AI projects simultaneously: predictive models, intelligent chatbots, recommendation systems... A year later, some projects have progressed, others remain in the pilot stage, and a few have been forgotten.\u003Cbr />\r\n\u003Cbr />\r\nIn the meantime, teams have changed, regulations have tightened... and an external audit is knocking at your door.\u003C/p>\r\n\u003Cp>This is precisely where \u003Cstrong>AI system mapping\u003C/strong> comes into play: a crucial step for governing, securing, and mastering the use of artificial intelligence within your organization.\u003C/p>\r\n\u003Cp>While the GDPR mandated the maintenance of a \u003Cstrong>record of personal data processing\u003C/strong> in 2018, the \u003Cstrong>AI Act\u003C/strong> now encourages organizations to adopt a similar logic for their \u003Cstrong>AI systems\u003C/strong>. Though not always mandatory, this practice is expected to become \u003Cstrong>central in demonstrating compliance, managing risks, and governing AI responsibly\u003C/strong>.\u003C/p>\r\n\u003Chr />\r\n\u003Ch2 id=\"regulatory-framework-the-ai-act\">Regulatory framework: the AI Act\u003C/h2>\r\n\u003Cp>The \u003Cstrong>European regulation on artificial intelligence (AI Act)\u003C/strong> was definitively adopted in 2024. It will gradually come into effect between 2025 and 2026. This regulation creates a \u003Cstrong>typology of AI systems based on their risk level\u003C/strong>, with tailored obligations:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Unacceptable risk\u003C/strong>: prohibited systems (e.g., cognitive manipulation, social scoring).\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>High risk\u003C/strong>: systems subject to documentation, risk management, transparency, and registration in a European database (e.g., recruitment, HR management, or credit systems).\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Limited risk\u003C/strong>: enhanced transparency obligations (e.g., generative AI, chatbots).\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Minimal risk\u003C/strong>: no direct regulatory obligations, but best practices encouraged.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>Thus, for high-risk systems, the \u003Cstrong>maintenance of a formal registry\u003C/strong> becomes a \u003Cstrong>legal obligation\u003C/strong>. Beyond this requirement, the \u003Cstrong>registry of AI systems brings clear benefits for all types of organizations and all risk levels.\u003C/strong>\u003C/p>\r\n\u003Cp>Want to grasp the AI Act quickly? \u003Ca href=\"https://www.dastra.eu/en/article/ai-act-key-points-of-the-regulation-at-a-glance/59538\">Here are the key points you need to know.\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Chr />\r\n\u003Ch2 id=\"why-keep-a-record-of-ai-systems\">Why keep a record of AI Systems?\u003C/h2>\r\n\u003Ch3 id=\"map-uses-and-detect-blind-spots\">1. \u003Cstrong>Map Uses and Detect Blind Spots\u003C/strong>\u003C/h3>\r\n\u003Cp>AI systems are often deployed in a fragmented manner across business departments: task automation, data scoring, natural language processing, generative AI...\u003C/p>\r\n\u003Cp>A record allows for \u003Cstrong>centralizing and cataloging all used systems\u003C/strong>, including those introduced without supervision.\u003C/p>\r\n\u003Cp>👉 This prevents overlooking a \u003Cstrong>risky use\u003C/strong>, sometimes deployed without legal consultation.\u003C/p>\r\n\u003Chr />\r\n\u003Ch3 id=\"assess-risks-and-anticipate-regulatory-obligations\">2. \u003Cstrong>Assess risks and anticipate regulatory obligations\u003C/strong>\u003C/h3>\r\n\u003Cp>Documenting the systems allows for \u003Cstrong>evaluating their risk level under the AI Act\u003C/strong>, as well as under the GDPR, consumer law, or internal ethical principles.\u003C/p>\r\n\u003Cp>Mapping helps identify:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>systems with a \u003Cstrong>high risk\u003C/strong> (e.g., those impacting individual rights or critical business processes),\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>areas requiring additional resources, supervision, or in-depth audits.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Example\u003C/strong>: An AI system used in HR for performance evaluation carries more legal and ethical risks than a tool intended to automate B2B emails.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>👉 This is the first step towards \u003Cstrong>proactive compliance\u003C/strong>: implementation of DPIAs, robustness tests, bias audits, transparency obligations.\u003C/p>\r\n\u003Chr />\r\n\u003Ch3 id=\"enhance-transparency-and-accountability\">3. \u003Cstrong>Enhance transparency and accountability\u003C/strong>\u003C/h3>\r\n\u003Cp>Maintaining a registry helps to \u003Cstrong>ensure traceability of automated decisions\u003C/strong>, the models used, data sources, and human oversight mechanisms. This serves two objectives:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Internal\u003C/strong>: informing teams, transparency between management.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>External\u003C/strong>: demonstrating that AI is used in a fair, explainable, and controlled manner.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Chr />\r\n\u003Ch3 id=\"prepare-for-audits-and-controls\">4. \u003Cstrong>Prepare for audits and controls\u003C/strong>\u003C/h3>\r\n\u003Cp>National authorities will have \u003Cstrong>increased control powers\u003C/strong>. Being able to present a \u003Cstrong>structured, up-to-date registry consistent with the GDPR processing record\u003C/strong> will be a sign of maturity and diligence.\u003C/p>\r\n\u003Chr />\r\n\u003Ch3 id=\"connect-ai-governance-and-data-dovernance\">5. \u003Cstrong>Connect AI governance and data dovernance\u003C/strong>\u003C/h3>\r\n\u003Cp>AIs consume data in all its forms. Keeping a record allows you to \u003Cstrong>link AI systems to associated data processing\u003C/strong>, thus:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>Ensuring consistency between the two records.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Identifying automated decisions subject to Article 22 of the GDPR.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Simplifying the traceability of purposes, legal grounds, and retention periods.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Chr />\r\n\u003Ch2 id=\"how-to-maintain-a-good-record-of-ai-systems\">How to maintain a good record of AI Systems?\u003C/h2>\r\n\u003Cp>\u003Cstrong>Scope\u003C/strong>: include all areas, thus all tools used by employees, customer interactions, as well as third-party platforms integrating AI.\u003C/p>\r\n\u003Cp>\u003Cstrong>Organization\u003C/strong>: undertake the exercise in partnership with all relevant stakeholders: data, IT, business, compliance, legal teams, but also at the group level, subsidiaries, and local entities.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>Want a quick overview of the key elements of an AI system record?\u003C/p>\r\n\u003Cdiv class=\"content-btn-container\">\u003Ca href=\"https://www.dastra.eu/en/article/ai-act-key-questions-for-your-ai-systems-registry/59553\" target=\"_blank\" role=\"button\" class=\"btn btn-primary\">Click here\u003C/a>\u003C/div>\r\n\u003C/blockquote>\r\n\u003Ch3 id=\"organizational-best-practices\">🔄 Organizational best practices:\u003C/h3>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>Update the record \u003Cstrong>with each system change\u003C/strong> or purpose alteration.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Make it \u003Cstrong>accessible to internal stakeholders\u003C/strong> (legal, IT, business, ethics…).\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Add the record to the procedure followed when registering new AI systems from the design stage.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Align the AI record with the \u003Cstrong>GDPR ROPA (record of processing acitivites)\u003C/strong>.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Chr />\r\n\u003Ch2 id=\"dastra\">Dastra:\u003C/h2>\r\n\u003Cp>Dastra offers a \u003Cstrong>dedicated feature for the record of AI systems\u003C/strong>, designed to meet the requirements of the GDPR, AI Act, and international best practices. It enables you to:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Catalog all AI systems\u003C/strong> in just a few clicks.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Automatically assess their risk level\u003C/strong>.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Link each system to a data processing\u003C/strong> or an external supplier.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Centralize documentation\u003C/strong>: DPIA, technical documentation, logs, validations.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Export or archive the record\u003C/strong> in case of an audit.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Ch2 id=\"in-a-nutshell\">In a nutshell\u003C/h2>\r\n\u003Cp>Maintaining a record of AI systems is no longer an option reserved for large organizations or the most sensitive cases. \u003Cstrong>It is an essential governance practice\u003C/strong>, in line with new regulatory and ethical requirements.\u003C/p>\r\n\u003Cp>By anticipating the obligations of the AI Act, aligning AI with GDPR, and adopting a structured approach with the right tools, \u003Cstrong>you enhance transparency, accountability, and trust\u003C/strong> in your AI use cases.\u003C/p>\r\n\u003Chr />\r\n\u003Cp>Check out the next article in this “AI Series”:\u003C/p>\r\n","Why mapping AI Systems is key","Mapping your AI systems: a strategic step for compliance, transparency, and responsible governance.",896,5,0,null,"en","why-mapping-ai-systems-is-key","Published",{"id":17,"displayName":18,"avatarUrl":19,"bio":12,"blogUrl":12,"color":12,"userId":17,"creationDate":20},20352,"Leïla Sayssa","https://static.dastra.eu/tenant-3/avatar/20352/TDYeY3C8Rz1lLE/dpo-avatar-h01-150.png","2025-03-03T11:08:22","2025-08-25T10:34:00","2025-08-25T10:34:31.7560198","2025-09-01T13:09:35.6513743",{"id":25,"name":26,"description":27,"url":28,"color":29,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":30},2,"Blog","A list of curated articles provided by the community","article","#28449a",[31,34,37],{"lang":32,"name":26,"description":33},"fr","Une liste d'articles rédigés par la communauté",{"lang":35,"name":26,"description":36},"es","Una lista de artículos escritos por la comunidad",{"lang":38,"name":26,"description":39},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[41,46,67],{"id":25,"name":26,"description":27,"url":28,"color":29,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":42},[43,44,45],{"lang":32,"name":26,"description":33},{"lang":35,"name":26,"description":36},{"lang":38,"name":26,"description":39},{"id":47,"name":48,"description":49,"url":50,"color":51,"parentId":25,"count":12,"imageUrl":12,"parent":52,"order":11,"translations":57},9,"News","Stay up to date with the latest news from data protection authorities: decisions, fines, guidelines, and regulatory trends in GDPR and privacy.","news","#1676ca",{"id":25,"name":26,"description":27,"url":28,"color":29,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":53},[54,55,56],{"lang":32,"name":26,"description":33},{"lang":35,"name":26,"description":36},{"lang":38,"name":26,"description":39},[58,61,64],{"lang":32,"name":59,"description":60},"Actualités","Suivez les dernières actualités des autorités de protection des données (CNIL, EDPS, etc.) : décisions, sanctions, lignes directrices et tendances réglementaires en matière de RGPD et de privacy.",{"lang":35,"name":62,"description":63},"Actualidad","Todos los artículos relativos a las autoridades de protección de datos",{"lang":38,"name":65,"description":66},"Nachrichten","Alle Artikel mit Bezug zu Datenschutzbehörden",{"id":68,"name":69,"description":70,"url":71,"color":72,"parentId":25,"count":12,"imageUrl":12,"parent":73,"order":10,"translations":78},69,"Expertise","Gain insights from our experts on GDPR compliance, data protection, and privacy challenges. In-depth articles, professional analysis, and real-world best practices.","indepth","#000000",{"id":25,"name":26,"description":27,"url":28,"color":29,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":74},[75,76,77],{"lang":32,"name":26,"description":33},{"lang":35,"name":26,"description":36},{"lang":38,"name":26,"description":39},[79,81,84],{"lang":32,"name":69,"description":80},"Bénéficiez des conseils de nos experts sur la conformité RGPD, la protection des données et les enjeux privacy. Articles de fond, analyses et retours d’expérience métier.",{"lang":38,"name":82,"description":83},"Fachwissen","Entdecken Sie die Artikel unserer DSGVO-Experten",{"lang":35,"name":85,"description":86},"Experiencia","Descubre los artículos de nuestros expertos en Privacy",[],"https://static.dastra.eu/content/391851fb-a4d1-486f-a407-b667395480ad/visuel-article-27-original.jpg",[90,91,92,93,94,95,96],"https://static.dastra.eu/content/391851fb-a4d1-486f-a407-b667395480ad/visuel-article-27-1000.webp","https://static.dastra.eu/content/391851fb-a4d1-486f-a407-b667395480ad/visuel-article-27.webp","https://static.dastra.eu/content/391851fb-a4d1-486f-a407-b667395480ad/visuel-article-27-1500.webp","https://static.dastra.eu/content/391851fb-a4d1-486f-a407-b667395480ad/visuel-article-27-800.webp","https://static.dastra.eu/content/391851fb-a4d1-486f-a407-b667395480ad/visuel-article-27-600.webp","https://static.dastra.eu/content/391851fb-a4d1-486f-a407-b667395480ad/visuel-article-27-300.webp","https://static.dastra.eu/content/391851fb-a4d1-486f-a407-b667395480ad/visuel-article-27-100.webp",59540]