Registry & Discovery
The Registry is your standing inventory of AI systems. Discovery is how you find AI that is in use but not yet registered, so the inventory stays honest.
The Registry
Section titled “The Registry”The Registry holds every AI system the organisation governs. Each record is structured, with the fields governance and audit actually need:
- Identity and ownership: name, system ID, version, owner, owner email, department, and a responsible-AI contact.
- Nature of the system: AI technique, model type, autonomy level, human-oversight model, vendor, deployment type and environment.
- Data and exposure: data classification, personal-data involvement and detail, data sources, users and affected persons, geographies and regulatory exposure.
- Governance state: risk tier, conformity status, registration status, ACRS score, and review dates (deployment, last review, next review).
- Lifecycle stage: from
developmentthrough in-use to retired.
The Registry is the anchor of the platform: assessments, evidence, findings, model cards and reports all attach to a registry record. See Register your first AI system for the steps.
Discovery
Section titled “Discovery”The hardest part of AI governance is knowing what exists. Discovery is a governed pipeline for surfacing AI systems, GenAI tools and emerging agentic workflows that are in use but not yet registered. It is built from four connected object types:
| Object | What it is |
|---|---|
| Sources | Where signals come from: connector-based collectors or manual imports, with a cadence, owner and run history. |
| Rules | Normalisation rules that map raw signals to a canonical app and vendor by domain or pattern, and tag sanction status and risk level. |
| Candidates | Suspected AI in use, each with a signal type, a detector, a confidence level, guessed owner/vendor/environment, and a review decision. |
| Artifacts | The underlying evidence (usage signals, code references, endpoints, model references) with a fingerprint and a reconciliation status. |
A discovery run executes a source, produces candidates and artifacts, and records a summary
and count. Candidates move through a review (new to a decision), and artifacts carry a
reconciliation status so each piece of evidence is either tied to a known asset or flagged as
unreconciled.
From discovery to registry
Section titled “From discovery to registry”Reviewed candidates are promoted into the Registry, where they go through intake and risk tiering like any other system. Discovery finds the shadow AI; intake classifies and routes it; the Registry holds it. Nothing is governed until it is a registry record, and discovery is how things get there.
Why this matters
Section titled “Why this matters”An inventory that misses systems produces governance that looks complete but is not. Registry and Discovery together give you an inventory you can defend: comprehensive, owned, current, and with a documented trail showing how each system was found and brought under governance.
- Intake & risk tiering: classify and route a promoted system.
- Assessments & control testing: score systems against frameworks.
- Model cards: document the models behind registered systems.