AI INVENTORY · OUTER SPHERE

Find every AI in the company.
Register it. Classify the risk.

The first compliance question and the first cost question are the same: what AI is actually running here? The outer sphere of the Kosmoy model finds the answer — across systems you run, systems you bought, and agents that live on someone else's platform.

Most large enterprises don’t have a clean inventory of their AI today. Pilots in different business units. Agents on Azure AI Foundry or Bedrock. AI features inside SaaS tools. Developer coding agents. Pilots that quietly went to production. The team responsible for governance is the last to know.

The EU AI Act and ISO/IEC 42001 both make inventory and risk classification the precondition for everything else. Kosmoy starts there. Five registries, one source of truth, internal and external. Plus a risk classification module built on the EC AI Office’s compliance checker (March 2026), customised for the enterprise.

Once the inventory is real, every other layer of the platform has something to govern. Until then, governance is a PDF and a spreadsheet.

AI Systems Registry, Model Registry, Agent Registry and MCP Server Registry feed an EU AI Act risk classification flow.AI Inventory · Outer Radar LayerAI Systems Registry. One source of truth.AI SystemsRegistryOwner and sponsorRisk tierRuntime statusGateway / Capsule linkModelRegistryLLMs and SLMsEmbeddingsFine-tuned modelsApproval stateAgentRegistryInternal agentsExternal platformsRuntime typePermissionsMCP ServerRegistryApproved serversCapabilitiesAccess rulesLogging requirementsEU AI Act risk classification1Qualify2Systeminfo3Operatorrole4Riskclass5ObligationsInventory before monitoring, governance and containment.Every downstream control attaches to an AI System record.

Five registries

One source of truth.

1

AI Use Case Registry

Every AI initiative — idea, pilot, production. Owner, sponsor, business process, autonomy level, data classes, jurisdictions. The record stays alive as the system ships and runs.

2

AI Systems Registry

Systems that integrate one or more AI models — chatbots, RAG systems, custom apps, embedded SaaS AI. Captures the system as a whole, not just its parts.

3

Model Registry

LLMs, SLMs, embedding models, fine-tuned models. Provider, version, deployment mode, approval state, allowed use cases.

4

Agent Registry

Internal and external agents. Agents in Action Capsules. Agents on Azure AI Foundry, Bedrock, and other platforms. Owner, runtime type, status, permissions.

5

MCP Server Registry

Approved MCP servers. Capabilities exposed, access rules, log requirements. Internal MCP servers and public ones.

Inventory covers what you don’t run, too.

For agents you run inside an Action Capsule, you get the full set — inventory, observability, guardrails, routing, kill switch. For agents on someone else’s platform you get inventory and AI Act risk classification, plus basic observability where the upstream platform exposes telemetry. Same dossier. Two depths of control.

Three large columns compare external AI, AI calls governed by the Kosmoy AI Gateway, and runtime control through Action Capsules.One inventory. Three depths of control.From visibility to governance to contained runtime.ExternalKnown, not governedThe upstream platform remains the control point.Inventory and registryRecorded in Kosmoy.EU AI Act risk classificationRisk tier and owner tracked.Cost and usage observabilityPartial, where upstream telemetry exists.GovernedAI Gateway in the pathCalls pass through Kosmoy before they reach models, tools or agents.Everything in ExternalRegistry, risk, cost and usage context.Guardrails on every callPII, toxic, injection, AI Act and custom policies.Budget controlSpend limits and cost-aware routing.Model and tool routingApproved destinations only.Egress control and enforcementThe Gateway becomes the governed exit path.ControlledAction Capsule runtimeThe runtime is contained. The paired Gateway is the only egress.Everything in GovernedSame Gateway policies and evidence trail.Just-in-time credentialsRun-scoped secrets and leases.Live kill switchStop the runtime, not only the request.Compute resource enforcementCPU, memory, GPU, timeout and concurrency.Contained egressModels, MCP, A2A and HTTPS through the paired Gateway.Governed adds the AI Gateway. Controlled adds the Action Capsule around the runtime.

EU AI Act

From qualification to obligations.

The risk classification module sits on top of the registries. Qualification → System info → Operator role → Risk class → Obligations. Built on the structure of the EC AI Office compliance checker, customised for the enterprise.

See the AI Act module

Module questions, answered straight.

Why is inventory the outermost sphere?

Because you can't observe, govern, or contain what you don't know exists. The AI Act and ISO/IEC 42001 both put inventory and risk classification first.

Does Kosmoy actually find AI we don't know about?

Kosmoy doesn't auto-discover AI on third-party platforms. What it does is give every team — IT, business unit owners, vendor managers — one form to register what they're building or using, and then it links those records to runtime evidence as the system operates. The discovery work is human; the consolidation is automated.

Can we import an existing AI inventory spreadsheet?

Yes. CSV import is supported on the Use Case Registry and the AI Systems Registry. Field mapping is configurable.

How does external-agent inventory stay in sync?

The Agent Registry has connectors that pull agent metadata from supported external platforms (Azure AI Foundry, Bedrock; more added over time). Inventory stays in sync within the limits of what those platforms expose. For platforms with no API, agents are entered manually and tagged accordingly.

Does the inventory satisfy ISO/IEC 42001?

ISO/IEC 42001 requires an organisation to maintain an inventory of AI systems, document their purpose and risk, and operate a management system around them. Kosmoy provides the registry, the risk classification, and the operational evidence. The organisation still owns the management system itself — Kosmoy supplies the substrate.

Related modules

See the AI Inventory in action.

Walk through the five registries and the AI Act risk classification module with someone who built them.

Book a demoEmail sales@kosmoy.com