Single source of truth for every AI asset in the company — built or bought, internally orchestrated or vendor-embedded.
You cannot govern what you cannot see. Every source article makes this point.
15.1 Registry schema
| Field | Type | Notes |
|---|---|---|
| Agent name | text | Human-readable |
| Agent ID | text | Stable slug |
| Source | enum | Internally built / Vendor-embedded / Hybrid |
| Vendor | text | If vendor-embedded — which SaaS product |
| Owner | person | Department Champion |
| Department | enum | Sales / Finance / HR / Ops / etc. |
| Status | enum | Idea / Intake / Approved / Build / Pilot / Production / Retired |
| Risk tier | enum | Low / Medium / High |
| Risk driver — PII | boolean | |
| Risk driver — Consequential decision | boolean | |
| Risk driver — Autonomous | boolean | |
| Jurisdictional exposure | multi-enum | EU / US state / Canada / UK / etc. |
| Autonomy stage | enum | Assistive / Validated / Autonomous |
| Approved by | person + date | Last approval |
| Platform | enum | n8n / LangGraph / vendor / etc. |
| LLM(s) used | text | With versions |
| Monthly cost (est.) | number | API + infra + observability |
| ROI metric | text | "20 hrs/week saved" / "12% conversion lift" / etc. |
| Last reviewed | date | Quarterly minimum |
| Source repo link | URL | For internally built |
| Monitoring link | URL | Dashboard |
| Audit log location | URL | For Medium/High |
| Notes | text | Free-form |
15.2 Vendor-embedded AI is in scope
AI features inside the SaaS tools we already use (CRM, ERP, ticketing, doc tools, email, code copilots, recording tools, HR systems) are the largest single source of shadow AI. They ship via auto-update, often silently.
Operating rules:
- Catalog every SaaS app with AI features quarterly.
- Tag each one on the three risk drivers (§10.2).
- Treat AI inside vendor tools the same as internally built agents — same Agent Card shape, same risk tier, same approval path before "turn on the AI feature" is approved for a department.
- Refresh quarterly. Vendors ship new AI features regularly without telling customers.
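A validator for registry rows, added here as an example (it is not part of the playbook or any existing tooling), encoding the enums and the conditional requirements from the Notes column of the §15.1 schema and applying them unchanged to a vendor-embedded row, as §15.2 requires. The snake_case field names, the 90-day reading of "quarterly minimum" and the sample rows are assumptions.

```python
from datetime import date, timedelta

# Enumerations copied from the registry schema (section 15.1).
ENUMS = {
    "source": {"Internally built", "Vendor-embedded", "Hybrid"},
    "status": {"Idea", "Intake", "Approved", "Build", "Pilot", "Production", "Retired"},
    "risk_tier": {"Low", "Medium", "High"},
    "autonomy_stage": {"Assistive", "Validated", "Autonomous"},
}
REVIEW_INTERVAL = timedelta(days=90)  # assumption: "quarterly minimum" read as 90 days

def validate_entry(entry, today):
    """Return the list of findings for one registry row; an empty list means it passes."""
    findings = []
    for field, allowed in ENUMS.items():
        if entry.get(field) not in allowed:
            findings.append(f"{field}: {entry.get(field)!r} not one of {sorted(allowed)}")
    for field in ("agent_id", "owner", "department"):
        if not entry.get(field):
            findings.append(f"{field}: missing")
    # Conditional requirements taken from the Notes column of the schema.
    if entry.get("source") in ("Vendor-embedded", "Hybrid") and not entry.get("vendor"):
        findings.append("vendor: required when the AI is vendor-embedded")
    if entry.get("source") in ("Internally built", "Hybrid") and not entry.get("source_repo_link"):
        findings.append("source_repo_link: required for internally built agents")
    if entry.get("risk_tier") in ("Medium", "High") and not entry.get("audit_log_location"):
        findings.append("audit_log_location: required for Medium/High risk tier")
    last = entry.get("last_reviewed")
    if last is None or today - last > REVIEW_INTERVAL:
        findings.append("last_reviewed: overdue (quarterly minimum)")
    return findings

def audit_registry(entries, today):
    # Map each agent_id to its findings so the Department Champion sees what blocks approval.
    return {e["agent_id"]: validate_entry(e, today) for e in entries}

# Constructed sample rows (not real assets); URLs are placeholders.
SAMPLE_REGISTRY = [
    {"agent_id": "crm-email-drafter", "source": "Vendor-embedded", "vendor": "CRM (placeholder)",
     "owner": "Sales Champion", "department": "Sales", "status": "Production",
     "risk_tier": "Medium", "autonomy_stage": "Assistive", "last_reviewed": date(2025, 1, 15)},
    {"agent_id": "invoice-triage", "source": "Internally built", "owner": "Finance Champion",
     "department": "Finance", "status": "Pilot", "risk_tier": "High", "autonomy_stage": "Validated",
     "source_repo_link": "https://example.invalid/repo", "last_reviewed": date(2025, 6, 1),
     "audit_log_location": "https://example.invalid/audit"},
]
AUDIT_DATE = date(2025, 6, 30)  # constructed "today" so the staleness check is deterministic

if __name__ == "__main__":
    for agent_id, findings in audit_registry(SAMPLE_REGISTRY, AUDIT_DATE).items():
        print(agent_id, "OK" if not findings else findings)
```

Run against the sample rows, the vendor-embedded CRM feature is flagged for a missing audit log location and an overdue review, while the internally built agent passes.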