AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

· SCT-009Medium effortAgent-relevant

AI System Algorithm Register

Design and maintain a standardized register of deployed AI systems — public-facing or internal — that documents each system's purpose, decision scope, risk classification, data inputs, and accountability contacts, meeting emerging algorithmic accountability requirements from the EU AI Act, New York Local Law 144, Amsterdam-model algorithm registers, and equivalent frameworks.

Objective

Enable regulatory compliance with algorithmic transparency obligations, support internal AI governance oversight, and provide affected persons and regulators with structured information about AI systems in organizational use, through a maintained register that is updated at deployment and at material change.

Maturity Levels

1

Initial

The organization does not maintain a structured register of AI systems. An informal AI inventory may exist but it does not meet the documentation standards required by emerging algorithmic accountability frameworks.

2

Developing

An AI inventory exists for internal governance purposes but does not include the public-facing documentation elements required by algorithmic register requirements (purpose disclosure, decision scope, accountability contacts). The inventory is not kept current with deployment and change events.

3

Defined

An algorithm register is maintained with standardized entries for each AI system subject to registration requirements. Each entry includes: system name and purpose, decision types and scope, risk classification, data inputs (categories, not specific data), accountability contact, and last review date. The register is accessible to regulators and, for public-facing AI decisions, to affected persons.

4

Managed

Register entries are created at deployment and updated at material change through the change management process (CHM). The register is reviewed quarterly for completeness. Regulatory-specific register fields (e.g., EU AI Act technical documentation, NYC LL144 bias audit disclosure) are maintained for systems in those jurisdictions. Register entries are cross-referenced to the AI governance committee review record.

5

Optimizing

The algorithm register serves as the authoritative source for AI system inventory across governance, compliance, and communications functions. Register data is used to generate regulatory filings automatically where the format allows. Public register entries are reviewed for accessibility and updated to reflect the most current system configuration. The register is audited annually for completeness and accuracy.

Evidence Requirements

What an auditor or assessor would expect to see for this control.

  • Algorithm register containing standardized entries for all AI systems subject to registration requirements, with entries current as of the most recent deployment or material change.
  • Register maintenance process documentation showing how register updates are triggered at deployment and material change.
  • Regulatory-specific documentation maintained for systems subject to jurisdiction-specific requirements (EU AI Act technical documentation, NYC LL144 bias audit publication).
  • Quarterly register review records confirming completeness review was conducted.
  • Evidence that the register is accessible to regulators and, for systems with public disclosure requirements, to affected persons.

Implementation Notes

Why a register distinct from the AI inventory

The AI system inventory (maintained as part of MGV-002 and related controls) is designed for internal governance: it captures all the information needed to manage the AI system through its lifecycle. An algorithm register is designed for accountability: it captures the information that affected persons, regulators, and the public need to understand how AI is being used in decisions that affect them.

These are related but distinct purposes. The inventory may contain commercially sensitive information, detailed technical configurations, and vendor relationship details that are not appropriate for external disclosure. The algorithm register contains the subset of information that is subject to transparency obligations and needs to be accessible to external audiences.

The algorithm register may be:

  • Internal only: Maintained as a governance document, accessible to regulators on request and to affected persons through the redress mechanism
  • Partially public: Core information published on the organization's website; detailed technical documentation maintained internally for regulatory access
  • Fully public: Published in its entirety on the organization's website (the Amsterdam model)

The appropriate level of public disclosure depends on the organization's regulatory obligations, the nature of decisions made by AI systems in the register, and the organization's voluntary transparency commitments.

Regulatory requirements driving register design

EU AI Act — Technical documentation and transparency for high-risk AI: Deployers of high-risk AI systems must maintain technical documentation and, where the AI system makes decisions affecting individuals, provide accessible information about the system's purpose and the affected person's rights. The documentation must be available to market surveillance authorities. This is functionally an internal register with regulatory access.

New York City Local Law 144 (Automated Employment Decision Tools): Requires employers who use automated employment decision tools in hiring or promotion decisions affecting NYC workers to: conduct and publish annual bias audits, notify candidates of AI use, provide an alternative process on request. The bias audit publication is a specific type of algorithm register entry required by law.

Amsterdam Algorithm Register (voluntary model): Amsterdam's public algorithm register, widely used as a model by governments and increasingly referenced as a standard for corporate voluntary disclosure, includes: name, description, organization, status (in development / production), impact, owner, and human supervision level. Several governments have adopted or are considering similar requirements.

EU AI Act Article 13 (Transparency for high-risk AI users): High-risk AI deployers must be able to provide affected persons with information about: how the system works in general terms, what data is used as inputs, the logic involved in the decision, and the measures available to contest or seek review of decisions.

Emerging state-level requirements: Colorado, California, and other states are developing algorithmic accountability requirements that include register-like disclosure obligations. The register design should be flexible enough to accommodate these requirements as they are finalized.

Register entry design

A well-designed algorithm register entry should include:

Identity:

  • System name (plain language, not technical identifier)
  • Unique system identifier (cross-reference to internal AI inventory)
  • Organization / department responsible
  • Last updated date

Purpose and decision scope:

  • Plain language description of what the system does
  • Types of decisions it supports or makes (advisory, consequential, fully automated)
  • Who is affected (employees, customers, members of the public, specific demographic groups)
  • Geographic scope

Data and inputs:

  • Categories of data used as inputs (do not include proprietary data source details)
  • Whether personal data is processed, and the legal basis under GDPR/CCPA where applicable
  • Whether special category data is processed

Governance:

  • Risk classification (per HOC-001)
  • Human oversight level (fully automated, human-in-the-loop, human-on-the-loop, human-controlled)
  • Accountability contact (role, not individual name; contact channel)
  • Date of most recent governance review
  • Whether bias audit has been conducted and, if publicly required, where to access the results

Rights and redress:

  • Whether the person has a right to explanation, challenge, or human review
  • How to exercise those rights (link to SCT-008 redress mechanism)
  • Whether an alternative process is available

Keeping the register current

The register is only useful if it reflects the current state of AI deployments. Register currency requires:

  • Register update as a required step in the AI deployment workflow (MGV-002, MGV-003)
  • Register update triggered by material change management events (CHM)
  • Quarterly register review by AI governance team to confirm completeness
  • Annual accuracy audit: confirm that register entries reflect current system configuration

Example Implementation

AI Algorithm Register — Public Entry (excerpt)

Organization: [Organization name] | Register version: 2026-Q2 | Contact: [ai-governance@org.com]

System: Automated Credit Limit Review ID: ALG-2026-003 | Status: Production | Last updated: 2026-05-15

What this system does: Reviews existing customer credit limits every 90 days and recommends limit adjustments based on payment behavior, account activity, and credit bureau data. Recommendations are reviewed by a human credit analyst before any limit change takes effect.

Who is affected: Existing consumer credit customers in the United States.

Decision type: Advisory — human credit analyst reviews and approves all recommendations.

Data used: Payment history (internal), account activity (internal), credit bureau data (Equifax/Experian/TransUnion), account age. Personal data processed under FCRA and CCPA. Special category data: not processed.

Risk classification: High (per internal AI risk policy — consequential financial decision affecting consumer credit access).

Human oversight: Human-on-the-loop — human analyst reviews all recommendations; AI cannot implement changes autonomously.

Governance: Most recent AI governance review: 2026-04-01. Bias audit: Annual bias audit conducted 2026-Q1. Results: No statistically significant disparate impact identified across race, national origin, sex, or age categories. [Full audit report available on request.]

Your rights:

  • You have the right to request an explanation of any credit limit change that affected your account.
  • You may contest a credit limit reduction through our standard adverse action appeal process.
  • If you have a complaint about an AI-assisted credit decision, contact: [redress mechanism link]
  • An alternative review process (without AI assistance) is available upon request.

Accountability contact: Credit Compliance Team — [contact channel]

System: Fraud Detection Scoring ID: ALG-2026-007 | Status: Production | Last updated: 2026-03-20

What this system does: Assigns a fraud likelihood score to transactions in real time. Transactions above a threshold are flagged for human review or automatically declined depending on score and transaction type.

Who is affected: All customers making transactions on [organization] accounts.

[... continues for each registered system]

Control Details

Control ID
SCT-009
Domain
Typical owner
Chief AI Officer / Chief Compliance Officer / Chief Data Officer
Implementation effort
Medium effort
Agent-relevant
Yes

Tags

algorithm registerAI transparencyalgorithmic accountabilityEU AI ActAI inventorypublic registerdisclosure

Mapped Regulations

EU Parliament Trilogue Negotiations on AI Act Compliance Deadline ExtensionsEU Digital Services Act – AI and Algorithmic Accountability ProvisionsNIST AI 600-1 Generative AI Profile

Related Controls

MGV-002AI System Intake and Approval WorkflowMGV-003AI Governance Program Milestone FrameworkSCT-008AI-Specific External Complaints and Redress Mechanism

Related Playbook

What does audit-ready AI documentation look like in practice?What are our obligations under emerging AI regulations?How do we prepare for AI regulation over the next 12 months?