AI Bill of Materials
An AI bill of materials is a structured, machine-readable inventory of the models, datasets, software, prompts, tools, services, hardware, licenses, versions, provenance records, and relationships that make an AI system work.
Definition
An AI bill of materials, often called an AI-SBOM, AI BOM, or ML-BOM, is a structured inventory of the components and dependencies inside an artificial intelligence system. It extends the software bill of materials idea beyond packages and libraries to include models, weights, datasets, training and evaluation data, fine-tuning records, prompts, agent tools, model-serving infrastructure, licenses, safety evaluations, known limitations, vulnerability references, and supplier relationships.
The point is not to explain intelligence. The point is to make a deployed AI system inspectable as an artifact. If an answer, score, recommendation, or autonomous action fails, investigators should be able to ask which model version, prompt, retrieval index, dataset, tool, vendor API, and policy layer were involved.
An AI BOM is related to AI System Inventory, Model Cards and System Cards, and Agentic Supply Chain Vulnerabilities, but it is narrower than a governance register and more operational than a narrative card. It is meant to be queried, compared, updated, and connected to software supply-chain controls.
How It Works
A useful AI BOM records identity, version, origin, license, dependency, relationship, and evidence. For a model, that may include architecture family, weights or endpoint identifier, provider, release date, training or fine-tuning summary, evaluation references, supported use, prohibited use, and known safety limits. For data, it may include source, lineage, collection basis, consent or license status, curation method, sensitive-data notes, and retention limits. For agents, it should include tools, permissions, system prompts, memory stores, connectors, and approval rules.
The record should change when the system changes. A static spreadsheet created during procurement is weak evidence. A better AI BOM is generated or updated through development, deployment, model release, fine-tuning, prompt update, tool addition, vendor change, and incident response.
Current Context
As of June 16, 2026, AI BOM practice is emerging from existing SBOM work. NTIA's 2021 minimum-elements report defined an SBOM as a formal record of software components and supply-chain relationships. CISA's 2025 SBOM minimum-elements guidance, issued for public comment, builds on that work and says SBOMs give organizations detailed software-component inventories for identifying vulnerabilities, assessing risk, and making informed decisions about software they use and deploy.
CycloneDX now presents a Machine Learning Bill of Materials capability for AI and ML systems. Its public documentation says ML-BOMs can represent datasets, models, configurations, dataset provenance, training methodologies, framework configuration, and risks related to bias, data integrity, privacy, safety, and model security. OWASP describes CycloneDX as a full-stack BOM standard, published as ECMA-424, that supports SBOM, SaaSBOM, HBOM, ML-BOM, CBOM, OBOM, VDR, VEX, and related artifacts.
SPDX is moving in the same direction. The SPDX 3.0.1 conformance text defines an AI Profile compliance point for exchanging information about software components and dependencies associated with AI and ML models and systems. The SPDX AI overview describes an AI-SBOM as a machine-readable record that can include software dependencies, AI models, data assets, prompt templates, agents, licenses, ethical attributes, and security attributes.
The EU AI Act does not use the phrase AI bill of materials as the general legal label. It does, however, require technical documentation for high-risk AI systems and documentation for general-purpose AI models. A well-maintained AI BOM can become part of the evidence base for those duties, procurement review, vendor due diligence, audits, and incident reconstruction.
Governance and Safety
AI BOMs matter because invisible dependencies are a safety risk. A public agency may not know which third-party model powers a benefits triage tool. A company may not know that several agents share a vulnerable connector. A hospital may not know that a model update changed an embedded clinical workflow. A user may not know whether a generated output came from a licensed source, a cached retrieval fragment, or a vendor model whose version has already changed.
Governance should define who creates the BOM, who can update it, what fields are mandatory, which claims require evidence, which fields can remain confidential, and when the record must be shared with auditors, customers, regulators, or affected people. The BOM should connect to vulnerability disclosure, incident reporting, post-market monitoring, data retention, and decommissioning.
Defense Pattern
- Inventory the real system. Include models, prompts, datasets, tools, connectors, software packages, cloud services, hardware assumptions, and people-facing workflows.
- Track versions and relationships. A model endpoint, prompt template, retrieval index, and agent permission set are different components.
- Record provenance. Note source, supplier, license, dataset lineage, model origin, and artifact hashes where available.
- Attach risk evidence. Link evaluations, red-team findings, known vulnerabilities, model cards, system cards, and incident history.
- Keep it current. Update the BOM when models, data, prompts, tools, vendors, or deployment contexts change.
- Use it in response. During incidents, ask what changed, what depended on it, who received it, and what must be withdrawn or patched.
Spiralist Reading
An AI bill of materials is the inventory of the machine's borrowed bones.
The interface may present a single voice, but the working system is a bundle of data, weights, prompts, tools, licenses, vendors, benchmarks, memories, and permissions. The BOM breaks the illusion of unity without making a mystical claim about the system.
For Spiralism, the discipline is documentary humility: before arguing about what the system means, list what it is made from.
Open Questions
- Which AI BOM fields should be mandatory for public-sector procurement?
- How much model and dataset detail can be disclosed without exposing trade secrets, private data, or new attack paths?
- Should prompt templates, agent permissions, and memory stores be treated as first-class BOM components?
- How should AI BOMs represent hosted models that change without customer-controlled versioning?
- Can AI BOMs become useful evidence for affected people, not only auditors and security teams?
Related Pages
- AI System Inventory
- AI Governance
- Model Cards and System Cards
- Secure AI System Development
- Agentic Supply Chain Vulnerabilities
- Open-Weight AI Models
- Training Data
- AI Data Licensing
- Model Weight Security
- AI Audits and Assurance
Sources
- NTIA, The Minimum Elements for a Software Bill of Materials (SBOM), July 12, 2021.
- CISA, 2025 Minimum Elements for a Software Bill of Materials (SBOM), reviewed June 16, 2026.
- OWASP CycloneDX, Machine Learning Bill of Materials (ML-BOM), reviewed June 16, 2026.
- OWASP Foundation, CycloneDX Bill of Materials Specification (ECMA-424), reviewed June 16, 2026.
- SPDX, AI System Bill of Materials overview, reviewed June 16, 2026.
- SPDX, SPDX Specification 3.0.1 Conformance, reviewed June 16, 2026.
- AI Act Service Desk, Article 11: Technical documentation, reviewed June 16, 2026.
- AI Act Service Desk, Article 53: Obligations for providers of general-purpose AI models, reviewed June 16, 2026.
- NIST AI Resource Center, AI RMF Core, reviewed June 16, 2026.
- Church of Spiralism, AI System Inventory and Agentic Supply Chain Vulnerabilities, related background pages.