AI Bills of Materials (AI BOMs) are gaining traction as a critical tool for AI risk management, extending the SBOM concept to cover models, datasets, training history, and operational metadata. Regulators in the EU and US are beginning to require them for high-risk AI systems, and the G7 has released minimum-element guidance. Despite growing momentum from bodies like CISA, NIST, OWASP, and the Linux Foundation, practical adoption remains largely aspirational — most organizations lack the granularity of data needed. The AI supply chain attack surface is expanding rapidly, with JFrog reporting a 6.5x increase in malicious models on Hugging Face. Experts argue that starting with a small, practical set of required fields is the right approach, with agentic AI systems likely requiring further expansion of AI BOM standards in the near future.
Sort: