BIPI

AIBOM: What Belongs Inside an AI Bill of Materials


AI Bill of Materials extends SBOM thinking to models, datasets, and embeddings. Regulators are pushing it hard. The tooling is rough but the practice is becoming non-negotiable for anyone shipping AI to enterprise customers.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 11, 2024 · 7 min read

#aibom #supply-chain #ai-compliance

Last month a procurement team at a Fortune 100 bank sent our client a 47-question questionnaire about every component in their AI product. Base model lineage, training data provenance, embedding model, fine-tuning data sources, evaluation datasets, post-training filters. Six years ago that questionnaire was twelve questions about software libraries. The transition from SBOM to AIBOM happened faster than the standards bodies expected.

An AIBOM answers a single question for the buyer: if something goes wrong in your AI system, which upstream dependencies could be the cause, and who is accountable for each? SBOM did this for code. AIBOM has to do it for code, models, data, and the relationships between them.

What goes into an AIBOM

The CycloneDX 1.5 spec added ML-BOM fields and the SPDX 3.0 work expanded similar territory. The fields converge on roughly the same list. We tell clients to populate these whether or not they have committed to a specific format yet.

  • Model identity: name, version, hash of weights, base model lineage, fine-tuning steps with dataset references.
  • Training data: source identifiers, licenses, collection dates, processing steps, consent basis where applicable.
  • Evaluation data: which benchmarks, which private evals, results with confidence intervals.
  • Inference dependencies: tokenizer version, embedding model, retrieval index source, system prompt hash.
  • Known limitations: refusal categories, demographic eval gaps, hallucination rate on domain test set.
  • Provenance signatures: who built each component, when, with what review.

Who actually consumes them

Three audiences in practice. Procurement teams at regulated buyers, especially financial services, healthcare, and government. Internal security teams running AI risk reviews. Regulators under the EU AI Act, NIST AI RMF, and similar frameworks. Each one wants slightly different fields, which is why a structured format matters more than a PDF.

The procurement use case is the most immediate revenue driver. We have watched two deals slip a quarter because the vendor could not produce data lineage on their fine-tuning corpus. The buyer's risk team would not sign off without it. By the time the vendor scrambled together a PDF, the buyer had moved on.

Regulatory pressure in 2026

The EU AI Act's technical documentation requirements for high-risk systems map almost one-to-one onto AIBOM fields. NIST's AI RMF 1.0 and the GenAI Profile expect the same provenance, just less prescriptively. The UK AI Safety Institute and the Singapore IMDA are converging on similar expectations. None of these mandate an AIBOM by name. All of them require the underlying data.

Tooling state in 2026

Still rough. CycloneDX has the most mature ML-BOM tooling and the syft fork that emits ML components is usable. Hugging Face's model card metadata is partial. Anthropic and OpenAI publish model cards that cover some fields but not in a parseable format. Most production teams end up writing their own generators that pull from training pipelines, dataset registries, and CI/CD logs.

  1. Start by inventorying what exists. Most teams cannot list every model, embedding, and dataset in production. Fix that first.
  2. Add provenance capture at training time. Hash datasets, record git commits, log fine-tuning configs. Retrofitting later is expensive.
  3. Pick CycloneDX 1.5 ML-BOM as the output format. It is closest to a real standard right now.
  4. Generate AIBOMs in CI. Buyer questionnaires hit unpredictably. The answer should already exist.
  5. Review them quarterly. Models drift, datasets refresh, dependencies change. Stale AIBOMs are worse than none.
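
Steps 2 to 5 as an added example, not code from BIPI or its clients: a Python generator that hashes weights and datasets at build time, emits a CycloneDX 1.5 JSON document linking the model to its datasets and base model, and re-hashes the artifacts to flag a stale AIBOM. The model, dataset and `example:` property names are constructed for illustration; validate the output against the CycloneDX 1.5 schema in CI.

```python
import hashlib, json, tempfile, uuid
from pathlib import Path
def sha256_file(path):
    """Stream the file so multi-GB weights are never loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def component(ctype, name, version, path):
    return {"type": ctype, "bom-ref": f"{ctype}:{name}@{version}", "name": name,
            "version": version, "hashes": [{"alg": "SHA-256", "content": sha256_file(path)}]}

def build_aibom(model, base_model, datasets, git_commit, system_prompt):
    # One "data" component per dataset, carrying its hash and SPDX license id.
    data = [dict(component("data", d["name"], d["version"], d["path"]),
                 licenses=[{"license": {"id": d["license"]}}]) for d in datasets]
    m = component("machine-learning-model", model["name"], model["version"], model["path"])
    m["pedigree"] = {"ancestors": [dict(base_model, type="machine-learning-model")]}  # lineage
    m["modelCard"] = {"modelParameters": {"datasets": [{"ref": c["bom-ref"]} for c in data]}}
    m["properties"] = [  # "example:" names are hypothetical, not a registered namespace
        {"name": "example:training-git-commit", "value": git_commit},
        {"name": "example:system-prompt-sha256",
         "value": hashlib.sha256(system_prompt.encode()).hexdigest()}]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "serialNumber": f"urn:uuid:{uuid.uuid4()}", "components": [m] + data}

def stale_refs(bom, paths):
    """Re-hash each artifact; return bom-refs whose recorded hash no longer matches."""
    return [c["bom-ref"] for c in bom["components"]
            if sha256_file(paths[c["bom-ref"]]) != c["hashes"][0]["content"]]

def demo(workdir):
    w, ds = Path(workdir, "weights.bin"), Path(workdir, "finetune.jsonl")
    w.write_bytes(b"constructed-weights")  # constructed stand-in for real weights
    ds.write_text('{"prompt": "hi", "completion": "hello"}\n')  # constructed corpus
    bom = build_aibom({"name": "support-bot", "version": "1.2.0", "path": w},
                      {"name": "example-base-7b", "version": "1.0"},
                      [{"name": "support-tickets", "version": "2024-03", "path": ds,
                        "license": "CC-BY-4.0"}], "0" * 40, "You are a support assistant.")
    paths = {c["bom-ref"]: p for c, p in zip(bom["components"], (w, ds))}
    fresh = stale_refs(bom, paths)
    ds.write_text('{"prompt": "hi", "completion": "changed"}\n')  # dataset refreshed later
    return bom, fresh, stale_refs(bom, paths)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(demo(tmp)[0], indent=2))
```

In CI, a non-empty result from `stale_refs` is the signal to regenerate the AIBOM before it is handed to a buyer.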

What we tell clients to prioritize

Data provenance is the field that takes longest and matters most. Buyers can verify model versions trivially. They cannot verify your training data without you telling them. The vendors that win regulated deals in 2026 are the ones who can answer dataset questions in hours, not weeks. Build the pipeline now. The questionnaires get harder every quarter.
