See also (wiki): ai-cybersecurity · third-party-vendor-ai-risk · shai-hulud-ai-supply-chain-attack-2026
Source credibility: CISA/G7 guidance (TIER 1 — government primary), OWASP (TIER 1 — standards body), IBM Granite AIBOM (TIER 2 — vendor-published but named implementation). No enterprise production case studies exist as of May 2026 — the AIBOM space is standards-convergence stage. TIER 1 for regulatory/standards content; TIER 2 for vendor implementations.
Executive Summary
- An AI Bill of Materials (AIBOM) is a structured, machine-readable inventory of every component in an AI system: models, training data, code dependencies, infrastructure, data processing methods, and governance metadata. It extends SBOM (Software Bill of Materials) concepts to address AI-specific transparency needs.
- CISA and G7 partners published joint minimum elements guidance in August 2025 — seven clusters covering metadata, models, datasets, system properties, KPIs, security properties, and infrastructure. Voluntary, not binding.
- Standards are converging: CycloneDX 1.7 (ML-BOM), SPDX 3.0 AI Profile, OWASP AIBOM Generator, OpenChain AI Compliance Guide (Oct 2025). No enforcement mechanism exists yet.
- No named enterprise has published a production AIBOM deployment as of May 2026. IBM Granite 4.0 is the closest — a proof-of-concept JSON metadata release for one model family.
- Shai-Hulud (CVE-2026-45321, May 2026) is the first major case study making AIBOM operationally relevant: organizations with dependency tracking on AI SDK packages would have detected the malicious TanStack/Mistral AI/Guardrails AI versions automatically. Without AIBOM, most enterprise security teams learned of their exposure from public news.
What an AIBOM Contains
CISA/G7 guidance organizes AIBOM into seven clusters:
| Cluster | Contents |
|---|---|
| Metadata | AIBOM creator, timestamp, format version, unique identifier |
| Models | Model name, version, architecture, training framework, license, intended use |
| Dataset Properties | Training data sources, size, collection method, license, known biases |
| System-Level Properties | Integration architecture, APIs, external dependencies, deployment environment |
| KPIs | Performance benchmarks, accuracy metrics, evaluation datasets and results |
| Security Properties | Known vulnerabilities, adversarial robustness testing, red-team results |
| Infrastructure | Compute resources, cloud provider, data residency, access controls |
The IBM Granite 4.0 implementation covers six of the seven (excluding KPIs in the initial release). It is published as machine-readable JSON — the format preferred by CISA for automated ingestion into enterprise asset management systems.
Standards Landscape
CISA / G7 — “Software Bill of Materials for AI: Minimum Elements” (August 2025) Co-authored with Canada, France, Germany, Italy, Japan, UK, and EU. This is the most authoritative AIBOM guidance available. It is voluntary and does not specify enforcement mechanisms. Its significance is that G7 agreement on minimum elements signals the direction future regulation will take.
CycloneDX 1.7 (ML-BOM) The leading SBOM standard extended AI/ML fields in version 1.7: patent/IP metadata, data provenance citations, cryptographic transparency for model weights. Limitation: the AI-specific fields remain limited — CycloneDX was designed for software components, and model behavior, dataset provenance, and inference infrastructure require schema extensions that are still being standardized.
SPDX 3.0 AI Profile Profile-based architecture allows the SPDX 3.0 core to be extended with an optional AI profile. The AI profile covers model cards, dataset documentation, and training provenance. Status: published but adoption is nascent — most organizations using SPDX are not yet using the AI profile.
OWASP AIBOM Project Open-source AIBOM Generator for Hugging Face models. Practical tooling for organizations that want to generate AIBOMs for open-source models they deploy. Identifies gaps in CycloneDX and SPDX for AI-specific use cases. Most useful for organizations deploying open-source foundation models.
OpenChain AI Compliance Guide (October 2025) Process framework for AI compliance programs, including AIBOM as a component. Completed after public comment (July–August 2025). Provides the governance structure around AIBOM — who is responsible for creating and maintaining it, how it integrates with existing compliance workflows.
The Enterprise Adoption Gap
No named enterprise organization has published a production AIBOM implementation covering their full AI deployment portfolio as of May 2026. The closest:
IBM Granite 4.0 — IBM released machine-readable JSON metadata for the Granite 4.0 model family as a first step toward AIBOM. Covers six of seven CISA clusters. IBM explicitly frames it as a proof-of-concept and calls for industry adoption. Granite 4.0 is the first LLM family to achieve both ISO 42001 certification and a #1 ranking on the Stanford Foundation Model Transparency Index — the AIBOM is part of that transparency posture.
Why enterprise adoption is lagging:
- No compliance mandate. CISA guidance is voluntary. Until a regulation (EU AI Act, SEC disclosure rules, or a post-Shai-Hulud executive order) requires AIBOM, the business case is speculative for most organizations.
- Tooling is immature. CycloneDX and SPDX extensions for AI are recent; enterprise asset management systems (ServiceNow, Archer) don’t yet have AIBOM ingestion workflows.
- Model inventory doesn’t exist. Most organizations cannot enumerate the AI models in use across their enterprise — AIBOM presupposes a model inventory that most don’t have.
- Third-party model opacity. Vendors (OpenAI, Anthropic, Google) do not publish AIBOMs for their proprietary models. An enterprise AIBOM for a GPT-4o deployment would have incomplete upstream provenance.
Shai-Hulud as the AIBOM Use Case
Shai-Hulud (May 2026) is the first concrete demonstration of what AIBOM would prevent.
The attack compromised 170+ npm/PyPI packages including: TanStack, Mistral AI Python SDK, Guardrails AI, UiPath, OpenSearch client libraries, and SAP packages. These are packages that AI engineering teams commonly install as dependencies of their AI coding environments and agent frameworks.
An organization with a functioning AIBOM or AI dependency inventory would have:
- Known that their AI coding environment depended on TanStack (via Claude Code) and Mistral AI SDK
- Received an automated alert when the malicious versions of those packages appeared in the registry
- Had the ability to roll back or isolate affected developer environments within hours, not days
Most enterprise security teams learned of their Shai-Hulud exposure from public news coverage — the gap between “attack published” and “we know if we’re affected” was measured in days, not hours. That gap is the AIBOM value proposition made concrete.
Cross-reference: See shai-hulud-ai-supply-chain-attack-2026.md for full attack chain detail and immediate mitigation priorities.
The Regulatory Direction
The AIBOM landscape is moving toward mandatory disclosure in high-risk contexts:
- EU AI Act: High-risk AI systems must maintain technical documentation that overlaps substantially with AIBOM content (training data description, model architecture, performance metrics, known limitations). Effective August 2026 for new deployments.
- SEC AI Disclosure (proposed): The SEC Investor Advisory Committee (Dec 2025) recommended requiring issuers to disclose material AI deployments — AIBOM-like documentation would support this disclosure.
- Federal Procurement: OMB M-25-21 requires AI compliance plans for federal agencies — AIBOM is a logical component.
- Post-Shai-Hulud regulatory response: CISA has indicated it is reviewing whether voluntary SBOM/AIBOM guidance needs enforcement teeth following the attack. No formal action as of May 2026.
Practical First Steps for Enterprise Teams
Organizations that want to get ahead of mandatory AIBOM requirements should start with:
-
Model inventory first. Build a register of every AI model in use: vendor models (OpenAI, Anthropic, etc.), open-source models (Hugging Face), and internally fine-tuned models. This is AIBOM prerequisite zero.
-
Dependency tracking for AI packages. Extend existing SBOM tooling (FOSSA, Snyk, Mend) to flag AI/ML packages explicitly: PyTorch, Transformers, LangChain, LlamaIndex, MCP SDKs, Guardrails AI. Shai-Hulud demonstrates this is now a security requirement, not a compliance checkbox.
-
Use CycloneDX 1.7 ML-BOM for open-source model deployments. If you’re running Hugging Face models, the OWASP AIBOM Generator + CycloneDX provides an automated starting point.
-
Require AIBOM from AI vendors. Add to security questionnaires: “Do you publish an AIBOM or equivalent transparency documentation for your models?” Vendors without AIBOMs represent unquantified supply chain risk.
Sources
| Source | Details | Tier |
|---|---|---|
| CISA / G7 (Aug 2025) | “Software Bill of Materials for AI – Minimum Elements” — joint guidance, 7 clusters | TIER 1 |
| OWASP AIBOM Project (2025) | Open-source generator; CycloneDX/SPDX gap analysis | TIER 1 |
| CycloneDX 1.7 ML-BOM (2025) | ML/AI fields in CycloneDX standard | TIER 1 |
| SPDX 3.0 AI Profile (2025) | SPDX extension for AI provenance | TIER 1 |
| OpenChain AI Compliance Guide (Oct 2025) | Process framework for AI supply chain compliance | TIER 1 |
| IBM Granite 4.0 AIBOM (2026) | First named enterprise AIBOM implementation (PoC) | TIER 2 (vendor-published) |
| arXiv 2601.11678 (Jan 2026) | Survey: BOM types across hardware, software, AI, datasets | TIER 2 |
| Frontiers in Computer Science (2026) | “Operationalising AIBOM for Verifiable AI Provenance” | TIER 2 |