May 28 2026
Artificial Intelligence

What Is an AI Bill of Materials?

As regulations and risks increase, these directories of AI components help boost confidence.

When an AI system makes a “bad decision,” most companies can’t really explain why. They aren’t entirely sure which data trained it, where the error was, which version it was running or which third-party components were involved. This is an ethical and regulatory blind spot that creates risk for business tech leaders in companies of all sizes, and it’s driving interest in a newer framework called the AI bill of materials. 

If you’ve ever seen a software bill of materials, or SBOM, then you already understand the concept. But many companies have not yet thought about applying that framework and process to the AI systems they use. That will change: Regulations are prompting implementation of AIBOMs, according to Arpita Soni, a senior member of the technology professional society IEEE. “I’m seeing a lot of stress on the inventory, on BOM models around it because of increased guardrails,” Soni says. “Organizations are bending more toward this model because they need to be part of compliance and audits.”

For some, the decision follows former President Joe Biden’s 2024 executive order on AI usage and development, among other factors. Given increases in regulatory mandates, and companies’ desire to mitigate risk, here’s why AIBOMs are on the rise, and what organizations should consider as they build and implement them.


What Is an AI Bill of Materials?

The National Institute of Standards and Technology calls AIBOMs “enablers for AI software transparency and security,” pointing to their ability to also “foster trust” and “facilitate innovation.” Specifically, it is a “repository or inventory,” Soni says, “that can be read by your machines, by your systems, and it comprises components including your data sets, your prompts, your models, your specific configurations, version history, pipelines and third-party dependencies.” 

Katie Norton, research manager for DevSecOps and software supply chain security at IDC, says that for organizations already using SBOMs, AIBOMs are a logical next step: “While an SBOM provides visibility into application code, libraries and dependencies, an AIBOM captures the components that define AI behavior.”

What Goes Into an AI Bill of Materials?

AIBOMs typically have similar components, though they might vary a bit based on company size, needs and systems. 

Norton says that these structured, machine-readable inventories document multiple layers of the AI systems in the business, including components and questions to ask for each: 

  • The data layer includes training and validation data sets, provenance, licensing and sensitivity. This layer answers the questions, “Where did your training data come from? What are the licensing terms? Does it contain personally identifiable information?”
  • The model layer includes architecture, weights, hyperparameters, versioning and lineage. It answers the questions, “What architecture? What version? What was the training configuration?”
  • The infrastructure and dependency layers include the frameworks and hardware required to run the model. They answer the question, “What frameworks and libraries does it rely on, and where does it run?”
  • The governance metadata layer includes intended use, known limitations and risk mitigations. It answers the questions, “What is this model supposed to do? What are its limitations? What safeguards are in place?” 

Norton adds that companies need an AIBOM in addition to their SBOM. “An SBOM alone is insufficient for AI systems because it only inventories code,” she says. “AI systems are data-driven and often nondeterministic; their behavior emerges from training data and model configuration rather than explicitly written logic. Without an AIBOM, IT leaders lack visibility into the ‘cognitive layer’ of the system, making it difficult to audit decisions, reproduce results or assess supply chain risk.”


Why the AI Bill of Materials Is Gaining Traction Now

AI is not new, so why is the AIBOM just starting to become more widely adopted? Because AI has to be “ethical, transparent and fair,” Soni says, a framework is needed to analyze those principles, and AIBOMs have begun to do just that — especially important at a time when “blind spots” have become apparent and the need for regulatory compliance has become mandatory.

Norton points to three things converging to create the need for AIBOMs now: “First, generative AI made it trivially easy for developers to drop open-source models into applications without anyone in security knowing about it. Organizations suddenly realized they had no idea what models were running in production. Second, regulators caught up. The EU AI Act and NIST AI Risk Management Framework now expect transparency around training data and model lineage — things SBOMs were never designed to capture.”

And last, “the tooling finally exists. Standards like the Software Package Data Exchange (SPDX) and CycloneDX now have AI-aware profiles, so generating an AIBOM is no longer a custom engineering project. The risk was always there; now we have the means to address it,” Norton says.

While Gartner predicts SBOM adoption will rise from 56% among large enterprises in 2025 to 85% by 2028, the adoption rate for AIBOMs is yet to be determined.

Who Really Needs an AI Bill of Materials?

All businesses running AI systems, no matter their size, need AIBOMs. Small businesses might assume they don’t need one, but they’re necessary for market access, Norton says: “If you’re selling into regulated industries or large enterprises, documenting your model provenance and data sources is becoming a prerequisite for winning contracts. The organizations that can demonstrate AI governance will have a competitive advantage.” 

Larger enterprises, meanwhile, should consider them as a way to manage complex systems, she adds. “When you have hundreds of AI workloads in production, manual tracking breaks down. You need systematic governance to satisfy regulators and manage risk at scale.” 

McKinsey reports that two-thirds of organizations are still in the experimentation or pilot phase of integrating AI, rather than scaling. So building an AIBOM early keeps transparency and regulatory requirements in view as you scale, rather than retrofitting them afterward.


How to Maintain an AIBOM

Building an AIBOM is just part of the battle — maintaining it is the rest. With models changing even daily, Soni says, AIBOMs can be hard to preserve. From vendor changes to behavior changes with how the company is using AI systems, the dynamic nature of AI in organizations can make this “problematic,” she adds. 

Retraining cycles are key. “A model can drift as real-world data shifts,” Norton says. “Every retraining cycle creates a new version. Models are often distributed as black boxes with minimal metadata. And because AI adoption has such low barriers, organizations face significant model sprawl — teams spinning up models without centralized oversight.” 

Norton recommends updating whenever the model or its input changes in a way that might impact behavior or risk. “This includes every retraining or fine-tuning cycle, any update to training or inference data sources, changes to software dependencies or frameworks, and material performance shifts such as detected model drift. Each of these events effectively creates a new version of the system that requires fresh documentation,” she says. “You can’t inventory AI once and walk away. It requires continuous discovery and automated documentation,” she adds.
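As an added illustration that is not from the article, the standards it names or either expert quoted, the following Python sketch models the four layers Norton describes and the re-documentation triggers from the maintenance section: it checks an inventory for the fields each layer must answer, fingerprints a snapshot so any component change yields a new identity, and decides whether a change event requires a new version. The layer and field names, event names and sample inventory are all assumptions of this example, not an SPDX or CycloneDX profile.

```python
import copy
import hashlib
import json

# The four layers described in the text and the fields each must document (field names are hypothetical).
REQUIRED_FIELDS = {
    "data": ["sources", "licensing", "contains_pii"],
    "model": ["architecture", "version", "training_config"],
    "infrastructure": ["frameworks", "runtime"],
    "governance": ["intended_use", "limitations", "safeguards"],
}

# Change events the text names as requiring fresh documentation (event names are assumptions).
REDOCUMENT_EVENTS = {"retraining", "fine_tuning", "data_source_update",
                     "dependency_change", "model_drift"}

def missing_fields(aibom):
    """List 'layer.field' for every required field that is absent (False or empty still counts as documented)."""
    return [f"{layer}.{field}" for layer, fields in REQUIRED_FIELDS.items()
            for field in fields if field not in aibom.get(layer, {})]

def fingerprint(aibom):
    """SHA-256 of canonical JSON: a change in any layer yields a new identity for the snapshot."""
    canon = json.dumps(aibom, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def changed_layers(old, new):
    """Names of the layers that differ between two snapshots."""
    return [layer for layer in REQUIRED_FIELDS if old.get(layer) != new.get(layer)]

def needs_new_version(old, new, event=None):
    """True when the triggering event or any layer difference means the AIBOM must be re-issued."""
    return event in REDOCUMENT_EVENTS or bool(changed_layers(old, new))

def apply_retraining(aibom, new_version, training_config):
    """Return a new snapshot for a retraining cycle; the previous one is kept intact as version history."""
    updated = copy.deepcopy(aibom)
    updated["model"].update({"version": new_version, "training_config": training_config})
    return updated

# Constructed sample inventory for a hypothetical internal ticket classifier.
SAMPLE_AIBOM = {
    "data": {"sources": ["internal-tickets-2025"], "licensing": "proprietary", "contains_pii": False},
    "model": {"architecture": "distilbert-classifier", "version": "1.0.0",
              "training_config": {"epochs": 3, "learning_rate": 2e-5}},
    "infrastructure": {"frameworks": ["torch", "transformers"], "runtime": "k8s/gpu-pool-a"},
    "governance": {"intended_use": "route support tickets", "limitations": ["English only"],
                   "safeguards": ["human review below 0.7 confidence"]},
}
```

Running `needs_new_version` on each deployment or pipeline event, and storing the returned fingerprints, gives the continuous, automated documentation trail the text calls for rather than a one-time inventory.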


You Can’t Afford to Skip an AI Bill of Materials

For some organizations, AI governance is an “aspiration” when it should be a practice, Norton shares. Instead of scrambling to assemble documentation for a regulator’s request, she says, having that audit-ready artifact demonstrating that you’ve already done your due diligence is a lot more reassuring.

“For responsible AI, requiring explicit documentation of data sources and limitations makes it harder to deploy a model inappropriately or let bias go unexamined,” Norton says. “An AIBOM answers a question most organizations can’t right now: If this model makes a bad decision, can you explain why?”

Like any new process, Soni recommends taking baby steps at first. “Don't make it complex. Go simple. Take it step by step and repeat; take it step by step, repeat. And when there is a manual process, think ‘What can be automated?’ Where it is possible, conduct a feasibility study. Does the automation tie back to your continuous integration/continuous delivery pipelines? Repeat the loop.”

Before long, your AIBOM will be the reason you sleep well at night in an age of fast-moving and dynamic AI regulation and adoption.
