SBOM for AI
- Katarzyna Celińska

An SBOM is already basic good practice in software development and cybersecurity. If we build, operate, buy or audit software, we should know its components, dependencies, versions, licenses, vulnerabilities and supply chain relationships.
The same logic is now moving into AI, but with a broader scope.
The G7 guidance “Software Bill of Materials for AI — Minimum Elements” explains that transparency about AI system components and dependencies is critical for AI cybersecurity, vulnerability management and risk management.

Traditional SBOMs remain valid for AI systems, but AI requires additional minimum elements.
In AI, we need to understand:
➡️ which models are used,
➡️ who produced them,
➡️ what versions are deployed,
➡️ what data was used,
➡️ what training or fine-tuning was performed,
➡️ how data flows through the system,
➡️ what external services are connected,
➡️ whether sensitive data is processed,
➡️ what security controls exist.
The G7 document proposes seven clusters of minimum elements:
➡️ Metadata
➡️ System Level Properties
➡️ Models
➡️ Dataset Properties
➡️ Infrastructure
➡️ Security Properties
➡️ Key Performance Indicators
At the system level, an SBOM for AI should capture components, producer, version, data flow, data usage, input/output properties and intended application area. AI systems are often not a single model, but a combination of models, databases, APIs, agents, tools and external services.
For models, the document points to elements such as model name, identifier, version, producer, description, hash, properties, training properties, license and external references. For datasets, it includes content, identifier, hash, provenance, sensitivity, dependencies and license.
The dataset sensitivity element is especially important because many AI risks start not in the model, but in the data: PII, medical records, financial data, copyrighted content or other sensitive information.
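The model and dataset elements listed above can be checked mechanically. The following is an added example, not code from the G7 guidance or from the author: it flags missing elements (including an undeclared dataset sensitivity) and verifies each recorded hash against the stored artifact. The key names, the `sha256:<hex>` hash notation and the sample records are assumptions constructed for illustration.

```python
import hashlib

# Keys are this example's own names for the elements the article lists;
# they are assumptions, not a schema defined by the G7 guidance.
MODEL_ELEMENTS = ["name", "identifier", "version", "producer", "description",
                  "hash", "properties", "training_properties", "license",
                  "external_references"]
DATASET_ELEMENTS = ["content", "identifier", "hash", "provenance",
                    "sensitivity", "dependencies", "license"]

def missing_elements(record, required):
    """Required elements that are absent or blank (an empty list is a valid answer)."""
    return [k for k in required if record.get(k) in (None, "")]

def hash_matches(recorded, artifact_bytes):
    """Check a recorded 'sha256:<hex>' value against the artifact actually stored."""
    algo, _, digest = recorded.partition(":")
    if algo != "sha256" or not digest:
        return False
    return hashlib.sha256(artifact_bytes).hexdigest() == digest.lower()

def audit(sbom, artifacts):
    """Return findings for every model and dataset record in the SBOM."""
    findings = []
    for kind, required in (("models", MODEL_ELEMENTS), ("datasets", DATASET_ELEMENTS)):
        for rec in sbom.get(kind, []):
            rid = rec.get("identifier") or "<no identifier>"
            findings += [f"{kind}/{rid}: missing {k}" for k in missing_elements(rec, required)]
            blob = artifacts.get(rid)
            if rec.get("hash") and (blob is None or not hash_matches(rec["hash"], blob)):
                findings.append(f"{kind}/{rid}: hash not verified")
    return findings

# Constructed sample data: a complete model record, and a dataset record that
# omits sensitivity and carries a hash that does not match the stored file.
MODEL_BLOB, DATA_BLOB = b"constructed model weights", b"constructed training rows"
SAMPLE_SBOM = {
    "models": [{"name": "triage-classifier", "identifier": "model-001", "version": "1.2.0",
                "producer": "Example Corp", "description": "ticket triage",
                "hash": "sha256:" + hashlib.sha256(MODEL_BLOB).hexdigest(),
                "properties": {"task": "classification"},
                "training_properties": {"fine_tuned": True}, "license": "Apache-2.0",
                "external_references": ["https://example.com/model-card"]}],
    "datasets": [{"content": "support tickets", "identifier": "ds-001",
                  "hash": "sha256:" + "0" * 64, "provenance": "internal helpdesk export",
                  "dependencies": [], "license": "proprietary"}],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SBOM, {"model-001": MODEL_BLOB, "ds-001": DATA_BLOB})))
```

A record whose artifact cannot be fetched is reported the same way as a mismatch, so an unverifiable hash never passes silently.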
The guidance also includes general and AI-specific security controls: encryption, data minimization, access controls, API authentication, anomaly detection, adversarial robustness, prompt injection controls, input/output filters and data-level controls for training data.
Author: Sebastian Burgemejster


