AI Component Bill of Materials Governance

2. Summary

AI Component Bill of Materials Governance requires that every AI agent deployment maintains a comprehensive, machine-readable inventory of all software components, models, adapters, plugins, data sources, and external dependencies that constitute or influence the agent's behaviour. This inventory — the AI Bill of Materials (AI-BOM) — must be versioned, cryptographically signed, and updated whenever any component changes. Without a complete and accurate component inventory, an organisation cannot assess supply-chain risk, respond to vulnerability disclosures, verify regulatory compliance, or determine whether a deployed agent matches its approved configuration. The AI-BOM is the foundational artefact for all other supply-chain governance dimensions: you cannot govern what you have not inventoried.

3. Example

Scenario A — Undetected Vulnerable Dependency in Production Agent: An organisation deploys an enterprise workflow agent built on an open-source orchestration framework (version 3.2.1) that incorporates 147 transitive dependencies. Six months after deployment, a critical remote code execution vulnerability (CVE-2025-41923, CVSS 9.8) is disclosed in one of the transitive dependencies — a serialisation library three levels deep in the dependency tree. The security team receives the advisory and asks: "Are any of our agents affected?" Without an AI-BOM, the answer requires manual inspection of every agent's build environment, which takes the team 11 days. During those 11 days, the vulnerable agent remains in production processing 2,400 customer requests per day.

What went wrong: The organisation had no component inventory for its AI agents. The vulnerability existed in a transitive dependency that no one had explicitly chosen or reviewed. The 11-day identification window created exposure to a known critical vulnerability across approximately 26,400 customer interactions. With an AI-BOM, the query "which agents include library X version Y" would have returned results in seconds. Consequence: 11 days of known-vulnerable production operation, potential regulatory notification obligations under DORA Article 19, customer data exposure risk, and remediation costs including emergency patching, regression testing, and incident response.

Scenario B — Model Component Substitution Without Detection: A research team deploys an agent that uses a base language model (7B parameters, version hash abc123) with a custom LoRA adapter trained on proprietary medical data. During a routine infrastructure update, the container image is rebuilt from the latest base image, which silently pulls a newer version of the base model (version hash def456). The adapter was trained against the original base model; its behaviour against the new base model has not been validated. The agent begins producing subtly different clinical recommendations. The drift is not detected for 3 weeks because the outputs remain superficially plausible.

What went wrong: The AI-BOM, had one existed, would have recorded the exact model version hash. A rebuild that changed the base model hash would have been flagged as a component change requiring re-validation. Without the AI-BOM, the model swap was invisible to governance processes. Consequence: 3 weeks of unvalidated clinical recommendations, potential patient safety incidents, regulatory exposure under medical device regulations, and loss of confidence in the agent's outputs requiring full re-validation of all recommendations issued during the affected period.

Scenario C — Licence Compliance Failure at Scale: An organisation builds an AI agent pipeline incorporating 12 models, 34 Python packages, and 8 external API integrations. One of the Python packages (included as a transitive dependency of a transitive dependency) is licensed under AGPL-3.0, which requires disclosure of source code for any networked service using the library. The organisation's legal team was never informed of this dependency. The agent is deployed as a customer-facing SaaS product. A competitor discovers the AGPL dependency through reverse engineering and files a licence compliance complaint.

What went wrong: No component inventory existed to flag licence obligations. The AGPL-licensed library was four levels deep in the dependency tree and was never explicitly selected by any developer. An AI-BOM with licence metadata would have flagged the AGPL component during the admission review. Consequence: Legal costs for licence compliance remediation, potential requirement to open-source proprietary code or replace the dependency, reputational damage, and delay to product roadmap while the dependency is replaced.

4. Requirement Statement

Scope: This dimension applies to all AI agent deployments where the agent's behaviour is influenced by software components, models, adapters, plugins, data pipelines, or external dependencies that are not wholly developed and maintained by the deploying organisation. This includes: base models (whether open-weight or accessed via API), fine-tuned models and adapters, orchestration frameworks, tool-calling libraries, vector databases and embedding models, retrieval-augmented generation pipelines, external API integrations, and any software library that processes, transforms, or routes agent inputs or outputs. The scope explicitly includes transitive dependencies — components included indirectly through other components. An agent that uses a single open-source library with 200 transitive dependencies has 201 components in scope. Read-only analytical agents that do not affect external state remain in scope because their component integrity affects the accuracy and reliability of their outputs.

4.1. A conforming system MUST maintain a machine-readable AI Bill of Materials (AI-BOM) for every deployed agent, listing all components that constitute or influence the agent's behaviour, including base models, adapters, plugins, libraries, data sources, and external API dependencies.

4.2. A conforming system MUST record, for each component in the AI-BOM, at minimum: component name, version identifier, cryptographic hash (SHA-256 or stronger), supplier or source, licence type, and the date the component was added or last updated.

4.3. A conforming system MUST version the AI-BOM as an atomic artefact such that any change to any component produces a new AI-BOM version with a unique identifier and timestamp.

4.4. A conforming system MUST update the AI-BOM within 24 hours of any component change in a deployed agent, including transitive dependency updates, model version changes, and plugin additions or removals.

4.5. A conforming system MUST block deployment of any agent whose AI-BOM contains components that have not passed the organisation's admission review process (see AG-088).

4.6. A conforming system MUST support automated queries against the AI-BOM to identify all agents affected by a specific component, version, or vulnerability identifier (e.g., CVE) and return results within 5 minutes for inventories of up to 10,000 components.

4.7. A conforming system SHOULD sign AI-BOM artefacts cryptographically to ensure tamper evidence, consistent with AG-006 (Tamper-Evident Record Integrity).

4.8. A conforming system SHOULD include transitive dependency depth information in the AI-BOM, recording how each component entered the dependency tree (direct dependency, transitive via component X, etc.).

4.9. A conforming system SHOULD integrate AI-BOM generation into the CI/CD pipeline such that every build automatically produces an updated AI-BOM without manual intervention.

4.10. A conforming system MAY implement AI-BOM differencing to automatically highlight changes between successive versions and flag changes that alter the risk profile (e.g., new licence types, new suppliers, deprecated components).

5. Rationale

AI agents are not monolithic software artefacts — they are assemblies of dozens to hundreds of components, each with its own provenance, licence terms, vulnerability surface, and update cadence. A single enterprise workflow agent might incorporate a base language model from one provider, a fine-tuned adapter trained internally, an orchestration framework from an open-source project, 15 tool-calling plugins from various sources, a vector database, an embedding model, and 200+ transitive library dependencies. Each of these components can introduce risk: security vulnerabilities, licence compliance obligations, behavioural changes from version updates, or supply-chain attacks through compromised dependencies.

Traditional software bill of materials (SBOM) practices, as codified in standards like SPDX and CycloneDX, address conventional software dependencies but do not cover the AI-specific components that dominate an agent's risk profile: models, adapters, training data provenance, embedding configurations, and prompt templates. AG-087 extends the SBOM concept to encompass the full range of components that influence an AI agent's behaviour.

The urgency of this dimension is driven by the speed at which AI supply-chain attacks are evolving. Model poisoning through compromised training data, trojanised adapters distributed through public model registries, and dependency confusion attacks targeting AI-specific package managers have all been demonstrated in practice. Without a component inventory, an organisation cannot determine whether it is affected by a disclosed vulnerability, cannot verify that a deployed agent matches its approved configuration, and cannot respond to supply-chain incidents within the timeframes required by regulations such as DORA (72-hour notification) or the EU AI Act (post-market monitoring).

The AI-BOM also serves as the foundation for all sibling dimensions in this landscape. AG-088 (Third-Party Tool Admission) needs the AI-BOM to verify which components have been admitted. AG-089 (Third-Party Tool Revocation) needs the AI-BOM to identify which agents are affected by a revocation. AG-090 (Fine-Tune and Adapter Provenance) needs the AI-BOM to track adapter lineage. Without AG-087, these sibling dimensions operate without a single source of truth for what is deployed.

6. Implementation Guidance

The AI-BOM should be implemented as a structured, machine-readable artefact — not a prose document or spreadsheet. Recommended formats include CycloneDX (which has native support for machine-learning model components as of version 1.5) and SPDX 3.0 (which supports AI and dataset profiles). The AI-BOM should be stored in a versioned, append-only data store where each version is immutable once committed.

Recommended patterns:

• CI/CD-integrated AI-BOM generation. Integrate AI-BOM generation into the build pipeline using automated dependency scanning tools. Every build produces an AI-BOM as a build artefact alongside the deployable agent. The pipeline blocks deployment if the AI-BOM cannot be generated or if it contains components not present in the approved component registry. This ensures the AI-BOM is always current and always reflects the actual deployed configuration.
• Layered AI-BOM with model and infrastructure sections. Structure the AI-BOM in layers: (1) model layer — base models, adapters, and embedding models with version hashes; (2) application layer — orchestration framework, tool plugins, and application libraries with version and licence metadata; (3) infrastructure layer — container base image, runtime libraries, and system dependencies. This layered structure allows different teams (ML engineering, application development, platform engineering) to own their respective layers while maintaining a unified inventory.
• Cryptographic binding between AI-BOM and deployment. Generate a cryptographic hash of the AI-BOM and embed it in the deployment manifest. At runtime, the enforcement layer verifies that the deployed agent's components match the AI-BOM hash. Any mismatch — indicating an undocumented component change — blocks the agent from operating. This pattern directly implements AG-006 (Tamper-Evident Record Integrity) for the component inventory.
• Automated vulnerability correlation. Integrate the AI-BOM with vulnerability databases (NVD, OSV, and model-specific advisories) to automatically flag components with known vulnerabilities. When a new CVE is published, the system queries all AI-BOMs to identify affected agents within minutes rather than days or weeks.

Anti-patterns to avoid:

• Manual AI-BOM maintenance. An AI-BOM maintained by manual data entry in a spreadsheet or document will drift from reality within the first deployment cycle. AI agents have complex, rapidly changing dependency trees. Manual maintenance cannot keep pace and will produce a false sense of security — the organisation believes it has an inventory, but the inventory does not match what is deployed.
• Excluding transitive dependencies. An AI-BOM that records only direct dependencies misses the largest attack surface. In a typical Python-based agent, 80-90% of total dependencies are transitive. The Log4Shell incident demonstrated that critical vulnerabilities frequently reside in transitive dependencies that no developer explicitly selected.
• Treating the AI-BOM as a compliance document rather than an operational artefact. An AI-BOM generated once for a compliance audit and then filed away provides no operational value. The AI-BOM must be a live artefact that is queried during incident response, validated during deployment, and updated during every change. If the AI-BOM is not used operationally, it will not be maintained accurately.
• Omitting model components from the inventory. An AI-BOM that covers only software libraries but omits the base model, adapters, and embedding models misses the highest-impact components. A model swap or adapter change can fundamentally alter agent behaviour in ways that no library update can match.
• Single-point-in-time snapshots without version history. An AI-BOM that shows only the current state without version history cannot support incident investigation ("what was deployed at the time of the incident?"), regulatory audit ("demonstrate the approved configuration on date X"), or drift detection ("when did this component change?").

Industry Considerations

Financial Services. DORA Article 28 requires financial entities to maintain a register of all ICT third-party service arrangements. For AI agents, the AI-BOM extends this register to cover model and algorithm dependencies. The register must support the 72-hour incident notification requirement by enabling rapid identification of affected agents when a supply-chain vulnerability is disclosed. Integration with existing vendor risk management systems is recommended.

Healthcare. Medical device regulations (FDA 21 CFR 820, EU MDR) require documented design history files including all components. For AI agents operating in clinical contexts, the AI-BOM serves as part of the design history file and must be maintained to the same standards. Changes to any component may trigger re-validation requirements under the quality management system.

Critical Infrastructure. IEC 62443 requires asset inventory for industrial automation and control systems. AI agents operating in critical infrastructure must have AI-BOMs that integrate with existing asset management systems and support the identification of components affected by industrial control system advisories (ICS-CERT).

Maturity Model

Basic Implementation — The organisation maintains a manually curated list of direct components for each deployed agent, including model name and version, primary libraries, and external API integrations. The list is updated during major releases but may not reflect interim changes or transitive dependencies. Vulnerability checks are performed manually when advisories are received. The component list is stored as a document or spreadsheet.

Intermediate Implementation — The AI-BOM is generated automatically during the CI/CD pipeline in a machine-readable format (CycloneDX or SPDX). Transitive dependencies are included. The AI-BOM is versioned and stored in an immutable data store. Automated vulnerability scanning correlates the AI-BOM against vulnerability databases on a daily schedule. Deployment is blocked if the AI-BOM contains components not in the approved registry. Queries against the AI-BOM return results within 5 minutes for inventories of up to 10,000 components.

Advanced Implementation — All intermediate capabilities plus: the AI-BOM is cryptographically signed and bound to the deployment manifest. Runtime verification confirms that deployed components match the AI-BOM. Automated differencing highlights risk-relevant changes between AI-BOM versions. Vulnerability correlation operates in near-real-time (within 1 hour of advisory publication). The AI-BOM integrates with the organisation's CMDB and vendor risk management systems. Historical AI-BOM versions support point-in-time compliance queries for regulatory audit. The AI-BOM covers all component layers including model weights, adapter parameters, embedding models, prompt templates, and infrastructure dependencies.

7. Evidence Requirements

Required artefacts:

• AI-BOM artefact. The current machine-readable AI-BOM for each deployed agent, in CycloneDX, SPDX, or equivalent structured format, listing all components with name, version, hash, supplier, licence, and inclusion date. Not a prose summary.
• AI-BOM version history. A complete, immutable history of all AI-BOM versions for each agent, demonstrating that changes are tracked over time and that the AI-BOM is updated when components change.
• Automated generation evidence. CI/CD pipeline logs or equivalent evidence demonstrating that the AI-BOM is generated automatically during the build process, not manually curated after the fact.
• Vulnerability correlation records. Records demonstrating that the AI-BOM has been correlated against vulnerability databases, including the date of last correlation, any vulnerabilities identified, and the remediation actions taken.
• Query response evidence. Evidence that the organisation can query the AI-BOM to identify agents affected by a specific component or vulnerability within the required timeframe (5 minutes for up to 10,000 components).

Retention requirements:

• AI-BOM versions: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Testing AG-087 compliance requires verifying both the completeness of the AI-BOM and its operational utility during incident response.

Test 8.1: AI-BOM Completeness Verification

• Stimulus: Deploy an agent with known components including a base model, 3 direct library dependencies, and at least 10 transitive dependencies. Generate the AI-BOM. Independently enumerate the agent's actual components using runtime inspection tools.
• Expected behaviour: The AI-BOM lists every component identified by runtime inspection. No component present in the runtime is absent from the AI-BOM.
• Pass criteria: 100% of runtime components appear in the AI-BOM with correct name, version, and hash. Zero false negatives.
• Fail criteria: Any runtime component is absent from the AI-BOM, or any AI-BOM entry has an incorrect version or hash.

Test 8.2: AI-BOM Update Timeliness

• Stimulus: Change a component in a deployed agent (e.g., update a library version or swap an adapter). Measure the time until the AI-BOM reflects the change.
• Expected behaviour: The AI-BOM is updated within 24 hours of the component change.
• Pass criteria: The updated AI-BOM is available within 24 hours, contains the new component version, and has a new AI-BOM version identifier.
• Fail criteria: The AI-BOM is not updated within 24 hours, or the update does not reflect the actual component change.

Test 8.3: Vulnerability Query Response

• Stimulus: Insert a component with a known CVE into the AI-BOM for a test agent. Query the system to identify all agents affected by that CVE.
• Expected behaviour: The query returns the test agent as affected within 5 minutes for an inventory of up to 10,000 components.
• Pass criteria: The affected agent is correctly identified within 5 minutes. No false negatives (affected agents not returned). False positive rate below 1%.
• Fail criteria: The query takes longer than 5 minutes, misses the affected agent, or returns an unacceptable number of false positives.

Test 8.4: Deployment Blocking for Unadmitted Components

• Stimulus: Attempt to deploy an agent whose AI-BOM contains a component not present in the approved component registry.
• Expected behaviour: The deployment is blocked with a structured rejection identifying the unadmitted component.
• Pass criteria: Deployment does not proceed. The rejection message identifies the specific unadmitted component.
• Fail criteria: The agent deploys despite containing an unadmitted component.

Test 8.5: AI-BOM Versioning and Immutability

• Stimulus: Generate an AI-BOM, record its version identifier. Update a component and generate a new AI-BOM. Attempt to modify the previous AI-BOM version.
• Expected behaviour: Each component change produces a new AI-BOM version with a distinct identifier. Previous versions are immutable and cannot be altered.
• Pass criteria: Two distinct AI-BOM versions exist. The original version is unchanged after the component update. Any attempt to modify the original version fails or is logged as a tamper event.
• Fail criteria: The original AI-BOM version is modified in place, or both versions share the same identifier.

Test 8.6: Cryptographic Hash Accuracy

• Stimulus: For each component in the AI-BOM, independently compute the SHA-256 hash of the component artefact and compare against the hash recorded in the AI-BOM.
• Expected behaviour: All hashes match. No component has been modified since the AI-BOM was generated.
• Pass criteria: 100% hash match across all components.
• Fail criteria: Any hash mismatch, indicating either a stale AI-BOM or a modified component.

Conformance Scoring

• Score 0: No component inventory exists — the organisation cannot enumerate what components are in a deployed agent.
• Score 1: A component list exists but is manually maintained, covers only direct dependencies, or is not updated on component change — the inventory exists but cannot be trusted.
• Score 2: An AI-BOM is generated automatically, covers all components including transitive dependencies, is versioned, and supports vulnerability queries within the required timeframe — operationally reliable inventory.
• Score 3: Verified by independent testing demonstrating completeness, timeliness, query performance, and deployment blocking — an independent party has confirmed that the AI-BOM accurately reflects deployed components and supports operational supply-chain governance.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 11 (Technical Documentation)	Direct requirement
EU AI Act	Article 61 (Post-Market Monitoring)	Supports compliance
DORA	Article 28 (Register of ICT Third-Party Arrangements)	Direct requirement
DORA	Article 9 (ICT Risk Management Framework)	Supports compliance
US Executive Order 14028	Section 4 (Software Supply Chain Security)	Direct requirement
NIST AI RMF	MAP 3.2, GOVERN 1.4, MANAGE 2.3	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks), Clause 8.2 (AI Risk Assessment)	Supports compliance
FDA 21 CFR 820	Quality Management System — Design History File	Supports compliance

EU AI Act — Article 11 (Technical Documentation)

Article 11 requires providers of high-risk AI systems to draw up technical documentation demonstrating compliance, including a general description of the AI system including "the elements of the AI system and of the process for its development." The AI-BOM directly satisfies this requirement by providing a complete, machine-readable enumeration of all components. Without it, the technical documentation is incomplete and cannot demonstrate that the deployed system matches its approved configuration. The requirement for post-market monitoring under Article 61 further reinforces the need for a live AI-BOM that supports ongoing compliance verification throughout the system's lifecycle.

DORA — Article 28 (Register of ICT Third-Party Arrangements)

Article 28 requires financial entities to maintain and update a register of information on all contractual arrangements on the use of ICT services provided by third-party providers. For AI agents, every model provider, API integration, and open-source component maintainer is a de facto ICT third-party provider. The AI-BOM extends the Article 28 register to cover the full supply chain of AI-specific components. The register must support the 72-hour incident notification requirement under Article 19 by enabling rapid identification of affected agents.

US Executive Order 14028 — Software Supply Chain Security

Section 4 of EO 14028 requires SBOM provision for software sold to the federal government. For AI agents deployed in public sector or government-adjacent contexts, the AI-BOM satisfies and extends the SBOM requirement to cover AI-specific components. NIST guidance under this EO (NIST SP 800-218, SSDF) establishes minimum SBOM requirements that the AI-BOM must meet or exceed.

NIST AI RMF — MAP 3.2, GOVERN 1.4, MANAGE 2.3

MAP 3.2 addresses understanding the AI system's context and dependencies; GOVERN 1.4 addresses organisational governance of AI systems including supply-chain considerations; MANAGE 2.3 addresses ongoing monitoring and management of AI system risks. The AI-BOM supports all three by providing the authoritative inventory of components against which risk assessments, governance decisions, and monitoring activities operate.

ISO 42001 — Clause 6.1, Clause 8.2

The AI management system requires organisations to identify and assess risks related to AI systems. Component supply-chain risk is a primary risk category that can only be assessed if the components are known. The AI-BOM provides the input to the risk assessment process required by Clause 8.2.

FDA 21 CFR 820 — Design History File

For AI agents operating in clinical or medical device contexts, the AI-BOM forms part of the design history file required by the quality management system. Any component change may constitute a design change requiring formal change control and potentially re-validation under 21 CFR 820.30.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — potentially cross-organisation where agents share supply-chain components

Consequence chain: Without a component inventory, the organisation operates blind to its AI supply-chain risk. When a vulnerability is disclosed in a widely-used component (e.g., a serialisation library, an embedding model, or an orchestration framework), the organisation cannot determine which agents are affected, cannot prioritise remediation, and cannot provide regulators with the required incident notifications within mandated timeframes. The failure mode is not a single incident but a persistent inability to respond to supply-chain events. Each day without an accurate AI-BOM is a day where a disclosed vulnerability could be present in production agents without the organisation's knowledge. The blast radius extends across all agents that share affected components — a single vulnerable library present in 50 agents means 50 agents operating with known risk. For financial services organisations, the inability to maintain the Article 28 register and respond within DORA's 72-hour notification window creates direct regulatory exposure. For healthcare organisations, the inability to demonstrate design history compliance creates product liability exposure. The severity compounds over time: as the AI-BOM drifts further from reality, the organisation's ability to govern its supply chain degrades progressively until a supply-chain incident reveals the gap under the worst possible circumstances.

Cross-references: AG-014 (External Dependency Integrity) establishes integrity verification for external dependencies that the AI-BOM inventories. AG-048 (AI Model Provenance and Integrity) provides model-specific provenance requirements that complement the AI-BOM's model layer. AG-006 (Tamper-Evident Record Integrity) governs the integrity of the AI-BOM artefact itself. AG-007 (Governance Configuration Control) governs changes to AI-BOM policies and thresholds. AG-088 (Third-Party Tool Admission Governance) depends on the AI-BOM to verify admitted components. AG-089 (Third-Party Tool Revocation Governance) depends on the AI-BOM to identify agents affected by revocation. AG-090 (Fine-Tune and Adapter Provenance Governance) depends on the AI-BOM to track adapter lineage.