CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 20, 2026

What Will Make AI BOMs Real?

Dark Reading Archived May 20, 2026 ✓ Full text saved

A brief overview of the forces at play that will get more organizations on board with creating and consuming AI bill of materials (BOMs).

Full text archived locally
✦ AI Summary · Claude Sonnet


    CYBERSECURITY ANALYTICS CYBERSECURITY OPERATIONS CYBER RISK WHAT IS Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know. What Will Make AI BOMs Real? A brief overview of the forces at play that will get more organizations on board with creating and consuming AI bill of materials (BOMs). Ericka Chickowski, Contributing Writer May 19, 2026 3 Min Read A CLOSE UP OF A BLUE AND WHITE ROBOT Standards bodies, open-source projects, and commercial vendors are already building meaningful momentum for realizing the promise of AI BOM. OWASP, with its CycloneDX SBOM standard, and the Linux Foundation, with its SPDX standard, have both released AI-specific extensions. The OWASP AI SBOM Initiative holds weekly open meetings and has developed the OWASP AI BOM Generator, the first open-source tool to automatically generate AIBOMs from Hugging Face models in CycloneDX format. And the SPDX standard added dedicated AI and dataset profiles in version 3.0, providing field mappings for model training and data provenance. Meanwhile, the OpenSSF AI/ML Working Group formalized a model-signing specification in 2025, with contributions from Google, HiddenLayer, and NVIDIA. Additionally, CISA's AI SBOM Tiger Team published foundational guidance in 2025, though the agency's significant personnel cuts this year have cast uncertainty over many of its ongoing initiatives.  Related:Is 2026 the Year AI Bills of Materials Get Real? On the commercial side, vendors are adding AI BOM capabilities to their platforms. Manifest Cyber released its AI supply chain security product in summer 2025, developed in partnership with major IT, defense, and automotive companies, and has been running an AIBOM generator for over 18 months. Cycode launched AI & ML Inventory and AI BOM generation in October 2025 as part of its application security posture management platform. JFrog is extending its platform to manage AI models with the same rigor as software artifacts, unveiling a Universal MCP Registry in March 2026. Apiiro and others are building similar integrations. Academic work is progressing too — a January 2026 paper introduced AIBoMGen, a proof-of-concept platform for generating cryptographically signed AIBOMs during model training. Regulatory pressure is also adding a sense of urgency. The EU AI Act comes into full effect in August 2026, with documentation requirements that align directly with AI BOM content. Organizations deploying high-risk AI systems must have conformity assessments completed, technical documentation finalized, and EU database registration in place by that date. The act specifically requires logging capabilities that cover situations where the system might present a risk, data for post-market monitoring, and operational monitoring by deployers, all of which align with the provenance and telemetry documentation that AI BOMs are designed to capture. US regulators are moving too. New language in the FY26 National Defense Authorization Act requires vendors selling software to the DoD to account for AI components in their SBOMs — effectively mandating AI BOMs for defense contractors. Additionally, the SEC has identified AI governance as an examination priority for 2026, and examiners are asking pointed questions about AI policies and governance even without new dedicated rules.  Plus, cyber insurers are following the same playbook they used after ransomware reshaped underwriting in 2021. Carriers are beginning to condition coverage on AI governance documentation, treating the absence of a model inventory as a risk signal rather than an oversight. CyberCube's April 2026 Global Threat Briefing recommends that underwriters evaluate "the governance of AI agents, including permissions, API scope control, logging, and segregation of duties." These are the kinds of controls that agentic-ready AI BOMs could help organizations document and demonstrate. AI BOM adoption remains largely aspirational as the industry races to define standards and build practical tooling before regulatory deadlines hit. Read Is 2026 the Year AI Bill of Materials Get Real? to see how security leaders are addressing the current visibility challenges.  About the Author Ericka Chickowski, Contributing Writer Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management Access More Research Webinars AI-Powered Credential Security: Intelligence Without Exposure AI-Powered Cybersecurity for Resource-Constrained Organizations How Security Teams should apply Threat Intelligence into their Defenses Your Guide to Securing AI Adoption in Your Organization What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? More Webinars You May Also Like CYBERSECURITY ANALYTICS In Cybersecurity, Claude Leaves Other LLMs in the Dust by Nate Nelson, Contributing Writer DEC 17, 2025 CYBERSECURITY ANALYTICS How Agentic AI Can Boost Cyber Defense by Jeffrey Schwartz DEC 04, 2025 CYBERSECURITY ANALYTICS Mideast, African Hackers Target Gov'ts, Banks, Small Retailers by Nate Nelson, Contributing Writer OCT 23, 2025 CYBERSECURITY ANALYTICS Commentary Section Launches New, More Opinionated Era by Becky Bracken OCT 10, 2025 Edge Picks APPLICATION SECURITY AI Agents in Browsers Light on Cybersecurity, Bypass Controls CYBER RISK Browser Extensions Pose Heightened, but Manageable, Security Risks CYBERSECURITY OPERATIONS Video Convos: Agentic AI, Apple, EV Chargers; Cybersecurity Peril Abounds ENDPOINT SECURITY Extension Poisoning Campaign Highlights Gaps in Browser Security Latest Articles in The Edge CYBER RISK Checkbox Assessments Aren't Fit to Measure Risk MAY 13, 2026 CYBER RISK Research Hub Bridges Cybersecurity Gap for Under-Resourced Organizations MAY 5, 2026 CYBERSECURITY OPERATIONS Anthropic's Mythos Has Landed: Here's What Comes Next for Cyber APR 30, 2026 CYBERSECURITY OPERATIONS Helping Romance Scam Victims Requires a Proactive, Empathic Approach APR 24, 2026 Read More The Edge Want more Dark Reading stories in your Google search results? Loading... BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    May 20, 2026
    Archived
    May 20, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗