Dark ReadingArchived May 20, 2026✓ Full text saved
A brief overview of the forces at play that will get more organizations on board with creating and consuming AI bill of materials (BOMs).
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBERSECURITY ANALYTICS
CYBERSECURITY OPERATIONS
CYBER RISK
WHAT IS
Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
What Will Make AI BOMs Real?
A brief overview of the forces at play that will get more organizations on board with creating and consuming AI bill of materials (BOMs).
Ericka Chickowski, Contributing Writer
May 19, 2026
3 Min Read
A CLOSE UP OF A BLUE AND WHITE ROBOT
Standards bodies, open-source projects, and commercial vendors are already building meaningful momentum for realizing the promise of AI BOM.
OWASP, with its CycloneDX SBOM standard, and the Linux Foundation, with its SPDX standard, have both released AI-specific extensions. The OWASP AI SBOM Initiative holds weekly open meetings and has developed the OWASP AI BOM Generator, the first open-source tool to automatically generate AIBOMs from Hugging Face models in CycloneDX format. And the SPDX standard added dedicated AI and dataset profiles in version 3.0, providing field mappings for model training and data provenance. Meanwhile, the OpenSSF AI/ML Working Group formalized a model-signing specification in 2025, with contributions from Google, HiddenLayer, and NVIDIA. Additionally, CISA's AI SBOM Tiger Team published foundational guidance in 2025, though the agency's significant personnel cuts this year have cast uncertainty over many of its ongoing initiatives.
Related:Is 2026 the Year AI Bills of Materials Get Real?
On the commercial side, vendors are adding AI BOM capabilities to their platforms. Manifest Cyber released its AI supply chain security product in summer 2025, developed in partnership with major IT, defense, and automotive companies, and has been running an AIBOM generator for over 18 months. Cycode launched AI & ML Inventory and AI BOM generation in October 2025 as part of its application security posture management platform. JFrog is extending its platform to manage AI models with the same rigor as software artifacts, unveiling a Universal MCP Registry in March 2026. Apiiro and others are building similar integrations. Academic work is progressing too — a January 2026 paper introduced AIBoMGen, a proof-of-concept platform for generating cryptographically signed AIBOMs during model training.
Regulatory pressure is also adding a sense of urgency. The EU AI Act comes into full effect in August 2026, with documentation requirements that align directly with AI BOM content. Organizations deploying high-risk AI systems must have conformity assessments completed, technical documentation finalized, and EU database registration in place by that date. The act specifically requires logging capabilities that cover situations where the system might present a risk, data for post-market monitoring, and operational monitoring by deployers, all of which align with the provenance and telemetry documentation that AI BOMs are designed to capture.
US regulators are moving too. New language in the FY26 National Defense Authorization Act requires vendors selling software to the DoD to account for AI components in their SBOMs — effectively mandating AI BOMs for defense contractors. Additionally, the SEC has identified AI governance as an examination priority for 2026, and examiners are asking pointed questions about AI policies and governance even without new dedicated rules.
Plus, cyber insurers are following the same playbook they used after ransomware reshaped underwriting in 2021. Carriers are beginning to condition coverage on AI governance documentation, treating the absence of a model inventory as a risk signal rather than an oversight. CyberCube's April 2026 Global Threat Briefing recommends that underwriters evaluate "the governance of AI agents, including permissions, API scope control, logging, and segregation of duties." These are the kinds of controls that agentic-ready AI BOMs could help organizations document and demonstrate.
AI BOM adoption remains largely aspirational as the industry races to define standards and build practical tooling before regulatory deadlines hit. Read Is 2026 the Year AI Bill of Materials Get Real? to see how security leaders are addressing the current visibility challenges.
About the Author
Ericka Chickowski, Contributing Writer
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management
Access More Research
Webinars
AI-Powered Credential Security: Intelligence Without Exposure
AI-Powered Cybersecurity for Resource-Constrained Organizations
How Security Teams should apply Threat Intelligence into their Defenses
Your Guide to Securing AI Adoption in Your Organization
What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization?
More Webinars
You May Also Like
CYBERSECURITY ANALYTICS
In Cybersecurity, Claude Leaves Other LLMs in the Dust
by Nate Nelson, Contributing Writer
DEC 17, 2025
CYBERSECURITY ANALYTICS
How Agentic AI Can Boost Cyber Defense
by Jeffrey Schwartz
DEC 04, 2025
CYBERSECURITY ANALYTICS
Mideast, African Hackers Target Gov'ts, Banks, Small Retailers
by Nate Nelson, Contributing Writer
OCT 23, 2025
CYBERSECURITY ANALYTICS
Commentary Section Launches New, More Opinionated Era
by Becky Bracken
OCT 10, 2025
Edge Picks
APPLICATION SECURITY
AI Agents in Browsers Light on Cybersecurity, Bypass Controls
CYBER RISK
Browser Extensions Pose Heightened, but Manageable, Security Risks
CYBERSECURITY OPERATIONS
Video Convos: Agentic AI, Apple, EV Chargers; Cybersecurity Peril Abounds
ENDPOINT SECURITY
Extension Poisoning Campaign Highlights Gaps in Browser Security
Latest Articles in The Edge
CYBER RISK
Checkbox Assessments Aren't Fit to Measure Risk
MAY 13, 2026
CYBER RISK
Research Hub Bridges Cybersecurity Gap for Under-Resourced Organizations
MAY 5, 2026
CYBERSECURITY OPERATIONS
Anthropic's Mythos Has Landed: Here's What Comes Next for Cyber
APR 30, 2026
CYBERSECURITY OPERATIONS
Helping Romance Scam Victims Requires a Proactive, Empathic Approach
APR 24, 2026
Read More The Edge
Want more Dark Reading stories in your Google search results?
Loading...
BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE
Experience cutting-edge cybersecurity insights in this four-day event. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass.
GET YOUR PASS