What It'll Take to Make AI BOMs Usable in a Modern Security Program

Dark Reading, archived May 20, 2026

Five ways CISOs can prepare for consuming AI Bills of Materials and influence the direction of how they're generated.

Ericka Chickowski, Contributing Writer
May 19, 2026

The standards for AI bills of materials (AI BOMs) are maturing, and the tools are rapidly emerging. But industry watchers say that most vendors and software development teams can't yet deliver an AI BOM when asked. And most security teams wouldn't know what to do with it if they did get one.

Of course, the evidence is mostly anecdotal. AI BOMs are so nascent that there are no good numbers on the state of AI BOM operationalization today. But Optero's 2026 Risk Intelligence Report found that while 85% of organizations have integrated AI into core operations, only 25% have comprehensive visibility into how AI is being used. Considering also that software bills of materials (SBOMs) are still only spottily operationalized after years of industry advocacy, it's easy to infer that there's a long road ahead before security leaders can reap actual benefits from AI BOMs.

The good news for security leaders is that it won't take a wholesale reinvention of processes to dig into the work of generating and consuming AI BOMs. Ecosystem momentum is building to make this practical at scale. And practitioners can iterate on a lot of what they've learned from the AppSec and software supply chain work they've ideally been doing for a while, says Daniel Bardenstein, co-founder of Manifest Cyber, a supply chain security platform.

"To be honest, I think the bar is a lot lower than it might seem," he says. "AI is a subset of software, at least that's what many of us believe, and 90% of AI security is traditional software security. So, if most organizations just apply what they already do for software security onto AI [then] they're already most of the way there."

That last 10% is tricky, though, and AI BOMs specifically have a host of new considerations to address that are outside the bailiwick of even the saltiest security veteran. Here's what experts say CISOs need to start thinking about and planning for, so that they can start to turn AI BOMs into meaningful operational tools.

The First Step Always Starts With Scoping

Before you can document your AI systems, you need to know what AI systems you have. This sounds obvious, but as the Optero data suggests, many organizations aren't able to do this yet.

When most practitioners think of shadow AI, they're primarily worried about unauthorized tools brought into environments without approval. But the elephant in the room is that many, many authorized pieces of software now have AI embedded in them, with no visibility into what has been deployed or how. Added to that, there are in-house development projects that may include approved models but don't actually track how things change as they're tuned and trained for daily use.

"If I'm taking that approved model and I'm passing it off to some people who are finetuning those models and customizing it with my own internal data sets, unless I'm capturing that somewhere, I've now just created shadow AI," Bardenstein says. "Someone in some business unit created a finetuned model and we don't know the story about who built it, how, and where it's actually deployed."

So, CISOs need to start by asking and answering some important scoping questions. Doing this will help map every AI component that needs to be represented in a bill of materials: what you're building internally, what's embedded in software you're buying, and what data is being used to train or customize any of it.

"The first step is to identify what your AI supply chains look like," he says. "What are the things you need to represent as a bill of materials?"

This means identifying where internal data is being used to customize models. And it means getting vendors to disclose what models are embedded in the software the organization is buying.

Security Teams Need a Roadmap for Actionability

Security teams that generate AI BOMs and file them away are missing the point. The same goes for teams that request them from vendors and never look at them again. The real payoff from AI BOMs will come from how the documentation plugs into security and governance workflows.

Take incident response, for instance. CISOs should be building processes and integrated systems that help them move quickly when a vulnerability is disclosed in a specific model version, identifying each system that uses it. For this to work, security teams need to integrate AI BOM data into their existing asset management and incident response workflows. The platforms that handle security information and event management (SIEM), asset management, and governance, risk, and compliance (GRC) need to speak AI BOM natively.

Emerging AI security posture management (AI-SPM) tools and DevSecOps platforms with MLOps integrations are likely to become the primary management layer for AI BOMs, but the traditional security platforms for incident response and compliance will still need to ingest this data and interact with it regularly to truly gain the ability to act on it.

Bardenstein describes what an action-based implementation would look like around a component governance process. One of Manifest's customers was facing eight-week approval cycles when business units wanted to use new models from Hugging Face. Every request required legal, compliance, and AI review boards to manually evaluate whether a model was safe and trusted enough to use. They had to wade through qualitative documentation like model cards and data cards to answer that question.

"We got them down to a few clicks and a few minutes," he says, explaining that the difference-maker was the structured data provided by the AI BOM. Whereas model cards are PDFs that someone has to read and interpret, AI BOMs are machine-readable data that governance tools can ingest automatically to flag issues like licensing risks or known vulnerabilities.

This is the direction in which CISOs planning to consume AI BOMs should be taking their roadmaps. Meanwhile, CISOs working on generating AI BOMs should keep this in mind too, so they can better support their customers with the kind of structured, machine-readable documentation that security and governance platforms can actually ingest.

Data Provenance: The New Perimeter

One of the thorniest problems in AI supply chain security is that the threats don't always look like traditional attacks. A model can be compromised long before it ever reaches an organization's environment, through poisoned training data that shapes its behavior in ways that are nearly impossible to detect after the fact. Research published in October 2025 by Anthropic, the UK AI Security Institute, and the Alan Turing Institute found that just 250 poisoned documents can backdoor a large language model (LLM) of any size. The traditional network perimeter can't intercept an attack that arrives encoded in training data months before the model is deployed. This is why provenance documentation matters so much.

An AI BOM that lists model architecture and training framework — but can't prove where the training data came from — isn't going to help security teams understand whether they can trust the model's behavior. And an AI BOM that documents all of this but can't itself be verified is just a self-reported claim. As researchers from a new project called AIBoMGen noted in a paper this January, "Without mechanisms to ensure the integrity and authenticity of the documented information, AI BOMs cannot effectively support compliance and security."

This creates what amounts to a zero-trust problem for content, says Krti Tallam, senior member of technical staff at Kamiwaza AI and contributor to NIST's AI Risk Management Framework. "The question is no longer 'Is this input crossing my boundary from a trusted or untrusted source?'" she says. "It is 'Can I verify the chain of custody of every artifact, data, model, prompt, tool, embedding, that has shaped this system's behavior?'"

The practical answer to that question is beefing up cryptographic signing and attestation, both for the components listed in AI BOMs and for the BOMs themselves. For security leaders consuming AI BOMs, this starts with looking for cryptographic hashes of datasets and verified model signing. Unverifiable provenance should be treated as a risk signal. For those generating AI BOMs internally, the model registry can serve as the access control layer, where models without verified provenance don't get deployed to production.

Fortunately, the industry scaffolding for this is starting to firm up. The NSA and seven allied agencies issued joint guidance on AI supply chain security in March 2026, explicitly recommending integrity and provenance methods such as checksums, hashes, digital signatures, and lineage tracking for all training data. The OpenSSF Model Signing specification provides the technical infrastructure for making this happen.
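As an added example that is not part of the article, and not code from Manifest, OWASP or the AIBoMGen project, the Python script below shows two of the consumption steps described above in working form: treating unverifiable provenance as a risk signal by checking the SHA-256 hash recorded for each model and dataset component against the artifact bytes the consumer actually holds (with a registry-style deploy gate on the result), and answering the incident-response question from the roadmap section, which systems depend on a given model version. The BOM is constructed for this example; its component types ("machine-learning-model", "data") and its hashes/dependencies shape follow CycloneDX, but the "artifact" property used to locate the bytes to verify is this example's own assumption, not part of the spec. The lookup generalizes beyond the article's model-version case to datasets, so a disclosure about a poisoned dataset can be traced through the models trained on it to the systems that use those models.

```python
"""Consuming an AI BOM: provenance verification plus "who uses this?" lookup.

Added example, not code from the article or any vendor it names. The BOM is
constructed. Component types and the hashes/dependencies shape follow
CycloneDX; the "artifact" property that names the local bytes to verify is
an assumption of this example.
"""
import hashlib
from typing import Optional

# Constructed stand-ins for the artifact bytes the consumer actually holds.
ARTIFACTS = {
    "weights-v2.1.safetensors": b"constructed model weights v2.1",
    "support-tickets-2025.parquet": b"constructed training-data export",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        # Model whose recorded hash matches the bytes we hold: verifiable.
        {"type": "machine-learning-model", "bom-ref": "model-a",
         "name": "support-classifier", "version": "2.1",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(ARTIFACTS["weights-v2.1.safetensors"])}],
         "properties": [{"name": "artifact", "value": "weights-v2.1.safetensors"}]},
        # Training dataset whose recorded hash does not match what we hold.
        {"type": "data", "bom-ref": "data-a", "name": "support-tickets-2025",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}],
         "properties": [{"name": "artifact", "value": "support-tickets-2025.parquet"}]},
        # Model with no hash at all: a self-reported, unverifiable claim.
        {"type": "machine-learning-model", "bom-ref": "model-b",
         "name": "embed-lite", "version": "0.9"},
        {"type": "application", "bom-ref": "app-helpdesk", "name": "helpdesk-bot"},
        {"type": "application", "bom-ref": "app-search", "name": "kb-search"},
    ],
    "dependencies": [
        {"ref": "model-a", "dependsOn": ["data-a"]},
        {"ref": "app-helpdesk", "dependsOn": ["model-a"]},
        {"ref": "app-search", "dependsOn": ["model-b", "model-a"]},
    ],
}

PROVENANCE_TYPES = {"machine-learning-model", "data"}


def check_provenance(bom: dict, artifacts: dict) -> dict:
    """Map each model/dataset bom-ref to 'verified', 'hash-mismatch',
    'no-hash' or 'artifact-missing'. Anything but 'verified' is a risk signal."""
    results = {}
    for comp in bom.get("components", []):
        if comp.get("type") not in PROVENANCE_TYPES:
            continue
        ref = comp["bom-ref"]
        hashes = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])}
        if "SHA-256" not in hashes:
            results[ref] = "no-hash"
            continue
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        blob = artifacts.get(props.get("artifact"))
        if blob is None:
            results[ref] = "artifact-missing"
            continue
        results[ref] = "verified" if sha256_hex(blob) == hashes["SHA-256"] else "hash-mismatch"
    return results


def deployable(bom: dict, artifacts: dict) -> bool:
    """Registry-style gate: deploy only when every model and dataset verifies."""
    return all(s == "verified" for s in check_provenance(bom, artifacts).values())


def systems_using(bom: dict, name: str, version: Optional[str] = None) -> list:
    """Names of every application that depends, directly or transitively, on a
    component with this name (and version, if given). Datasets work too."""
    by_ref = {c["bom-ref"]: c for c in bom.get("components", [])}
    targets = [ref for ref, c in by_ref.items()
               if c.get("name") == name and (version is None or c.get("version") == version)]
    parents = {}  # child ref -> set of refs that depend on it (reverse edges)
    for dep in bom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, set()).add(dep["ref"])
    affected, stack = set(), list(targets)
    while stack:
        for parent in parents.get(stack.pop(), ()):
            if parent not in affected:
                affected.add(parent)
                stack.append(parent)
    return sorted(by_ref[r]["name"] for r in affected if by_ref[r].get("type") == "application")


if __name__ == "__main__":
    print(check_provenance(SAMPLE_BOM, ARTIFACTS))
    print("deployable:", deployable(SAMPLE_BOM, ARTIFACTS))
    print("uses support-classifier 2.1:", systems_using(SAMPLE_BOM, "support-classifier", "2.1"))
    print("uses support-tickets-2025:", systems_using(SAMPLE_BOM, "support-tickets-2025"))
```

The hash check only establishes that the bytes you hold are the bytes the BOM describes; it says nothing about who produced the BOM, which is why the article also calls for signing the BOM itself (for example via the OpenSSF Model Signing specification or in-toto attestations) before a consumer trusts its contents.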
Additionally, the AIBoMGen project has demonstrated new methods to generate cryptographically signed AI BOMs during model training using in-toto attestation.

[Read more about what regulators and standards bodies are doing in What Will Make AI BOMs Real?]

Automate AI BOM Generation or Fall Behind

AI BOMs that require manual authoring won't work at scale. Models get updated, finetuned, registered, and deployed continuously. If a human has to author or update documentation at each stage, the process will fall behind almost immediately.

For CISOs, this means rethinking who owns AI BOM generation. Generation should be automated, and ideally built into the development and deployment pipeline as an automatic step. DevOps and MLOps teams should be automatically generating AI BOMs at checkpoints in the process such as training, finetuning, model registration, and deployment. CI/CD integrations that trigger AI BOM updates on model changes should be the endgame. Security's role is to set the policy and validate the output, not author the documents.

Peer-reviewed research is starting to quantify the benefits of this kind of automation. A January 2026 paper found that automated AI BOM generation with cryptographic validation cut the manual work required for oversight across containerized workflows by nearly two-thirds, and that the resulting documentation was accurate enough to recreate the original model environment almost perfectly. This is the kind of reliability that will make scaling AI BOM programs realistic.

The OWASP AI BOM Generator can be a valuable tool for security and engineering teams getting started. It automatically extracts AI model metadata and generates a standards-aligned AI BOM in CycloneDX format for models on Hugging Face. The tooling is still early, but the direction is clear.

CISOs should also insist that their vendors are at least starting to work on implementing automated, native AI BOM generation. The AIBoMGen researchers noted that major commercial ML platforms like AWS SageMaker or Google's Kaggle Notebooks "do not include native support for provenance tracking or supply chain integrity." It will take pressure from customers to get vendors to start closing the gap.

No Time Like the Present to Get Started With AI BOMs

The gap between AI deployment and AI governance is widening fast. Security leaders who wait for perfect standards and mature tooling will increasingly find themselves flat-footed as AI-related risks pile up. The organizations that start now, even with imperfect processes and incomplete data, will be the ones positioned to actually use AI BOMs when the pressures start to multiply. Whether it's addressing the consequences of AI security incidents, responding to enterprise customers' requests for AI transparency, or satisfying regulators' demands for documentation, taking these steps to effectively create and consume AI BOMs will be essential for the future of AI resilience.

[Read Is 2026 the Year AI Bills of Materials Get Real? to see how security leaders are addressing the current visibility challenges.]

About the Author

Ericka Chickowski, Contributing Writer. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.