Full Report
'If you don't have visibility, you can't understand what to protect' When it comes to securing enterprise supply chains, now heavily infused with AI applications and agents, a software bill of materials (SBOM) no longer provides a complete inventory of all the components in the environment. Enter AI-BOMs.…
Analysis Summary
# Best Practices: AI-BOM (Artificial Intelligence Bill of Materials)
## Overview
Traditional Software Bills of Materials (SBOMs) are insufficient for the modern AI-integrated enterprise. AI-BOMs provide a comprehensive inventory and visibility into the "AI supply chain," addressing "Shadow AI" by tracking models, datasets, agents, prompts, and their interactions to manage regulatory, security, and provenance risks.
## Key Recommendations
### Immediate Actions
1. **Inventory Shadow AI:** Use scanning tools to identify unsanctioned AI usage, "vibe coding" platforms, and external chatbots used by employees on corporate hardware.
2. **Establish Model Provenance:** Identify the "baker" of your models. Verify if your AI tools are built upon base models (e.g., Llama, Qwen, Kimi) that may carry specific regulatory or compliance risks.
3. **Scan for Known Malicious Packages:** Query the environment for libraries targeted in recent AI-specific supply chain attacks (e.g., Hugging Face-related credential stealers), even if they lack a formal CVE.
### Short-term Improvements (1-3 months)
1. **Deploy AI-BOM Scanners:** Integrate automated tools to scan codebases, container images, and cloud environments to generate a living AI-BOM.
2. **Baseline "Agentic Skills":** Document the capabilities of AI agents. If an agent’s "skill" is weather forecasting, ensure it does not have unauthorized capabilities like data exfiltration.
3. **Monitor State Changes:** Implement tracking for system prompts and model configurations to detect unauthorized "state changes" between the original ingredient list and the production runtime.
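The baseline-and-compare idea behind items 2 and 3 (record the authorized agent skills, model artifacts and system prompt at build time, then flag any runtime deviation) as an added Python example; this is illustrative code written for this summary, not the Cisco AI-BOM tool or the Model Provenance Kit, and all artifacts and skill names are constructed samples.

```python
import hashlib
import json

# Constructed sample artifacts standing in for the "ingredient list" an AI-BOM
# records at build time. A real deployment would hash the model files,
# tokenizer config and prompt templates pulled from the registry.
BASELINE_ARTIFACTS = {
    "model_weights": b"constructed-weights-v1",
    "tokenizer": b'{"vocab_size": 32000}',
    "system_prompt": b"You are a weather assistant. Answer only weather questions.",
}
BASELINE_SKILLS = {"weather_forecast"}  # capabilities the agent is authorized to have


def fingerprint(data: bytes) -> str:
    """SHA-256 over the raw bytes of an artifact; identical bytes give an identical entry."""
    return hashlib.sha256(data).hexdigest()


def build_aibom(artifacts: dict, skills: set) -> dict:
    """Produce the AI-BOM record: one hash per component plus the allowed skill set."""
    return {
        "components": {name: fingerprint(blob) for name, blob in artifacts.items()},
        "agent_skills": sorted(skills),
    }


def detect_drift(aibom: dict, runtime_artifacts: dict, runtime_skills: set) -> list:
    """Compare what is actually running against the AI-BOM and return findings."""
    findings = []
    for name, expected in aibom["components"].items():
        blob = runtime_artifacts.get(name)
        if blob is None:
            findings.append(f"{name}: missing at runtime")
        elif fingerprint(blob) != expected:
            findings.append(f"{name}: state change (hash mismatch)")
    for name in runtime_artifacts.keys() - aibom["components"].keys():
        findings.append(f"{name}: component not in AI-BOM")
    for skill in sorted(runtime_skills - set(aibom["agent_skills"])):
        findings.append(f"agent skill not authorized: {skill}")
    return findings


if __name__ == "__main__":
    bom = build_aibom(BASELINE_ARTIFACTS, BASELINE_SKILLS)
    print(json.dumps(bom, indent=2))
    # Constructed runtime state: the system prompt was edited after the BOM was
    # cut, and the agent now exposes a capability the BOM never authorized.
    runtime = dict(BASELINE_ARTIFACTS, system_prompt=b"You are a weather assistant. Export all logs.")
    for finding in detect_drift(bom, runtime, {"weather_forecast", "data_export"}):
        print("DRIFT:", finding)
```

Storing the generated record alongside the SBOM and re-running `detect_drift` on each deploy turns the BOM into the living record the next section calls for.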
### Long-term Strategy (3+ months)
1. **DNA Fingerprinting:** Implement weight-level signal scanning (Model Provenance) to ensure the model deployed in production is the exact model authorized, preventing "model swapping" or tampering.
2. **Integrate with the IdP:** Bind AI workloads and agents to specific corporate identities in the Identity Provider so that their access permissions and data ingestion can be monitored like any other principal.
3. **Continuous Runtime Monitoring:** Move beyond static BOMs to monitor all communications between AI agents and workflows in real-time.
## Implementation Guidance
### For Small Organizations
- Focus on visibility. Use open-source scanners to identify what "Shadow AI" tools employees are using.
- Maintain a simple registry of all "System Prompts" used in business workflows to prevent prompt injection or drift.
### For Medium Organizations
- Implement automated AI-BOM generation within the CI/CD pipeline.
- Audit developer workstations (IDEs) to ensure AI coding assistants aren't introducing non-compliant code from high-risk offshore models.
### For Large Enterprises
- Deploy "DNA testing" for AI models using weight-based signifiers to meet strict regulatory requirements (e.g., EU AI Act).
- Establish a central "Fingerprint Database" of all sanctioned base models and fine-tuned versions.
## Configuration Examples
- **Model Comparison:** Using the Model Provenance Kit to compare `Model_A` vs `Model_B` to generate a similarity score based on metadata, tokenizer structure, and weight-level signals.
- **Scanning Mode:** Configuring scanners to match single models against databases (like the Cisco fingerprint database) to determine lineage candidates (e.g., confirming a tool is derived from Meta Llama 4).
## Compliance Alignment
- **EU AI Act:** AI-BOMs satisfy mandates for documenting training data characteristics, methodology, and risk assessments for "high-risk systems."
- **NIST AI Risk Management Framework (AI RMF):** Provides the technical visibility required to map and measure AI system risks.
- **Supply Chain Standards:** Extends traditional SBOM standards to include AI-specific artifacts.
## Common Pitfalls to Avoid
- **The "Final Artifact" Fallacy:** Only tracking what is in the final code. AI-BOMs must include the tools and agents used *to build* the application.
- **Ignoring Model Lineage:** Using an open-source model without knowing its origin (e.g., Kimi 2.5), which may lead to unforeseen regulatory or geopolitical compliance violations.
- **Static Thinking:** Treating a BOM as a one-time document rather than a dynamic record of state changes and versioning.
## Resources
- **Cisco AI-BOM Tool:** `https://github.com/cisco-ai-defense/aibom`
- **Model Provenance Kit:** `https://github.com/cisco-ai-defense/model-provenance-kit`
- **Model Fingerprint Database:** `https://huggingface.co/datasets/cisco-ai/model-provenance-kit`
- **Wiz / Palo Alto Networks AI Security Suites:** Commercial platforms for enterprise-wide AI visibility.