What is AIBOM (AI Bill of Materials)?

A machine-readable inventory of an AI system's components — models, training data, datasets, dependencies, accuracy metrics. Available as CycloneDX 1.6 or SPDX 3 SBOM with AI extensions.

Full explanation

AIBOM extends the SBOM concept to AI systems. CycloneDX 1.6 (released 2024) added the `machine-learning-model` component type with sub-fields for modelCard, datasets, performance metrics, and ethical considerations. OWASP launched the AIBOM project in 2025 with an open-source generator and validator.

Example

```yaml
bomFormat: CycloneDX
specVersion: "1.6"
components:
  - type: machine-learning-model
    name: my-model
    modelCard:
      modelParameters:
        task: "classification"
        architectureFamily: "transformer"
      quantitativeAnalysis:
        performanceMetrics:
          - { type: "accuracy", value: "0.892" }
```
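Because the inventory is machine-readable, a reviewer can audit it for undocumented models. The following is an added example, not part of the original page or of the OWASP tooling: it walks the JSON form of a CycloneDX AIBOM and reports which modelCard fields each `machine-learning-model` component is missing. The sample document, the name `unvetted-model`, and the list of fields treated as expected are assumptions of this example.

```python
import json

# Constructed sample AIBOM (JSON form of a CycloneDX 1.6 document).
# "my-model" mirrors the page's example; "unvetted-model" is made up here.
SAMPLE_AIBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"type": "machine-learning-model", "name": "my-model",
     "modelCard": {
       "modelParameters": {"task": "classification",
                           "architectureFamily": "transformer"},
       "quantitativeAnalysis": {"performanceMetrics": [
         {"type": "accuracy", "value": "0.892"}]}}},
    {"type": "machine-learning-model", "name": "unvetted-model"},
    {"type": "library", "name": "numpy"}
  ]
}
""")

# Review policy (an assumption of this example, not a CycloneDX requirement):
# every model should document these modelCard paths.
EXPECTED_PATHS = (
    ("modelParameters", "task"),
    ("modelParameters", "datasets"),
    ("quantitativeAnalysis", "performanceMetrics"),
    ("considerations", "ethicalConsiderations"),
)

def _lookup(node, path):
    """Walk nested dicts; return None if any step is missing or empty."""
    for key in path:
        if not isinstance(node, dict) or not node.get(key):
            return None
        node = node[key]
    return node

def audit_models(bom):
    """Map each machine-learning-model component name to its missing fields."""
    gaps = {}
    for comp in bom.get("components", []):
        if comp.get("type") != "machine-learning-model":
            continue  # libraries and other component types are out of scope
        name, card = comp.get("name", "<unnamed>"), comp.get("modelCard")
        if not isinstance(card, dict):
            gaps[name] = ["modelCard"]  # model listed with no card at all
        else:
            gaps[name] = [".".join(p) for p in EXPECTED_PATHS
                          if _lookup(card, p) is None]
    return gaps
```

Run against the page's example, the audit shows that `my-model` declares a task and an accuracy metric but no datasets or ethical considerations, which is the kind of gap to close before the AIBOM is relied on for provenance review.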

FAQ

Should I use CycloneDX or SPDX for AIBOM?

CycloneDX 1.6 has the most mature AI extensions today (machine-learning-model component type with full modelCard support). SPDX 3 has equivalent AI extensions but tooling adoption lags. For new AIBOM generation, CycloneDX is the safer choice.

How does AIBOM differ from a model card?

Model cards are human-readable documents (markdown) describing one model. AIBOM is machine-readable (JSON / XML / YAML) describing every component of an AI SYSTEM — multiple models, datasets, runtime dependencies, training pipeline. AIBOM embeds model cards as a sub-field.