AIBOM CycloneDX 1.6 template — EU AI Act Article 11 supplement
CycloneDX 1.6 AIBOM example with full machine-learning-model component including modelCard + datasets + performanceMetrics + ethicalConsiderations. Drop into your release pipeline; emit on every build alongside the standard SBOM.
How to use
Generate on every release via crates/sbom; sign via DSSE; serve at /api/auditor/bundle/[commit].
Template (yaml)
Copy-paste, replace {{PLACEHOLDERS}}.

bomFormat: CycloneDX
specVersion: "1.6"
serialNumber: "urn:uuid:{{UUID}}"
version: 1
metadata:
  timestamp: "{{ISO8601_TIMESTAMP}}"
  tools:
    components:
      - type: application
        name: securie-aibom-emitter
        version: "0.0.1"
  component:
    type: application
    bom-ref: "{{COMPONENT_REF}}"
    name: "{{PRODUCT_NAME}}"
    version: "{{PRODUCT_VERSION}}"
    licenses:
      - license:
          id: "Apache-2.0"
    authors:
      - name: "{{COMPANY}}"
        email: "{{CONTACT_EMAIL}}"
components:
  - type: machine-learning-model
    bom-ref: "model-{{MODEL_NAME}}"
    name: "{{MODEL_NAME}}"
    version: "{{MODEL_VERSION}}"
    licenses:
      - license:
          id: "{{MODEL_LICENSE}}" # MIT, Apache-2.0, CC-BY-NC-4.0, etc.
    description: "{{MODEL_DESCRIPTION}}"
    modelCard:
      modelParameters:
        approach:
          type: "supervised"
        task: "{{TASK}}" # e.g. "Binary classification — credit approval"
        architectureFamily: "{{ARCHITECTURE_FAMILY}}" # transformer, cnn, rnn, etc.
        modelArchitecture: "{{MODEL_ARCHITECTURE}}" # BERT-base, ResNet50, etc.
        datasets:
          - type: "training"
            name: "{{TRAINING_DATASET_NAME}}"
            contents:
              attachment:
                content: "{{DATASET_CARD_URL}}"
            governance:
              owners:
                - contact:
                    name: "{{DATA_OWNER_NAME}}"
                    email: "{{DATA_OWNER_EMAIL}}"
              custodians:
                - contact:
                    name: "{{DATA_CUSTODIAN_NAME}}"
                    email: "{{DATA_CUSTODIAN_EMAIL}}"
          - type: "evaluation"
            name: "{{EVAL_DATASET_NAME}}"
            governance:
              owners:
                - contact:
                    name: "{{EVAL_OWNER_NAME}}"
                    email: "{{EVAL_OWNER_EMAIL}}"
        inputs:
          - format: "{{INPUT_FORMAT}}" # text, image, audio, etc.
        outputs:
          - format: "{{OUTPUT_FORMAT}}"
      quantitativeAnalysis:
        performanceMetrics:
          - type: "accuracy"
            value: "{{ACCURACY}}"
            slice: "overall"
          - type: "demographic-parity"
            value: "{{FAIRNESS_METRIC}}"
            slice: "by protected attribute"
          - type: "robustness"
            value: "{{ROBUSTNESS_METRIC}}"
      ethicalConsiderations:
        - description: "{{ETHICAL_NOTE_1}}"
        - description: "EU AI Act self-classification: {{IN_OR_OUT}} of Annex III. Conformity assessment route: {{ANNEX_VI_OR_VII}}. Effective date: 2026-08-02."
      considerations:
        users:
          - "{{INTENDED_USER_DESCRIPTION}}"
        useCases:
          - "{{INTENDED_USE_CASE}}"
        technicalLimitations:
          - "{{LIMITATION_1}}"
          - "{{LIMITATION_2}}"
        performanceTradeoffs:
          - "{{TRADEOFF_1}}"
        ethicalConsiderations:
          - "{{ETHICAL_CONSIDERATION_1}}"
        environmentalConsiderations:
          - "Training compute: {{TRAINING_COMPUTE_HOURS}} GPU-hours on {{GPU_TYPE}}"
          - "Estimated CO2-eq: {{CO2_KG}} kg"
    properties:
      - name: "eu-ai-act:annex-iii-class"
        value: "{{ANNEX_III_CATEGORY}}" # employment, credit, education, etc., or "out-of-scope"
      - name: "eu-ai-act:conformity-assessment-route"
        value: "{{ANNEX_VI_OR_ANNEX_VII}}"
      - name: "eu-ai-act:ce-marking-affixed"
        value: "{{TRUE_OR_FALSE}}"
  - type: data
    bom-ref: "dataset-{{TRAINING_DATASET_NAME}}"
    name: "{{TRAINING_DATASET_NAME}}"
    description: "{{DATASET_DESCRIPTION}}"
    properties:
      - name: "row-count"
        value: "{{ROW_COUNT}}"
      - name: "feature-count"
        value: "{{FEATURE_COUNT}}"
      - name: "data-collection-period"
        value: "{{START_DATE}} to {{END_DATE}}"
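
Pre-sign gate for the "sign via DSSE" step above, as an added example (not code from crates/sbom or the original page): it refuses to wrap a rendered AIBOM that still contains {{PLACEHOLDERS}} and builds the DSSE envelope over the pre-authentication encoding. The payload type, the function names, the constructed sample and the HMAC stand-in signer are assumptions; a release pipeline would pass a signer backed by its real signing key.

```python
import base64
import hashlib
import hmac
import re

PLACEHOLDER = re.compile(r"\{\{\s*[A-Z0-9_]+\s*\}\}")
PAYLOAD_TYPE = "application/vnd.cyclonedx+json"  # assumed payload type


def unresolved(rendered: str):
    """Return (line_number, placeholder) for every {{NAME}} left in the BOM."""
    return [(n, m.group(0))
            for n, line in enumerate(rendered.splitlines(), 1)
            for m in PLACEHOLDER.finditer(line)]


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes the signer sees."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def envelope(rendered: str, sign, keyid: str) -> dict:
    """Wrap a fully rendered BOM in a DSSE envelope, or fail closed."""
    left = unresolved(rendered)
    if left:
        raise ValueError(f"refusing to sign, unresolved placeholders: {left}")
    payload = rendered.encode()
    sig = sign(pae(PAYLOAD_TYPE, payload))
    return {
        "payload": base64.b64encode(payload).decode(),
        "payloadType": PAYLOAD_TYPE,
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def demo_sign(message: bytes) -> bytes:
    """Stand-in signer (HMAC-SHA256 with a constructed key), for the demo only."""
    return hmac.new(b"constructed-demo-key", message, hashlib.sha256).digest()


# Constructed sample: three lines in the style of the template, partly rendered.
SAMPLE = ('name: "credit-scorer"\n'
          'version: "{{MODEL_VERSION}}"\n'
          'value: "{{START_DATE}} to {{END_DATE}}"\n')

if __name__ == "__main__":
    print(unresolved(SAMPLE))
    done = (SAMPLE.replace("{{MODEL_VERSION}}", "1.4.0")
            .replace("{{START_DATE}}", "2024-01-01").replace("{{END_DATE}}", "2024-06-30"))
    print(envelope(done, demo_sign, "demo-key")["signatures"])
```

Verifiers must recompute the pre-authentication encoding from the decoded payload and payloadType and check the signature over that, not over the raw payload bytes.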