The G7 Cybersecurity Working Group, chaired by Germany’s Federal Office for Information Security (BSI) and in coordination with France’s ANSSI, has just published “Software Bill of Materials (SBOM) for Artificial Intelligence – Minimum Elements.”
This document lays the foundations for tracing artificial intelligence systems, with one goal: to shed light on the opaque algorithmic supply chain.
While CIOs are only just getting used to the standard SBOM, AI upends the rules. A large language model (LLM) or a retrieval-augmented generation (RAG) system does not behave like ordinary code. Here, risks are no longer purely logical; they lurk in the model’s weights, the biases of the training data, or sensitivity to prompt injections.
For a CISO, knowing that an application uses a specific version of Python or TensorFlow is necessary, but insufficient. If the underlying AI model was trained with poisoned data, if it is susceptible to exfiltration of sensitive information, or if its numerical weights were altered during transfer from a public platform like Hugging Face, a traditional SBOM remains blind.
With the SBOM for AI, the objective is no longer limited to inventorying lines of code. The aim now is to trace the entire lifecycle of an AI system (from training data to the deployed model) in order to secure the digital supply chain.
The 7 “technical clusters”: what an AI passport must contain
The framework structures the minimum requirements into seven broad information categories. To be fully usable by the market's automated mapping tools, all of this data must be generated in a machine-readable format.
> Metadata
This is the document's identity: author of the SBOM, version, generation tools used, precise timestamp, and above all a digital signature. This signature guarantees the integrity of the bill of materials throughout its distribution.
> System-Level Properties
A modern AI is rarely a standalone model; it sits within an ecosystem of agents and vector databases. This cluster requires documenting the overall architecture, internal data flows, the intended application domain, and the interactions between the different modules.
> The Models
This is the core. The supplier must provide the model’s name, version, and architecture (e.g., Transformer). Importantly, the guide requires the presence of a cryptographic hash of the weights. Without this hash, a company cannot verify that the model deployed on its servers has not been subtly altered or corrupted.
> Dataset Properties
The framework demands strict transparency about the data used for training, fine-tuning, and validation. It documents data provenance, composition, any presence of personal data (PII), and the types of licenses attached, thus shielding the company from legal risks related to copyright.
> Infrastructure
This aspect lists the AI’s runtime environment (frameworks such as PyTorch, optimization libraries). Notably, the document bridges to the Hardware Bill of Materials (HBOM) by requiring specification of the hardware architectures needed (GPUs, TPUs), essential for auditing the security of the lower layers.
> Security Properties
The supplier must declare the cyber countermeasures built in: presence of input/output filters, data-at-rest encryption protocols, and protection mechanisms specifically against prompt injections.
> KPIs
Finally, the passport includes initial evaluation metrics (accuracy, robustness) as well as the planned protocols to monitor model drift in production.
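The weights-hash check described under "The Models", as an added example that is not taken from the G7 document: it reads a model entry from a CycloneDX-style JSON file and compares the declared SHA-256 with the file actually deployed. The component layout, the name `example-llm` and the sample file are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile

def build_sample_sbom(weights_sha256):
    """Constructed sample: one model component in a CycloneDX-style layout (assumed)."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [{
        "type": "machine-learning-model", "name": "example-llm", "version": "1.0.0",
        "hashes": [{"alg": "SHA-256", "content": weights_sha256}]}]})

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte weight files never sit fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_model_weights(sbom_json, model_name, weights_path):
    """Return (ok, reason); fails closed when the SBOM carries no usable hash."""
    # The declared hash is only as trustworthy as the SBOM itself: check the
    # SBOM's digital signature (Metadata cluster) before relying on this result.
    sbom = json.loads(sbom_json)
    models = [c for c in sbom.get("components", [])
              if c.get("type") == "machine-learning-model" and c.get("name") == model_name]
    if len(models) != 1:
        return False, "model not declared exactly once in SBOM"
    declared = [str(h.get("content", "")).lower() for h in models[0].get("hashes", [])
                if h.get("alg") == "SHA-256"]
    if not declared:
        return False, "no SHA-256 hash declared for weights"
    actual = sha256_file(weights_path)
    if any(hmac.compare_digest(actual, d) for d in declared):
        return True, "weights match SBOM hash"
    return False, "weights do not match SBOM hash"

def demo():
    # Verify a constructed weights file, alter one byte, then verify again.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "model.safetensors")
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 4096)  # constructed stand-in for real weights
        sbom = build_sample_sbom(sha256_file(path))
        before = verify_model_weights(sbom, "example-llm", path)
        with open(path, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x01")  # single-byte alteration
        after = verify_model_weights(sbom, "example-llm", path)
        return before, after
```

A deployment pipeline would run the check after download and again before the weights are loaded, refusing to start on any `False` result.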
What impact for CIOs and CISOs?
Although this guide is presented as a voluntary collection of recommendations, its adoption by G7 government agencies and ANSSI makes it the de facto market standard.
For IT leadership, the impact will be multifaceted. First, it will affect third-party risk governance. Just as with current compliance requirements, CIOs should quickly require a certified SBOM for AI in their procurement processes whenever a tool incorporates artificial intelligence.
The framework should also facilitate the automation of security audits. In the short term, the goal is to enable vulnerability scanners to ingest these files (notably via extensions of SPDX or CycloneDX formats) to generate automatic alerts when a flaw is detected in an AI model, similar to CVEs in the traditional software world.
Finally, this framework also serves as a regulatory foresight tool. It provides a technical frame of reference to prepare companies for the transparency obligations imposed by the European AI Act and by the Cyber Resilience Act.
The SBOM isn’t everything
While the CISO community welcomes the publication of this framework as essential for asset inventory, several experts point to an inherent limitation of the exercise.
An SBOM lists what is present at a given moment (the components), but it does not by itself guarantee the dynamic resilience of a system against behavioral cyberattacks.
The mapping must therefore be coupled with active security audits and threat-contextualized frameworks, such as MITRE ATLAS or OWASP Top 10 for LLMs.
With this document, the G7 and ANSSI set the rules of the game: the era of the enterprise AI “black box” is coming to an end. Publishers and model suppliers will have to embrace transparency.