The Essential Guide to AI Bills of Materials (AIBOMs)

James Govenor says the You Only Live Once (YOLO) approach behind OpenAI’s ChatGPT tool “is not going to provide end users with the confidence they need to adopt AI models in strategic initiatives.” 

Translation: if you want your AI-based tool to be trustworthy, back it with an AI bill of materials (AIBOM).  

AI and machine learning (ML) serve many practical use cases today — like voice assistants, coding assistants,  customer support chatbots, writing tools, etc. — all designed to simplify everyday life. However, this widespread adoption comes largely without guardrails. The need for improved security, transparency, and traceability in AI is precisely why AIBOMs are crucial to develop.  

In this guide, you’ll learn what an AIBOM is along with the benefits of having an AIBOM in place. Plus, you'll get eight actionable tips to build an AIBOM to protect your model during future regulatory changes.

What is an AIBOM?

An AIBOM is a comprehensive bill of materials detailing the ingredients comprising an AI system's data pipelines, models, training procedures, and operational performance to enable governance and responsible AI adoption.

AIBOMs enhance transparency, accountability, and governance for AI systems by creating a detailed inventory of their components and development.

Think about an AIBOM as a map or schema that takes stock of all of the individual components that make up your AI system. These components might include: 

• The architecture surrounding your model’s training data

• The types of inputs and outputs allowed

• Intended uses for the model and potential areas of risk or misuse

• Environmental or ethical implications of the model

• The model’s name, version, type, and creator

In addition, an AIBOM will require a note of authenticity from the model’s creator. 

AIBOMs vs SBOMs

You'd be correct if you’re scratching your head thinking an AIBOM sounds a lot like a software bill of materials (SBOM). 

Both follow the same concept, but SBOMs are specific to software, while AIBOMs are specific to AI models. So, while SBOMs speak to the overall reasons and principles behind the software, an SBOM schema is similar to an AIBOM schema. In some cases, an SBOM schema may be used to inform the creation of an AIBOM. 

AIBOM benefits

At its core, an AIBOM allows the broader public to make informed decisions about AI systems.

• Transparency. AIBOMs clarify an AI system's data sources, tools, logistical methods, hardware, and any other ingredients that allow the system to function correctly.  

• Reproducibility. Like any other kind of bill of materials, an AIBOM should offer enough information for others to recreate the AI system and see similar results. 

• Accountability. An AIBOM offers transparency, meaning others can learn about your AI system’s origins and metrics.

Responsible AI. The information provided in an AIBOM also addresses potential ethical concerns, including information on training data that can responsibly assess biases and limitations.

AIBOM for security and trust

An AIBOM is critical to protect user data and helps regulated industries with legal compliance in areas like cybersecurity, data privacy, and copyright. 

In its early stages, generative AI technology was viewed by the broader public as a novelty and is still being used by and large without regulation. As a result, regulatory groups are scrambling to address privacy and security concerns adequately.

Global governments are similarly beginning to realize AI isn’t going anywhere, and regulations must keep up with growing demand. In October 2023, U.S. President Joe Biden issued a sweeping Executive Order (EO) to make frontier AI-based models more accountable. 

In his EO, President Biden mandates that U.S. government agencies build specific areas of regulation in the next year. While not legally enforceable, the Order will shape the priorities for regulators and will serve to inform future laws concerning AI. 

The AIBOM spectrum

Considering the vastness of AI algorithms and how rapidly these algorithms change, there are a few challenges you need to weigh before building an AIBOM:

• Expansiveness: Depending on your AI model's complexity, consider your inventory's needs — opting to share a basic inventory or more comprehensive documentation.  

• Privacy and security needs: Consider the ethical implications of your AI model and weigh the need to be transparent against protecting your intellectual property. 

• Licensing: Weigh the need for your AI model to leverage open source against proprietary licensing to make it easy to optimize your model and document changes.

Standardization: When building any bill of materials, the goal is to provide an easy-to-follow schema. An AIBOM is a newer concept, so your work now may help inform the standardization of future AIBOM models.    

Eight actionable tips to build an AIBOM

A proper AIBOM is key to mitigating risk, staying compliant, and being transparent about your AI application’s composition. If you’re ready to begin building your own AIBOM, here are eight tips to help you hit the ground running: 

1. Start with an inventory. The first step to any bill of materials is to create a basic inventory that includes the critical components in your AI systems. These components may include: 

   1. Training data

   2. Data sources

   3. Models

   4. Software frameworks like PyTorch or TensorFlow

   5. Hardware

   6. Dependencies

   7. Package managers like LangChain

2. Identify risks and limitations. Transparency is the name of the game. That’s why it's crucial to document known issues, biases, ethical considerations, or any other limiting factors related to your AI systems' data or design.

3. Formalize model lineage. As your model evolves, you must maintain clear records. This ensures others can trace the origins and evolution of your AI models and make note of versions, retraining, and any modifications.

4. Evaluate frameworks. AIBOMs are a reasonably new frontier. When possible, consider reviewing existing AIBOMs before starting your own. This will help you to determine if any existing AIBOM frameworks suit your needs. Once you build your own, you also contribute to developing standards for others.

5. Automate collection. Incorporate AIBOM generation into your model building and deployment pipelines for efficiency.

6. Adopt selectively. Identify any high-priority or high-risk models to focus initial AIBOM efforts on to make the most significant impact for your AI-powered tool.

7. Align with regulations. At its core, an AIBOM is designed to support compliance. Rules, laws, and regulations concerning AI are constantly changing. You must do your due diligence and understand regulatory requirements for AI systems in your domain. You should also consider the geolocation of each part of the AI system to ensure compliance with all the relevant regulations for each region, including where training data is sourced, where infrastructure is based, and where the model is available for use.

8. Enhance reproducibility. Provide the scripts, model weights, and configuration details others may need to reconstruct your models and see similar results.

How is Snyk helping with BOMs

Considering the ethical, environmental, and societal implications is crucial with any technological advancement, including AI. Proper AIBOMs will allow for more informed AI adoption.

Snyk has consistently supported the principles of SBOMs, which are similar to those of AIBOMs — transparency, improved compliance, and security. To generate an SBOM with Snyk, begin from the Snyk Open Source command line or use our API. Snyk can scan your entire application, providing SBOMs in CycloneDX and SPDX formats for easier data consumption.

At Snyk, we understand the importance of security, governance, and trust. Start a free Snyk account and take the first step to build security protocols directly into your software development. Or, book a live demo to learn how you can tailor Snyk to your needs.