Zing Forum

AI SBOM: The Security Guardian of AI Supply Chains, a Key Infrastructure for Building Trustworthy AI Systems

AI Software Bill of Materials (AI SBOM) is an important tool for managing AI supply chain security. It helps organizations track the origin of AI components, manage dependency risks, and ensure the transparency and trustworthiness of AI systems.

Tags: AI SBOM, Software Bill of Materials, AI supply chain, model security, AI governance, compliance audit, supply chain security, model provenance, AI security, SPDX

Published 2026-04-28 10:38 | Recent activity 2026-04-28 11:01 | Estimated read 7 min

Section 02

Introduction: When AI Becomes Infrastructure, Supply Chain Security Cannot Be Ignored

Artificial intelligence is turning from a laboratory technology into critical infrastructure. From medical diagnosis to financial risk control, from autonomous driving to content moderation, the decisions made by AI systems directly affect people's lives and property. As AI is adopted more deeply, however, a long-neglected risk is coming into view: AI supply chain security.

Similar to traditional software, modern AI systems are complex structures built on layers of dependencies. Base models come from third parties, training data is collected from multiple sources, and fine-tuning relies on open-source community contributions. While this highly interconnected ecosystem brings efficiency, it also introduces new security risks. A contaminated pre-trained model, biased data, or a vulnerable dependency library can all become entry points for attackers.

Against this backdrop, the concept of AI Software Bill of Materials (AI SBOM) has emerged. It draws on the successful experience of traditional software supply chain management and provides a basic framework for transparency and traceability of AI systems.


Section 03

What is AI SBOM?

The concept of Software Bill of Materials (SBOM) originated in manufacturing. Just like the ingredient list on food packaging tells consumers what raw materials are in the product, a software SBOM lists all components, libraries, and dependencies that make up the software.

AI SBOM is an extension and evolution of traditional SBOM in the field of artificial intelligence. It not only records code dependencies but also covers key elements unique to AI systems:


Section 04

Model Layer

  • Base model information: Model name, version, source, license agreement
  • Model architecture: Neural network structure, parameter scale, input/output format
  • Training configuration: Optimizer settings, learning rate strategy, number of training steps
  • Checkpoint history: Fine-tuning path, adapter configuration, merge records

Section 05

Data Layer

  • Training dataset: Data source, scale, preprocessing process, license status
  • Annotation information: Annotation strategy, annotators, quality control methods
  • Data lineage: How data is collected, transformed, and augmented

Section 06

Infrastructure Layer

  • Runtime environment: CUDA version, Python dependencies, container images
  • Hardware configuration: GPU model, GPU memory (VRAM) size, inference acceleration stack
  • Service dependencies: External API calls, vector databases, caching systems

Section 07

Supply Chain Attack Protection

In 2024, security researchers found that several popular open-source models hosted on the HuggingFace platform contained implanted malicious code. The attackers exploited deserialization vulnerabilities in the model file format, so that arbitrary code ran as soon as a user loaded the model. An enterprise that deploys one of these contaminated models faces serious consequences.

AI SBOM helps organizations identify and avoid such risks by making component traceability mandatory. When a new security vulnerability is disclosed, an enterprise with a complete SBOM can quickly locate the affected systems, assess the risk level, and plan remediation.
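The following Python example is added here to make the three layers listed above concrete and to show the two uses this section describes: finding components hit by a newly disclosed advisory, and verifying that a deployed model artifact still matches what the SBOM recorded. It is illustration code, not from the original post or from any SBOM standard; the field names, the system and model names, the package versions, the advisory identifiers and the weight bytes are all constructed for the example.

```python
"""Added example: a minimal AI SBOM for one deployed system, with the checks a
security team runs against it. All names, versions and advisories are
constructed for illustration; the layout is ad hoc, not SPDX or CycloneDX."""
import copy
import hashlib
import hmac
import json

# Constructed sample inventory covering the model, data and infrastructure layers.
AI_SBOM = {
    "system": "support-chatbot",
    "version": "2.3.0",
    "model": {                                   # Model Layer
        "name": "example-base-llm",              # hypothetical model
        "version": "1.0",
        "source": "https://models.example.invalid/example-base-llm",
        "license": "Apache-2.0",
        "format": "safetensors",                 # weights are not a pickle
        "sha256": None,                          # pinned by record_artifact()
        "checkpoints": [{"stage": "fine-tune", "adapter": "lora", "steps": 1200}],
    },
    "data": [                                    # Data Layer
        {"name": "support-tickets-2025", "source": "internal",
         "license": "proprietary", "records": 50000,
         "preprocessing": ["dedup", "pii-redaction"]},
    ],
    "infrastructure": {                          # Infrastructure Layer
        "python_packages": {"torch": "2.2.1", "transformers": "4.38.0"},
        "cuda": "12.1",
        "container_image": "registry.example.invalid/chatbot:2.3.0",
    },
}

# Checkpoint formats that are, or wrap, Python pickles: loading them can run
# code embedded in the file, which is the bug class behind the incident above.
PICKLE_BASED_FORMATS = {"pickle", "pt", "pth", "bin", "ckpt"}


def to_json(sbom: dict) -> str:
    """Serialize deterministically so the document can be signed and diffed."""
    return json.dumps(sbom, indent=2, sort_keys=True)


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def find_affected(sbom: dict, advisories: list) -> list:
    """Match each advisory's affected range [introduced, fixed) against the
    pinned package versions; returns (advisory id, package==version) pairs."""
    pinned = sbom["infrastructure"]["python_packages"]
    hits = []
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in pinned:
            continue
        installed = _version_tuple(pinned[pkg])
        if _version_tuple(adv["introduced"]) <= installed < _version_tuple(adv["fixed"]):
            hits.append((adv["id"], f"{pkg}=={pinned[pkg]}"))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_artifact(sbom: dict, weights: bytes) -> str:
    """Pin the model weights by content hash at build time."""
    digest = sha256_hex(weights)
    sbom["model"]["sha256"] = digest
    return digest


def verify_artifact(sbom: dict, weights: bytes) -> bool:
    """At load time, confirm the weights still match the pinned hash.
    An unpinned artifact fails closed rather than passing as 'unknown'."""
    expected = sbom["model"]["sha256"]
    if not expected:
        return False
    return hmac.compare_digest(expected, sha256_hex(weights))


def uses_pickle_weights(sbom: dict) -> bool:
    """Policy check: flag models whose weight format deserializes Python objects."""
    return sbom["model"]["format"].lower() in PICKLE_BASED_FORMATS


if __name__ == "__main__":
    sbom = copy.deepcopy(AI_SBOM)
    weights = b"constructed stand-in for the weights file"
    record_artifact(sbom, weights)
    print(to_json(sbom))
    print("tampered weights accepted:", verify_artifact(sbom, weights + b"x"))
    advisories = [{"id": "EXAMPLE-ADV-0001", "package": "transformers",
                   "introduced": "4.0.0", "fixed": "4.40.0"}]
    print("affected:", find_affected(sbom, advisories))
    print("pickle-based weights:", uses_pickle_weights(sbom))
```

The design point is that the SBOM is only useful for incident response if it pins exact versions and content hashes: `find_affected` needs the pinned version to decide whether an advisory applies, and `verify_artifact` fails closed when no hash was recorded, so a model that was never pinned cannot silently pass the check.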


Section 08

Compliance and Auditing

AI regulatory frameworks are rapidly taking shape around the world. The EU AI Act requires high-risk AI systems to be traceable; the U.S. NIST AI Risk Management Framework emphasizes transparency; China's Interim Measures for the Management of Generative Artificial Intelligence Services require training data sources to be legal and compliant.

AI SBOM provides a technical implementation path for these compliance requirements. It records the source and license status of model training data, proving the organization's due diligence in data usage; it tracks the entire process of model development, providing an evidence chain for regulatory audits.