An AI System Bill of Materials (AI-SBOM) is a machine-readable, comprehensive record that captures the multi-faceted components and dependencies of an artificial intelligence system. It extends beyond traditional software to include the core intellectual assets of AI:   AI  models, training data, production data, prompts, and AI agents.

The AI  profiles are  best understood not as a flat list, but as a connected knowledge graph, where each component (a node) is linked to others via rich, semantic relationships. This graph structure reveals the complex supply chain and operational fabric of the AI system.

Core Components Captured in the Graph:

• Software Dependencies: Frameworks, libraries, and runtime environments.
• AI Models: Model architectures, versions, weights, and fine-tuning datasets.
• Data Assets: Represented by Dataset Profiles, documenting provenance, lineage, and characteristics.
• Prompt Templates & Strategies: Versioned prompts, their intended use, safety filters, and associated output validation rules.
• AI Agents: The definition, tools/APIs they can call, their governing prompts, and the underlying models that power them.
• Licenses & Compliance: Licensing information for all software, models, and data, and their associated compliance obligations.
• Ethical & Security Attributes: Documented known biases, safety assessments, and vulnerability reports for any component.

• AI Developers/Data Scientists: Use the graph to understand model dependencies, trace error sources to specific data slices or prompt versions, and design new agents with approved components.
• System Administrators & MLOps Engineers: Manage the deployment and scaling of the entire AI system. They use the AI-SBOM to identify conflicting library versions across agents, manage resource allocation, and ensure runtime compatibility.
• Security Officers & Red Teams: Focus on securing the AI supply chain. They assess the graph for vulnerabilities in libraries, test for prompt injection risks in prompt templates, and audit the tools and APIs accessible to AI agents to prevent unauthorized actions.
• AI Ethicists & Fairness Auditors: Leverage the graph to trace model outcomes back to training data sources, identify potential bias propagation from data through to agent behavior, and ensure prompts are designed to mitigate harmful outputs.
• Compliance Officers & Auditors: Ensure adherence to regulations (like the EU AI Act) and licensing terms by mapping compliance requirements directly to the specific models, data, and software components within the graph.
• Prompt Engineers: A new persona responsible for curating, versioning, and managing the library of prompt templates within the SBOM, ensuring their safety, effectiveness, and proper usage by agents.
• Legal Counsel & Procurement Officers: Review licenses for models, data, and software, and manage contracts with suppliers of AI components and API-based services used by agents.
• Privacy Officers: Ensure that data flowing through AI agents and referenced in prompts complies with data privacy policies and regulations.

Creating an AI-SBOM as a knowledge graph offers transformative benefits:

• Security: Extends vulnerability management beyond software to include model, data, and prompt-level risks.
• Transparency & Trust: The graph provides a navigable, understandable map of the entire AI system, demystifying its components and their interactions for all stakeholders.
• Proactive Risk Mitigation: Enables the identification of ethical and security risks in prompt strategies and agent permissions before system deployment.
• Operational Resilience: Dramatically speeds up root cause analysis and incident response by revealing the connections between failing components.
• Informed Governance: Empowers organizations to manage their AI supply chain with the same rigor as their software supply chain, ensuring compliance and mitigating legal, ethical, and operational risks.

• Model card
• Factsheet