www.darkreading.com 5/20/2026, 3:40:50 AM

AI BOMs Move From Concept to Practice Amid Regulatory Pressure

AI BOMs are moving from concept to practice as standards bodies, open-source projects and vendors push for practical tooling and governance. OWASP, with its CycloneDX SBOM standard, and the Linux Foundation, with its SPDX standard, have both released AI-specific extensions: the OWASP AI SBOM Initiative has produced the OWASP AI BOM Generator, which creates AI BOMs for Hugging Face models in CycloneDX format, while SPDX 3.0 adds AI and dataset profiles that capture model training details and data provenance.
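To make the CycloneDX side of this concrete, the following is an added example (it is not code from the article, from the OWASP AI BOM Generator or from the CycloneDX project): it builds a minimal CycloneDX 1.6 document with a `machine-learning-model` component, a `data` component for its training set and a dependency edge between them, then runs the kind of acceptance check a consumer of an AI BOM would want: every model must carry a SHA-256 hash that matches the artifact actually on disk, and its model card must point at a dataset that is present in the same BOM. The model name, purl, dataset ref and weight bytes are constructed placeholders.

```python
"""Added example: build and check a minimal CycloneDX 1.6 ML-BOM.
Not code from the article or from the OWASP/CycloneDX projects; all
names, refs, hashes and URLs below are constructed placeholders."""
import hashlib
import json

# Constructed bytes standing in for a downloaded weights file.
FAKE_WEIGHTS = b"example-model-weights-v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_ml_bom(model_name: str, model_bytes: bytes, dataset_name: str) -> dict:
    """Return a CycloneDX 1.6 document describing one model, its training
    dataset, and the model->dataset dependency."""
    model_ref = f"pkg:huggingface/example-org/{model_name}"  # hypothetical purl
    dataset_ref = f"urn:example:dataset:{dataset_name}"      # hypothetical bom-ref
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "components": [
            {
                "type": "machine-learning-model",
                "bom-ref": model_ref,
                "name": model_name,
                "version": "1.0.0",
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(model_bytes)}],
                "modelCard": {
                    "modelParameters": {
                        "approach": {"type": "supervised"},
                        "task": "text-classification",
                        "architectureFamily": "transformer",
                        # A model card may reference a dataset component by bom-ref.
                        "datasets": [{"ref": dataset_ref}],
                    },
                    "considerations": {
                        "useCases": ["constructed example: spam filtering"],
                    },
                },
            },
            {
                "type": "data",
                "bom-ref": dataset_ref,
                "name": dataset_name,
                "data": [
                    {
                        "type": "dataset",
                        "name": dataset_name,
                        "classification": "public",
                        "governance": {
                            "owners": [{"organization": {"name": "Example Org"}}]
                        },
                    }
                ],
            },
        ],
        "dependencies": [{"ref": model_ref, "dependsOn": [dataset_ref]}],
    }


def check_ml_bom(bom: dict) -> list:
    """Policy check: each ML model component needs a SHA-256 hash and a model
    card whose dataset refs resolve inside this BOM. Returns findings; an
    empty list means the BOM passes."""
    findings = []
    components = bom.get("components", [])
    refs = {c.get("bom-ref") for c in components}
    for c in components:
        if c.get("type") != "machine-learning-model":
            continue
        name = c.get("name", "<unnamed>")
        hashes = c.get("hashes", [])
        if not any(h.get("alg") == "SHA-256" and h.get("content") for h in hashes):
            findings.append(f"{name}: no SHA-256 hash, artifact integrity cannot be verified")
        datasets = c.get("modelCard", {}).get("modelParameters", {}).get("datasets", [])
        if not datasets:
            findings.append(f"{name}: model card lists no training datasets")
        for d in datasets:
            ref = d.get("ref")
            if ref and ref not in refs:
                findings.append(f"{name}: dataset ref {ref} not present in BOM")
    return findings


def verify_model_hash(bom: dict, model_name: str, model_bytes: bytes) -> bool:
    """Re-hash the artifact on disk and compare it with the BOM's recorded hash."""
    for c in bom.get("components", []):
        if c.get("type") == "machine-learning-model" and c.get("name") == model_name:
            expected = {h["content"] for h in c.get("hashes", []) if h.get("alg") == "SHA-256"}
            return sha256_hex(model_bytes) in expected
    return False


if __name__ == "__main__":
    bom = build_ml_bom("spam-classifier", FAKE_WEIGHTS, "spam-corpus-2024")
    print(json.dumps(bom, indent=2))
    print("findings:", check_ml_bom(bom))
    print("hash matches:", verify_model_hash(bom, "spam-classifier", FAKE_WEIGHTS))
```

The check is deliberately stricter than schema validation: a document can be valid CycloneDX and still name a model with no hash, or a model card whose dataset reference points nowhere, which is exactly the gap between "we have an AI BOM" and "we can verify what the model was trained on and that the weights we run are the weights that were inventoried".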

OpenSSF’s AI/ML Working Group formalised a model-signing specification in 2025, with input from Google, HiddenLayer, and NVIDIA, and CISA’s AI SBOM Tiger Team published foundational guidance in 2025, though personnel cuts this year cast uncertainty over ongoing initiatives.

On the commercial front, Manifest Cyber released its AI supply chain security product in summer 2025, Cycode added AI & ML Inventory and AI BOM generation in October 2025, and JFrog unveiled a Universal MCP Registry in March 2026, with Apiiro and others pursuing similar integrations. Regulators are tightening the screws too, with the EU AI Act coming into full effect in August 2026 and DoD software vendors now required to account for AI components in SBOMs under the FY26 NDAA.

Insurance providers are following suit, conditioning coverage on AI governance documentation as cyber underwriters seek to quantify AI risk and governance.


Article by CyberSIXT