MULTIPLE government cyber agencies have a new resource defining the minimum elements for software bills of materials (SBOMs) for AI to strengthen the AI-supply chain. The paper, Software Bill of Materials (SBOM) for Artificial Intelligence - Minimum Elements, was published on 12 May and was written by the G7 Cybersecurity Working Group, building on the shared vision of SBOMs for AI published in June 2025.
The core of the approach is seven “clusters” of potential elements that can be used by both producers and users of AI systems, namely Metadata, System Level Properties, Models, Dataset Properties, Key Performance Indicators, Infrastructure and Security Properties. The document notes that, apart from the Metadata cluster, all clusters are equally important and that the clusters are not mandatory and are open to further refinement.
Allan Friedman, who led CISA’s SBOM efforts between August 2021 and July 2025, said he “liked a lot” of them but noted that many clusters are “hard to measure or even hard to define in a specific, cross-organisation fashion.” The guidance was published jointly by Germany’s BSI, Italy’s ACN, France’s ANSSI, Canada’s CSE, the US CISA, the UK NCSC and Japan’s NCO, in collaboration with the EU Commission.