www.securityweek.com 5/14/2026, 11:30:39 AM · via preferred

G7 Publishes AI SBOM Guidance to Boost Supply Chain Transparency

Primary Source bsi.bund.de

G7 countries this week published joint AI SBOM guidance aimed at helping organisations create a software bill of materials for AI. The document, titled Software Bill of Materials for AI – Minimum Elements, outlines seven clusters designed to boost transparency in AI systems and supply chains. Agencies in the United States, Canada, Japan, Germany, France, Italy, the United Kingdom, and the European Union published the guidance, which notes that the minimum elements are not mandatory and may be refined over time.

The guidance outlines seven clusters that should be present in an AI SBOM: metadata, models, key performance indicators (KPI), infrastructure, security properties (SP), system level properties (SLP), and dataset properties (DP).

The metadata cluster covers author, version, data format, author signature, tool name and version, generation context, timestamp and dependency relationships, while the SLP cluster includes information on name, producer, version, components, timestamp, data flow and usage, and intended application area.

Nigel Douglas, head of developer relations at Cloudsmith, commented that the framework raises the right requirements but noted that retrospective documentation can’t reconstruct origin, and that continuous automated SBOM generation is a baseline for software supply chain security, a view echoed in the guidance.


Article by CyberSIXT