As AI applications have become ingrained in enterprise software systems, CIOs are trying to get a better sense of how tools generate their outputs. AI bills of materials can provide a helpful starting point.
Like software bills of materials, AIBOMs are essentially an inventory of all components involved in deploying AI systems. However, creating one is not so straightforward because of the complexity of AI, how pervasively tools are embedded into enterprise software, and how often they are updated.
Although AIBOMs are a relatively novel concept, they are “not optional, unless you don’t like to sleep at night,” said Mark Smith, partner, chief software and AI analyst at ISG.
Ideally, an AIBOM will contain a comprehensive inventory of AI systems, including model version, datasets used to train the model, dependencies and licensing information about the model. AIBOMs should also be continuously updated, as AI models typically are.
Researchers from the University of Salerno, Italy, found that AIBOMs “improve quality, traceability, management and compliance of AI-enabled systems by documenting models, datasets, and their relationships.”
However, they also found limitations to the current state of AIBOMs and that “several challenges remain to be addressed, including immature generation and consumption tools, data source availability, poor interoperability with existing infrastructures, and limited stakeholder awareness.”
IT leaders are on board with having a tool to help them gain clarity on AI system outputs.
“Conceptually, people like the idea of them,” said Janet Worthington, senior analyst at Forrester.
However, accurate AIBOMs are not easy to obtain from providers, especially if enterprises are adding AI on top of other software they already subscribe to. “It’s kind of like a ‘chicken and the egg’ situation,” she said, because an AI system is typically needed to generate its own AIBOM.
Why AIBOMs are worth pursuing
In an ideal situation, having an AIBOM means a CIO would be able to “fully audit and reproduce the outcomes of an AI system,” said Kjell Carlsson, VP analyst at Gartner. That way, IT teams could diagnose a problem when it is spotted and fix it.
Access to detailed information could be especially key when dealing with regulators, because if something does go wrong, organizations would have an accounting of what they have in terms of AI — and what actions they took to address a problem.
Carlsson also expects AIBOMs to build on SBOMs, which provide a good framework “that we could extend to the AI side,” he said. But AIBOMs will also need to be more dynamic, as AI is constantly changing.
“It’s not helped by the fact that our models are changing right now and our business use cases are changing rapidly,” Carlsson said.
Most CIOs “don’t have their arms around how AI is being used,” Smith said, which creates dangerous gaps in visibility.
How to start building AIBOMs
Enterprises are typically building AIBOMs internally so they can track vulnerabilities or dependencies, and see what they are missing, Worthington said. That’s almost out of necessity, as AIBOMs are not as widely accessible as SBOMs.
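As an added illustration of the inventory described above and of the internal tracking Worthington mentions (this is example code, not any vendor's or analyst's tool), the following keeps one record per AI component with the fields the article lists, flags entries where those fields are missing, and reports what changed between two snapshots. Component names, versions and dataset labels are constructed for the example.

```python
"""Minimal AIBOM inventory check (constructed example, not a vendor tool)."""
from dataclasses import dataclass, field

# Fields the article says an AIBOM should carry for each AI component.
REQUIRED = ("name", "model_version", "training_datasets", "dependencies", "license")

@dataclass
class AIComponent:
    name: str
    model_version: str = ""
    training_datasets: list = field(default_factory=list)
    dependencies: dict = field(default_factory=dict)  # package -> version
    license: str = ""

def find_gaps(bom):
    """Return {component_name: [missing fields]} for entries lacking required data."""
    gaps = {}
    for c in bom:
        missing = [f for f in REQUIRED if not getattr(c, f)]
        if missing:
            gaps[c.name] = missing
    return gaps

def diff_boms(old, new):
    """Report model or dependency versions that changed between two snapshots."""
    prev = {c.name: c for c in old}
    changes = {}
    for c in new:
        o = prev.get(c.name)
        if o is None:
            changes[c.name] = "added"
            continue
        delta = []
        if o.model_version != c.model_version:
            delta.append(f"model {o.model_version}->{c.model_version}")
        for dep, ver in c.dependencies.items():
            if o.dependencies.get(dep) != ver:
                delta.append(f"{dep} {o.dependencies.get(dep)}->{ver}")
        if delta:
            changes[c.name] = "; ".join(delta)
    return changes

# Constructed sample inventory: one well-documented component, one with gaps
# (a vendor-supplied model whose version, training data and license are unknown).
SNAPSHOT_V1 = [
    AIComponent("ticket-classifier", "1.4.0", ["support-tickets-2023"], {"torch": "2.1.0"}, "Apache-2.0"),
    AIComponent("vendor-summarizer", "", [], {"vendor-sdk": "3.2"}, ""),
]
SNAPSHOT_V2 = [
    AIComponent("ticket-classifier", "1.5.0", ["support-tickets-2023"], {"torch": "2.2.0"}, "Apache-2.0"),
    AIComponent("vendor-summarizer", "", [], {"vendor-sdk": "3.3"}, ""),
]
```

Running `find_gaps(SNAPSHOT_V1)` shows exactly which questions to put to the vendor, and `diff_boms(SNAPSHOT_V1, SNAPSHOT_V2)` shows why the inventory has to be refreshed rather than produced once.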
But CIOs should still ask their vendors for them, especially if that vendor is incorporating AI into applications a CIO is buying. “Don’t be surprised if they can’t provide you one at this point,” Worthington said. “But it’s a good starting point to just have a discussion.”
The discussions could become more urgent as AI regulations increase.
Companies that work in the EU are closely watching this space given the rollout of the EU AI Act, which stratifies AI by risk profile, requiring risk management, data governance and technical documentation per tier.