CISA and G7 partners release AI SBOM guidance to strengthen AI supply chain security


Key Takeaways

  • The G7 Cybersecurity Working Group, led by CISA and partners from Germany, Canada, France, Italy, Japan, the U.K., and the EU, has issued joint guidance titled “Software Bill of Materials for AI – Minimum Elements.”
  • The guidance defines a voluntary, consensus‑based set of minimum elements for an AI‑focused Software Bill of Materials (SBOM) to improve transparency and cybersecurity across AI supply chains.
  • An AI SBOM structures information into seven core clusters: Metadata, Models, Dataset Properties (DP), System Level Properties (SLP), Key Performance Indicators (KPI), Security Properties (SP), and Infrastructure.
  • Each cluster captures specific details—such as SBOM authorship, model provenance, dataset lineage, system data flows, security controls, performance metrics, and underlying hardware/software—enabling traceability and risk management.
  • The document emphasizes that an SBOM alone is insufficient; it must be linked to cybersecurity tools like vulnerability scanners, security advisories, and adaptive tooling to deliver substantive supply‑chain protection.
  • Future‑looking considerations (e.g., measuring AI system autonomy or decision‑making level) are noted but not yet formalized as separate elements, leaving room for evolution as AI technologies advance.
  • Implementation of the guidance supports broader AI governance goals by providing a shared understanding of what information fosters transparency and reduces cybersecurity risk in AI ecosystems.

Introduction and Purpose of the G7 AI SBOM Guidance
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), together with the Group of Seven (G7) cybersecurity agencies, has released joint guidance aimed at strengthening transparency and cybersecurity across artificial intelligence (AI) supply chains. Titled “Software Bill of Materials for AI – Minimum Elements,” the document outlines a baseline set of information that AI developers and deployers should include in an AI‑focused Software Bill of Materials (SBOM). By establishing these minimum elements, the guidance seeks to improve visibility into the components, dependencies, and risks embedded within AI systems, thereby contributing to stronger AI governance and supply‑chain resilience.

Background and Collaborating Agencies
The guidance was developed by the G7 Cybersecurity Working Group and jointly published by the national cybersecurity authorities of Germany (BSI), Italy (ACN), France (ANSSI), Canada (CSE), the United States (CISA), the United Kingdom (NCSC), Japan (NCO), and the European Commission. It builds on the G7’s June 2025 shared vision for AI SBOMs and reflects a consensus among cybersecurity experts from these jurisdictions. While the recommendations are voluntary and not intended to be exhaustive, they represent a collaborative effort to address the growing complexity of AI systems and the associated supply‑chain risks.

Framework Overview: The Seven Clusters
The core of the guidance is the “SBOM for AI clusters” framework, which organizes the minimum elements into seven equally important clusters: Metadata, Models, Dataset Properties (DP), System Level Properties (SLP), Key Performance Indicators (KPI), Security Properties (SP), and Infrastructure. Each cluster groups related information elements that capture distinctive features of AI system components. The framework treats all clusters as essential for achieving end‑to‑end transparency, enabling organizations to trace AI assets from data provenance through model training, deployment, and operational performance.

Metadata Cluster Details
The Metadata cluster captures information about the SBOM for AI itself, rather than the individual AI components. Required elements include the SBOM author, SBOM version, data format name and version, author signature, tool name and tool version, generation context, timestamp, and dependency relationships. By documenting these administrative details, the Metadata cluster ensures that the SBOM can be reliably interpreted, version‑controlled, and integrated with downstream security and compliance tools.

System Level Properties (SLP) Cluster
The SLP cluster describes the AI system as a whole, encompassing system‑level information and the internal workings of environments that may contain multiple AI elements such as classifiers, large language models (LLMs), or AI agents. Elements in this cluster include the system name, system components, system producer, system version, system timestamp, system data flow, system data usage, system input and output properties, and the intended application area. Software dependencies and frameworks used within the AI system are also recorded here, while infrastructure‑specific details are reserved for the Infrastructure cluster.

Models Cluster
The Models cluster focuses on identifying and characterizing each AI model within the system. It includes the model name, model identifier, model version, model timestamp, model producer, model description, model hash value and algorithm, model properties, model input and output properties, model training properties, model license, and external references. These elements enable stakeholders to understand how model weights were produced, assess model lineage, and evaluate potential limitations or biases that could affect security or performance.

Dataset Properties (DP) Cluster
Dataset Properties (DP) capture the provenance and characteristics of data used throughout the model lifecycle. The cluster records the dataset name, description, content, identifier, hash value, provenance, statistical properties, sensitivity, dependency relationships, and license. By documenting dataset lineage and sensitivity, organizations can trace data origins, assess data quality, and manage risks related to data poisoning, privacy breaches, or regulatory non‑compliance.

Infrastructure and Security Properties Clusters
The Infrastructure cluster details the physical and virtual resources required to operate and support the AI system, including infrastructure software and hardware. Where applicable, it provides a link to a Hardware Bill of Materials (HBOM) to account for specialized AI accelerators. The Security Properties (SP) cluster, meanwhile, captures cybersecurity measures associated with AI models and systems, such as security controls, compliance status, policy information, and vulnerability references. Together, these clusters help organizations evaluate the robustness of the deployment environment and the effectiveness of mitigations against threats.

Key Performance Indicators (KPI) Cluster and Future Considerations
The KPI cluster contains elements related to the AI system’s performance metrics and those of its components, covering both security‑focused and operational performance indicators across lifecycle phases. This enables ongoing monitoring of model effectiveness, detection of drift, and assessment of whether security objectives are being met. The guidance also notes that future enhancements could include measuring the level of decision‑making or autonomy of an AI system—particularly relevant for emerging agentic AI—but such an element was not formalized as a separate cluster, leaving room for jurisdictional approaches (e.g., safety requirements) to address it.

Implementation Recommendations and Conclusion
Although the SBOM for AI provides a structured inventory, the authors stress that it must be coupled with cybersecurity tools—such as vulnerability scanners, security advisories, bulletins, and adaptive, evolutionary tooling—to yield substantive supply‑chain protection. By integrating the SBOM with these tools, organizations can detect weaknesses, prioritize remediation, and maintain resilience against evolving threats. The guidance concludes that this joint effort represents a first step toward increasing AI supply‑chain transparency and security, with the expectation that the framework will evolve alongside AI advancements to continue delivering value to stakeholders across the AI ecosystem.
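The following is an added example, not code from the guidance, CISA or the G7 working group. It models the seven clusters as a plain Python structure and shows the two checks a consumer of an AI SBOM would run first: a completeness check against the minimum elements enumerated above, and the linkage to security tooling this section calls for, here as a hash verification of model and dataset artifacts plus a cross-reference of software dependencies against an advisory feed. The element key names, the `hash_algorithm` field on dataset entries, the sample SBOM, the artifact bytes and the advisory id are all this example's own constructions and not the guidance's data format.

```python
import hashlib
import hmac

# Minimum elements per cluster, as enumerated in the summary above; key names are this
# example's own, not the guidance's data format. The page names no individual KPI
# elements, so that cluster is checked only for presence.
MINIMUM_ELEMENTS = {
    "metadata": {"sbom_author", "sbom_version", "data_format_name", "data_format_version",
                 "author_signature", "tool_name", "tool_version", "generation_context",
                 "timestamp", "dependency_relationships"},
    "models": {"model_name", "model_identifier", "model_version", "model_timestamp",
               "model_producer", "model_description", "model_hash_value", "model_hash_algorithm",
               "model_properties", "model_input_properties", "model_output_properties",
               "model_training_properties", "model_license", "external_references"},
    "dataset_properties": {"dataset_name", "description", "content", "identifier", "hash_value",
                           "provenance", "statistical_properties", "sensitivity",
                           "dependency_relationships", "license"},
    "system_level_properties": {"system_name", "system_components", "system_producer",
                                "system_version", "system_timestamp", "system_data_flow",
                                "system_data_usage", "system_input_properties",
                                "system_output_properties", "intended_application_area",
                                "software_dependencies"},
    "key_performance_indicators": set(),
    "security_properties": {"security_controls", "compliance_status", "policy_information",
                            "vulnerability_references"},
    "infrastructure": {"infrastructure_software", "infrastructure_hardware"},
}
LIST_CLUSTERS = {"models", "dataset_properties"}  # one entry per model / dataset


def missing_elements(sbom):
    """Map each absent or incomplete cluster (per entry for list clusters) to the elements it lacks."""
    gaps = {}
    for cluster, required in MINIMUM_ELEMENTS.items():
        if cluster not in sbom:
            gaps[cluster] = ["<cluster missing>"]
            continue
        entries = sbom[cluster] if cluster in LIST_CLUSTERS else [sbom[cluster]]
        for i, entry in enumerate(entries):
            absent = sorted(required - set(entry))
            if absent:
                gaps[f"{cluster}[{i}]" if cluster in LIST_CLUSTERS else cluster] = absent
    return gaps


def verify_hashes(sbom, artifacts):
    """Recompute each model/dataset hash over artifacts[identifier]; return (identifier, reason)
    for every entry that cannot be confirmed. Datasets are assumed to carry `hash_algorithm`."""
    checks = [(m["model_identifier"], m["model_hash_algorithm"], m["model_hash_value"])
              for m in sbom.get("models", [])]
    checks += [(d["identifier"], d["hash_algorithm"], d["hash_value"])
               for d in sbom.get("dataset_properties", [])]
    failures = []
    for ident, algo, expected in checks:
        if ident not in artifacts:
            failures.append((ident, "artifact not available"))
        elif not hmac.compare_digest(hashlib.new(algo, artifacts[ident]).hexdigest(), expected.lower()):
            failures.append((ident, "hash mismatch"))
    return failures


def match_advisories(sbom, advisories):
    """Cross-reference SLP software dependencies with an advisory feed keyed by (package, version).
    Each hit is (package, version, advisory_id, already_listed_in_security_properties)."""
    known = set(sbom["security_properties"]["vulnerability_references"])
    return [(dep["name"], dep["version"], adv, adv in known)
            for dep in sbom["system_level_properties"]["software_dependencies"]
            for adv in advisories.get((dep["name"], dep["version"]), [])]


# Constructed sample: fake model weights and a fake dataset snapshot, hashed so the SBOM
# entries are consistent with the artifacts they describe.
ARTIFACTS = {"model-001": b"constructed model weights", "ds-001": b"constructed dataset snapshot"}
TS = "2025-01-01T00:00:00Z"
SAMPLE_SBOM = {
    "metadata": {"sbom_author": "ACME ML team", "sbom_version": "1", "data_format_name": "example",
                 "data_format_version": "0.1", "author_signature": "<placeholder>", "tool_name": "ex-tool",
                 "tool_version": "0.1", "generation_context": "release", "timestamp": TS,
                 "dependency_relationships": []},
    "models": [{"model_name": "classifier", "model_identifier": "model-001", "model_version": "2.0",
                "model_timestamp": TS, "model_producer": "ACME ML team", "model_description": "image QA",
                "model_hash_algorithm": "sha256",
                "model_hash_value": hashlib.sha256(ARTIFACTS["model-001"]).hexdigest(),
                "model_properties": {}, "model_input_properties": {}, "model_output_properties": {},
                "model_training_properties": {"dataset": "ds-001"}, "model_license": "Apache-2.0",
                "external_references": []}],
    "dataset_properties": [{"dataset_name": "train-set", "description": "labelled images", "content": "images",
                            "identifier": "ds-001", "hash_algorithm": "sha256",
                            "hash_value": hashlib.sha256(ARTIFACTS["ds-001"]).hexdigest(),
                            "provenance": "internal", "statistical_properties": {}, "sensitivity": "internal",
                            "dependency_relationships": [], "license": "internal"}],
    "system_level_properties": {"system_name": "acme-vision", "system_components": ["model-001"],
                                "system_producer": "ACME", "system_version": "1.0", "system_timestamp": TS,
                                "system_data_flow": "camera -> model -> api", "system_data_usage": "inference",
                                "system_input_properties": {}, "system_output_properties": {},
                                "intended_application_area": "QA inspection",
                                "software_dependencies": [{"name": "example-lib", "version": "1.2.3"}]},
    "key_performance_indicators": {"accuracy": 0.97},
    "security_properties": {"security_controls": ["signed weights"], "compliance_status": "internal review",
                            "policy_information": "acme-policy-1", "vulnerability_references": []},
    "infrastructure": {"infrastructure_software": ["example-os"], "infrastructure_hardware": ["example-gpu"]},
}
# Constructed advisory feed keyed by (package, version); the id is a placeholder, not a real advisory.
SAMPLE_ADVISORIES = {("example-lib", "1.2.3"): ["EXAMPLE-ADV-0001"]}
```

Running `missing_elements`, `verify_hashes` and `match_advisories` over the sample gives an empty gap map, no hash failures, and one advisory hit whose last field is `False`, meaning the dependency is affected but the SP cluster does not yet reference the advisory; that discrepancy is the kind of finding the guidance expects the tooling around the SBOM to surface, since the inventory itself only records what the producer knew at generation time.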
