CISA’s AI SBOM guidance pushes software supply-chain oversight into new territory

CISA and G7 cyber agencies released guidance on minimum elements for AI software bills of materials (SBOMs, documents listing all components and dependencies in software), helping security leaders assess AI system risks before deployment. Unlike traditional SBOMs that only track code, AI SBOMs must document models, training data, prompts, infrastructure, and other AI-specific elements because AI systems' behavior depends on data and models as much as code. The guidance gives organizations a framework to ask vendors for transparency during procurement, though it shows what vendors claim exists rather than proving the systems are trustworthy.