Implementing AI Bill of Materials (AI BOM) with SPDX 3.0: A Comprehensive Guide to Creating AI and Dataset Bill of Materials

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

A Software Bill of Materials (SBOM) is becoming an increasingly important tool in regulatory and technical spaces to introduce more transparency and security into a project’s software supply chain. Artificial intelligence (AI) projects face unique challenges beyond the security of their software, and thus require a more expansive approach to a bill of materials. In this report, we introduce the concept of an AI-BOM, expanding on the SBOM to include the documentation of algorithms, data collection methods, frameworks and libraries, licensing information, and standard compliance.


💡 Research Summary

The paper introduces the concept of an AI Bill of Materials (AI BOM) as an extension of the traditional Software Bill of Materials (SBOM) to address the unique transparency, security, and regulatory challenges of artificial‑intelligence projects. Leveraging the SPDX 3.0 standard, the authors propose two distinct SPDX profiles: an AI Profile that captures algorithmic and model‑related metadata, and a Dataset Profile that records data‑centric information. Both profiles reuse core SPDX fields (such as spdxId, name, version, downloadLocation) and add AI‑specific mandatory and optional fields, including autonomyType, domain, energyConsumption, hyperparameters, safetyRiskAssessment, standardCompliance, dataCollectionProcess, dataPreprocessing, datasetSize, sensitivity flags, and update mechanisms.

The motivation for separating AI and dataset metadata is explained in depth. AI models and the datasets that train them have different licensing, privacy, and compliance implications; by keeping their metadata distinct, organizations can more precisely track provenance, manage risk, and satisfy regulatory requirements. The paper maps AI BOM fields to major regulations such as the EU AI Act, FDA medical‑device guidance, IEC 62304, and IEEE ethical technology standards, demonstrating how the BOM can serve as a compliance artifact.

A multi‑disciplinary working group—comprising AI researchers, software engineers, product managers, legal counsel, and licensing experts—was formed in 2021. Their methodology involved (1) identifying essential fields, (2) benchmarking existing documentation formats (model cards, datasheets, fact sheets), (3) extending SPDX profiles, (4) piloting the schema with tooling (SPDX‑Tools, CI/CD integration), and (5) iterating based on stakeholder feedback. The authors provide a detailed comparison table showing that AI BOM offers a more comprehensive, machine‑readable, and automatable representation than traditional model cards or datasheets.

Key sections of the paper include:

  • An overview of SPDX 3.0 and why its extensibility is crucial for AI.
  • A thorough enumeration of mandatory and optional fields for both profiles, with data types, allowed values, and relationship definitions (e.g., hasDeclaredLicense, hasContainedPackage).
  • Compliance guidance linking each field to specific regulatory clauses.
  • A discussion of the governance process, including the composition of the working group, meeting cadence, and decision‑making criteria.
  • Comparative analysis with existing documentation standards, highlighting AI BOM’s ability to capture energy consumption, bias mitigation, and legal provenance.
  • Future directions such as automated BOM generation, community‑driven extensions, integration with supply‑chain risk management tools, and the potential for AI BOM to become a certification artifact.
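To make the two profiles concrete, the following added example (not code from the paper or from the SPDX project) assembles a minimal AI BOM in the shape the summary describes, one AI package, one dataset package and their declared license, and validates it for missing mandatory fields, unknown fields and relationships that point at elements the BOM does not contain. Field names are the ones listed above; which of them are treated as mandatory, the `urn:example` identifiers, the sample values and the `trainedOn` relationship are assumptions made for this example, and the structure is a plain dict rather than the SPDX 3.0 JSON-LD serialisation.

```python
# Field sets as described in the summary above. Which of them are mandatory is an
# assumption for this example; exact SPDX 3.0 property names come from the spec.
CORE = {"spdxId", "name", "version", "downloadLocation"}
PROFILES = {
    "AIPackage": (CORE | {"autonomyType", "domain", "safetyRiskAssessment"},
                  {"energyConsumption", "hyperparameters", "standardCompliance"}),
    "DatasetPackage": (CORE | {"dataCollectionProcess", "datasetSize"},
                       {"dataPreprocessing", "sensitivePersonalInformation",
                        "datasetUpdateMechanism"}),
}

def validate(bom):
    """Return a list of problems found in the BOM; an empty list means it passes."""
    problems = []
    ids = {el["spdxId"] for el in bom["elements"]}
    for el in bom["elements"]:
        if el["type"] not in PROFILES:
            continue  # licenses and other core elements are not profile-checked here
        required, optional = PROFILES[el["type"]]
        fields = set(el) - {"type"}
        for f in sorted(required - fields):
            problems.append(f"{el['spdxId']}: missing required field {f}")
        for f in sorted(fields - required - optional):
            problems.append(f"{el['spdxId']}: unknown field {f}")
    for rel in bom["relationships"]:  # every relationship end must resolve to an element
        for end in ("from", "to"):
            if rel[end] not in ids:
                problems.append(f"{rel['relationshipType']}: dangling reference {rel[end]}")
    return problems

def build_example_bom():
    """Constructed sample: one model, the dataset it was trained on, their license."""
    model = {"type": "AIPackage", "spdxId": "urn:example:model-1", "name": "example-classifier",
             "version": "1.2.0", "downloadLocation": "https://example.invalid/model-1.2.0.tar.gz",
             "autonomyType": "Manual", "domain": ["medical-imaging"],
             "safetyRiskAssessment": "medium", "energyConsumption": "14 kWh (training run)",
             "hyperparameters": {"epochs": 20, "learningRate": 0.001},
             "standardCompliance": ["IEC 62304", "EU AI Act"]}
    dataset = {"type": "DatasetPackage", "spdxId": "urn:example:dataset-1", "name": "example-scans",
               "version": "2024.1", "downloadLocation": "NOASSERTION",
               "dataCollectionProcess": "clinical scans gathered under informed consent",
               "datasetSize": "12000 images", "dataPreprocessing": ["de-identified", "resized"],
               "sensitivePersonalInformation": True, "datasetUpdateMechanism": "quarterly release"}
    lic = {"type": "License", "spdxId": "urn:example:license-1", "name": "CC-BY-4.0"}
    rels = [{"from": model["spdxId"], "relationshipType": "hasDeclaredLicense", "to": lic["spdxId"]},
            {"from": dataset["spdxId"], "relationshipType": "hasDeclaredLicense", "to": lic["spdxId"]},
            {"from": model["spdxId"], "relationshipType": "trainedOn", "to": dataset["spdxId"]}]
    return {"elements": [model, dataset, lic], "relationships": rels}
```

Running `validate(build_example_bom())` returns an empty list; dropping a mandatory field or referencing an element that is not in the BOM is reported as a named problem, which is the kind of check a CI pipeline would apply before accepting a BOM.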

In conclusion, the paper delivers a concrete, standards‑based blueprint for creating, maintaining, and using AI BOMs. By extending SPDX 3.0 with AI‑ and dataset‑specific metadata, the authors provide a practical mechanism for enhancing transparency, traceability, and regulatory compliance across the AI lifecycle, positioning AI BOM as a foundational element of responsible AI governance.
