Supply Chain and AIBOM
Sentinel supply-chain and AIBOM workflows inventory AI dependencies, model artifacts, provenance, manifests, runtime components, and known vulnerable packages.
Sentinel AIBOM is an AI bill of materials workflow. It records which models, datasets, prompts, dependencies, containers, tools, and provenance signals are part of an AI release so security teams can review risk before deployment.
What to inventory
An AI release is more than application code. The AIBOM should include model files, datasets or retrieval indexes, prompt templates, tools, containers, and dependency versions.
- Model file hash, source, license, and owner
- Prompt and eval suite version
- Container digest and runtime packages
- MCP tools, permissions, and transport type
Supply-chain risks
The highest-risk issues are executable artifacts, missing integrity records, vulnerable runtime packages, typosquatted dependencies, and mutable remote references.
- Known exploited CVEs block release
- Mutable tags and unpinned URLs require review
- Missing hash or provenance creates a promotion gap
Security handoff
AIBOM output should be useful to engineering and governance. Keep it short enough to review and detailed enough to support incident response.
- Attach JSON or Markdown AIBOM to release records
- Assign owners for every CRITICAL/HIGH dependency issue
- Keep old AIBOMs for diff review during upgrades
OWASP AIBOM and CycloneDX AI profile
The OWASP AIBOM project extends the CycloneDX Software Bill of Materials standard with AI-specific components. A CycloneDX AI profile AIBOM captures model metadata, training data references, evaluation results, and provenance in a machine-readable format that security and compliance tools can consume.
- OWASP AIBOM project (github.com/OWASP/www-project-aibom): standard schema for AI release material
- CycloneDX AI profile: extends SBOM with model file, training data, prompt, eval, and tool components
- datasig (Trail of Bits): cryptographic fingerprinting of training datasets — computes dataset signatures for provenance and AIBOM inclusion
- Sightline: community-maintained AI/ML supply chain vulnerability database with CVE and advisory data
- AIBOM diff: comparing AIBOMs between releases reveals unreviewed model, dependency, or prompt changes
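The integrity and mutable-reference checks from "Supply-chain risks" and the AIBOM diff described above, as an added illustration that is not Sentinel's own code. It uses a deliberately simplified, constructed manifest shape rather than the CycloneDX AI profile schema; the rule ID MANIFEST-MISSING-INTEGRITY is the one shown in the sample output on this page, while MUTABLE-REFERENCE and the detection pattern are assumptions.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample snapshots (NOT the CycloneDX AI profile schema):
# {component name: {"type": ..., "ref": version/tag/URL, "sha256": hex or None}}
PREVIOUS_AIBOM = {
    "transformers": {"type": "dependency", "ref": "4.36.0", "sha256": "a" * 64},
    "classifier.safetensors": {"type": "model", "ref": "v1", "sha256": None},
    "system-prompt": {"type": "prompt", "ref": "3", "sha256": "b" * 64},
}
CURRENT_AIBOM = {
    "transformers": {"type": "dependency", "ref": "4.38.0", "sha256": "c" * 64},
    "classifier.safetensors": {"type": "model", "ref": "v2", "sha256": None},
    "system-prompt": {"type": "prompt", "ref": "3", "sha256": "b" * 64},
    "retriever-image": {"type": "container",
                        "ref": "registry.example/retriever:latest", "sha256": None},
}

# Floating container tags or git branches instead of a digest (assumed pattern).
MUTABLE_TAG = re.compile(r":latest$|[@:](main|master)$")

def check_integrity(aibom: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (rule_id, severity, component) for the promotion gaps the page
    names: missing hash/provenance, mutable tags, and unpinned remote URLs."""
    findings = []
    for name, comp in aibom.items():
        has_hash = bool(comp.get("sha256"))
        if not has_hash:
            findings.append(("MANIFEST-MISSING-INTEGRITY", "MEDIUM", name))
        ref = comp["ref"]
        remote_unpinned = ref.startswith(("http://", "https://")) and not has_hash
        if MUTABLE_TAG.search(ref) or remote_unpinned:
            findings.append(("MUTABLE-REFERENCE", "MEDIUM", name))
    return findings

def diff_aibom(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, list]:
    """Components added, removed, or changed (ref or hash) between two releases."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new) if old[n] != new[n])
    return {"added": added, "removed": removed, "changed": changed}

def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Recompute an artifact's SHA-256 and compare it with the AIBOM record."""
    return hashlib.sha256(data).hexdigest() == expected_sha256

if __name__ == "__main__":
    for rule_id, severity, component in check_integrity(CURRENT_AIBOM):
        print(rule_id, severity, component)
    print(diff_aibom(PREVIOUS_AIBOM, CURRENT_AIBOM))
```

Any entry in `changed` that has no matching review record is the unreviewed model, dependency, or prompt change the diff is meant to surface.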
Commands
sentinel supply-chain ./project/
sentinel aibom ./models/
sentinel scan ./project/ -f json -o sentinel-report.json
Expected output
Output should carry rule ID, severity, surface, evidence, and release decision in a way other teams can understand.
aibom:
models: 3
manifests: 2
dependencies: 148
findings:
- CVE-VULNERABLE-RUNTIME HIGH transformers pinned to vulnerable range
- MANIFEST-MISSING-INTEGRITY MEDIUM model manifest has no hash
FAQ
Is AIBOM the same as SBOM?
No. It complements SBOM by adding AI-specific release material such as models, prompts, evals, RAG indexes, and tool permissions.
What blocks a release?
Known exploited CVEs, executable artifacts without approval, missing integrity for production models, and secrets in release bundles should block release.
How do I produce a CycloneDX AI profile AIBOM?
Use the OWASP AIBOM project tooling or CycloneDX-compatible tools to export model metadata, dependency versions, and provenance into the standard JSON schema. Run Sentinel supply-chain checks and attach the output as an AIBOM component.
References
- OWASP LLM03:2025 Supply Chain
- MITRE CWE
- OWASP AIBOM Project
- CycloneDX AI/ML Extension
- Trail of Bits datasig
Eresus support
Turn the finding into an action your team can actually close.
If you need exploit evidence, prioritization, remediation direction, and retesting for Supply Chain and AIBOM, Eresus can help scope the work with your team.