AI Bill of Materials

CycloneDX 1.6 AI BOM — the supply-chain artifact a CISO, an auditor, and an insurer all need to see before they say yes.

What an Agentics AI BOM contains

CycloneDX 1.6 JSON or XML, using the spec's AI/ML capabilities. Each component declares its supplier, version, hash, license, and provenance attestations.

Foundation models

Provider, model family, version pinning, training-data summary citation, system-card link, RSP/RAI-policy URL.

Fine-tunes, adapters, datasets

Dataset cards, license tags, opt-out provenance, PII redaction policy, evaluation suites.

Prompts, tools, MCP servers

Each prompt template, tool, and MCP capability is a versioned component, linked back to its receipts.

Code dependencies

SBOM rolled in (npm, PyPI, Cargo, Go modules) — the AI BOM extends a normal SBOM rather than replacing it.

Sample BOM

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "timestamp": "2026-05-19T01:21:00Z",
    "tools": [{ "name": "agentics-bom", "version": "1.0.0" }]
  },
  "components": [
    {
      "type": "machine-learning-model",
      "name": "claude-opus-4-6",
      "supplier": { "name": "Anthropic" },
      "version": "claude-opus-4-6",
      "modelCard": {
        "modelParameters": { "datasets": [], "inputs": [], "outputs": [] },
        "considerations": { "useCases": ["general-purpose-llm"] }
      }
    },
    {
      "type": "data",
      "name": "customer-redacted-conversations",
      "hashes": [{ "alg": "SHA-256", "content": "e3b0c4..." }]
    }
  ],
  "declarations": {
    "affirmations": ["EU_AI_ACT_ART9-17", "NIST_AI_RMF", "ISO_42001"]
  }
}

Export

Pull the BOM for any registered system. The export anchors a SHA-256 hash of the BOM to the public Solana ledger.
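A check a practitioner would want to run on an exported BOM before relying on it, given as an added example that is not Agentics code and not part of the page: it verifies that every component carries the fields the page says an Agentics BOM declares (supplier, version, hash, license), that machine-learning-model components carry a modelCard, that SHA-256 hashes are complete digests rather than truncated ones, and it computes a canonical SHA-256 over the BOM of the kind the export anchors to the ledger. The embedded sample BOM is constructed for the example (modelled on the page's sample, with one deliberately complete component added); the canonicalisation (sorted keys, compact separators) is an assumption, since the page does not say how the export serialises the BOM before hashing, and the required-field list comes from the page's description rather than from the CycloneDX schema.

```python
import hashlib
import json

# Constructed sample for this example, modelled on the page's sample BOM.
# The first component is deliberately complete; the second mirrors the page's
# "data" component, which lacks several fields and carries a truncated hash.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {
            "type": "machine-learning-model",
            "name": "example-model",  # hypothetical component name
            "version": "2026-01",
            "supplier": {"name": "Example Model Vendor"},  # hypothetical supplier
            "hashes": [{"alg": "SHA-256", "content": "a" * 64}],
            "licenses": [{"license": {"id": "Apache-2.0"}}],
            "modelCard": {"considerations": {"useCases": ["demo"]}},
        },
        {
            "type": "data",
            "name": "customer-redacted-conversations",
            "hashes": [{"alg": "SHA-256", "content": "e3b0c4..."}],
        },
    ],
}

# Fields the page says every component in an Agentics BOM declares.
# Assumption: taken from the page's description, not from the CycloneDX schema.
REQUIRED_COMPONENT_FIELDS = ("type", "name", "version", "supplier", "hashes", "licenses")


def is_full_sha256(digest):
    """True only for a complete 64-character hex SHA-256 digest."""
    s = str(digest).lower()
    return len(s) == 64 and all(c in "0123456789abcdef" for c in s)


def check_component(component):
    """Return findings for one component; an empty list means it passes."""
    findings = []
    name = component.get("name", "<unnamed>")
    for field in REQUIRED_COMPONENT_FIELDS:
        if field not in component:
            findings.append(f"{name}: missing '{field}'")
    # A model without a model card cannot be reviewed for intended use.
    if component.get("type") == "machine-learning-model" and "modelCard" not in component:
        findings.append(f"{name}: machine-learning-model has no modelCard")
    # A truncated hash cannot be used to verify the artifact it points at.
    for h in component.get("hashes", []):
        content = h.get("content", "")
        if h.get("alg") == "SHA-256" and not is_full_sha256(content):
            findings.append(f"{name}: SHA-256 hash {content!r} is not a full 64-hex digest")
    return findings


def check_bom(bom):
    """Collect findings across the BOM header and every component."""
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if bom.get("specVersion") != "1.6":
        findings.append(f"specVersion {bom.get('specVersion')!r} is not 1.6")
    for component in bom.get("components", []):
        findings.extend(check_component(component))
    return findings


def bom_digest(bom):
    """SHA-256 over a canonical serialisation, so the same BOM yields the same
    digest regardless of key order or whitespace. Assumption: sorted keys and
    compact separators; the page does not state how the export serialises the
    BOM before hashing it."""
    canonical = json.dumps(bom, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for finding in check_bom(SAMPLE_BOM):
        print("FINDING:", finding)
    print("BOM digest to anchor:", bom_digest(SAMPLE_BOM))
```

Run against the constructed sample, the complete model component passes and the data component produces four findings (three missing fields and the truncated hash), which is the kind of gap an auditor would want flagged before the digest is anchored. Whatever serialisation the real export uses, the verifier and the exporter must agree on it, or the ledger hash will not match a re-computed one.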