AI bills of materials (AI BOMs) are designed to answer a pretty straightforward question: what's in this AI technology? Like software bills of materials (SBOMs), they document all of the ingredients that went into building a system. This includes the models, the datasets, the frameworks, and the dependencies the AI is built on. Knowing these is crucial for tracking supply chain risk and responding quickly when a component is compromised.
But AI agents are different because tracking their risk adds a new dimension beyond components. Agentic-ready AI BOMs will need to document not only the components but also the attributes that describe autonomous action.
"With delegated agency, the most security-relevant dependencies are not model plus data — instead they become action pathways," says Kriti Tallam, VP of AI at Kamiwaza AI and contributor to NIST's AI Risk Management Framework. "What you're talking about is behavioral artifacts: tool skills, prompts, policies, and workflow definitions."
In this way, the AI BOM documentation needs to help answer a much harder set of questions: where are agents operating, what are they doing, and should they be?
The Artifact vs. Authority Problem
Current standards like CycloneDX and SPDX are artifact-lineage tools. They tell the story of all the inputs that went into building an AI system. That's valuable for traditional software, but it leaves critical gaps as agentic AI adds the element of execution.
As Tallam points out, this means that the supply chain expands beyond models and data into runtime behavior. Helen Oakley, one of the leaders of the OWASP AIBOM Generator, says this means that documentation now covers two main areas: artifact lineage and authority lineage. The first asks what components are present, where they originated, and whether they contain known vulnerabilities. The earliest standards for AI BOMs already cover these attributes. The second asks how decision rights move through a system once it's running. These are the attributes that agentic AI BOMs will need to start tackling.
"In autonomous systems, the supply chain evolves to include a dynamic runtime dimension," she recently wrote. "As AI systems generate and compose decisions at runtime, the supply chain must also account for how authority is delegated, propagated, and bounded during execution."
Without additional fields and runtime instrumentation, AI BOMs can't currently document how decision-making authority is propagated across a multi-agent chain. Without this kind of visibility, it is nigh impossible to figure out which agent called which tool and with what delegated permissions, and whether that chain stayed within its originally intended boundaries. As Oakley puts it: "Artifact integrity does not automatically imply bounded authority propagation."
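One way to express the bounded-authority check described above, as an added example that is not from the article or from the OWASP, CycloneDX or SPDX projects. The `Hop` record, the scope strings, the agent names and the trace are constructed assumptions; no current AI BOM standard defines these fields.

```python
from dataclasses import dataclass

# Hypothetical runtime record of one delegation; not a CycloneDX/SPDX field set.
@dataclass(frozen=True)
class Hop:
    caller: str        # agent delegating authority
    callee: str        # agent or tool receiving it
    scopes: frozenset  # permissions handed over for this call

def check_authority_lineage(root, root_scopes, hops):
    """Walk a delegation trace in order and return a list of violations.

    Rule: a callee may only receive scopes its caller already holds, so
    authority can be narrowed along the chain but never widened.
    """
    held = {root: frozenset(root_scopes)}
    violations = []
    for i, hop in enumerate(hops):
        if hop.caller not in held:
            violations.append((i, hop.caller, hop.callee, "caller has no recorded grant"))
            continue
        excess = hop.scopes - held[hop.caller]
        if excess:
            violations.append((i, hop.caller, hop.callee,
                               "amplified: " + ",".join(sorted(excess))))
        # Record only the in-bounds part so later hops cannot pass on the excess.
        granted = hop.scopes & held[hop.caller]
        held[hop.callee] = held.get(hop.callee, frozenset()) | granted
    return violations

# Constructed trace: every component could pass an artifact-integrity check,
# yet hop 2 hands "email:send" to an agent although the caller never held it.
ROOT_SCOPES = {"tickets:read", "tickets:write"}
TRACE = [
    Hop("planner", "researcher", frozenset({"tickets:read"})),
    Hop("researcher", "search_tool", frozenset({"tickets:read"})),
    Hop("researcher", "mailer", frozenset({"tickets:read", "email:send"})),
    Hop("mailer", "smtp_tool", frozenset({"email:send"})),
]

if __name__ == "__main__":
    for idx, caller, callee, reason in check_authority_lineage("planner", ROOT_SCOPES, TRACE):
        print(f"hop {idx}: {caller} -> {callee}: {reason}")
```

The check depends on runtime instrumentation emitting one record per delegation; a static component inventory alone cannot supply that input.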