Shadow IT has given way to shadow AI. Enter AI-BOMs
Traditional software bills of materials (SBOMs) are no longer sufficient for securing enterprise environments with AI components. AI-BOMs provide visibility into AI models, datasets, frameworks, and how they interact within workflows. With the rise of 'shadow AI,' organizations need tools like AI-BOMs and model provenance trackers to identify and secure unsanctioned AI tools.
- AI-BOMs extend traditional SBOMs by including AI-specific components such as models, datasets, prompts, and agents.
- Shadow AI refers to unsanctioned AI tools used by employees, which pose security risks when sensitive data is entered into external chatbots.
- Cisco has open-sourced both the AI-BOM and the Model Provenance Kit to help organizations track AI assets and model origins.
- Ian Swanson of Palo Alto Networks compared using AI without visibility to eating a cake without knowing its ingredients or baker.
- Amy Chang of Cisco emphasized that AI-BOMs are a starting point for understanding what AI assets exist in an organization.
Opening excerpt (first ~120 words):
Shadow IT has given way to shadow AI. Enter AI-BOMs
'If you don't have visibility, you can't understand what to protect'
Jessica Lyons, Mon 4 May 2026 // 15:04 UTC

When it comes to securing enterprise supply chains, now heavily infused with AI applications and agents, a software bill of materials (SBOM) no longer provides a complete inventory of all the components in the environment. Enter AI-BOMs. While a traditional SBOM includes all of the software packages and dependencies in the organization, an AI-BOM aims to cover the gaps introduced by AI assets by providing visibility across all of the models, datasets, SDK libraries, MCP servers, ML frameworks, agents, agentic skills, prompts, and other AI tools - plus how these AI components interact with each other and connect to…
Excerpt limited to ~120 words for fair-use compliance. The full article is at The Register.
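To make concrete what an AI-BOM records beyond a classic SBOM, here is an added illustrative inventory builder. It is example code written for this page, not the article's content and not Cisco's AI-BOM or Model Provenance Kit; the `ai-bom-illustrative` format name, the component kinds, the sample components and suppliers, and the model bytes are all constructed. Each AI asset carries a provenance hash and its dependency edges, and three defender checks run over the result: components from an unapproved supplier (the shadow-AI case), dependencies on assets the BOM never describes, and models or datasets with no hash to verify against their source.

```python
"""
Illustrative AI-BOM builder (added example; not the article's or Cisco's code).
Records each AI asset with a provenance hash and its dependency edges, then
runs three checks: unapproved suppliers (shadow AI), dangling dependencies,
and models/datasets without a recorded hash.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict

# Component kinds an AI-BOM tracks beyond a classic SBOM (constructed set,
# drawn from the asset types the article lists).
KINDS = {"model", "dataset", "framework", "sdk", "mcp-server", "agent", "prompt"}


@dataclass
class AIComponent:
    name: str
    kind: str
    version: str
    supplier: str
    sha256: str = ""                                  # provenance hash of the artifact, if known
    depends_on: list = field(default_factory=list)    # names of other components it relies on


def sha256_of(data: bytes) -> str:
    """Content hash used as the provenance identifier for an artifact."""
    return hashlib.sha256(data).hexdigest()


def build_ai_bom(components: list) -> dict:
    """Assemble the inventory plus an explicit dependency graph."""
    for c in components:
        if c.kind not in KINDS:
            raise ValueError(f"unknown component kind: {c.kind}")
    return {
        "bomFormat": "ai-bom-illustrative",   # constructed format name, not a standard
        "components": [asdict(c) for c in components],
        "dependencies": [{"ref": c.name, "dependsOn": list(c.depends_on)} for c in components],
    }


def find_unsanctioned(bom: dict, approved_suppliers: set) -> list:
    """Shadow-AI check: components whose supplier is not on the approved list."""
    return sorted(c["name"] for c in bom["components"] if c["supplier"] not in approved_suppliers)


def find_dangling_dependencies(bom: dict) -> list:
    """Dependencies on assets the BOM does not describe, i.e. invisible components."""
    known = {c["name"] for c in bom["components"]}
    return sorted({ref for d in bom["dependencies"] for ref in d["dependsOn"] if ref not in known})


def find_unhashed_models(bom: dict) -> list:
    """Models and datasets with no provenance hash cannot be verified against their source."""
    return sorted(
        c["name"] for c in bom["components"]
        if c["kind"] in {"model", "dataset"} and not c["sha256"]
    )


# --- constructed sample inventory (not real artifacts or vendors) ---
CONSTRUCTED_WEIGHTS = b"constructed model weights, not a real artifact"
APPROVED_SUPPLIERS = {"internal-ml-team", "approved-vendor"}

SAMPLE_COMPONENTS = [
    AIComponent("support-classifier", "model", "1.2.0", "internal-ml-team",
                sha256_of(CONSTRUCTED_WEIGHTS), ["tickets-2025", "torch-runtime"]),
    AIComponent("tickets-2025", "dataset", "2025-12", "internal-ml-team"),      # no hash recorded
    AIComponent("torch-runtime", "framework", "2.x", "approved-vendor"),
    AIComponent("triage-agent", "agent", "0.3", "internal-ml-team",
                depends_on=["support-classifier", "crm-mcp", "triage-prompt"]),  # crm-mcp is undocumented
    AIComponent("triage-prompt", "prompt", "7", "internal-ml-team"),
    AIComponent("personal-chatbot-mcp", "mcp-server", "unknown", "unknown-saas"),  # shadow AI
]

SAMPLE_BOM = build_ai_bom(SAMPLE_COMPONENTS)

if __name__ == "__main__":
    print(json.dumps(SAMPLE_BOM, indent=2))
    print("unsanctioned suppliers:", find_unsanctioned(SAMPLE_BOM, APPROVED_SUPPLIERS))
    print("dangling dependencies:", find_dangling_dependencies(SAMPLE_BOM))
    print("unhashed models/datasets:", find_unhashed_models(SAMPLE_BOM))
```

The dependency graph is what distinguishes this from a flat package list: the agent's edge to an undocumented `crm-mcp` server is exactly the kind of gap the article says an SBOM leaves open, and the supplier check is the simplest form of the shadow-AI detection the piece describes, since anything an employee wires in without review shows up as an unapproved supplier.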