What happened
The G7 Cybersecurity Working Group published 'Software Bill of Materials (SBOM) for Artificial Intelligence - Minimum Elements' on May 12, 2026, developed jointly by CISA (US), BSI (Germany), ANSSI (France), ACN (Italy), CSE (Canada), NCSC (UK), NCO (Japan), and the EU Commission. The guidance defines seven clusters of AI supply-chain metadata: Metadata, System Level Properties, Models, Dataset Properties, Key Performance Indicators, Infrastructure, and Security Properties.
Why it matters
This is the first coordinated multi-government baseline for AI-specific supply-chain transparency. While non-mandatory, it represents international convergence on which AI system properties must be documented and shared. Organizations should expect procurement teams to adopt these clusters as baseline requirements for AI system acquisition and deployment governance, similar to conventional software SBOMs. Aligns with emerging EU AI Act transparency obligations and provides a concrete framework for risk-informed AI procurement decisions.
Action needed
Extend AI SBOM inventory controls to procurement, model deployment, and third-party AI intake workflows. Add AI-specific SBOM fields (Model properties, Dataset provenance, Infrastructure requirements, Security controls) to contract templates and intake questionnaires. Review whether existing SBOM tools can emit AI-relevant metadata clusters.