What goes in an SBOM for a federal AI deployment?

A software bill of materials lists the components, versions, suppliers, and dependency relationships of the deployed system, typically in SPDX or CycloneDX, so consumers can track vulnerabilities and provenance. For an AI deployment the practice extends…

register 09 · Compliance pins· SBOM
01 ·

Answer.

Supply-chain / provenance standard · SBOM.

A software bill of materials lists the components, versions, suppliers, and dependency relationships of the deployed system, typically in SPDX or CycloneDX, so consumers can track vulnerabilities and provenance. For an AI deployment the practice extends toward model and data lineage (sometimes called an AI-BOM), though that is still maturing. Planisphere does not generate your SBOM; it pins the audited model and probe set by hash so the thing measured is unambiguously identified alongside whatever SBOM you maintain.

02 ·

The mark behind the answer.

SBOM is a provenance standard: it cares about where an artifact came from and whether the chain is unbroken. Planisphere…

software bill of materials · NTIA + CISA.

→ Full reference for SBOM

Prepare evidence for SBOM review.

First evidence record within 21 days of access · re-runs in a single business day. Planisphere measures model behaviour and emits a reproducible, sha-pinned record — it does not certify, file, or give legal advice.