SBOM · FOR · AI

What's actually inside your AI?

SBOM for AI — the new G7 baseline. The EU AI Act countdown is running.

From 2 August 2026 the EU AI Act enters full enforcement. In March 2026 the G7 Cybersecurity Working Group published the first joint guidance for AI-SBOM: 50 minimum elements across 7 clusters. Without a structured inventory of your AI supply chain, compliance becomes a gamble — and risk a black box.

Until EU AI Act full enforcement: 2 August 2026 · 00:00 CET
G7 · BSI · CISA · ANSSI · NCSC · ACN · CSE · NCO · EU Commission

  • 50 minimum elements
  • 7 clusters
  • 9 · G7 consensus baseline
  • 35 M € max. AI Act fine
01 · THE SILENT CATASTROPHE

One model. Six weeks. USD 847M.

February 2025 — a top-10 US bank. A state-of-the-art fraud-detection model from a renowned vendor. 94 % detection rate in testing. In production: a poisoned open-source base from Hugging Face. 100 % of trigger transactions were waved through.

$ 847 M · fraudulent transfers
Detected after 6 weeks of undetected production
Vector: 1× HF model · poisoned open-source base
Source: CyberSecFeed (2025) — emblematic of the 2024–2026 wave of AI supply-chain incidents.
02 · THE UNCOMFORTABLE TRUTH

No one would eat yoghurt without an ingredient list. Yet almost every organisation deploys AI without knowing what's inside.

VISIBLE
What you see
The finished model
  • Model name & version
  • API endpoint
  • Marketing claims
  • A few benchmarks
INVISIBLE
What's actually inside
The invisible supply chain
  • Base model + distillation ancestors
  • Training data · provenance unclear
  • LoRA adapters & fine-tuning stages
  • Pickle files · code-execution risk
  • Third-party APIs & MCP tools
03 · REAL INCIDENTS · 2024 – 2026

The AI supply chain is no longer a textbook problem.

The pattern: trust is pushed upstream — and no one controls it.

2024
JFrog × Hugging Face
≈ 100 malicious models found — reverse shells that execute code on load.
Q1 2025
Model poisoning in production
Banks & hospitals report backdoored models from "reputable" sources. 23 % of top-1,000 models compromised.
03/2026
LiteLLM hijacked on PyPI
≈ 500,000 credentials potentially exfiltrated — including API keys from Meta, OpenAI, Anthropic.
04/2026
Bitwarden CLI & PyTorch Lightning
Compromised for 90 / 42 minutes. Payload targets Claude Code, Cursor, Codex CLI ("Mini Shai-Hulud").
04 · THE G7 ANSWER

What is an SBOM for AI?

A machine-readable ingredient list for AI systems — structured evidence of every component, dependency and supply-chain relationship that flows into an AI system.

Transparency

Which models, datasets, frameworks, GPUs and third-party APIs are in the system? Inventory, not assumption.

Compliance

Evidence for EU AI Act, NIS2, CRA, BSI TR-03183 — machine-processable, signable, audit-ready.

Responsiveness

When a zero-day hits, know in hours not weeks: are we affected? Which models? Which endpoints?

05 · THE G7 FRAMEWORK · MARCH 2026

Seven clusters. Fifty minimum elements. One shared baseline.

BSI · ACN · ANSSI · CSE · CISA · NCSC · NCO · EU Commission jointly published the first set of minimum elements in March 2026. Seven clusters cover the entire AI lifecycle — from provenance to performance.

  • 10 · Metadata · the SBOM itself
  • 9 · System Level Properties · the system as a whole
  • 13 · Models · the AI brain
  • 10 · Datasets · the AI fuel
  • 2 · Infrastructure · the AI substrate
  • 4 · Security Properties · the defences
  • 2 · Key Performance Indicators · the measurement
CISO highlight: Models + Datasets + Security Properties — this is where it diverges from a classical SBOM.
06 · CLUSTER · DEEP-DIVE

Three clusters where risk is decided.

MODELS · 13 ELEMENTS

Who built the brain?

Identity, lineage, weights, hash, training method, license and external references for every model in the system.

  • Model name, identifier, version, timestamp
  • Producer — pre-trained / fine-tuned / distilled
  • Hash + algorithm (integrity check)
  • Architecture, parameters, hyperparameters
  • Training properties: RLHF · DPO · PPO · GRPO
  • License: open weight / architecture / data
  • Lineage: parent & derived models
  • External refs: Model Card · paper · JSON schema
Why this level of detail? So that after a zero-day in a base model you can see within minutes which fine-tuned variants are affected.
DATASETS · 10 ELEMENTS

What did it learn from?

Provenance, content, statistical properties, sensitivity and license of every dataset across the AI lifecycle.

  • Name & description · pre-train / fine-tune / eval
  • Content & format · finance · medical · JSON · image · audio
  • Identifier & hash · URL + cryptographic fingerprint
  • Provenance · crawling · purchase · labeling steps
  • Statistical properties · bias-relevant metrics
  • Sensitivity · PII · copyright · medical · national security
  • Dependency relations · which tools shaped it
  • License · link to the license document
This is often where your GDPR, copyright and AI-Act exposure is decided — long before the model is even deployed.
SECURITY · INFRASTRUCTURE · KPI · 8 ELEMENTS

Substrate, defences & measurement

What runs the system? How is it defended? How do we measure robustness and performance?

Security Properties

Encryption · RBAC · I/O filters · adversarial robustness · prompt-injection defence · ISO/IEC 27001 · 42001 · SOC 2 · security.txt link

Infrastructure

Frameworks (PyTorch · TF · vLLM · Ollama · Triton) · package managers · third-party libs · runtimes · HBOM link for AI silicon

Key Performance Indicators

Adversarial robustness · manipulation resilience · uptime · latency · throughput · load balancing · incident resolution time

07 · THE COUNTDOWN

2 August 2026 — the EU AI Act goes full force.

Art. 50 transparency duties. Annex III high-risk systems. Technical documentation, risk management, data governance, cybersecurity evidence. Logging — all evidenced and machine-processable.

  • € 35 M · 7 % of group revenue · for prohibited practices
  • € 15 M · 3 % of group revenue · for transparency & high-risk breaches (incl. missing SBOM content)
  • Annex III · HIGH-RISK · HR · credit · education · CI · justice · biometrics
08 · THE READINESS GAP

While the clock ticks, most are not ready.

  • 26.2 % have started concrete AI-Act compliance activities at all
  • 19.4 % self-classify as "poorly prepared"
  • > 50 % do not even have a full AI-system inventory
Deloitte AI-Act Survey 2026 · TrueScreen Compliance Tracker 2026
09 · WHAT CISOs DO NOW

Five steps to SBOM-for-AI readiness.

01 · Inventory: Complete list of every AI model, agent and API in use — including shadow AI in business units.
02 · Classify: Determine risk tier under the EU AI Act. Prioritise high-risk systems per Annex III.
03 · Choose tooling: CycloneDX 1.7 / SPDX, AIBOM generators (Cybeats, Manifest, OWASP CycloneDX AI working group).
04 · Automate: Hook SBOM generation into CI/CD, the model registry and your MLOps pipeline. Enforce hash signatures.
05 · Integrate: Wire to vuln scanning, VEX and the ISMS risk register. Adjust procurement contracts.
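As an added illustration (not the page's or VamiSec's code, and not a real project's BOM), a small Python snippet over a constructed, simplified CycloneDX-style AIBOM: it walks the recorded lineage to list every fine-tuned or adapter model descending from a compromised base (the Models cluster rationale above) and checks deployed weight files against the hashes the BOM records (step 04). The component types, hash list and dependency graph follow CycloneDX's components/dependencies shape; every name, version and value is made up.

```python
import hashlib
from collections import deque

# Constructed, simplified CycloneDX-style AIBOM. Field shape follows CycloneDX
# (components with hashes, dependencies graph); all values are invented.
AIBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.7",
    "components": [
        {"bom-ref": "model:base", "type": "machine-learning-model",
         "name": "example-base-7b", "version": "1.0",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(b"base weights").hexdigest()}]},
        {"bom-ref": "data:finetune", "type": "data", "name": "fraud-labels-2025"},
        {"bom-ref": "model:ft", "type": "machine-learning-model",
         "name": "fraud-detector", "version": "2.3",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(b"ft weights").hexdigest()}]},
        {"bom-ref": "model:lora", "type": "machine-learning-model",
         "name": "fraud-detector-lora-eu", "version": "0.4",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(b"lora weights").hexdigest()}]},
    ],
    # Lineage: a derived model "dependsOn" its parent model and its training data.
    "dependencies": [
        {"ref": "model:ft", "dependsOn": ["model:base", "data:finetune"]},
        {"ref": "model:lora", "dependsOn": ["model:ft"]},
    ],
}


def affected_by(bom, compromised_ref):
    """Return every component whose lineage leads back to compromised_ref (BFS over children)."""
    children_of = {}
    for dep in bom["dependencies"]:
        for parent in dep.get("dependsOn", []):
            children_of.setdefault(parent, []).append(dep["ref"])
    seen, queue = set(), deque([compromised_ref])
    while queue:
        current = queue.popleft()
        for child in children_of.get(current, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def verify_weights(bom, artifacts):
    """Return refs whose deployed weight bytes do not match the SHA-256 recorded in the BOM.

    An artifact with no recorded hash is also reported: it is outside the inventory."""
    recorded = {c["bom-ref"]: h["content"] for c in bom["components"]
                for h in c.get("hashes", []) if h["alg"] == "SHA-256"}
    return sorted(ref for ref, blob in artifacts.items()
                  if hashlib.sha256(blob).hexdigest() != recorded.get(ref))
```

In a pipeline, `verify_weights` runs against the files the model registry actually serves, and `affected_by` is the first query an incident responder runs when a base model or dataset is reported compromised.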
10 · VAMISEC · FROM OBLIGATION TO ARCHITECTURE

How VamiSec makes you SBOM-for-AI-ready.

AI-system inventory

Capture every productive AI system, model, agent and MCP tool — including shadow AI.

AIBOM implementation

From pilot to full rollout: CycloneDX 1.7, pipeline integration, model signing.

EU AI Act gap analysis

Map your systems to Art. 50, Annex III and the technical documentation duties.

AI security & governance

Adversarial-robustness tests, prompt-injection defence, AI risk register.

vCISO / AI Officer

Managed service for AI governance, ISMS and compliance — on demand.

Continuous monitoring

SBOM-diff watching, VEX workflow, AI vulnerability pipeline.

ACT NOW

Let's talk — before 2 August arrives.

30 minutes free strategy call on your SBOM-for-AI and EU-AI-Act roadmap. We align the G7 baseline, BSI TR-03183 and your concrete ML pipeline.
