Watch the GenAI Security Project’s – Agentic AI Security Summit, Europe from London

|

WATCH THE RECORDING !

Evolving AI Transparency: The Journey of the AIBOM Generator and Its New Home at OWASP

Earlier this year, during RSAC 2025, we introduced something the industry had never seen before: an open-source tool capable of generating an AI Software Bill of Materials (AIBOM) for models on Hugging Face. That launch ignited a wave of interest across the security, AI, and software supply chain communities. It confirmed what many of us had already sensed — AI transparency was lagging behind AI adoption, and practitioners were eager for practical tools to close that gap.

Since then, the AIBOM Generator has grown far beyond an initial release. Now also listed in the CycloneDX Tool Center, it became a living reference for what AI supply chain visibility can look like, demonstrating not only what metadata matters, but how it can be extracted, structured, and assessed at scale. Today, we’re entering the next chapter of that journey.

 

Turning Theory into Practical Implementation

When we created the tool, the goal was simple: offer the community a way to automatically extract essential AI model metadata and produce a standards-aligned AIBOM in CycloneDX format. The generator helped teams understand:

  • What’s inside a model
  • Where it came from
  • What data, configurations, and parameters shaped it
  • How complete and trustworthy the available documentation is

This work emerged alongside early industry discussions on AIBOMs, including the published use cases from the CISA SBOM working groups’ AI SBOM Tiger Team. While those efforts described what organizations needed from AI supply chain transparency, the AIBOM Generator focused on translating those ideas into something practical and usable.

Before standards stabilized, the tool offered a tangible starting point — a way to test assumptions, explore implementation paths, and gather feedback from practitioners. And that feedback made one thing clear: the community wanted this work to live in a place where it could grow openly and collaboratively.

 

Why We Contributed the Tool to OWASP

As the AIBOM Generator evolved, it became clear that its evolution should be shaped by the broader AI and security community. OWASP — with its global reach, open governance, and established role in stewarding security standards — became the natural home for the next phase.

We officially contributed the AIBOM Generator to the OWASP GenAI Security Project, where it now exists as the OWASP AIBOM Generator (owasp-genai-aibom.org), aligned with initiatives such as the OWASP Top 10 for LLMs and the OWASP Agentic Application Security.

This move unlocks:

  • Open community governance
  • Transparent evolution of AIBOM field mappings and checks
  • Standards-aligned development with CycloneDX and SPDX ecosystems
  • A shared space for researchers, engineers, and security teams to collaborate

The mission remains the same — but the scale and impact can now grow.

 

Continuing the Work: AIBOM as an OWASP GenAI Security Project Initiative

The AIBOM Generator is now a core initiative within the OWASP GenAI Security Project, advancing practical AI supply chain transparency. Building on earlier community efforts, including the CISA SBOM AI use cases, the project focuses on improving AI-relevant field checks, strengthening completeness scoring, and enhancing automated extraction to support consistent, scalable AIBOM generation for models on Hugging Face.

Alongside this work, the team is developing the OWASP AIBOM Generation Handbook, documenting the tool, field mappings, standards alignment, and recommended practices for applying AIBOMs across governance, compliance, and incident response workflows. Together, these efforts move AIBOM from theory into repeatable, community-maintained implementation — aligned with broader OWASP GenAI outputs.

 

Why This Matters for AI Security Right Now

AI systems are advancing faster than traditional transparency and assurance mechanisms. AIBOMs bring structure to that accelerating landscape.

They help organizations understand the models they rely on, the risks that accompany them, and the obligations — technical or regulatory — they must meet. Whether for safety and general usage evaluations, third-party risk assessments, or post-incident investigations, AIBOMs offer a standardized way to document AI systems across diverse components and dependency chains.

Now, with the AIBOM Generator under OWASP, the path toward consistent, interoperable AI supply chain visibility is clearer than ever.

 

Join Us in Shaping the Future of AI Transparency

The OWASP AIBOM Generator is an on-going work with a roadmap of improvements and integration endpoints. It is a community tool, built for continuous iteration as AI evolves and new supply chain needs emerge.

We welcome contributors across:

  • AI and ML engineering
  • Software engineering
  • Security and risk management
  • Standards development
  • Policy and compliance
  • Research and academia

Your insights shape where AIBOM goes next.

 

👉 Explore the project & get involved:
 OWASP GenAI Security Project – AIBOM Generator Initiative (URL – tbd)
 Try the tool: owasp-genai-aibom.org

Related Blogs

OWASP and the OWASP logo are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without

warranty of service or accuracy. For more information, please refer to our General Disclaimer.  – Copyright © 2025 OWASP Foundation, Inc.

Scroll to Top