Federal agencies turn to AI bills of materials to track AI assets and close shadow AI gaps

Federal agencies are using AI bills of materials to inventory AI tools, models, and APIs running across their systems. The push addresses "shadow AI": coding assistants and embedded AI features operating outside IT oversight.

Categorized in: AI News Government
Published on: Jun 03, 2026

Federal Agencies Turn to AI Bills of Materials to Track and Govern AI Systems

Federal agencies are adopting AI bills of materials, or AI-BOMs, to inventory artificial intelligence systems running across their environments and reduce the risk of unmonitored tools operating outside IT oversight.

As generative AI, AI-enabled software and coding assistants spread through cloud platforms and SaaS applications, many agencies lack visibility into what AI systems they operate, what data those systems can access or how they interact with broader IT infrastructure. An AI-BOM addresses that gap by cataloging AI models, data sets, APIs and services across an organization, much as a software bill of materials inventories traditional software components.

Shadow AI Creates Blind Spots in Development Environments

One of the largest governance challenges federal agencies face is "shadow AI," meaning AI tools and services operating outside formal IT oversight. Development environments present a particular blind spot, where developers independently install coding assistants like GitHub Copilot, Claude Code and OpenAI Codex without centralized controls.

The problem extends beyond standalone tools. AI capabilities are increasingly embedded into collaboration platforms, SaaS applications and cloud services, meaning agencies may use AI features without understanding their security implications. Without visibility into those tools, agencies cannot determine what sensitive data AI services can access, whether they connect to external providers or whether they bypass existing security controls.

Extending Software Inventory Practices to AI Systems

Federal agencies already manage software inventories through supply chain security efforts and SBOM requirements. But adapting those practices for AI systems introduces complexity that traditional tools may not handle.

Legacy cloud security tools often fail to identify containers, virtual machines and serverless functions. With multicloud and hybrid systems, agencies need platforms that can identify not only AI models but also APIs, agents and other AI services operating across different environments.

The transition from SBOM to AI-BOM is not about replacement. Agencies need ways to continuously identify AI components, understand their dependencies and evaluate associated risks as those systems evolve.

AI-BOMs Support Zero-Trust Security and Supply Chain Oversight

AI-BOMs provide the continuous visibility that zero-trust architectures require. Security teams gain a clear, ongoing list of every AI component in their environment, how it is configured and what it can access.

AI-BOMs also capture relationships between AI components, allowing teams to see how AI systems operate in production and build a foundation for traceability and risk assessment. This visibility becomes especially important when agencies rely on third-party AI providers.

The Office of Management and Budget's M-26-05 memorandum reflects the federal government's focus on software and AI supply chain transparency. Agencies can require third-party AI providers to furnish SBOMs or AI-BOMs of their runtime production environments, allowing faster exposure assessment when vulnerabilities or supply chain risks emerge.
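As an added illustration, not taken from the article or from any agency's tooling, the Python sketch below shows two of the uses described above on a small AI-BOM: exposure assessment over the component dependency graph when a third-party provider reports a problem, and spotting inventory entries with no recorded owner, which are the likeliest shadow AI. The component and dependency layout loosely follows the shape of a CycloneDX BOM; every name, ref and owner is constructed.

```python
from collections import deque

# Constructed inventory, not real agency data: one application calling a third-party
# hosted model API plus a local model trained on a dataset, and an unowned IDE assistant.
AI_BOM = {
    "components": [
        {"bom-ref": "app:benefits-portal", "type": "application", "owner": "OCIO"},
        {"bom-ref": "svc:vendor-llm-api", "type": "service", "owner": "OCIO", "external": True},
        {"bom-ref": "model:summarizer-v2", "type": "machine-learning-model", "owner": "Data Science"},
        {"bom-ref": "data:claims-2024", "type": "data", "owner": "Records Mgmt"},
        {"bom-ref": "tool:ide-assistant", "type": "application", "owner": None},
    ],
    # dependent -> its direct dependencies (same shape as a CycloneDX dependency graph)
    "dependencies": {
        "app:benefits-portal": ["svc:vendor-llm-api", "model:summarizer-v2"],
        "model:summarizer-v2": ["data:claims-2024"],
    },
}

def _reachable(edges, start):
    """All refs reachable from start by breadth-first walk over edges (ref -> [ref])."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def affected_by(bom, vulnerable_ref):
    """Exposure set: components that transitively depend on vulnerable_ref (reverse walk)."""
    reverse = {}
    for dependent, deps in bom["dependencies"].items():
        for dep in deps:
            reverse.setdefault(dep, []).append(dependent)
    return sorted(_reachable(reverse, vulnerable_ref))

def data_reachable_from(bom, ref):
    """Datasets ref can reach through its dependencies: the data an AI system is positioned to touch."""
    types = {c["bom-ref"]: c["type"] for c in bom["components"]}
    return sorted(r for r in _reachable(bom["dependencies"], ref) if types.get(r) == "data")

def shadow_ai_candidates(bom):
    """Components with no recorded owner: the entries most likely to be unapproved shadow AI."""
    return sorted(c["bom-ref"] for c in bom["components"] if c["owner"] is None)
```

A real inventory would be fed by continuous discovery rather than a hand-written dictionary, but the graph queries stay the same.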

Automation Solves Resource Constraints

Limited staffing and resources often prevent agencies from building AI inventories. Manual approaches, such as maintaining spreadsheets of AI use cases, become impractical as AI becomes embedded across digital infrastructure.

Agencies should prioritize automation and continuous visibility rather than manual processes. Establishing identity and access controls for AI systems themselves is also critical, including agentic identities for individual AI entities that limit entitlements and data access.

As agencies mature their AI governance practices, those controls can integrate into broader security posture management and application protection platforms.

The goal of an AI-BOM is to provide the visibility agencies need to support AI risk management, strengthen zero-trust security strategies and govern AI systems responsibly as adoption expands.
