Holding · last review 29 Apr 2026

The AI Bill of Materials (AI-BOM) is moving from an optional security artefact to an enforceable procurement requirement in 2026, driven by the EU AI Act's Article 11 and Annex IV technical-documentation requirements (effective 2 August 2026) and by the CycloneDX ML-BOM and SPDX 3.0 specifications. Enterprise SBOM programs need three specific extensions: a generation path for AI components, AI-specific risk correlation feeds, and procurement-side language for AI-BOM delivery.

Cross-domain: the SBOM software-supply-chain discipline intersects with EU AI Act Article 11 documentation for high-risk AI. CycloneDX ML-BOM is published by the OWASP-adjacent CycloneDX project; SPDX 3.0 added AI components. The tooling ecosystem is 12-18 months less mature than for SBOM.

Published: 29 Apr 2026
Last reviewed: 29 Apr 2026
Next review: +59d · 30 Jun 2026