What you are actually buying when you buy AI

ABBY

This is Agent Mode AI. I'm Abby. Every Sunday we pick a claim from the Holding-up ledger and walk through it. Today we're checking two: AM-117 and AM-121. They sit on the same enterprise surface — what you're actually buying when you buy AI in 2026 — but read from two different procurement angles.

AVERY

I'm Avery. Frame the dual signal for me.

ABBY

Two surfaces that were not on a single CIO procurement checklist eighteen months ago. The first is the AI Bill of Materials — the supply-chain transparency artefact that the EU AI Act now requires for high-risk systems. The second is the auditability-versus-lock-in axis on platform-incumbent AI like ServiceNow Now Assist. The first answers what is in the model. The second answers what your five-year commitment trajectory looks like. Both are procurement questions. Most enterprises are answering neither.

AVERY

Start with AM-117. What does the AI Bill of Materials actually contain.

ABBY

A Software Bill of Materials lists every component in a piece of software. An AI Bill of Materials extends that to the data, model weights, training corpora, fine-tuning datasets, evaluation suites, and the chain of custody for each. The OWASP Foundation publishes CycloneDX ML-BOM as the canonical specification. The Linux Foundation publishes SPDX 3.0 AI extensions covering the same surface. Both are now production-grade.

AVERY

Why does this matter at procurement.

ABBY

Article 11 of EU AI Act Regulation 2024/1689 requires technical documentation for high-risk AI systems. The article enumerates what the documentation must cover: training data and methodology, intended purpose, system architecture, validation testing, post-market monitoring. The published CycloneDX ML-BOM and SPDX AI templates map almost one-to-one to that enumeration.

AVERY

So the BOM is the artefact that answers the regulator.

ABBY

It's the artefact your buyer-side counsel can reasonably ask for. If your vendor cannot produce a credible AI BOM at procurement, the implication is that they cannot produce the Article 11 technical documentation either when the regulator asks. Enforcement begins August 2026.

AVERY

What does that mean for the AI vendors who don't currently ship a BOM.

ABBY

Three things become visible at procurement in 2026 that were not visible in 2024. The first is whether the vendor can produce a CycloneDX ML-BOM or SPDX AI artefact on request. The second is whether the BOM names training-data provenance at component level or at vague aggregate. The third is whether the vendor commits to maintaining the BOM through model updates rather than as a one-time artefact at sale.

AVERY

The procurement teams who don't ask these questions.

ABBY

Are accepting whatever residual risk the absence of the BOM implies. Buyer-side counsel will increasingly ask. The Article 11 enforcement timeline closes the regulatory ambiguity gap; procurement language follows.

AVERY

Now switch to AM-121. The IT operations reality check.

ABBY

AM-121 is the deep-dive on AI in IT operations as of mid-2026. ServiceNow Now Assist is the largest single product line in the category. ServiceNow has 8,600 ITSM customers and approximately forty percent of the ITSM software market per the latest IDC data. RPO at the end of Q1 FY26 was 27.7 billion dollars, up 25 percent year over year, with 630 customers at 5 million dollars or more in annual contract value, up from 516 a year prior.

AVERY

The platform incumbent is winning. What's the procurement question.

ABBY

The procurement question is what you're committing to over five years when you go deeper on Now Assist. Nenshad Bardoliwalla, ServiceNow's group VP for AI products, said it on the record: "the outcome is measurable inside the same platform. Did the ticket resolve? Did the workflow complete? Did the approval get the right sign-off? ServiceNow closes the loop in a way that a standalone LLM sitting on top of a SharePoint folder simply cannot."

AVERY

That sounds like the strongest argument FOR the platform.

ABBY

It is. Read in one direction it's the cleanest articulation of why platform-incumbent AI has more credibility than overlay-on-SharePoint AI for audit-trail integrity. Read in the other direction it's the lock-in argument. The platform that owns the workflow data, the audit trail, and the AI agents on top of it is the platform that can extract the largest renewal price. Both readings are true at the same time.

AVERY

Forrester reads it the same way.

ABBY

Charles Betz at Forrester framed it in April 2026: "Salesforce is betting that engagement and AI-driven interaction become the primary organizing layer, and that deeper IT models can be reconstructed as needed. ServiceNow is betting that AI makes control planes more important, not less, because poorly governed autonomy is a real enterprise risk." That framing is editorially honest. It also tells you that the platform-incumbent thesis is currently winning the customer evidence.

AVERY

What's the procurement implication.

ABBY

Two specific items belong in the negotiation. First, the renewal trajectory. ServiceNow restructured Now Assist into a three-tier packaging model in April 2026 — Assistive AI, Task Automation, Full Role Automation. Each tier is the foundation for the next. Get the renewal terms, the price-protection windows, and the data-portability provisions on the table at year one, not year three. Second, the data-portability provision specifically. The platform's argument is that the workflow data, the audit trail, and the AI agents are all in one place. The procurement question is what happens to that data if you ever leave.

AVERY

Bring AM-117 and AM-121 together. Why is this the editorial point.

ABBY

Both claims describe procurement surfaces that didn't exist on any CIO checklist eighteen months ago. The AI Bill of Materials and the platform-incumbent lock-in axis are both questions about what you actually own when you buy AI. The first is about the model itself. The second is about the workflow data the model operates on. Procurement teams who answer neither are committing to multi-year terms against unknown surfaces.

AVERY

Verdicts.

ABBY

AM-117 is Holding. The CycloneDX ML-BOM and SPDX 3.0 AI specifications are production-grade, EU AI Act Article 11 enforcement begins August 2026, and the procurement language is following the regulatory timeline. Cadence on this claim is sixty days because the Article 11 enforcement preparation by major vendors will be the first observable signal.

AVERY

And AM-121.

ABBY

AM-121 is Holding. ServiceNow's market position is documented in the SEC filings, the Bardoliwalla framing is on the record, and the Forrester read is consistent. The auditability-and-lock-in tension is a structural feature of the category, not a temporary artefact. Cadence is sixty days because Now Assist packaging shifts on roughly the same rhythm.

AVERY

What would change either verdict.

ABBY

For AM-117: a material EU AI Act Article 11 enforcement deferral, or a vendor-side rejection of the CycloneDX or SPDX standards. Neither is currently in the regulatory or industry signal. For AM-121: a substantive change in ServiceNow's RPO trajectory, a material gain in customer count for the competing Salesforce Agentforce IT Service product (currently around 200 customers in six months), or a credible third-party platform-incumbent challenger.

AVERY

Final word.

ABBY

The full source list, the corrections log, and the next review date are at agentmodeai dot com slash holding. Sunday brief ships every week with what moved on the ledger.

AVERY

Holding-up. See you next Sunday.