
AI-SBOM and Model Bill-of-Materials Tools: A 2026 Comparison

A comparison of the best AI-SBOM and ML-BOM tools — from the OWASP CycloneDX standard to generators like the OWASP AIBOM Generator, Snyk AI-BOM

By Best AI Security Tools Editorial · 7 min read

A software bill of materials answers the question “what is inside this application?” by enumerating every dependency and its provenance. An AI bill of materials — variously called AI-SBOM, AIBOM, or ML-BOM — answers the harder question for AI systems: what models am I shipping, where did their weights originate, which datasets trained them, and what licenses and risks do they carry? When a backdoored model can masquerade as a legitimate open-weight release on a public hub, that inventory stops being a compliance nicety and becomes a supply-chain control. This guide compares the best AI-SBOM and model bill-of-materials tools in 2026 — the standard underneath them, the open-source generators, and the commercial platforms that produce one as a byproduct of deeper scanning.

The Standard: OWASP CycloneDX ML-BOM

Most AIBOM tooling converges on one format, so it is worth understanding it first. CycloneDX is an OWASP project and a full-stack bill-of-materials standard. It introduced Machine Learning transparency (ML-BOM) in version 1.5, released in June 2023, giving the format a structured way to represent models, datasets, and their configurations alongside conventional software components.

An ML-BOM extends a standard SBOM with the things that actually shape a model’s behavior and risk: model architecture and provenance, training and inference configuration, the datasets involved, and the documentation (model card) that describes intended use and limitations. CycloneDX has since been ratified as an international standard — ECMA-424, with v1.6 as the 1st Edition (2024) and v1.7 as the 2nd Edition (2025) — which matters for procurement and audit, because “give us a CycloneDX AIBOM” is a far cleaner contractual ask than “give us a spreadsheet of your models.” SPDX, the other major SBOM standard, is also moving toward AI/ML representation, and several tools emit both.
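To make the "what an ML-BOM must carry" point concrete, here is an added example (not code from CycloneDX or any tool on this page) that builds a constructed CycloneDX 1.5 ML-BOM with one fully documented model and one poorly documented one, then runs a minimal audit over it. The component and field names follow the CycloneDX 1.5 ML-BOM schema (`machine-learning-model` and `data` component types, `modelCard.modelParameters.datasets`); the model names, hash and the policy thresholds are assumptions for the example.

```python
# Constructed CycloneDX 1.5 ML-BOM. Field names follow the published CycloneDX schema;
# the model, hash and dataset values are made up for this example.
SAMPLE_MLBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "machine-learning-model", "bom-ref": "model-1",
         "name": "example-org/code-assistant-7b", "version": "1.0",
         "purl": "pkg:huggingface/example-org/code-assistant-7b@1.0",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}],   # placeholder digest
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "modelCard": {"modelParameters": {
             "approach": {"type": "supervised"}, "task": "text-generation",
             "architectureFamily": "transformer",
             "datasets": [{"ref": "dataset-1"}]}}},
        {"type": "data", "bom-ref": "dataset-1", "name": "example-code-corpus",
         "data": [{"type": "dataset", "name": "example-code-corpus"}]},
        # Second model: no hash, no license, no purl, dangling dataset reference.
        {"type": "machine-learning-model", "bom-ref": "model-2",
         "name": "legacy-classifier", "version": "0.3",
         "modelCard": {"modelParameters": {"datasets": [{"ref": "dataset-missing"}]}}},
    ],
}

def audit_mlbom(bom: dict) -> list:
    """Policy check over an ML-BOM: every model needs integrity (a SHA-256 hash),
    a license, provenance (a purl) and dataset references that resolve to a
    'data' component in the same BOM. The required-field policy is an assumption."""
    refs = {c.get("bom-ref"): c for c in bom.get("components", [])}
    issues = []
    for c in bom.get("components", []):
        if c.get("type") != "machine-learning-model":
            continue
        name = c.get("name", "<unnamed>")
        if not any(h.get("alg") == "SHA-256" for h in c.get("hashes", [])):
            issues.append(f"{name}: no SHA-256 hash, artifact integrity unverifiable")
        if not c.get("licenses"):
            issues.append(f"{name}: no license recorded")
        if not c.get("purl"):
            issues.append(f"{name}: no purl, provenance unknown")
        params = c.get("modelCard", {}).get("modelParameters", {})
        if not params.get("datasets"):
            issues.append(f"{name}: no training datasets declared")
        for ds in params.get("datasets", []):
            ref = ds.get("ref")
            if ref and refs.get(ref, {}).get("type") != "data":
                issues.append(f"{name}: dataset ref {ref!r} does not resolve to a data component")
    return issues
```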

Open-Source AIBOM Generators

These tools generate a bill of materials from models or repositories. They are the right starting point for teams that want transparency without a commercial contract.

OWASP AIBOM Generator is the standards-body option. Originally created by Helen Oakley and Dmitry Raidman and introduced at RSAC 2025, it was contributed to OWASP and now lives under the OWASP Gen AI Security Project. It generates an AIBOM for models hosted on Hugging Face — pulling metadata from the model and producing downloadable CycloneDX JSON, with visualization of model metadata and dependency information. A hosted demo runs on Hugging Face Spaces, and the work is governed openly under OWASP. Best for: teams that want a vendor-neutral, standards-aligned AIBOM for individual Hugging Face models.

Snyk AI-BOM comes at the problem from the codebase, not the model registry. An experimental tool from Snyk Labs, it scans code repositories for AI components — models, datasets, libraries, and even agent frameworks — detecting usage patterns such as Hugging Face transformers, OpenAI API calls, and training datasets. It runs as both a CLI and an API, and emits CycloneDX. Its differentiator is that it leans on Snyk’s DeepCode engine to detect embedded AI usage in code even when there is no clear manifest or package reference — the opaque API call that traditional software composition analysis tools miss entirely. Best for: engineering organizations that want to discover AI usage across many repos rather than document one model at a time.

The two approaches are complementary: a registry-side generator documents a model you have chosen, while a code-side scanner finds the models and providers your code actually touches — including the ones nobody told the security team about.

Commercial Platforms That Produce an AIBOM

For teams that want the bill of materials as one output of deeper security analysis — not as the whole product — two commercial platforms stand out. Both generate a model inventory while also inspecting the artifacts for tampering.

ReversingLabs Spectra Assure added ML-BOM to its Spectra Assure software-supply-chain platform as part of its CycloneDX Extended BOM (xBOM) support, which also spans CBOM and SaaSBOM. Its ML-BOM provides visibility into every ML model in an environment and can identify over 8,000 publicly available models from sources like Hugging Face — even without source-code access. The platform performs deep model inspection across TensorFlow, PyTorch, scikit-learn, Keras, and NumPy, extracts and enriches model-card metadata, and exports in CycloneDX and SPDX. The security weight here is in the analysis: unpacking ML model files out of complex software packages, binary-level inspection for hidden threats, and behavioral analysis to flag anomalous implants — the kind of inspection that surfaced BadSeek, a malicious model that masqueraded as the open-source Qwen2.5-Coder model after being backdoored. Best for: organizations that need supply-chain assurance on compiled commercial software and third-party models.

HiddenLayer generates an AIBOM automatically for every model its Model Scanner inspects, providing an auditable inventory of model components, datasets, and dependencies, exportable in an industry-standard format for supply-chain audits and licensing enforcement. The scanner supports 35-plus formats and pairs the AIBOM with Model Genealogy, which analyzes a model’s computational graph to reveal architecture, origin, and intended function. We cover HiddenLayer’s broader posture role in our AI security posture management tools guide. Best for: teams that want the bill of materials tied to deep model-layer threat detection rather than as a standalone artifact.

Why the AIBOM Matters: Model Serialization Attacks

The reason an AIBOM is a security control and not just paperwork comes down to how models are distributed. Many model formats are derived from Python’s pickle module, and a model serialization attack embeds malicious code into a model file during saving, so it executes the moment the file is loaded — a modern Trojan horse. This is the threat that maps to the supply-chain risks in the OWASP Top 10 for LLM Applications.

The standard open-source defense is ModelScan from Protect AI (Apache-2.0 licensed; Protect AI was acquired by Palo Alto Networks in 2025). ModelScan reads a model file’s contents looking for unsafe code signatures, supports pickle-derived formats (PyTorch, scikit-learn, XGBoost), TensorFlow SavedModel, and HDF5/Keras, and ranks findings as critical, high, medium, or low. It outputs to console or JSON, and its exit codes make it straightforward to gate a CI pipeline on a clean scan. An AIBOM tells you which models you have; a scanner like ModelScan tells you whether any of them are unsafe to load. Run both. (The safer long-term fix is the safetensors format, designed by Hugging Face so that it is structurally impossible to embed executable code in a model file.)

How to Build an AIBOM Practice

For a team starting from zero:

  • Pick the format first. Standardize on CycloneDX ML-BOM. It is an OWASP standard, ECMA-ratified, and supported by every tool above, which keeps your inventory portable.
  • Generate at two layers. Use a code-side scanner (Snyk AI-BOM) to discover AI usage across repositories, and a registry-side generator (OWASP AIBOM Generator) to document each external model you adopt.
  • Pair inventory with inspection. Gate model ingestion on a ModelScan pass in CI so a backdoored or serialization-attacked model never reaches your registry.
  • Escalate to a platform when scale demands it. When you are ingesting models continuously or need assurance on third-party compiled software, a commercial platform (ReversingLabs, HiddenLayer) adds binary-level inspection and behavioral analysis the lightweight generators do not attempt.

The AIBOM is becoming a procurement requirement the same way the SBOM did before it — auditors and downstream customers will increasingly ask “what is in your AI?” The teams that can answer with a signed, standards-formatted bill of materials, backed by a scan that proves the artifacts are clean, will move through those conversations far faster than the ones reconstructing the answer after the fact. For the broader visibility discipline these tools feed into, see our AI security posture management tools guide; for catching tampering before deployment, our top LLM vulnerability scanners review.
