AI-BOM

Your AI, as a bill of materials.

Every model, dataset, agent, and AI SDK your software ships, in one CycloneDX AI-BOM per repository. The same format your auditors, customers, and SBOM tooling already read.

CycloneDX-Native

The AI-Native Companion to Your SBOM

A machine-readable CycloneDX ML-BOM, the AI-native companion to your dependency SBOM in CycloneDX 1.6, SPDX, and VEX. One scan, two bills of materials.

CycloneDX ML-BOM

The standards-format AI bill of materials, machine-readable and ready to drop into the tooling you already use for software bills of materials.

One Scan, Two BOMs

Your dependency SBOM in CycloneDX 1.6, SPDX, and VEX, plus an AI-BOM for the models, datasets, and agents, from the same scan.

Per Repository

Generate the AI-BOM for every repository ZeroPath scans, so each codebase has a current record of the AI it ships.

What's Inside

Every AI component ZeroPath discovers, recorded with the provider, model type, usage, and the detection source that found it.

Models

The model files your software ships, each recorded with its provider, model type, and the usage tier that tells GenAI from classic ML.

Datasets

The datasets bundled with your code, captured as components in the BOM so the data behind your AI is documented alongside the models.

AI SDKs

The LLM and inference SDKs your application depends on, each carrying its provider and the usage that marks it as runtime or dev-time AI.

Agents

The agent frameworks your team builds on, recorded as components so the autonomous AI in your stack is part of the bill, not an afterthought.

MCP Servers

The MCP servers your agents connect to, listed as components so the tools your AI can reach are documented in the same standards-format BOM.

Provenance on Every Component

Each entry carries its provider, model type, usage, and detection source, so a reader can tell what the component is and how ZeroPath found it.
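To make the structure described above concrete, the following is an added example (not ZeroPath's code or its real output schema): it builds a constructed, minimal CycloneDX 1.6 document whose components are a model, a dataset, an AI SDK and an agent framework, then consumes it the way an auditor's tooling would, counting components by kind and flagging entries whose provenance (provider, model type, usage, detection source) is incomplete. The `ai:*` property names and every component value are assumptions made for illustration.

```python
import json
from collections import Counter

# Constructed sample in the shape the page describes. The "ai:*" property
# names are an assumption for this example, not ZeroPath's real schema.
# CycloneDX 1.5+ defines the component types "machine-learning-model" and
# "data"; SDKs and agent frameworks are ordinary "library" components.
SAMPLE_AI_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {
            "type": "machine-learning-model",
            "name": "example-sentiment-classifier",
            "version": "2.1.0",
            "properties": [
                {"name": "ai:provider", "value": "huggingface"},
                {"name": "ai:model-type", "value": "text-classification"},
                {"name": "ai:usage", "value": "classic-ml"},
                {"name": "ai:detection-source", "value": "models/sentiment.safetensors"},
            ],
        },
        {
            "type": "data",
            "name": "example-reviews-dataset",
            "properties": [
                {"name": "ai:provider", "value": "internal"},
                {"name": "ai:usage", "value": "training"},
                {"name": "ai:detection-source", "value": "data/reviews.parquet"},
            ],
        },
        {
            "type": "library",
            "name": "example-llm-sdk",
            "version": "1.0.0",
            "properties": [
                {"name": "ai:provider", "value": "example-provider"},
                {"name": "ai:usage", "value": "runtime-genai"},
                {"name": "ai:detection-source", "value": "requirements.txt"},
            ],
        },
        {
            # Deliberately incomplete: no detection source recorded.
            "type": "library",
            "name": "example-agent-framework",
            "version": "0.4.2",
            "properties": [
                {"name": "ai:provider", "value": "example-provider"},
                {"name": "ai:usage", "value": "runtime-genai"},
            ],
        },
    ],
})

# Provenance a reader should expect per component type: models also carry a
# model type; datasets, SDKs and agents carry provider, usage and source.
BASE_KEYS = ("ai:provider", "ai:usage", "ai:detection-source")
MODEL_KEYS = BASE_KEYS + ("ai:model-type",)


def load_bom(text):
    """Parse a CycloneDX JSON document and reject anything else."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def properties_of(component):
    """Flatten CycloneDX name/value properties into a dict."""
    return {p["name"]: p["value"] for p in component.get("properties", [])}


def summarize(bom):
    """Count components by CycloneDX component type."""
    return Counter(c["type"] for c in bom.get("components", []))


def missing_provenance(bom):
    """Return (component name, missing keys) for incompletely documented entries."""
    gaps = []
    for c in bom.get("components", []):
        required = MODEL_KEYS if c["type"] == "machine-learning-model" else BASE_KEYS
        props = properties_of(c)
        absent = [k for k in required if k not in props]
        if absent:
            gaps.append((c["name"], absent))
    return gaps


def runtime_genai_components(bom):
    """Names of components whose usage marks them as runtime GenAI."""
    return [c["name"] for c in bom.get("components", [])
            if properties_of(c).get("ai:usage") == "runtime-genai"]


if __name__ == "__main__":
    bom = load_bom(SAMPLE_AI_BOM_JSON)
    print(dict(summarize(bom)))
    print(missing_provenance(bom))
    print(runtime_genai_components(bom))
```

The same three functions work unchanged on a real CycloneDX AI-BOM once the property names are swapped for whatever the producing tool actually emits; the useful habit is the `missing_provenance` check, which turns "is this inventory complete?" into a test that can run in CI rather than a question answered by reading the document.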

Why It Matters

Answer With a Document, Not a Spreadsheet

Regulators and customers increasingly ask what AI you ship. A standards-format CycloneDX AI-BOM answers that question in the same machine-readable form your SBOM tooling already consumes.

EU AI Act

As AI transparency obligations land, a current bill of materials gives you a documented record of the AI components in each repository.

NIST AI RMF

Inventory is the first step of managing AI risk. The AI-BOM provides that inventory in a standards-format artifact.

Customer & Audit Requests

When a customer or auditor asks what AI you ship, hand them a machine-readable CycloneDX document instead of assembling an answer by hand.

The Inventory Behind the BOM

From Discovery to Document

The AI-BOM is built straight from AI Inventory, which finds all 17 component kinds during the scans you already run.

  • AI Inventory discovers and classifies every AI component
  • The AI-BOM turns that inventory into a CycloneDX document
  • Both come from the scans you already run
See AI Inventory
