AI SBOM JSON Schema
Published JSON Schema for AI Software Bill of Materials documents. Use these URLs directly from validators, CI workflows, and AI supply chain security automation.
This schema provides a machine-readable format for describing the components, relationships, datasets, models, infrastructure, security properties, and operational indicators that make up an AI system. It is intended to help teams inventory AI systems in a consistent way so downstream tools can validate, compare, scan, and reason about AI supply chain information without relying on ad hoc spreadsheets or prose documents.
What This Is
An AI SBOM extends the familiar Software Bill of Materials idea to the AI system context. In addition to software components and dependencies, an AI SBOM can document AI models, model identifiers, model provenance, training and evaluation datasets, data flows, infrastructure dependencies, security controls, vulnerability references, and performance indicators. This repository publishes a JSON Schema so AI SBOM producers and consumers have a stable contract for automation.
Source Basis
The schema is based on the minimum element clusters described in SBOM-for-AI_minimum-elements.pdf, a document created by the G7 Cybersecurity Working Group. Those minimum elements are organized around metadata, system-level properties, models, dataset properties, infrastructure, security properties, and key performance indicators.
For additional context, see CISA's Software Bill of Materials for AI Minimum Elements resource and the Canadian Centre for Cyber Security's Top 10 artificial intelligence security actions primer.
Why It Exists
AI systems often combine conventional software, third-party services, model artifacts, datasets, specialized infrastructure, and policy or security controls. A standard schema makes that information easier to exchange and validate. It also gives security teams a simple discriminator field, metadata.bomFormat, with the fixed value AI-SBOM, so tools can quickly identify AI SBOM documents.
Author Signatures
The optional metadata.sbomAuthorSignature field uses the JSON Signature Format (JSF) signaturecore structure. JSF is already used by CycloneDX for enveloped JSON signatures, so this schema follows an existing signing model rather than inventing a new one. That improves interoperability with BOM-oriented tooling and gives implementers a clearer path for signature generation and verification.
This schema currently supports only simple JSF signaturecore. It does not yet support JSF multisignature signers or signature-chain chain objects. A signature can include an algorithm, signature value, key identifier, embedded public key, and certificate path. Embedded public keys make cryptographic verification easier, while certificate paths and key identifiers can support stronger identity and trust decisions when paired with a verifier's trust policy.
For simple signatures, the signed payload is the entire AI SBOM JSON document after JSON Canonicalization Scheme processing, with only metadata.sbomAuthorSignature.value removed before canonicalization. Other signature fields, including algorithm, keyId, publicKey, and certificatePath, remain part of the signed payload.
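The payload construction described above, as an added example that is not code from the schema repository: it strips only metadata.sbomAuthorSignature.value and serializes the rest. The canonicalizer is a simplification of JCS (RFC 8785) that assumes ASCII object keys and no floating-point numbers, and the sample document and its values are constructed.

```python
import copy
import hashlib
import json


def _reject_floats(node):
    """JCS formats numbers the ECMAScript way; this sketch accepts integers only."""
    if isinstance(node, float):
        raise ValueError("floating-point values need a full RFC 8785 serializer")
    if isinstance(node, dict):
        for child in node.values():
            _reject_floats(child)
    elif isinstance(node, list):
        for child in node:
            _reject_floats(child)


def canonicalize(node):
    """JCS-style bytes: sorted keys, no whitespace, UTF-8 (ASCII keys assumed)."""
    _reject_floats(node)
    text = json.dumps(node, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def signed_payload(sbom):
    """Bytes the author signature covers: the document minus the signature value."""
    doc = copy.deepcopy(sbom)  # never mutate the document being verified
    sig = doc.get("metadata", {}).get("sbomAuthorSignature")
    if not isinstance(sig, dict) or "value" not in sig:
        raise ValueError("no metadata.sbomAuthorSignature.value to strip")
    del sig["value"]  # algorithm, keyId, publicKey, certificatePath stay signed
    return canonicalize(doc)


def payload_digest(sbom):
    """SHA-256 of the signed payload, handy for comparing two documents."""
    return hashlib.sha256(signed_payload(sbom)).hexdigest()


# Constructed sample: only fields named on the page, not a complete valid AI SBOM.
SAMPLE = {
    "metadata": {
        "bomFormat": "AI-SBOM",
        "sbomAuthorSignature": {
            "algorithm": "ES256",
            "keyId": "example-key-1",
            "value": "PLACEHOLDER-SIGNATURE",
        },
    },
}
```

Comparing payload_digest before and after an edit shows what the signature protects: changing keyId or algorithm changes the digest, while changing value alone does not.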
Common Uses
- Validating AI SBOM documents in CI before release.
- Publishing AI system inventory data for customers, auditors, or internal governance teams.
- Tracking model, dataset, dependency, and infrastructure relationships for AI supply chain security.
- Building ingestion pipelines that normalize AI SBOM data for vulnerability management or risk analysis.
Technical Whitepaper
Read the intro whitepaper on trustworthy AI supply chain metadata, the AI-BOM schema proof of concept, and SecureSBOM signing and verification.
Building Trustworthy AI Supply Chain Metadata with AI-SBOMs
Schema URLs
https://shiftleftcyber.io/ai-bom/schemas/ai-sbom-1.0.0.schema.json
https://shiftleftcyber.io/ai-bom/schemas/ai-sbom.schema.json
Repository
Source, examples, releases, and issue tracking are available at github.com/shiftleftcyber/ai-bom.