Module SDD-B07 — Agent SBOM and Supply Chain Assessment

Agent SBOM and Supply Chain Assessment

The AI Bill of Materials as a supply-chain security tool. An agent is a dependency graph with a model at the center, and every tool, every MCP server, every checkpoint, and every training corpus is a trust dependency an attacker can reach. Covers the SBOM-to-AI-BOM extension (software bill of materials to AI bill of materials including the model, training data, tools/MCP servers, dependencies), the assessment tools and methodologies (CycloneDX ML/AI and crypto-material extensions, SPDX AI/SAI profiles, NTIA minimum elements), how an agent's supply chain is its attack surface (every trust dependency is a vector for the injection/exfiltration/governance-bypass attacks of B1-B5 and SDD-B04-B06), and the generation and validation practice. Expands B4's supply-chain material and B11's governance material into concrete supply-chain assessment.

45
minutes
8
artifacts
3
sub-sections
The AI Bill of Materials as a supply-chain security tool. An agent is a dependency graph with a model at the center, and every tool, every MCP server, every checkpoint, and every training corpus is a trust dependency an attacker can reach. Covers the SBOM-to-AI-BOM extension (software bill of materials to AI bill of materials including the model, training data, tools/MCP servers, dependencies), the assessment tools and methodologies (CycloneDX ML/AI and crypto-material extensions, SPDX AI/SAI profiles, NTIA minimum elements), how an agent's supply chain is its attack surface (every trust dependency is a vector for the injection/exfiltration/governance-bypass attacks of B1-B5 and SDD-B04-B06), and the generation and validation practice. Expands B4's supply-chain material and B11's governance material into concrete supply-chain assessment.
Key Claims
Load-Bearing Claims

Every component in the AI BOM is a trust dependency an attacker can reach. The model is reachable via the prompt channel; the tools via tool-call manipulation; the MCP servers via the agent's outbound connections; the training data retroactively via poisoning. A component not in the BOM is a surface not assessed.

The AI BOM is the SBOM extended to the model, data, and tool supply chain. It enumerates the model, the training data sources, every tool, every MCP server, the fine-tune adapters, the quantization, and the runtime. A BOM that declares the model name but omits the tools and MCP components has missed the parts of the supply chain that ARE the attack surface.

An AI BOM that does not match the runtime is worse than no BOM. Undeclared components are unassessed surfaces; a BOM that drifts from the deployed system gives false assurance. The BOM must be machine-generated from the running system and re-validated on every deployment.

After This Module
01
Explain the SBOM-to-AI-BOM extension: an SBOM enumerates the components in a compiled binary; an AI BOM additionally enumerates the model, the training data sources, the tools and MCP servers, and the harness dependencies — because each is a trust dependency an attacker can reach.
02
Map an agent's supply chain to its attack surface: every tool, every MCP server, every model dependency, and every training-data source is a node in a trust graph, and each node is a vector for the injection, exfiltration, and governance-bypass attacks of B1-B5 and SDD-B04-B06.
03
Apply the supply-chain assessment tools and methodologies: CycloneDX (with its ML/AI and crypto-material extensions), SPDX (with its AI/SAI profiles), and the generation and validation workflows that produce and check an AI BOM.
04
Generate an AI BOM for a representative agent: enumerate the model components, the data components, the tool/MCP components, and the software dependencies.
05
Validate an AI BOM against a runtime snapshot: detect undeclared tools, unregistered MCP servers, model-version drift, and the missing entries that represent un-assessed attack surface — and tie each finding to B4's trust-surface map.
06
Articulate where AI BOMs intersect B11's governance material: an AI BOM is the machine-checkable inventory that governance, procurement, and incident response all depend on.
Artifacts