AI Bill of Materials
The AI Bill of Materials (AI-BOM) is your auditable inventory of every AI component detected across the fleet. It’s built for EU AI Act Article 16, GPAI transparency and SOC 2 CC1.4 evidence — one page you can review, annotate and hand to an auditor.
Open it at /ai-compliance/bom or via Compliance → AI Bill of Materials.
What you see
The header shows the compliance framings the BOM is designed against (EU AI Act Art. 16, GPAI transparency, SOC 2 CC1.4) and when the BOM was last generated.
The page then groups entries by category:
- Models — LLMs and other model artifacts found on disk or called via inference APIs.
- Providers — third-party AI vendors your fleet talks to (OpenAI, Anthropic, Google, Mistral, Groq, …).
- Frameworks — Python packages and runtimes indicating AI use.
- Infrastructure — CUDA toolkits, drivers and compute libraries.
Each row shows the component name, version, publisher, license, purpose, first-seen date and — most importantly — a risk classification badge.
What you can do
- Edit an entry — expand any row to fill in fields the automatic detection can’t infer: purpose, data inputs (comma-separated), license, publisher, and the EU AI Act risk classification (minimal, limited, high, unacceptable).
- Export CycloneDX JSON — machine-readable SBOM format, downloadable from the header. Suitable for feeding into an existing SBOM pipeline or a compliance vault.
- Export PDF — a formatted report with your organisation name in the header, ready to attach to an audit response.
Every edit records the reviewing user and timestamp, so the BOM doubles as its own review log.
How it works
The BOM is auto-synced from the Shadow-AI detections that the HostAtlas agent reports. Opening the page triggers a sync so the inventory is always current — new detections appear as new BOM entries, deduplicated by identity so you don’t re-review the same model on ten servers.
Manual edits (risk class, purpose, license, publisher, data inputs) survive a re-sync. Only the fields that are not manually editable are refreshed from detections.
Every export is recorded — format, scope, entry count, generating user — so you can prove exactly what evidence was handed over and when.
Export formats
| Format | Best for |
|---|---|
| CycloneDX JSON | Feeding into an SBOM/AI-BOM pipeline, compliance vaults, or an existing CycloneDX 1.5 tool. |
| PDF | Attaching to an audit questionnaire, DPIA or vendor assessment. |
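As an added example that is not part of HostAtlas's own code or documentation, here is a Python pre-flight check you could run over the CycloneDX JSON export before attaching it to an audit response: it verifies the spec version and flags entries with a missing purpose or risk class, an unrecognised risk class, an "unacceptable" classification, or no license. The sample BOM and the `hostatlas:purpose` / `hostatlas:risk_class` property names are assumptions made for the example, not the real export schema.

```python
import json

# Constructed sample mirroring the BOM columns described on this page
# (name, version, publisher, license, purpose, risk class). The
# "hostatlas:*" property names are an assumption, not the real export schema.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "machine-learning-model", "name": "llama-3-8b", "version": "3.0",
         "publisher": "Meta", "licenses": [{"license": {"name": "Llama 3 Community"}}],
         "properties": [{"name": "hostatlas:purpose", "value": "internal code assistant"},
                        {"name": "hostatlas:risk_class", "value": "minimal"}]},
        {"type": "library", "name": "torch", "version": "2.3.0", "publisher": "PyTorch",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}],
         "properties": [{"name": "hostatlas:risk_class", "value": "limited"}]},
        {"type": "service", "name": "api.openai.com", "publisher": "OpenAI",
         "properties": [{"name": "hostatlas:risk_class", "value": "unacceptable"},
                        {"name": "hostatlas:purpose", "value": "social scoring pilot"}]},
    ],
})

REQUIRED = ("purpose", "risk_class")
VALID_RISK = {"minimal", "limited", "high", "unacceptable"}

def props(component):
    """Flatten CycloneDX properties into a dict, dropping the namespace prefix."""
    return {p["name"].split(":", 1)[-1]: p["value"] for p in component.get("properties", [])}

def audit(bom_json):
    """Return the findings that would make this BOM unfit to hand to an auditor."""
    bom = json.loads(bom_json)
    findings = []
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.5":
        findings.append("not a CycloneDX 1.5 document")
    for c in bom.get("components", []):
        p = props(c)
        label = f"{c['name']}@{c.get('version', '?')}"
        for field in REQUIRED:           # fields a reviewer must have filled in
            if not p.get(field):
                findings.append(f"{label}: missing {field}")
        if p.get("risk_class") and p["risk_class"] not in VALID_RISK:
            findings.append(f"{label}: unknown risk class {p['risk_class']!r}")
        if p.get("risk_class") == "unacceptable":   # prohibited use: must be removed
            findings.append(f"{label}: flagged unacceptable, remove before audit")
        if not c.get("licenses"):
            findings.append(f"{label}: no license recorded")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_BOM):
        print(finding)
```

An empty findings list means every entry carries a purpose, a valid risk class and a license, which is the state the reviewed BOM should be in before export.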
Risk classifications
The four risk tiers map to the EU AI Act:
- Minimal — no user impact, e.g. a code-completion helper.
- Limited — user-visible AI features that require transparency.
- High — systems affecting fundamental rights or safety-critical decisions.
- Unacceptable — prohibited use cases; if you set this, the entry is flagged for removal.
Related
- AI Compliance Hub — the landing page that feeds the BOM.
- AI Spend Tracker — the cost side of the same AI usage picture.