You know what code you ship. Do you know what models?
An AI Bill of Materials inventories every AI model, dataset, and ML dependency your software uses — including fine-tuned weights, third-party model APIs, and embedded inference engines. Required for EU AI Act compliance.
Every AI model in your stack. Classified and inventoried.
Discovers every AI model — local inference, embedded engines, third-party APIs — and classifies each under EU AI Act risk tiers.
Know what data trained every model. And who fine-tuned it.
Records datasets used to train or fine-tune each model — version, source, data governance declarations, and the full provenance chain from base model to fine-tuned weights.
Transparency obligations. Automatically documented.
Generates structured compliance evidence for EU AI Act requirements — transparency obligations, human oversight documentation, and risk system classification for every high-risk model.
External model calls are dependencies. Treat them like one.
Maps every outbound call to external model APIs and records them as declared dependencies with SLA, data residency, and version pinning information.
What is an AI Bill of Materials (AIBOM)?
An AIBOM is a list of every AI part your software relies on: the models it loads or calls, the datasets those models were trained on, the fine-tuned weights you produced, and the ML libraries in your dependency tree. If you have shipped an SBOM before, the idea is the same — write down what is actually in the system so you can answer questions about it later.
The reason it gets its own name is that AI components do not behave like normal packages. A model can be a file on disk, a weight checkpoint in a bucket, or an HTTP call to someone else’s API. A plain dependency scanner walks past all three. An AIBOM is the artifact that records them in one place.
AIBOM vs SBOM: what is the difference?
An SBOM covers your software packages — the npm, PyPI, and Maven dependencies, their versions, and their licenses. It does not know that a function quietly calls openai.chat.completions, or that a 4 GB file in your repo is a fine-tuned Llama checkpoint.
An AIBOM fills that gap. It captures the model layer an SBOM cannot see: which models, from which providers, trained on what, used where. Most teams keep both — the SBOM for the code supply chain, the AIBOM for the AI supply chain — and O3 produces them from the same scan.
Does the EU AI Act require an AIBOM?
The Act does not use the word “AIBOM,” but it asks for exactly what one contains. Providers of high-risk systems have to keep technical documentation describing the models, the training data, performance, and risk measures. An AIBOM is the structured version of that paperwork — and it is far easier to keep current than a document someone edits by hand. See how it maps to the EU AI Act and the broader BOM compliance requirements.
How do you generate an AIBOM?
O3 reads your codebase the way a reviewer would. It picks up AI library imports, model config and environment variables, weight files, and the outbound API calls your code makes at runtime. Each one becomes a recorded entry with its provider, version, and where in the app it is used.
It runs in CI — GitHub Actions, GitLab, Jenkins, or the CLI — so the AIBOM regenerates on every build instead of going stale the moment someone adds a new model. You get the inventory, the provenance chain for anything you fine-tuned, and a risk tier per system, without a separate documentation project.
Explore the full O3 BOM Suite
One platform for every bill of materials — software, cryptographic, AI, hardware and quantum — unified for supply-chain visibility and compliance.
- CBOM — Cryptographic Bill of MaterialsInventory every algorithm, key, and certificate to find quantum-vulnerable crypto before CNSA 2.0 deadlines.
- SBOM — Software Bill of MaterialsGenerate and continuously verify SPDX/CycloneDX SBOMs across your build pipeline for CRA and EO 14028.
- HBOM — Hardware Bill of MaterialsMap firmware and hardware components to surface supply-chain risk down to the silicon.
- QBOM — Quantum Bill of MaterialsCatalog post-quantum readiness across your cryptographic estate as you migrate to PQC.
- BOM ComplianceSee how SBOM, CBOM, AIBOM and HBOM map to CRA, CERT-In, SEBI, FedRAMP and other frameworks.