G7 Nations Release AI Supply Chain Blueprint: What Companies Need to Know Now
The US Cybersecurity and Infrastructure Security Agency (CISA) and seven G7 partners have released a joint framework designed to bring transparency to artificial intelligence systems and their supply chains. While the guidance is voluntary, it signals how AI governance is shifting from abstract principles to concrete, practical requirements that companies will need to implement.
On June 17, CISA, along with partners from Canada, France, Germany, Italy, Japan, the United Kingdom, and the European Union, published "Software Bill of Materials for AI: Minimum Elements." Think of it as an "ingredients list" for AI systems, similar to how food labels tell you what's inside a product. The guidance helps organizations document what components make up their AI systems, from the models and datasets used to the infrastructure that runs them.
Why Should Companies Care About an AI Bill of Materials?
The guidance arrives at a critical moment. While the framework itself is voluntary and creates no new legal requirements, it overlaps significantly with mandatory obligations under the EU AI Act, whose requirements become binding as its phased application dates arrive. This means companies selling or deploying AI systems in Europe, or to European partners, may soon face formal demands to provide much of the same information.
The framework organizes AI system information into seven distinct clusters. The first cluster, called Metadata, describes the bill of materials document itself, including who created it and when. The remaining six clusters cover system-level properties, models, dataset properties, infrastructure, security properties, and key performance indicators. Each cluster contains specific data elements that developers and deployers should document.
Some of these elements are familiar from traditional software supply chain practices, such as component identifiers and license information. But the guidance adds AI-specific elements that go much deeper, including model lineage and training properties, dataset provenance and sensitivity, and security controls designed to protect against adversarial attacks and prompt-injection risks.
How to Prepare Your Organization for AI Supply Chain Transparency
- Audit existing SBOM processes: Organizations should not treat AI inventory practices as separate from general software supply chain governance. Instead, AI documentation should build on existing software bill of materials processes while adding AI-specific information about models and datasets.
- Map model and dataset provenance: Dataset and model documentation are likely to become focal points during vendor audits and procurement reviews. Teams should identify where models come from, what datasets were used to train them, what the model's limitations are, and how performance has changed over the system's lifecycle.
- Prepare for contractual demands: While the G7 guidance is voluntary, CISA and G7 recommendations often become procurement requirements and vendor risk management expectations. Companies should expect AI SBOM requests to become standard in enterprise and government-facing contracts.
- Document security controls: Organizations need to document cybersecurity measures addressing adversarial robustness and other AI-specific risks, not just traditional software vulnerabilities.
- Establish governance workflows: Create processes to maintain and update AI SBOMs as systems evolve, similar to how organizations manage traditional software supply chain documentation.
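The following script is an added example, not code from the G7 guidance, CISA, or any cited vendor. It shows what the seven-cluster structure described above looks like once it is written down as a machine-readable record, and how the provenance and governance steps in the checklist become verifiable: model and dataset artifacts are pinned by SHA-256 when the AI SBOM is built, and a validation pass later checks that every cluster is present, that models carry lineage, that datasets carry provenance and sensitivity, and that the pins still match the artifacts actually deployed (a mismatch means the system was retrained or the data changed without the SBOM being updated). The cluster names come from the page; the field names inside each cluster, the artifact bytes, and the system details are assumptions constructed for this example.

```python
# Added example (not from the G7 guidance or CISA): an AI SBOM record organized
# by the seven clusters the guidance names, with model and dataset artifacts
# pinned by SHA-256 so provenance can be re-verified later. Field names inside
# each cluster and the sample artifacts are assumptions made for this example.
import hashlib
import json
from datetime import datetime, timezone

# Cluster names as listed in the guidance summary; the order is not significant.
REQUIRED_CLUSTERS = (
    "metadata", "system", "models", "datasets",
    "infrastructure", "security", "kpis",
)

# Constructed stand-ins for model weights and a training dataset.
MODEL_BYTES = b"constructed-model-weights-v1"
DATASET_BYTES = b"ticket_id,text,label\n1,printer offline,hardware\n2,reset password,access\n"
ARTIFACTS = {"triage-model": MODEL_BYTES, "triage-train": DATASET_BYTES}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_ai_sbom(artifacts: dict, author: str) -> dict:
    """Build an AI SBOM whose model and dataset entries are pinned to artifact hashes."""
    return {
        "metadata": {
            "author": author,
            "created": datetime.now(timezone.utc).isoformat(),
            "sbom_version": 1,
        },
        "system": {
            "name": "support-triage-classifier",  # hypothetical system
            "component_id": "pkg:generic/support-triage-classifier@2.3.0",
            "license": "Apache-2.0",
        },
        "models": [{
            "id": "triage-model",
            "lineage": {"base_model": "assumed-base-model", "fine_tuned_on": "triage-train"},
            "training": {"epochs": 3, "last_trained": "2025-11-02"},
            "limitations": "English-only tickets; not evaluated outside IT support",
            "sha256": sha256_hex(artifacts["triage-model"]),
        }],
        "datasets": [{
            "id": "triage-train",
            "provenance": "internal helpdesk export, PII scrubbed before training",
            "sensitivity": "confidential",
            "sha256": sha256_hex(artifacts["triage-train"]),
        }],
        "infrastructure": {"serving": "containerized inference service", "region": "eu-west"},
        "security": {
            "controls": ["adversarial-robustness-testing", "prompt-injection-filtering"],
        },
        "kpis": {"accuracy": 0.91, "evaluated_on": "triage-eval-2025-q4"},
    }


def validate_ai_sbom(sbom: dict, artifacts: dict) -> list:
    """Return findings; an empty list means the SBOM is complete and its pins still match."""
    findings = []
    for cluster in REQUIRED_CLUSTERS:
        if cluster not in sbom:
            findings.append(f"missing cluster: {cluster}")
    meta = sbom.get("metadata", {})
    for key in ("author", "created"):
        if not meta.get(key):
            findings.append(f"metadata.{key} is required")
    for model in sbom.get("models", []):
        if not model.get("lineage"):
            findings.append(f"model {model.get('id')}: lineage missing")
    for ds in sbom.get("datasets", []):
        for key in ("provenance", "sensitivity"):
            if not ds.get(key):
                findings.append(f"dataset {ds.get('id')}: {key} missing")
    if not sbom.get("security", {}).get("controls"):
        findings.append("security.controls is empty")
    # Re-verify pins: a changed artifact with an unchanged SBOM means the SBOM is stale.
    for kind in ("models", "datasets"):
        for entry in sbom.get(kind, []):
            actual = artifacts.get(entry.get("id"))
            if actual is None:
                findings.append(f"{kind}/{entry.get('id')}: artifact unavailable, cannot verify")
            elif sha256_hex(actual) != entry.get("sha256"):
                findings.append(f"{kind}/{entry.get('id')}: hash mismatch, SBOM is stale")
    return findings


if __name__ == "__main__":
    sbom = build_ai_sbom(ARTIFACTS, "ml-platform-team")
    print(json.dumps(sbom, indent=2))
    print("findings:", validate_ai_sbom(sbom, ARTIFACTS))
    # Simulate a retrain that shipped without the SBOM being regenerated.
    retrained = {**ARTIFACTS, "triage-model": b"constructed-model-weights-v2"}
    print("after silent retrain:", validate_ai_sbom(sbom, retrained))
```

Running the validator in CI against the artifacts that are actually deployed is one concrete form of the governance workflow the checklist calls for: a hash mismatch is the signal that a model or dataset changed without its documentation, which is exactly the gap a vendor audit would probe.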
The working group that developed the guidance deliberately chose not to include a standalone element capturing an AI system's level of autonomy or decision-making capability. This reflects the reality that different jurisdictions define and regulate autonomy differently, a point worth monitoring as more advanced AI agents are deployed in real-world settings.
What Does This Mean for Global AI Governance?
The AI SBOM guidance sits within a broader landscape of evolving US federal and international AI policy. Over the past several years, the US government has incorporated software bills of materials into cybersecurity policy, sector-specific regulation, and national security supply chain controls. The legal force of these references varies considerably, ranging from binding statutory mandates to voluntary baselines.
The framework traces back to Executive Order 14028, issued in May 2021, which directed the National Telecommunications and Information Administration (NTIA) to publish foundational minimum elements for software bills of materials. Since then, the Office of Management and Budget (OMB) has issued memoranda requiring federal agencies to obtain supplier attestations and SBOM artifacts. In January 2026, OMB issued memorandum M-26-05, continuing to strengthen these requirements.
Meanwhile, other jurisdictions are taking different approaches. Canada released its national AI strategy on June 4, 2026, titled "AI for All," which signals a lighter regulatory touch than the EU but closer alignment with the US model of relying on industry standards and targeted measures in higher-risk areas. Unlike the EU's comprehensive risk-based framework, Canada is not introducing comprehensive AI legislation at this time, though the government has signaled that targeted regulatory initiatives will address specific risks in areas like privacy, online harms, and misinformation.
The UK has taken yet another approach, focusing on child safety and online harms. On June 18, the UK government announced plans to ban social media platforms from offering services to children under 16, alongside restrictions on certain AI functionalities. The government intends to bring the first regulations to Parliament before the end of the year, with protections expected to come into force in spring 2027. Notably, the regulations will address "romantic companion" AI chatbots, which are designed to simulate sexual relationships, by requiring a minimum user age of 18.
These divergent approaches highlight a fundamental challenge in AI governance: while transparency frameworks like the G7 SBOM guidance can be harmonized across borders, safety regulations and age restrictions remain deeply tied to each nation's values and legal traditions. Companies operating globally will need to navigate this patchwork of requirements, making the G7 guidance a useful common reference point even as specific regulatory obligations vary by jurisdiction.
For organizations that have been waiting for regulatory clarity before investing in AI governance, the message is clear: the time to act is now. The G7 guidance provides a practical roadmap, and companies that begin documenting their AI systems according to these principles will be better positioned to comply with formal regulations as they emerge across different markets.