- What: Guidance for CISOs on preparing for agentic-ready AI bills of materials.
- Impact: Organizations need to document AI components and execution attributes for better security and compliance.
How CISOs Should Prep for Agentic-Ready AI BOMs

Finding ways to document both component and execution attributes for AI bill of materials (AI BOM).

Ericka Chickowski, Contributing Writer
May 21, 2026

AI bills of materials (AI BOMs) are designed to answer a pretty straightforward question: what's in this AI technology? Like software bills of materials (SBOMs), they document all of the ingredients that went into building a system. This includes the models, the datasets, the frameworks, and the dependencies the AI is built on. Knowing these is crucial for tracking supply chain risk and responding quickly when a component is compromised.

But AI agents are different because tracking their risk adds a new dimension beyond components. Agentic-ready AI BOMs will need to not only document the components but also the attributes that describe autonomous action.

"With delegated agency, the most security-relevant dependencies are not model plus data — instead they become action pathways," says Kriti Tallam, VP of AI at Kamiwaza AI and contributor to NIST's AI Risk Management Framework. "What you're talking about is behavioral artifacts: tool skills, prompts, policies, and workflow definitions."

In this way, the AI BOM documentation needs to help answer a much harder set of questions: where are agents operating, what are they doing, and should they be?

The Artifact vs. Authority Problem

Current standards like CycloneDX and SPDX are artifact-lineage tools.
They tell the story of all the inputs that went into building an AI system. That's valuable for traditional software, but it leaves critical gaps as agentic AI adds the element of execution.

[Read more about what regulators and standards bodies are doing in What Will Make AI BOMs Real?]

As Tallam points out, this means that the supply chain expands beyond models and data into runtime behavior. Helen Oakley, one of the leaders of the OWASP AIBOM Generator, says this means that documentation now covers two main areas, artifact lineage and authority lineage.

The first asks what components are present, where they originated, and whether they contain known vulnerabilities. These attributes are already covered by the earliest standards for AI BOMs. The second asks how decision rights move through a system once it's running. These are the ones that agentic AI BOMs will need to start tackling.

"In autonomous systems, the supply chain evolves to include a dynamic runtime dimension," she recently wrote. "As AI systems generate and compose decisions at runtime, the supply chain must also account for how authority is delegated, propagated, and bounded during execution."

Without additional fields and runtime instrumentation, AI BOMs can't currently document how decision-making authority is propagated across a multi-agent chain. Without this kind of visibility, it is nigh impossible to figure out which agent called which tool and with what delegated permissions, and whether that chain stayed within its originally intended boundaries.

As Oakley puts it: "Artifact integrity does not automatically imply bounded authority propagation."

Agentic deployments need documentation that captures authorization so organizations can better manage the risks that lead to unchecked agents making very costly mistakes.
A glaring example of those risks in play just happened at PocketOS, where an AI coding agent deleted an entire production database and all volume-level backups in a single API call to its infrastructure. This is the kind of failure that couldn't have been foreseen by better artifact documentation or flaw remediation.

"The agent had a legitimate Railway API key, hit what it read as a credential mismatch, decided to clean up unused resources, and bypassed soft delete entirely. No confirmation step, no environment check, nothing," wrote security advisor Andrew Storms in a recent piece on agentic security boundaries. "The authorization model failed."

What Agentic-Ready AI BOM Needs to Include

Getting to the heart of agentic risk management will have to start with tracking not only what the agent is authorized to do, but also the identity it operates under and the constraints that govern its decisions. The research and practitioner communities are still zeroing in on what an agentic AI BOM needs to capture in order to make this a reality.

A March 2026 paper by researchers at Oxford and Cisco offers a practical starting point for integrating the right elements into agentic AI BOMs. They proposed schema extensions to CycloneDX and SPDX designed to capture execution context and agentic decisioning in a way that's aligned with existing bills of materials standards and that can be folded into existing tooling. Not only is that a win for agentic observability, but their evaluation found that adding runtime evidence to static dependency data improved both reproducibility and vulnerability assessment accuracy.

However, their schema captures what an agent did, but not necessarily what it was permitted to do, or how to tell when those two things diverge.

Storms says that an agentic security boundary should be the union of five things: identity scope, tool permissions, network egress policy, action-level authorization, and auditing.
While he wasn't specifically talking about AI BOMs, his breakdown could actually provide a good sketch for the additional areas that their documentation needs to extend into. Ultimately, the goal should be helping the AI/ML, infrastructure, and security teams all work from the same page so that they can start threat modeling systems and building controlled environments that appropriately document and control autonomous action.

"A useful litmus test for any leader running this: ask your team, 'if our most used internal agent decided tomorrow to do the most damaging thing it's technically capable of, what would happen?'" Storms says. "The answer should be a specific, short list of systems it could reach and actions it could take. Short because someone scoped them deliberately."

What CISOs Can Do Now

Today's AI BOM standards don't have fields for capability scope, action-level authorization, or behavioral baselines. But CISOs don't have to wait for perfect frameworks to start building the documentation practices that will underpin agentic-ready AI BOMs. Tallam recommends starting with the basics, namely by treating AI systems like products rather than experiments.

[Read What It'll Take to Make AI BOMs Useable in a Modern Security Program for five things CISOs need to do and Is 2026 the Year AI Bill of Materials Get Real? to see how security leaders are addressing the current visibility challenges.]

"When you make a simple register, where's the model used, what data connects, what tool calls, who owns them, that in itself is a policy," she says.

Beyond permissions and telemetry, organizations need to document approved behavioral baselines for deployed AI systems and define what drift looks like. You can't predict every output from a non-deterministic system, but you can define the expected range of behavior and flag when an agent deviates from it.

The good news, Tallam says, is that non-determinism doesn't have to mean ungovernable.
"Non-deterministic reasoning is fine if the action space is deterministic and constrained," she says. "Don't try to predict every token. Make every action predictable, permissioned, attributable, and auditable."

Ultimately, the work CISOs do now to document behavioral baselines, establish agent identity controls, and capture authorization boundaries will put them ahead when agentic-ready standards arrive. As Oakley wrote: "What we choose to observe defines what we are able to govern."

About the Author

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
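
The five-part boundary Storms lists (identity scope, tool permissions, network egress policy, action-level authorization, auditing) and the constrained action space Tallam describes can be sketched as a deterministic gate in front of an agent's tool calls. This is an added example, not code from the article or from any AI BOM standard; the record layout, field names, agent, host and tool names are hypothetical and constructed for illustration.

```python
# Added example. The record layout and field names are hypothetical; they are
# not CycloneDX or SPDX fields. Agent, host and tool names are constructed.
AUTHORITY = {
    "agent_id": "coding-agent-01",              # identity scope
    "owner": "platform-team",
    "environments": ["staging"],
    "egress": ["infra-api.example.internal"],   # network egress policy
    "tools": {                                  # tool permissions
        "volume.list": {"destructive": False},
        "volume.delete": {"destructive": True},
    },
}
AUDIT_LOG = []  # auditing: every decision is recorded, allowed or not

def authorize(record, request, confirmed_by=None):
    """Action-level authorization: return (allowed, reason) for one request."""
    tool = record["tools"].get(request["action"])
    if request["agent_id"] != record["agent_id"]:
        allowed, reason = False, "identity not covered by this record"
    elif tool is None:
        allowed, reason = False, "action outside declared tool permissions"
    elif request["environment"] not in record["environments"]:
        allowed, reason = False, "environment outside identity scope"
    elif request["host"] not in record["egress"]:
        allowed, reason = False, "host outside egress policy"
    elif tool["destructive"] and confirmed_by is None:
        allowed, reason = False, "destructive action requires confirmation"
    else:
        allowed, reason = True, "within declared authority"
    AUDIT_LOG.append({**request, "confirmed_by": confirmed_by,
                      "allowed": allowed, "reason": reason})
    return allowed, reason

def reachable_actions(record):
    """Litmus-test answer: every (environment, action) pair the agent can take."""
    return sorted((env, action) for env in record["environments"]
                  for action in record["tools"])

def divergences(log):
    """Attempted actions that fell outside the declared authority."""
    return [(e["action"], e["environment"], e["reason"])
            for e in log if not e["allowed"]]

if __name__ == "__main__":
    req = {"agent_id": "coding-agent-01", "action": "volume.delete",
           "environment": "production", "host": "infra-api.example.internal"}
    print(authorize(AUTHORITY, req))  # refused: production is out of scope
    print(reachable_actions(AUTHORITY), divergences(AUDIT_LOG))
```

The output of `reachable_actions` is the "specific, short list" the litmus test asks for, and `divergences` surfaces the gap between what an agent attempted and what it was permitted to do.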