Agent SBOM & Supply Chain Assessment

SDD-B07 · Course 2B — Securing & Attacking Harnesses and LLMs

45 minutes · An agent is a dependency graph with a model at the center. Every tool, every MCP server, every checkpoint is a trust dependency.

The SBOM was built to enumerate a compiled binary. The AI BOM extends it to enumerate an agent — and the agent's supply chain is its attack surface.

Deep-Dive · SDD-B07

The SBOM-to-AI-BOM extension

Software SBOM enumerates a compiled binary: libraries, frameworks, the build toolchain. The solved problem (Syft, CycloneDX, SPDX, EO 14028).
AI BOM adds: the model (checkpoint hash, fine-tune adapters, quantization), the training data (provenance, licensing), the tools, the MCP servers, the harness.
The load-bearing insight: every component in the AI BOM is a trust dependency an attacker can reach. A component not in the BOM is a surface not assessed — the agent equivalent of an unknown transitive dependency.

log4j was a failure of inventory

Organizations that did not know they shipped log4j could not patch it — because they did not know they had it.

The AI BOM exists for the same reason:

  • You cannot govern an MCP server you do not know your agent calls.
  • You cannot assess a model checkpoint you do not know it loads.
  • You cannot scope a red-team against a supply chain you have not enumerated.
The undeclared component — a tool or server the agent uses at runtime but the BOM does not declare — is the agent equivalent of the unknown transitive dependency that made log4j damaging.

B07.1 — What the AI BOM adds

Four component classes beyond the software SBOM

The four AI-BOM component classes

ClassEnumeratesWhy it is a trust dependency
ModelBase model, checkpoint hash, fine-tune adapters, quantization, inference runtimeReachable via the prompt channel (SDD-B03); silent version updates
DataTraining corpora, provenance, licensing, evaluation sets, retrieval storeShapes behavior; data-poisoning is a supply-chain finding (B1)
Tools & MCPEvery function-call tool, every MCP server (identity, transport, supplier)Reachable via tool-call manipulation; MCP = indirect-injection source
HarnessAgent framework, sandbox, orchestration codeThe governance layer (B0, SDD-B04/05) — version is security-critical

B07.2 — Standards & validation

CycloneDX, SPDX, NTIA minimum elements, the pipeline

The standards landscape

CycloneDX (OWASP) — JSON/XML; ML-BOM/AI-BOM profile adds machine-learning-model and data component types; crypto-material extension (CDX 1.6) for keys & attestation. Common in build pipelines.
SPDX (ISO/IEC 5962) — the other dominant format; AI profile + System Package BOM for AI (SAI). Common in governance/licensing/procurement. Largely interconvertible with CycloneDX.
NTIA AI BOM minimum elements — the floor: model identity, architecture/parameters, training data, evaluation, software/runtime. A deployer who cannot meet these cannot answer the first regulator or red-team question.

Generation & validation pipeline

AGENT CONFIG-AS-CODE (model id, tool list, MCP registry)
        │
        ├──▶ SBOM TOOLING (Syft, cdxgen) ──┐
        └──▶ AI-COMPONENT EXTRACTOR ───────┤
                                          ▼
                                   THE AI BOM (CycloneDX JSON)
                                          │
                          validate against RUNTIME SNAPSHOT
                                          │
            ┌──────────────┬──────────────┼──────────────┬──────────────┐
            ▼              ▼              ▼              ▼              ▼
       COMPLETENESS   VERSION DRIFT   PROVENANCE    VULN/POLICY    DEPLOY GATE
       undeclared?    pinned=resolved? attested?    CVEs? policy?   finding→block
Validation is continuous, not one-time. A drifted BOM is worse than no BOM — it gives false confidence. Regenerate in CI; validate on every deploy.

B07.3 — Assessment in an engagement

The scope input, the undeclared-component finding, the bridge

The undeclared-component finding

The highest-value supply-chain finding: a tool, MCP server, model version, or data source the agent uses at runtime but the AI BOM does not declare.

Three discovery methods:

  • Runtime config diff — sandbox-start, log every tool/MCP/model, diff against the BOM.
  • Network observation diff — observe outbound connections; compare to declared external refs.
  • Behavioral inference (black-box) — prompt agent to enumerate tools; infer model from outputs.
Severity scales with reachability. An undeclared MCP server contacted every turn is critical — an un-assessed injection source (SDD-B03).

Model-version drift

BOM declares model version N (pinned, hashed). Runtime calls version N+1 — the provider rotated the checkpoint, or the deployer's alias resolved to a newer version.

The consequence: the assessed agent is not the deployed agent.

  • A finding against version N may not reproduce against N+1.
  • N+1 may have new vulnerabilities N did not.
  • The model version is the single most important reproducibility field (B0, SDD-B06).
Control: pin the specific checkpoint (not a floating latest alias); detect drift in validation; a mismatch gates the deploy.

The AI BOM is the bridge: B4 → B11

The first question a red-team or regulator asks: "what is in your agent?" The answer is the AI BOM. No BOM = the first finding.
ConsumerWhat the AI BOM provides
B4 — Trust surfacesEach BOM component = a trust node. Tools → function-call surface; MCP → injection surface; model → refusal target.
B11 — GovernanceBOM + ownership + policy metadata. Who owns each component, what governs it, when last assessed.
B0 — Incident responseThe blast-radius input: "what was in the affected agent?" Cannot scope/report/correlate without it.

Lab & what's next

Lab (07): generate an AI BOM (CycloneDX JSON) from an agent config, validate it against a runtime snapshot (detecting undeclared tools/MCP and model-version drift), produce an undeclared-component finding report, and map components to B4's trust surfaces. Python 3.10+, no GPU.

Next — SDD-B08: NeMo Guardrails. The production guardrail framework behind NemoClaw (Course 1 DD-09). The rails are themselves evaluated by models — so they are subject to the same injection risks. The guardrail is a model, and models are injectable.