Agent SBOM & Supply Chain Assessment
SDD-B07 · Course 2B — Securing & Attacking Harnesses and LLMs
45 minutes · An agent is a dependency graph with a model at the center. Every tool, every MCP server, every checkpoint is a trust dependency.
The SBOM was built to enumerate a compiled binary. The AI BOM extends it to enumerate an agent — and the agent's supply chain is its attack surface.
Deep-Dive · SDD-B07
The SBOM-to-AI-BOM extension
Software SBOM enumerates a compiled binary: libraries, frameworks, the build toolchain. The solved problem (Syft, CycloneDX, SPDX, EO 14028).
AI BOM adds: the model (checkpoint hash, fine-tune adapters, quantization), the training data (provenance, licensing), the tools, the MCP servers, the harness.
The load-bearing insight: every component in the AI BOM is a trust dependency an attacker can reach. A component not in the BOM is a surface not assessed — the agent equivalent of an unknown transitive dependency.
log4j was a failure of inventory
Organizations that did not know they shipped log4j could not patch it — because they did not know they had it.
The AI BOM exists for the same reason:
- You cannot govern an MCP server you do not know your agent calls.
- You cannot assess a model checkpoint you do not know it loads.
- You cannot scope a red-team against a supply chain you have not enumerated.
The undeclared component — a tool or server the agent uses at runtime but the BOM does not declare — is the agent equivalent of the unknown transitive dependency that made log4j damaging.
B07.1 — What the AI BOM adds
Four component classes beyond the software SBOM
The four AI-BOM component classes
| Class | Enumerates | Why it is a trust dependency |
| Model | Base model, checkpoint hash, fine-tune adapters, quantization, inference runtime | Reachable via the prompt channel (SDD-B03); silent version updates |
| Data | Training corpora, provenance, licensing, evaluation sets, retrieval store | Shapes behavior; data-poisoning is a supply-chain finding (B1) |
| Tools & MCP | Every function-call tool, every MCP server (identity, transport, supplier) | Reachable via tool-call manipulation; MCP = indirect-injection source |
| Harness | Agent framework, sandbox, orchestration code | The governance layer (B0, SDD-B04/05) — version is security-critical |
B07.2 — Standards & validation
CycloneDX, SPDX, NTIA minimum elements, the pipeline
The standards landscape
CycloneDX (OWASP) — JSON/XML; ML-BOM/AI-BOM profile adds machine-learning-model and data component types; crypto-material extension (CDX 1.6) for keys & attestation. Common in build pipelines.
SPDX (ISO/IEC 5962) — the other dominant format; AI profile + System Package BOM for AI (SAI). Common in governance/licensing/procurement. Largely interconvertible with CycloneDX.
NTIA AI BOM minimum elements — the floor: model identity, architecture/parameters, training data, evaluation, software/runtime. A deployer who cannot meet these cannot answer the first regulator or red-team question.
Generation & validation pipeline
AGENT CONFIG-AS-CODE (model id, tool list, MCP registry)
│
├──▶ SBOM TOOLING (Syft, cdxgen) ──┐
└──▶ AI-COMPONENT EXTRACTOR ───────┤
▼
THE AI BOM (CycloneDX JSON)
│
validate against RUNTIME SNAPSHOT
│
┌──────────────┬──────────────┼──────────────┬──────────────┐
▼ ▼ ▼ ▼ ▼
COMPLETENESS VERSION DRIFT PROVENANCE VULN/POLICY DEPLOY GATE
undeclared? pinned=resolved? attested? CVEs? policy? finding→block
Validation is continuous, not one-time. A drifted BOM is worse than no BOM — it gives false confidence. Regenerate in CI; validate on every deploy.
B07.3 — Assessment in an engagement
The scope input, the undeclared-component finding, the bridge
The undeclared-component finding
The highest-value supply-chain finding: a tool, MCP server, model version, or data source the agent uses at runtime but the AI BOM does not declare.
Three discovery methods:
- Runtime config diff — sandbox-start, log every tool/MCP/model, diff against the BOM.
- Network observation diff — observe outbound connections; compare to declared external refs.
- Behavioral inference (black-box) — prompt agent to enumerate tools; infer model from outputs.
Severity scales with reachability. An undeclared MCP server contacted every turn is critical — an un-assessed injection source (SDD-B03).
Model-version drift
BOM declares model version N (pinned, hashed). Runtime calls version N+1 — the provider rotated the checkpoint, or the deployer's alias resolved to a newer version.
The consequence: the assessed agent is not the deployed agent.
- A finding against version N may not reproduce against N+1.
- N+1 may have new vulnerabilities N did not.
- The model version is the single most important reproducibility field (B0, SDD-B06).
Control: pin the specific checkpoint (not a floating latest alias); detect drift in validation; a mismatch gates the deploy.
The AI BOM is the bridge: B4 → B11
The first question a red-team or regulator asks: "what is in your agent?" The answer is the AI BOM. No BOM = the first finding.
| Consumer | What the AI BOM provides |
| B4 — Trust surfaces | Each BOM component = a trust node. Tools → function-call surface; MCP → injection surface; model → refusal target. |
| B11 — Governance | BOM + ownership + policy metadata. Who owns each component, what governs it, when last assessed. |
| B0 — Incident response | The blast-radius input: "what was in the affected agent?" Cannot scope/report/correlate without it. |
Lab & what's next
Lab (07): generate an AI BOM (CycloneDX JSON) from an agent config, validate it against a runtime snapshot (detecting undeclared tools/MCP and model-version drift), produce an undeclared-component finding report, and map components to B4's trust surfaces. Python 3.10+, no GPU.
Next — SDD-B08: NeMo Guardrails. The production guardrail framework behind NemoClaw (Course 1 DD-09). The rails are themselves evaluated by models — so they are subject to the same injection risks. The guardrail is a model, and models are injectable.