"What is a Software Bill of Materials (SBOM), and what does it enumerate?" "A formal, machine-readable inventory of the components in a piece of software. At minimum (per NTIA): component name, version, supplier, unique identifier, dependency relationship, cryptographic hash. The SBOM's unit of analysis is the compiled/packaged artifact (container, binary, package). It enumerates SOFTWARE dependencies — it does NOT enumerate a model, a training corpus, or a tool server. US EO 14028 made SBOMs a procurement condition for software sold to the federal government." c2b::sdd-b07::recall "What is an AI Bill of Materials (AI BOM), and how does it extend the SBOM?" "The AI BOM extends the SBOM to enumerate the components of an AGENT: (1) MODEL components (base model, checkpoint hash, fine-tune adapters, quantization, inference runtime); (2) DATA components (training corpora, provenance, licensing, evaluation sets, retrieval-store contents); (3) TOOL & MCP components (every function-call tool, every MCP server); (4) HARNESS & orchestration components (framework, sandbox, orchestration code). The load-bearing insight: every component is a TRUST DEPENDENCY an attacker can REACH." c2b::sdd-b07::recall "State the load-bearing insight about AI BOM components and attack surface." "Every component in the AI BOM is a TRUST DEPENDENCY an attacker can REACH. The model is reachable via the prompt channel (SDD-B03). The tools are reachable via tool-call manipulation. The MCP servers are reachable via the agent's outbound connections AND via the servers' own attack surface (a compromised MCP server is an indirect-injection source). The training data is reachable retroactively via data-poisoning. A component NOT in the BOM is a surface NOT assessed — the agent equivalent of an unknown transitive dependency." c2b::sdd-b07::recall "What is CycloneDX, and how does it support AI BOMs?" "OWASP SBOM format (JSON/XML). Extended for AI/ML via the ML-BOM / AI-BOM profile, which adds component types: 'machine-learning-model' and 'data', plus relationships (trained-on, fine-tuned-from, depends-on). Also has a crypto-material extension (CDX 1.6) for the agent's keys and attestation materials. Key fields: bom-ref (dependency graph), components[].properties (architecture, param count, checkpoint hash, quantization), externalReferences (model card, data card, signing attestation). Common in build/pipeline tooling (Syft, cdxgen, build plugins)." c2b::sdd-b07::recall "What is SPDX, and how does it support AI BOMs?" "Linux Foundation SBOM format, ISO/IEC 5962:2021. Model is a document with packages/files/snippets, each with license, supplier, checksum, relationships. Extended for AI via the SPDX AI profile and the System Package Bill of Materials for AI (SAI), which adds AI 'package' fields: purpose, hyperparameters, training-data refs, evaluation metrics, energy-consumption profile. More common in governance/licensing/procurement (ISO standardization matters there). Largely interconvertible with CycloneDX through the common core." c2b::sdd-b07::recall "List the NTIA AI BOM minimum elements and why they matter." "The FLOOR element set (not ceiling): (1) MODEL IDENTITY (name, version, supplier, checksum/hash, model-card ref); (2) MODEL ARCHITECTURE & PARAMETERS (architecture, param count, input/output modalities); (3) TRAINING DATA (sources, provenance, licensing, data card; for fine-tunes the base-model ref + fine-tune dataset); (4) EVALUATION (sets, metrics, results); (5) SOFTWARE & RUNTIME (inference runtime, harness, orchestration code). A deployer who cannot meet these cannot answer the first regulator (EU AI Act docs), procurement, or red-team question." c2b::sdd-b07::recall "What was the log4j lesson, and why does it motivate the AI BOM?" "Log4j was a failure of INVENTORY, not patching — organizations that did not know they shipped log4j could not patch it because they did not know they had it. The AI BOM exists for the same reason: you cannot govern an MCP server you do not know your agent calls; you cannot assess a model checkpoint you do not know it loads; you cannot scope a red-team against a supply chain you have not enumerated. The undeclared component is the agent equivalent of the unknown transitive dependency that made log4j damaging." c2b::sdd-b07::recall "What is the undeclared-component finding, and why is it the highest-value supply-chain finding?" "A tool, MCP server, model version, or data source the agent uses at RUNTIME but the AI BOM does NOT declare. It is the agent equivalent of the unknown transitive dependency. The component is there, it is reachable, and nobody assessed it because nobody knew it was there. Found by runtime config diff, network-observation diff, or behavioral inference (black-box). Severity scales with reachability: an undeclared MCP server contacted every turn is CRITICAL (an un-assessed indirect-injection source, SDD-B03)." c2b::sdd-b07::recall "What is model-version drift, and why does it matter?" "The AI BOM declares model version N (pinned, hashed); at runtime the agent calls version N+1 (provider rotated the checkpoint, floating alias resolved to newer version, deployer updated without regenerating BOM). The ASSESSED agent is NOT the DEPLOYED agent. Matters because model version is the single most important reproducibility field (B0, SDD-B06): a finding against N may not reproduce against N+1; N+1 may have new vulns N did not. CONTROL: pin the specific checkpoint (not a floating 'latest' alias); detect drift in validation; mismatch gates the deploy." c2b::sdd-b07::recall "Name the three methods for discovering an undeclared component." "(1) RUNTIME CONFIG DIFF — sandbox-start the agent, log every tool/MCP/model loaded, diff against the BOM. (2) NETWORK-OBSERVATION DIFF — observe outbound connections (MCP servers, model endpoints, tool backends), compare to declared external references. (3) BEHAVIORAL INFERENCE (black-box) — prompt the agent to enumerate its own tools (a SDD-B06 recon technique), observe which external services it calls, infer the model from outputs. Noisier but produces findings when the deployer's BOM and runtime diverge." c2b::sdd-b07::recall "List the four validation checks run against an AI BOM." "(1) COMPLETENESS — does the BOM declare every tool/MCP/model? Compare BOM vs runtime; the delta is undeclared components. (2) VERSION PINNING & DRIFT — is the model pinned to a specific checkpoint (not a floating alias)? Does the runtime match? (3) PROVENANCE & SIGNING — are components attested (SLSA build provenance, Sigstore, supplier checksum)? An un-attested checkpoint is the same class of risk as an un-signed binary. (4) VULNERABILITY & POLICY — known CVEs? Policy violations (un-approved supplier, disallowed data source)?" c2b::sdd-b07::recall "Why is a drifted AI BOM worse than no AI BOM at all?" "A BOM that has drifted from the runtime gives FALSE CONFIDENCE — it declares components and versions that no longer match the deployed agent. Governance governs the declared inventory (which is stale); the red-team scopes against the declared surfaces (which are incomplete); incident response uses the declared BOM as the blast-radius input (which is wrong). No BOM at least makes the gap visible. The control: validation is CONTINUOUS (CI regenerates the BOM; validation runs on every deploy; a finding gates deployment)." c2b::sdd-b07::analysis "How does the AI BOM serve as the bridge between B4 (Trust Surfaces) and B11 (Governance)?" "B4's trust-surface map is POPULATED by the AI BOM's components: each tool, MCP server, model, and data source is a node in the trust graph (tools → function-call surface SDD-B04; MCP → injection surface SDD-B03; model → refusal target SDD-B06; retrieval → data-leak surface). B11's governance inventory is the BOM PLUS ownership/policy metadata (who owns each component, what policy governs it, when last assessed). The AI BOM is the SHARED inventory that makes both modules operable." c2b::sdd-b07::analysis "A deployer cannot produce an AI BOM for their production agent. What is the first finding and the first deliverable?" "The ABSENCE of an AI BOM is itself the first finding: a deployer who cannot enumerate components cannot govern them (B11), cannot assess blast radius in an incident (B0), cannot answer procurement/regulatory questions. The first deliverable is to BUILD the AI BOM from the runtime configuration — reverse-engineering the inventory the deployer should have had. This is the agent equivalent of running Syft against a container the vendor shipped without an SBOM." c2b::sdd-b07::analysis "Why is 'we have a BOM; it was generated at build time' an anti-pattern, and what is the cure?" "A BOM generated only at build time drifts from the runtime as the agent updates its model, adds a tool, or connects to a new MCP server. The drifted BOM gives false confidence and is worse than no BOM. CURE: regenerate the BOM in CI from config-as-code (the source of truth); validate on EVERY deploy against a runtime snapshot; a drift or undeclared component GATES the deployment. This is the agent-specific realization of SLSA's continuous-verification principle — the assessed agent must equal the deployed agent." c2b::sdd-b07::analysis "Why must the AI BOM declare every MCP server, not just 'internal' tools?" "Every MCP server is a TRUST DEPENDENCY and an INDIRECT-INJECTION SOURCE (SDD-B03). The agent trusts the server's responses; a compromised or attacker-influenced server returns content the agent treats as legitimate context. An undeclared MCP server is an un-assessed node in the trust graph — governance does not know about it, the red-team did not scope it. The AI BOM must declare every server the agent connects to, with identity, transport, supplier, and the tools it exposes. Omitting 'internal' MCP servers is the same class of error as omitting internal npm dependencies." c2b::sdd-b07::analysis "The agent uses the provider's 'latest' model alias. Why is this a problem, and what is the control?" "A floating alias resolves to DIFFERENT checkpoints over time (providers rotate silently). The 'latest' alias means the deployed model changes without any deployer action, so the AI BOM (if it records 'latest') does not pin a specific artifact — model-version drift is guaranteed. CONTROL: pin the specific checkpoint (a dated version id or a hash); record the pinned version in the AI BOM; the validation step compares the pinned version against the runtime-resolved version and a mismatch gates the deploy. Model-version drift means the assessed agent is not the deployed agent." c2b::sdd-b07::analysis "Design the AI BOM validation step that runs in CI. What are its inputs, checks, and the gate?" "INPUTS: the regenerated AI BOM (CycloneDX JSON from config-as-code) and a runtime snapshot (resolved model version, registered tools, connected MCP servers). CHECKS: (1) completeness — diff BOM vs runtime, flag undeclared; (2) version drift — pinned vs resolved; (3) provenance — SLSA attestation / signatures present; (4) vuln/policy — CVEs, un-approved suppliers. GATE: any finding blocks the deploy. The assessed agent must equal the deployed agent. Validation is continuous (on every deploy), not one-time." c2b::sdd-b07::analysis "Why is provenance (SLSA attestation, signatures) necessary on AI BOM components, not just on the software?" "Trust is not a supply-chain control; provenance is. The model checkpoint from 'a reputable provider' could be substituted at the distribution channel — a compromised model-distribution channel is a SCALING attack (every agent loading the poisoned checkpoint inherits the compromise). Un-attested tool backends and MCP servers carry the same risk as un-signed binaries. The AI BOM should carry SLSA build provenance for the harness, the supplier's published checksum for the model, and signing for the tool backends. Without attestation, the BOM declares what SHOULD be there but cannot verify what IS there." c2b::sdd-b07::analysis "In an incident, the deployer is asked 'what components were in the affected agent?' They have no AI BOM. What are the consequences?" "Without a validated AI BOM they CANNOT: (1) scope the incident (which components were in the blast radius?); (2) report it accurately to regulators (EU AI Act docs, US EO/OMB incident-reporting duties per B0); (3) correlate to determine which OTHER agents share the vulnerable component (the supply-chain propagation question). The AI BOM is the blast-radius input. A deployer without one is flying blind in exactly the moment they need full visibility. This is why the AI BOM is an INCIDENT-RESPONSE artifact, not just a documentation artifact." c2b::sdd-b07::analysis