To address the lack of transparency and traceability in AI system supply chains, this paper proposes the AI Bill of Materials (AI-BOM) framework—an extension of the Software Bill of Materials (SBOM) tailored for AI systems. It systematically documents algorithmic components, datasets, training methodologies, dependency libraries, licenses, and regulatory compliance requirements. The work introduces the first deep adaptation of the SPDX 3.0 standard to the AI domain, defining core AI-BOM elements, structured generation guidelines, and semantic identifiers (e.g., AI-URIs), while integrating license mapping and compliance tagging. Implemented via JSON/YAML serialization, the framework provides practical generation templates and guidelines compatible with mainstream frameworks (e.g., PyTorch, TensorFlow) and benchmark datasets (e.g., ImageNet, Hugging Face). By establishing standardized documentation for AI models and data provenance, AI-BOM bridges a critical gap in AI supply chain governance, significantly enhancing regulatory auditability and security assessment efficiency.

A Software Bill of Materials (SBOM) is becoming an increasingly important tool in regulatory and technical spaces to introduce more transparency and security into a project's software supply chain. Artificial intelligence (AI) projects face unique challenges beyond the security of their software, and thus require a more expansive approach to a bill of materials. In this report, we introduce the concept of an AI-BOM, expanding on the SBOM to include the documentation of algorithms, data collection methods, frameworks and libraries, licensing information, and standard compliance.