G7 Publish SBOM Minimum Standards for AI Systems

First G7 Guideline for AI SBOMs Is Available

On 12 May 2026, as part of the French G7 Presidency, the BSI published the document “Software Bill of Materials for AI – Minimum Elements”. It is the first consensus-based G7 guideline on the minimum elements of an SBOM for AI systems and complements the “Shared G7 Vision on SBOM for AI” published in June 2025. The paper was developed between August 2025 and February 2026 within the G7 Cybersecurity Working Group, co-led by Italy (ACN) and Germany (BSI).

The focus is on a practical, cross-sectoral minimum framework for greater transparency along the AI supply chain — from models and training data through infrastructure to security-relevant properties. According to the BSI document, the minimum elements are explicitly not mandatory and do not create new standards or laws, but are intended to support manufacturers and operators in their implementation.

Who is behind the paper

Jointly published by BSI (Germany), ACN (Italy), ANSSI (France), CSE (Canada), CISA (USA), NCSC (UK) and NCO (Japan) – in cooperation with the European Commission. The G7 Presidencies of Canada (2025) and France (2026) have supported the initiative.

The guideline emphasises an important principle: AI systems are also software systems. The minimum elements defined here come in addition to classic SBOM minimum standards (e.g. those of NTIA or CISA); they do not replace them.

Seven Clusters — The Skeleton of the AI SBOM

According to the G7 guideline, an AI SBOM is structured into seven thematic clusters. Apart from the Metadata cluster, which describes the SBOM itself, the remaining six clusters are of equal rank. This structure makes it possible to cleanly represent the additional properties of an AI system – in particular models and datasets – alongside classic software components.

Abstract representation of seven cluster elements arranged as connected data crystals around a central core object — Together, the seven clusters form the minimum scope of an AI SBOM (own illustration).

Cluster	Purpose	Number of elements
Metadata	Information about the SBOM itself (author, version, signature, tool)	10
System Level Properties (SLP)	AI system as a whole: components, data flows, application domain	9
Models	Identity, properties, training and licence of each model	13
Datasets Properties (DP)	Provenance, sensitivity, hashes and licence of training/test data	10
Infrastructure	Software and hardware dependencies (with HBOM reference)	2
Security Properties (SP)	Implemented security controls, compliance, vulnerability references	4
Key Performance Indicators (KPI)	Security and operations metrics	2

What is new compared to classic SBOMs

Classic SBOMs (NTIA/CISA) primarily capture software components and their dependencies. The G7 guideline explicitly adds models (with architecture, hyperparameters, hashes of the weights), datasets (with provenance, statistical properties, sensitivity class) as well as AI-specific security controls such as prompt-injection filters or adversarial robustness training.

Models and Datasets: What Specifically Needs to Be Documented

The heart of the AI SBOM lies in the Models and Datasets Properties clusters. They require unambiguous identifiability, cryptographic integrity and traceable origin — both of model weights and of training data.

Model identifier

At least one machine-readable identifier (CPE, PURL, OmniBOR, SWHID / ISO/IEC 18670:2025). Multiple identifiers are permitted and should be maintained together.

Model hash

Cryptographic hash of the weights or model file in ASCII, algorithm per IANA Hash Function Textual Names and with NIST-/ENISA-compliant methods.

Model properties

Architecture (Transformer, CNN, RNN, LSTM …), parametricity (parametric vs. non-parametric), model size, hyperparameters.

Model training properties

Training methods: pre-training, fine-tuning, RLHF, DPO, PPO, GRPO — including link to the Model Card.

Dataset provenance

Origin, collection method (web crawling, commercial agreements), pre-/post-processing, labelling steps; for synthetic data, the generation method.

Dataset sensitivity

Sensitivity class: PII, publicly accessible data, copyrighted, financially/medically sensitive, national security.

Particularly noteworthy: for hash algorithms the guideline refers to the IANA Hash Function Textual Names, for UUIDs to RFC 9562, for timestamps to RFC 9557and for digital signatures to ISO/IEC 14888-4:2024 and the ENISA Agreed Cryptographic Mechanisms. This gives AI SBOMs a very clear technical foundation.

ai-sbom.json (illustrative, non-normative)

{
  "metadata": {
    "sbom_author": "Example AG",
    "sbom_version": "1.0.0",
    "sbom_data_format_name": "SPDX",
    "sbom_data_format_version": "3.0",
    "sbom_tool_name": "ExampleScanner",
    "sbom_generation_context": "after-build",
    "sbom_timestamp": "2026-05-13T09:00:00Z"
  },
  "models": [{
    "model_name": "vision-classifier",
    "model_identifier": "pkg:huggingface/example/vision-classifier@1.4.2",
    "model_hash_algorithm": "sha-256",
    "model_hash_value": "9f86d081884c7d659a2feaa0c55ad015...",
    "model_properties": { "architecture": "transformer-encoder", "parameters": 1300000000 },
    "model_training_properties": { "type": "supervised + RLHF" },
    "model_license": "Apache-2.0"
  }],
  "datasets": [{
    "dataset_name": "internal-images-2026",
    "dataset_provenance": "internal capture + licensed partner data",
    "dataset_sensitivity": "PII redacted",
    "dataset_license": "proprietary"
  }]
}

Security, Infrastructure and KPIs — Often Overlooked

Three often underestimated clusters round off the AI SBOM. They link the pure inventory view with the cybersecurity reality in operations:

Security Properties: AI-specific controls required

In addition to general security controls (encryption, access controls, API authentication), the guideline explicitly names AI-specific measures: adversarial robustness training, prompt-injection controls for LLMs/LLM agents, input/output filters as well as data-level controls for the curation of training data. A manufacturer's security.txtis also recommended, as are links to vulnerability databases.

Workflow for production-ready AI SBOM creation

1Define metadata: author, format (SPDX/CycloneDX), tool, signature.
2Capture System Level Properties: components, data flows, intended application area.
3Document models: identifier (CPE/PURL/OmniBOR/SWHID), hash, architecture, training methods, licence.
4Describe datasets: provenance, sensitivity, statistical properties, licence.
5Capture infrastructure: frameworks, runtimes, and if applicable an HBOM link for hardware.
6Record Security Properties and KPIs: controls, compliance, robustness metrics, uptime.
7Sign the SBOM and couple it to vulnerability management (advisories, scanners, bulletins).

The KPI cluster is intentionally kept lean: Security Metrics (e.g. robustness against third-party manipulation) as well as Operational Performance KPIs (uptime, incident resolution time, latency, throughput). This data is the bridge between the SBOM inventory and SOC/monitoring reality.

What the Guideline Means for Manufacturers and Operators

Abstract network of globally connected nodes representing cooperation between cybersecurity authorities from several countries — Seven states plus the European Commission have agreed on the minimum framework.

The G7 guideline does not create direct legal obligations. In some jurisdictions, however, individual elements are already being addressed through existing or upcoming standards — for example via the EU AI Act, the Cyber Resilience Act (CRA) or sector-specific requirements. Anyone shipping or deploying AI components in products should treat the seven clusters as a target architecture.

What to watch out for now

Manufacturers with AI components in regulated products are under double pressure: classic SBOM requirements (e.g. under CRA Annex I) and the additional AI-SBOM minimum elements. Without a clean provenance track of training data, without hashes of the weights and without documentation of AI-specific controls, compliance will no longer be demonstrable from 2027 onwards.

Start the inventory now

Which models and datasets are in use, which identifiers exist, who is the producer? Close gaps early.

Choose a format

SPDX 3.0 or CycloneDX 1.6 with AI/ML extension — both formats can already represent the clusters.

Enforce provenance

Automate dataset provenance and model lineage in CI/CD pipelines rather than reconstructing them after the fact.

Couple the SBOM with VEX

An AI SBOM without vulnerability management remains theoretical. Integrate advisories, scanners and VEX statements.

Blackfort Assessment

With this guideline, the G7 states have for the first time presented a consensus-based minimum framework for AI SBOMs. Its strength lies in the sober alignment with established SBOM concepts: no new standards landscape, but a focused extension to cover AI-specific aspects. In its announcement, the BSI states together with the partner agencies that the minimum elements remain open to further development — particularly with regard to agentic AI and the degrees of autonomy of AI systems, which are explicitly named as a future element.

This is relevant for German industry because manufacturers are already being obliged to provide component transparency through the CRA and AI Act. Anyone who builds a clean AI-SBOM practice now avoids duplicate work and can simultaneously professionalise vulnerability management and supplier governance. Blackfort recommends treating the seven clusters as a design specification today — and not only once the regulator or customer asks.

Sources

According to the BSI publication “Software Bill of Materials for AI – Minimum Elements” (G7 Cybersecurity Working Group, 12 May 2026) as well as the preceding “Shared G7 Vision on SBOM for AI” (June 2025, ACN). References include CPE, PURL (ECMA-427), OmniBOR, SWHID (ISO/IEC 18670:2025), RFC 9562, RFC 9557, ISO/IEC 14888-4:2024 as well as the NCSC Guidelines for Secure AI System Development.