Glossary

AgentBOM (Agent Bill of Materials)

The Software Bill of Materials (SBOM) became table-stakes after the SolarWinds breach and the US Executive Order on Improving the Nation's Cybersecurity. AgentBOM applies the same supply-chain discipline to AI: a regulator-readable, cryptographically signed list of exactly what was inside a given agent execution, so that incident response, certification, and procurement diligence are no longer speculative.

Back to glossary

Definition

An AgentBOM (Agent Bill of Materials) is a cryptographically verifiable manifest of every component used in an AI agent execution — model and weights, prompt template, system message, toolset, retrieval corpora, fine-tune lineage, and outbound dependencies. It is to agentic AI what an SBOM is to software supply chains.

Also referred to as: AI Bill of Materials · AIBOM · AI SBOM · agent manifest · AI supply-chain manifest

Quick facts

Cryptographic supply-chain manifest for one AI agent execution.
Maps directly to EU AI Act Art. 11 + 12 and US AI EO 14110.
Covers composition (what), runtime (where, on what silicon), and dependencies (what it called out to).
Reference issuer: AgentAnywhere gateway + soverai-gateway-plugin.
Status (May 2026): spec draft is in flight as roadmap item R-06.

What goes in an AgentBOM

A useful AgentBOM is dense but small. It captures `composition` (model family + version + weightsHash + license + provider, prompt-template hash, system-message hash, toolset, retrieval corpora hashes, fine-tune lineage), `runtime` (region, confidential-compute attestation, sandbox), and `dependencies` (every outbound API call hash). The shape is deliberately additive on top of an existing receipt schema so issuers can adopt incrementally.

Why now

EU AI Act Articles 11 and 12 oblige providers of high-risk AI systems to maintain technical documentation and record-keeping that map directly onto the AgentBOM shape. The US AI Executive Order 14110 likewise mandates supply-chain transparency for foundation models. India's MeitY AI rules and Singapore's MAS guidance push the same direction. Today no canonical machine-verifiable format exists — which is exactly the gap a clean specification can fill.

Reference implementation

AgentAnywhere's reference implementation is the Trust Receipt — an AgentBOM signed under the existing `soverai-receipt/v1` wire-tag (kept stable so deployed verifiers keep working). The issuer side runs in the AgentAnywhere gateway plugin (`pip install soverai-gateway-plugin`); the verifier side runs in `npx @soverai/verify --bom`. The spec is open; competing platforms can issue their own AgentBOMs and remain interoperable with the same verifiers.

Primary sources

Where the regulatory or technical authority for this term actually lives. We cite primary sources so this entry can be checked, not just trusted.

Related terms

Trust Receipt

A Trust Receipt is AgentAnywhere's signed implementation of the open AgentBOM format — a cryptographically signed, regulator-verifiable record of one AI execution (region, model, data sources, policy decisions, redactions, cost, carbon) signed with Ed25519. Anyone with the issuer's published public key can verify a receipt offline, without access to the platform that produced it.

Sovereign AI

Sovereign AI is the practice of running AI systems — models, data, and compute — within the legal and physical boundaries of a chosen jurisdiction, so that data sovereignty, regulatory accountability, and supply-chain control remain under that jurisdiction's authority.

Agentic AI

Agentic AI describes AI systems that pursue goals through multi-step reasoning, tool use, memory, and autonomous action — as opposed to single-shot prompt-response systems. An agent can plan, call APIs, modify state, and adapt mid-task without a human in every loop.

Last reviewed: 2026-05-23.

Need this in your RFP or board memo?

We maintain canonical definitions for sovereign AI, Trust Receipts, data residency, AgentBOM, and agentic AI so procurement, security, and legal teams can quote a primary source instead of paraphrasing one. Email enterprise@soverai.ai if you need an extended PDF reference for a specific regulator.

Email enterprise

AgentBOM (Agent Bill of Materials)

Back to glossary