MOM Call 2: Oct 7, 2025

Overview

  • Meeting: OWASP AIBOM early working call (second planning session) 
  • Focus: Workstream scoping, sponsorship plan, owners, cadence, and early collaboration mechanics 
  • Participation: Core leads and contributors (including Anmol, Derek, Sai, Ankit, UV, Dharmesh) 
  • Cadence: Weekly on Tuesdays at 11:00 a.m. ET; evaluate biweekly later 
  • Recording: Calls to be recorded and published to YouTube; shared Drive/Doc for minutes and artifacts 

Key Highlights

  • Community and reach: ~40–42 people active on Slack; one sponsor confirmed; several large enterprises engaged or interested. 
  • Sponsorship strategy: Two tiers (Silver 10k, Gold 20k). Target is 50k by year-end to fund web, PR, travel, and outreach (OWASP provides infra/Slack/GitHub only). 
  • Workstream model: Eight workstreams with clear interdependencies; cross-collaboration encouraged to avoid silos. 
  • External alignment: IBM Research (Derek) offered schema requirement artifacts and alignment to avoid duplicate formats; emphasis on prioritizing deliverables. 
  • Logistics: Some participants did not receive calendar invites; fix and standardize invitations. 

Action Items

  • Meeting logistics 
    • Fix calendar invite delivery and ensure all participants receive a proper recurring invite. Owner: Aruneesh. 
    • Enable automatic recording and organize YouTube tagging/metadata. Owner: Anmol. 
  • Sponsorship 
    • Circulate the Gamma deck; begin targeted outreach; maintain a running pipeline; secure 50k by year-end. Owner: Aruneesh. 
  • Workstream charters 
    • Each workstream to finalize vision, goals, outcomes, roadmap, dependencies in the shared document. Owners: All WS leads. 
  • Prerequisites 
    • Produce an SBOM→AIBOM gap analysis (focus on model, data, security/governance fields). Owners: Manoj and Anmol. 
  • Formats 
    • Draft an interoperable AIBOM schema outline aligned with SPDX 3.x and CycloneDX 1.7+; maintain a field-mapping matrix. Owners: Dharmesh with Derek, UV, and Sai. 
  • Foundational best practices 
    • Publish v0.1 of the Foundations & Best Practices guide (lifecycle, threat taxonomy, producer/consumer guidance, quick-start). Owner: UV (with Sai, Dharmesh). Target: late Oct–Nov; v1.0 by Q1. 
  • Tooling 
    • Survey existing tools; define initial MVPs (e.g., CLI to generate AIBOM from a Hugging Face repo), and usage guidance; keep interoperability front-and-center. Owners: Ankit, Sai, Dharmesh. 
  • Integrity, quality, and inventory/legal sharing 
    • Define validation and attestation flow, signer roles, trust/quality model, and sharing under NDA/access control. Owner: To be confirmed (Abhinav prospective) with support from Policy and Formats. 
  • Policy 
    • Build the regulation/standards map (EU AI Act, NIST AI RMF, CERT-In, finance model-risk letters, healthcare guidance), identify where AIBOM fits, and start regulator outreach during the build. Owners: Tiffany and Anmol; collaborate with Derek. 
  • Content and outreach 
    • Create brand/asset templates (cover, header/footer, slide/post styles) and a 30-day video plan. Owners: Dharmesh and Anmol. 
    • Plan a LinkedIn Live or webinar to introduce AIBOM and the workstreams; Anmol to moderate; schedule after late-October holidays. 

Workstream Updates

Prerequisites

  • Status: Active. Establishes what exists in SBOMs and where AIBOM must extend (architecture/model metadata, data provenance/integrity, governance/security). 
  • Next: Deliver gap analysis and a recommended minimum field set to the Formats workstream. 

Formats / Standardization

  • Status: Starts after initial prerequisites output. 
  • Direction: Interoperability with SPDX 3.x AI profiles and CycloneDX 1.7+ ML/Data components; draft a canonical field map and identify where extensions are truly required. 
  • Target: AIBOM Schema 1.0 around February (subject to volunteer bandwidth). 

Tooling

  • Status: Preparing; depends on Formats. 
  • Plan: Phase 1 survey of open-source and commercial tools; Phase 2 prototype reference tooling (CLI/SDK) and “adapter” concepts to help tools ingest/emit AIBOM; explore later marketplace-style integrations. Emphasis on education and adoption. 

Foundational Best Practices

  • Status: Strong progress. 
  • Deliverables: Foundations & Best Practices Guide v0.1 (executive-ready, adoption-focused), covering lifecycle, threat taxonomy, producer/consumer guidance, and quick-starts; later an Authoritative Guide v1.0. 
  • Timeline: v0.1 by late Oct–Nov, v1.0 in Q1. 

Integrity, Quality, Attestation, and Inventory/Sharing

  • Status: Spinning up. 
  • Scope: Define validation criteria, digital attestation, roles and responsibilities for sign-off, trust/quality scoring, and controlled sharing (NDA/legal models; pub/sub patterns). 
  • Coordination: With Policy (legal controls) and Formats (what gets signed). 

Policy and Regulation

  • Status: Restarted; channel to be set up privately for early drafts. 
  • Deliverables: Regulation map and AIBOM fit analysis; regional liaisons (US/EU/India/Middle East/Australia–New Zealand). 
  • Approach: Engage policymakers during development, not post-publication. 

Content and Community

  • Status: Active. 
  • Outputs: YouTube explainers (three to four per month), LinkedIn presence, brand templates, and eventual translations. 
  • Upcoming: LinkedIn Live/webinar to present project vision and workstreams; Anmol to moderate. 

Sponsorship

  • Status: Deck ready; one sponsor secured; four vendors in discussion. 
  • Goal: Exceed 50k by year-end; continue vendor introductions. 

Alliances and Collaborations (new)

  • Status: Forming. 
  • Scope: Industry partnerships (banks, insurance, healthcare), universities, cross-foundation work (OpenSSF, CISA, SPDX, CycloneDX). 
  • Approach: Agile engagement now to shape requirements and accelerate adoption. 

Strategic Guidance Captured

  • Minimize duplication across workstreams; share artifacts promptly to prevent silos. 
  • Prioritize early deliverables: Foundations & Best Practices guide and a first coherent schema outline. 
  • Accept and integrate external artifacts where feasible (IBM requirements spreadsheet/JSON after internal clearance). 

Next Steps

  • Fix calendar invites and standardize a recurring series. 
  • Workstream charters due before the next call; first spotlight will be Prerequisites. 
  • Schedule the LinkedIn Live/webinar after late October holidays; draft talking points and flow. 
  • Circulate the sponsorship deck and begin coordinated outreach. 
  • Decide on a meeting summarization service and, if approved, enable it for future calls.