Overview

• Meeting: Owasp AIBOM Call #4
• Date: Oct 23, 2025
• Trajectory: ~1 month in; momentum building (8+ contributing companies, incl. F100/F500 interest). Initial launch post (~late Aug/early Sep) hit ~4,400 impressions/126 likes; last week’s update ~2,700/54 likes. Two banks (NZ & AU) interested via Steve Wilson (GenAI project).
• Focus: Roadmap realism (volunteer bandwidth), cross-foundation collaboration (CycloneDX/SPDX/CISA/OpenSSF), workstream cadence, early policy & industry engagement (not “build then socialize”).
• Ops/Comms: Anmol to coordinate meetings/recordings/YouTube uploads; seasonal logo set demoed; waiting-room friction noticed.

Action Items

• Metrics & Comms
  • Plot growth trend (end-Oct → mid-Nov) for impressions, followers, contributors. (Owner: Anmol + Content WS)
  • Create brand/asset templates (cover, header/footer, slide/post styles) for consistent look & feel. (Owner: Content WS)
• Collaboration & Standards
  • Invite CycloneDX (e.g., Steve Springett) to review prereq findings & field mapping; line up SPDX liaison. (Owner: Prereq/Formats leads)
  • Daniel to share/compile CycloneDX 1.7 vs SPDX 3.0+ AIBOM field comparison; act as conduit to CycloneDX guidance effort. (Owner: Daniel)
  • Victor to surface SPDX 3.1 developments; share resources in Slack. (Owner: Victor)
• Workstreams & Cadence
  • Start workstream spotlight (5–7 min each week; rotate). (Owner: PMO/Lead)
  • Foundational Best Practices: move to weekly/bi-weekly sprint cadence; organize end-Nov pre-release review crew. (Owner: FBP lead)
  • Stand up Alliances & Collaborations WS (scope, leads, outreach list). (Owner: Lead + volunteers)
• Policy & Outreach
  • Create private policy channel; seed with regulation list where AIBOM fits; add regional leads (US/EU/ME/Aus/NZ/India). (Owner: Policy WS)
  • Begin regulator outreach (CISA, NIST/NISA, EU bodies, CERT-In, etc.) during build, not after. (Owner: Policy + Alliances)
• Quality, Attestation, Inventory
  • Abhinav to sync 1:1 with lead on validation/quality/inventory & legal-sharing model (NDA, Pub/Sub, access). (Owner: Abhinav + Lead)
  • Explore AIAVSS coordination with Ken; identify/seed AI vuln/risk database inputs. (Owner: Quality/Attestation WS)
• Tooling & Website
  • Recruit website/hosting lead (WordPress or equivalent) and translation lead (multi-language site). (Owner: Content/Community)
  • Tooling to define MVP plugin/reference once formats stabilize. (Owner: Tooling WS)
• Sponsorship
  • Keep vendor intros flowing; $50k EOY goal on track; finalize legal with 4 vendors in pipe. (Owner: Sponsorship WS)
• Logistics
  • Fix/disable waiting room to reduce join friction. (Owner: Meeting host)

Workstream Updates

Prerequisites 

• Status: Active; anchoring the rest.
• Key findings: Gaps cluster across Architecture, Data (biggest), and Security/Governance (RIP).
• Standards mapping: Analyzing CycloneDX (v1.7 ML/Data components) and SPDX 3.0 AI Model/Data profiles; need canonical gap/field-map table.
• Collab: Bring CycloneDX (Steve S.) to review; Daniel contributing comparative guidance and CISA experience; Victor to share SPDX 3.1 updates.

Formats 

• Status: On hold pending prereq outputs.
• Direction: Will incorporate CycloneDX 1.7+ ML/Data and SPDX 3.x AI profiles; reconcile differences; propose AIBOM extensions only where gaps remain.

Tooling 

• Status: Waiting on Formats.
• Plan: Provide reference/MVP plugin and good-practice consumption guide rather than reinvent full tools.

Quality, Attestation & Inventory/Legal Sharing

• Status: Spinning up (owner identified).
• Scope: Validation tooling, attestations, inventory publishing/access model (NDA/legal controls), breach handling.
• Next: Abhinav + lead sync; define validation criteria; coordinate with AIAVSS for scoring; explore/common AI vuln DB inputs.

Policy

• Status: Re-activated (Anmol interim).
• Progress: Draft database of regs/policies/frameworks relevant to AIBOM; include industry guidances (e.g., model-risk in finance; healthcare guidances).
• Next: Gap analysis, regulator mapping by region, set up private Slack, co-work with Daniel and regional contributors; outreach during build.

Content & Community 

• Status: Active; seasonal logo set created; site structure outlined.
• Plan: 3–4 short explainers/month (YouTube), webinar/LinkedIn Live cadence starting ~1 month out; document templates/brand kit to be produced; translations to be organized.
• Ops: Anmol handling recordings and YouTube uploads.

Foundational Best Practices (FBP)

• Status: Strong progress.
• Completed: Roles & Responsibilities, Threat Landscape & Taxonomy.
• Next: AIBOM Lifecycle (tie-ins to CycloneDX/SBOM lifecycle), incorporate package deps & vulns.
• Milestone: Pre-release by end-Nov (stretch but targeted). Needs reviewers late Nov.

Sponsorship

• Status: Deck finalized; 4 vendors reviewing; more intros requested.
• Target: $50k by EOY (likely to surpass).

Alliances & Collaborations (NEW)

• Status: Proposed & accepted.
• Scope: Industry partnerships (banks, insurance, healthcare, etc.), universities, cross-foundation (OpenSSF, CISA, SPDX, CycloneDX).
• Approach: Agile engagement now, not post-publish.
• Signals: Steve Wilson connecting two banks (NZ/AU) to contribute.