MOM Call 8: Dec 9, 2025


Overview

The OWASP AIBOM Weekly Call on December 9, 2025 (Call #8) focused on housekeeping, project roadmap, the new website and content infrastructure, and workstream updates with an emphasis on the AI BOM definition, tooling, policy, and threat intelligence workstreams. The call confirmed that the next plenary meeting will be on January 6, 2026 (no call on December 23 due to holidays). A key theme was accelerating consensus on the AI BOM definition and taxonomy, improving cross-workstream collaboration (including time zone considerations), and ensuring alignment with other OWASP AI initiatives and external standards. The content workstream showcased the current website, documentation structure, and feedback mechanisms, while threat intel and policy workstreams outlined their early roadmaps. The group also discussed new collaborations emerging from Black Hat MEA and future alignment with agentic AI work and FOSDEM/open-source communities.

Action Items

  • Meeting cadence & logistics

    • Move the next main AIBOM call to January 6, 2026 (no plenary call on December 23).

    • Continue workstream-level calls and Slack coordination through December and early January.

  • AI BOM Definition & Taxonomy

    • Prerequisites workstream to:

      • Maintain the current AI BOM definition draft as the main collaboration artifact.

      • Keep it open for review and comments until December 19, 2025.

    • All contributors to review the AI BOM definition document and add comments directly in the Google Doc by the deadline.

    • Set up / continue a dedicated Slack space for definitions & taxonomy under prerequisites and ensure invitations for:

      • Victor, Lovely, Behnaz, and other interested contributors.

    • Use both in-doc comments and the Google suggestions form for feedback until scale demands a more streamlined process.

  • Website, Content & Feedback

    • Content workstream (Anmol, others) to:

      • Post all relevant links (Google Drive structure, definition doc, policy sheet, Google feedback form) to the community Slack.

      • Ensure minutes and recordings continue to be updated on the website within 12–24 hours after each call.

      • Update the roadmap section on the website once workstream leads finalize revised timelines.

      • Add links from the website to the shared working folders for easier onboarding.

    • Community members to:

      • Use the Google feedback form for website and content suggestions (ongoing).

      • Subscribe to and share the YouTube channel; expect future shorts once materials mature.

  • Workstream Operations & Time Zones

    • Prerequisites workstream to:

      • Continue weekly meetings (currently Wednesdays 11:00 a.m. EST), but:

        • Explore alternate or rotating times and/or a structured handover/notebook for contributors in other time zones (e.g., US West Coast).

    • Aruneesh to follow up 1:1 with Nisha to understand constraints and propose improvements (e.g., summary posts, async tasks).

  • Tooling & Threat Intelligence

    • Tooling workstream (Yuvraj and team) to:

      • Continue building the consolidated list of AI BOM-related tools, including entries suggested by Victor and others.

    • Threat Intel workstream (Bakul and team) to:

      • Continue analysis of open-source AI security frameworks and perform coverage/gap analysis.

      • Start consolidating open-source tooling for AI threat intelligence and vulnerability monitoring.

      • Coordinate with Tooling to avoid duplication and share a unified view of tools.

      • After prerequisites/foundational docs stabilize, begin mapping taxonomy to threat intel feeds (vulnerabilities, exploitability, exposure).

  • Policy & Regulations

    • Policy workstream (Anmol) to:

      • Continue building the regulation list (target 50, currently ~25–26 entries).

      • Expand coverage and refine the tracking sheet, then share with the community.

      • Starting early 2026, engage experts from regulatory bodies and academia for feedback and outreach.

    • Add Behnaz to relevant policy/regulation workstream activities so she can contribute ideas.

  • Collaboration & Cross-Project Alignment

    • Aruneesh to:

      • Pursue collaborations initiated at Black Hat MEA with:

        • Universities in the Middle East and Egypt.

        • Additional industry practitioners and vendors focused on AI security.

      • Share AI Exchange project information and links with G (and others interested) for discussions around agentic AI.

      • Work toward a “scrum of scrums” or regular coordination between OWASP AI projects (AIBOM, AI Exchange, GenAI, AIVSS, etc.) to:

        • Harmonize definitions.

        • Minimize redundancy (e.g., red teaming vs threat intel).

        • Clarify inter-project mapping.

    • Karen to:

      • Post information on FOSDEM / FOS AI-related opportunities in the AIBOM Slack so the group can consider a submission.

  • Sponsorship & Future Localization

    • Aruneesh to:

      • Continue nurturing the sponsor pipeline while ensuring alignment with the project’s scope, definitions, and roadmap.

    • Medium-term:

      • Identify volunteers for language translation in early 2026 once key guidance and foundational content are ready.

Outline

  1. Welcome, Housekeeping, and Scheduling
  • Host: Yuvraj opens Call #8 (December 9, 2025) and notes:

    • The call is recorded and prior meetings are available on YouTube.

    • Slack is the primary communication channel with a public community workspace and separate workstream channels.

  • Meeting cadence:

    • Regular calls are every two weeks, but due to the holiday period, there will be:

      • No call on December 23, 2025.

      • The next call on January 6, 2026, by which time workstreams are expected to have progressed content.

  2. Introductions of New and Returning Members
  • Behnaz – Senior Cybersecurity Analyst at Accenture, co-lead of OWASP AI Exchange; extensive experience across AI governance, AI red teaming, and AI + cybersecurity; eager to support AIBOM.

  • Bakul (LinkedIn) – Product Security Engineer at LinkedIn (India), originally SRE; exploring the intersection of AI and cybersecurity and keen to contribute.

  • Karen – AI expert with ISO and IEEE; previously introduced but re-confirms her standards background.

  • Existing members (e.g., Lovely, others) briefly acknowledge prior introductions.

  3. Project Roadmap & Growth
  • Roadmap:

    • The previously published 2025/2026 roadmap is being revised based on feedback from workstreams.

    • Updated timelines will be confirmed with workstream leads and then published as a concrete roadmap on the website.

  • Growth indicators:

    • Slack community and LinkedIn follower counts continue to grow.

    • YouTube channel subscribers are now around 55–60 and trending upward.

  4. Website, Content & Documentation Infrastructure (Content Workstream Spotlight)
  • Website (oaspib.org):

    • Live for about four weeks with ongoing minor improvements and feature updates.

    • Sections:

      • Home / About: includes Join & Contribute Google form (Slack + calendar invites), leadership overview, and a roadmap section (to be updated after leads’ meeting).

      • Workstreams: overview of active workstreams and their focus areas.

      • Minutes of Meetings: minutes for all seven previous calls already published; updated within 12–24 hours after each call.

      • Meeting Recordings: links to YouTube recordings of all calls (also updated within 12–24 hours).

      • Guidance: currently holds guidance on two initial topics; will be expanded as foundational deliverables are ready.

      • Sponsorship: decks and details for sponsorship tiers (Gold, Silver, etc.).

      • Resources: blogs, podcasts, news mentions, and upcoming events where AIBOM is featured or discussed.

  • Google Drive Working Structure:

    • Weekly Meetings folder: slide decks, notes, and minutes.

    • Workstreams folders: one per workstream, containing resource docs, minutes from workstream-level calls, and active drafts.

    • Prerequisites folder: resource list, weekly MoMs, and working drafts (e.g., definition and taxonomy).

  • YouTube channel:

    • Currently hosts full recordings of calls.

    • In future (once core content stabilizes) the content team intends to produce short educational clips and other outreach material.

  • Feedback pathways:

    • A Google suggestions form is live for:

      • Website and usability feedback.

      • AI BOM definition feedback.

      • Foundational best practices / AI BOM 101 comments.

    • Anmol shows the form and notes:

      • AI BOM definition review deadline: December 19, 2025.

      • Foundational best practices / AI BOM 101: open for edits through at least January 16, 2026.

      • Content feedback: ongoing.

  5. AI BOM Definition & Taxonomy (Prerequisites Workstream)
  • Status:

    • The definition of AI BOM has been consolidated from multiple references into a baseline draft under the Prerequisites workstream.

    • This draft is now open for community review.

  • Process:

    • The team plans:

      • A bi-weekly cadence of producing and refining definitions.

      • A dedicated Slack channel for definition/taxonomy discussion.

      • A structure where each definition includes cross-references to other bodies’ definitions (SPDX, CycloneDX, banking sector, etc.).

  • Community feedback:

    • Alan and Raymond previously highlighted that:

      • Clear definitions and scope are blockers for almost everything else (best practices, tooling, policy, etc.).

      • The project must be explicit on scope (what is and is not an AI BOM) and align with use cases.

    • Aruneesh reiterates commitment to:

      • Execute on definitional work quickly and transparently.

      • Encourage the entire community to review and comment.

  • Timeline:

    • Comments on the current definition draft are requested by December 19, 2025, with iteration continuing into early 2026.

  6. Black Hat MEA Debrief & Regional Perspective
  • Aruneesh shares observations from Black Hat Middle East & Africa:

    • Comparable in size and significance to Black Hat Las Vegas.

    • AI was a central theme, especially:

      • How AI complicates security for practitioners.

      • Deepfakes and deception as major concern areas.

    • He conducted a livestream discussion with a product company on AI governance/VIP coding topics related to AI BOM; he may share relevant snippets with the group.

    • Emphasizes the importance of including perspectives from Middle East and Africa, not just US/Europe/India, in AIBOM work.

  7. Workstream Updates

7.1 Prerequisites

  • Work in progress:

    • AI BOM definition draft created and shared.

    • Starting consolidation of taxonomies from existing projects (SPDX, others).

    • Planning to address use cases, but notes this will take more time.

  • Supporting docs:

    • Resource lists and weekly workstream minutes are available in the prerequisites folder.

7.2 Formats

  • Currently on hold, awaiting stabilization of prerequisites and definitions.

  • Work will resume once there is a clear AI BOM definition and basic taxonomy.

7.3 Tooling

  • Lead: Yuvraj / team.

  • Focus:

    • Building a first version list of tools around the AI BOM topic, including AI asset discovery, provenance, vulnerability analysis, etc.

    • Incorporating input from Victor and others on SPDX implementations and knowledge-graph-based approaches.

  • Next steps:

    • Ongoing cataloging of open-source tools and aligning categories with other workstreams (prereqs, threat intel).

7.4 Content

  • Lead: Anmol.

  • Ongoing:

    • Updating existing website content, linking to drive folders, and maintaining minutes and recordings.

    • Coordination around blog/podcast/news updates and future video content.

7.5 Foundational Best Practices & Operational Guide

  • Previously discussed as:

    • Dependent on AI BOM definition work.

    • First deliverable is an “AI BOM 101” style document providing starter guidance for organizations.

    • Tentative target around early 2026, as indicated in the roadmap.

7.6 Policy

  • Lead: Aruneesh.

  • Current work:

    • Developing a list of 50 AI-related regulations (currently ~25–26 populated).

    • The sheet will be shared for review via Slack and in the workstream folder.

  • Future focus (early 2026):

    • Engaging regulatory experts and academia to:

      • Validate coverage.

      • Use AI BOM concepts to support policy shaping and literacy.

7.7 Threat Intelligence

  • Lead: Bakul (new workstream).

  • Vision:

    • Build threat intelligence specific to AI components and map it to AI BOM, ultimately reaching threat mapping standards and metrics like vulnerability, exploitability, exposure.

  • Phase 1 (current):

    • Analyze existing open-source security frameworks and AI security references.

    • Perform coverage and gap analysis for AI threat scenarios.

  • Phase 2 (near-term):

    • Consolidate open-source tooling relevant to AI threat intel and vulnerability analysis (some overlap with Tooling; collaboration planned).

  • Phase 3 (after definitions stabilize):

    • Use AIBOM taxonomy and prerequisites output to:

      • Map threats and intelligence feeds to specific AI BOM entities.

      • Support dynamic risk and exposure views over the AI BOM inventory.

  • Coordination:

    • Yuvraj and Bakul agree to sync Tooling and Threat Intel on overlapping tools and data flows.

  8. Collaboration, Sponsorship, and External Engagement
  • Collaboration:

    • Existing: engagement with banks in Australia and New Zealand (mentioned in an earlier call and referenced again here).

    • New: from Black Hat MEA:

      • Private companies and universities in Middle East and Egypt interested in AIBOM collaboration.

      • More concrete updates expected in upcoming calls.

  • Sponsorship:

    • A sponsor pipeline exists, but:

      • Alan’s feedback on solidifying definitions and use cases is being considered carefully.

      • Due diligence and alignment remain prerequisites for onboarding new sponsors.

    • Target remains to secure meaningful sponsorship while preserving project integrity and clarity of purpose.

  • Localization (future):

    • Longer-term goal to translate key guidance and content into multiple languages.

    • Call for volunteers will come once foundational documents are ready (likely in the coming months).

  9. Cross-Project Alignment, Agentic AI, and Standards Questions
  • Agentic AI:

    • G asks whether agentic AI is being handled in any specific AIBOM workstream and notes it is a hot topic in ISO and regulations.

    • Aruneesh explains:

      • AIBOM touches on agentic aspects indirectly, but the foundational work on agentic AI is more central in OWASP AI Exchange.

      • Offers to share AI Exchange materials on Slack for those interested.

  • Overlap & Redundancy Concerns:

    • Lovely raises the need to:

      • Map AIBOM to other OWASP AI initiatives (AI Exchange, GenAI projects, AIVSS) and avoid duplicative efforts.

      • Clarify boundaries between:

        • Threat Intel (AIBOM) – focusing on deployed AI BOM inventory and ongoing monitoring.

        • Red teaming / GenAI security – focusing more on pre-deployment adversarial testing and assessments.

    • Aruneesh agrees:

      • Recognizes risk of redundant work and suggests building more coordination mechanisms (e.g., a “scrum of scrums” for OWASP AI project leads).

      • Clarifies:

        • Threat intel workstream focuses on real-time context over an AI BOM inventory (who runs what, and how new threats affect those assets).

        • Red teaming efforts focus on probing and testing models and systems before/around deployment.

  • Standards context:

    • Victor mentions an EU initiative on describing laws/regulations and underlines:

      • The critical need for precise terminology given each law’s specific context.

      • AIBOM should preserve clarity when defining both terms and requirements.

    • Karen asks whether anyone has submitted AIBOM work to FOSDEM (or similar FOSS event):

      • Suggests this would expose AIBOM to a broader open source developer audience.

      • Aruneesh requests Karen to post the link in Slack so they can consider a submission.

  10. Participation, Onboarding, and Feedback
  • Access & onboarding:

    • Several participants (e.g., Bakul Gupta, Zoe) indicate they plan to:

      • Thoroughly review the website and documents.

      • Choose specific workstreams to join by the next call.

    • Lovely is interested in joining multiple workstreams; Aruneesh commits to adding her to the relevant Slack channels and encourages inviting other academics.

    • Behnaz wants to start with the regulations/policy workstream and will review documents before the next session.

  • Time zone & handover:

    • Nisha notes difficulty attending prerequisites calls due to time zones and overlapping meetings, and asks for better handover across time zones.

    • Anmol reminds the group that workstream minutes are posted in Slack and the shared folders; Aruneesh commits to follow up with Nisha and consider a poll or broader scheduling adjustments.

  11. Closing & Next Steps
  • General sentiment:

    • Participants (e.g., Scott) express appreciation for the project’s direction and the quality of discussions; they leave motivated to contribute.

  • Closing remarks:

    • Yuvraj:

      • Recaps that there will be no call on December 23 and the next main call is January 6, 2026.

      • Encourages continued engagement via Slack and workstream meetings.

      • Wishes everyone a Merry Christmas and a Happy New Year 2026.

The call is adjourned.
