MOM Call #15: May 12, 2026

Overview

OWASP AIBOM Call #15 marked approximately four months since the project launch and highlighted continued momentum across sponsorships, content creation, foundational guidance development, academic collaboration, and conference participation. The meeting focused heavily on operationalizing AI BOM concepts, harmonizing definitions and specifications across the ecosystem, and increasing industry engagement through blogs, events, and standards collaboration.

A major theme throughout the call was the growing need for practical AI BOM guidance as organizations struggle with visibility into AI systems, dependencies, governance, and operational risk.

Key Highlights

Project Growth & Visibility

• OWASP AIBOM continues expanding globally with:
  • Increased LinkedIn and YouTube activity
  • More structured content publishing cadence
  • Weekly or bi-weekly guidance publication goals
• Community engagement becoming more operational and content-driven
• Strong focus on making AIBOM more actionable for practitioners

Sponsorship Growth

• Official welcome to new Silver Sponsor:
  • Prediction Guard
• Existing sponsor pipeline remains active
• Project approaching sponsorship growth targets faster than expected
• Sponsorship funding intended to support:
  • Global outreach
  • Conference presence
  • Community expansion
  • Educational initiatives

Prediction Guard Collaboration

Prediction Guard introduced their work around:

• Sovereign AI control planes
• Governance-first AI deployments
• AI visibility and safeguards
• AI BOM internal implementation efforts

Discussion emphasized:

• Need for visibility into:
  • Models
  • Safeguards
  • Infrastructure
  • Runtime controls
• Alignment between operational AI governance and AI BOM goals

The group discussed potential:

• Co-authored blogs
• Joint outreach
• Shared research/content efforts

Conferences & Events

Upcoming Conferences Mentioned

• Black Hat
• DEF CON
• AI Engineer World Fair (San Francisco)
• DeveloperWeek NYC
• Software Supply Chain Assurance Conference (DC)
• OWASP Europe Event (Vienna)
• BSides events
• Denmark security event presentation
• NIST & MITRE presentations

Planned Improvements

• Centralized conference repository
• Standardized presentation templates
• FAQ package for speakers representing AIBOM
• More regional/community outreach

Foundations Workstream (AI BOM 101)

Progress

• AI BOM 101 structure and content progressing steadily
• Agentic AI systems section underway
• Authors finalized for major sections
• Weekly Foundations calls established:
  • Mondays
  • 11 AM EST

Current Focus Areas

• AI BOM definitions harmonization
• Data flow visibility
• Agentic AI BOM structures
• Operational AI visibility
• Mapping terminology across:
  • SBOM
  • MLBOM
  • AIBOM
  • Existing frameworks

Major Discussion Topics

Participants raised concerns around:

• Multiple competing definitions
• Lack of standardization
• Confusion across specifications and formats

Key consensus:

• Focus should be on:
  • Harmonization
  • Operational usefulness
  • Practical adoption
• Avoid fragmentation similar to SBOM ecosystem issues

Policy Workstream

Current Focus

• EU AI Act mapping
• AI BOM-related regulatory controls
• Identifying supply chain relevant articles

Next Steps

• Build policy controls aligned with regulations
• Expand beyond EU AI Act into:
  • US frameworks
  • Global frameworks
• Keep scope manageable for MVP phase

Meeting cadence:

• Thursdays at 9 AM EST

Threat Intelligence Workstream

Current State

• Workstream cadence established:
  • Every two Fridays
• Initial focus:
  • Threat categorization
  • Standard alignment
  • Foundation dependencies

Future Direction

• Threat intelligence framework tied to:
  • AI BOM structure
  • Vulnerability visibility
  • Supply chain attack analysis

Collaboration & Academic Outreach

Ongoing Efforts

• Engagement with multiple universities in:
  • DC
  • Maryland
  • International regions

Additional Collaboration Areas

• Coalition for Secure AI
• NIST
• MITRE
• OpenSSF
• Cross-foundation engagement

Goal:

• Build broader academic + industry ecosystem participation

Content & Engagement Workstream

Current Initiatives

Martin and Sapna discussed:

• Weekly blog strategy
• LinkedIn outreach
• Event promotion
• YouTube shorts
• Live sessions and interviews

New Strategy Direction

Use real-world incidents as anchors for:

• AI BOM awareness
• Supply chain visibility education
• Operational AI security discussions

Example Topics

• LiteLLM incident
• npm ecosystem attacks
• AI supply chain blind spots
• AI ransomware scenarios

Future Automation Goals

Building workflows/bots to:

• Monitor incidents
• Generate blog drafts
• Automate content pipelines

Major Strategic Discussion

“What Is an AI BOM?”

A large portion of the discussion focused on the need for:

• Clear public definitions
• Simpler onboarding explanations
• Better landing-page messaging

Participants emphasized:

• Organizations need immediate clarity on:
  • What AIBOM is
  • Why it matters
  • How it differs from SBOM
  • Its operational value

Recommendation:

• Create simplified “What is AI BOM?” messaging directly on the website homepage

Standards & Harmonization Discussion

Topics Covered

• SPDX evolution
• CycloneDX updates
• VEX integration
• ISO-related efforts
• BSI/CISA guidance
• OpenVEX restructuring

Consensus

The group stressed:

• Harmonization over fragmentation
• Avoid excessive competing specifications
• Focus on interoperability and operational relevance

Key takeaway:
AI BOM must become operationally useful, not just another specification document.

Key Action Items

Foundations

• Continue AI BOM 101 drafting
• Finalize harmonized definitions
• Expand operational guidance
• Add clearer public-facing explanations

Content

• Increase blog publication cadence
• Expand LinkedIn and YouTube outreach
• Improve engagement metrics
• Explore co-authored industry content

Collaboration

• Continue university partnerships
• Strengthen cross-foundation coordination
• Engage standards contributors

Conferences

• Track CFPs and speaking opportunities
• Standardize presentation resources
• Expand global event presence

Policy

• Complete EU AI Act mappings
• Begin US regulatory alignment

Closing Notes

The call reflected a transition from early-stage community building into a more mature operational phase. Discussions increasingly centered on:

• Practical implementation
• Industry adoption
• Governance alignment
• Operational visibility
• Ecosystem harmonization

A recurring theme across the meeting:
AI BOM must avoid repeating the fragmentation and adoption issues experienced in the SBOM ecosystem and instead prioritize practical, actionable value for organizations.