Overview
The OWASP AIBOM Weekly Call #10 focused on a revised 2026 roadmap, the introduction of several high-profile new members, and a major sponsorship announcement. Significant discussion took place regarding the technical direction of AIBOM formats (CycloneDX vs. SPDX), the need for continuous monitoring in production, and the integration of threat intelligence. The project announced the confirmation of a new sponsor and highlighted a ~20% growth in community engagement. The meeting emphasized moving from definitions to operationalization and high-level best practices.
Action Items
Tooling & Formats
- Finalize Tooling List: The consolidated open-source tooling document remains open for internal review until February 3, 2026.
- Format Decision: Schedule a technical sync (Friday, Jan 30) to decide on a primary schema (CycloneDX/SPDX) to drive downstream work for the Threat Intel and Formats workstreams.
- Solicit External Tools: Create a Google Form to allow external companies and open-source projects to nominate tools for the AIBOM ecosystem.
Threat Intelligence
- Superset Threat List: Consolidate threat categories from Atlas, NIST AI RMF, and OWASP into a normalized list by end of February.
- Integrity & Lineage: Thomas and Jatin to sync on adding schema support for “ancestry” and “lineage” to address the malicious fork scenario.
Policy & Best Practices
- AIBOM 101 Outline: Draft the structure and table of contents for the “AIBOM for Dummies” handbook by the next meeting (mid-February target).
- Regulation Tracker: Immediately publish the list of tracked AI regulations (including the new Texas and South Korean acts) on Slack for community feedback.
Operations
- Professionalization: Implement Linear for task tracking to improve visibility and systematic progress monitoring.
- Language Support: Call for volunteers to assist with content translation for the top 6-7 global languages.
Outline
- Welcome and Introductions
  - Pratik Doshi (Area AI): Background in privacy compliance and Samsung; focused on AI orchestration and governance.
  - John (Security practice lead): Extensive background in graph technology (Neo4j) and infrastructure security (NERC CIP). Emphasized the need for “continuous monitoring” rather than static BOMs.
  - Jatin (Salesforce/Informatica): Transitioning to Salesforce; focused on dynamic AI BOMs and offensive/defensive security.
- Community Growth & Metrics
  - Project observed a steady increase in LinkedIn impressions and registration page opt-ins.
  - Emphasis on converting “followers” into “active participants” for upcoming workstream tasks.
- Revised 2026 Roadmap
  - March: Release of consolidated Definitions and Consensus.
  - May: Launch of AIBOM 101 handbook and Standards/Formats documentation.
  - Ongoing: Tooling consolidation and policy tracking.
- Sponsorship Updates
  - A new sponsor was officially confirmed during the call.
  - Two additional sponsors (one from the Middle East, one from Portugal) are in final sign-off stages.
  - Target: Raising $100k – $200k to fund conference participation and core member travel.
- Workstream Updates
  - Requirements: AIBOM definitions are finalized; now moving to taxonomy and use-case consolidation.
  - Formats: Currently on the “back burner” until the taxonomy is finished, but triggered a debate on SPDX vs. CycloneDX flexibility.
  - Policy: Researching “AI-adjacent” regulations (cybersecurity/model governance) that impact transparency. Added focus on Texas, South Korea, and Singapore AI acts.
  - Threat Intel: Working on a “Trusted Feed” aggregator for AIBOM-specific threats.
- Quality, Accuracy & Evidence (Open Forum)
  - Lovely Frances (UMD): Raised questions on “evidence collection” and compliance artifacts.
  - Discussion on mapping AIBOM data to existing audit frameworks (SOC2, FedRAMP) and the future “Quality and Accuracy” workstream.
- Closing Remarks
  - Next plenary call scheduled for February 10, 2026.
  - All members encouraged to maintain momentum on Slack and prepare for the Friday technical sync.