The creators of the open-source AIBOM Generator, a tool designed to bring transparency to artificial intelligence supply chains, announced that the generator was formally contributed to the Open Worldwide Application Security Project (OWASP) in December, marking a significant step in the maturation of AI security practices.

Developed by security practitioners Helen Oakley and Dmitry Raidman, the AIBOM Generator was introduced at RSAC 2025. At the time, it filled a notable gap: while AI adoption was accelerating rapidly, practical tools to document and understand the components behind AI models were lagging. The generator was the first open-source tool capable of automatically producing an AI Software Bill of Materials (AIBOM) for models hosted on Hugging Face.

The launch drew interest from the security, AI, and software supply chain communities. According to the project's maintainers, it validated a growing concern that organizations lacked visibility into the models, data, and configurations embedded in the AI systems they were deploying.

The AIBOM Generator has evolved from a proof-of-concept into a widely referenced implementation and is listed in the CycloneDX Tool Center. It has been used to demonstrate how AI supply chain metadata can be extracted, structured, and assessed at scale.

The tool generates standards-aligned AIBOMs in CycloneDX format, helping teams answer fundamental questions about AI models: what is inside them, where they originated, what data and parameters shaped them, and how complete their documentation is.
The decision to move the project under OWASP reflects feedback from the community, the creators said. As interest grew, so did calls for open governance and a neutral steward to guide its future development.

The AIBOM Generator is now part of the OWASP GenAI Security Project, where it will operate as the OWASP AIBOM Generator. Under OWASP, the project aligns with other GenAI-focused initiatives, including the OWASP Top 10 for Large Language Models and work on agentic application security.

Placing the tool within OWASP brings several changes. Development will now follow an open, community-driven governance model, with transparent evolution of field mappings, checks, and standards alignment across ecosystems such as CycloneDX and SPDX. It also creates a shared space for researchers, engineers, and security teams to collaborate on practical AI supply chain security.

Looking ahead, the project will focus on improving AI-specific completeness checks, expanding automated metadata extraction, and supporting consistent AIBOM generation at scale. The team is also developing an OWASP AIBOM Generation Handbook to document best practices for using AIBOMs in governance, compliance, and incident response.

As AI systems continue to outpace traditional assurance mechanisms, supporters say AIBOMs offer a structured way to understand risk. With the generator now under OWASP, its creators said the path toward interoperable and community-maintained AI transparency is clearer.

Produced in partnership with the OWASP Generative AI Security Project. Edited by Stephen Weigand, SC Media managing editor.
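To make the two ideas above concrete (a CycloneDX-format AIBOM that records what is in a model, where it came from and what data shaped it, and an AI-specific completeness check over that document), here is an added Python example. It is not the OWASP AIBOM Generator's own code and does not use its API. The sample model, organization, URL and hash are constructed for the example and do not exist; the list of fields that count toward completeness and their weights are likewise assumptions of this example, not the project's field mappings or scoring.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample metadata, as if extracted from a model card. The model,
# organisation, URL and hash are invented for this example and do not exist.
SAMPLE_MODEL = {
    "name": "example-org/demo-text-classifier",
    "version": "1.2.0",
    "supplier": "example-org",
    "license": "Apache-2.0",
    "download_url": "https://huggingface.co/example-org/demo-text-classifier",
    "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "task": "text-classification",
    "architecture": "transformer",
    "datasets": ["example-org/demo-reviews-corpus"],
    "intended_use": "Sentiment classification of product reviews.",
    "limitations": None,  # deliberately undocumented, to exercise the check
}

# Which fields count toward completeness, and their weights, are assumptions of
# this example, not the OWASP AIBOM Generator's field mappings or scoring.
COMPLETENESS_FIELDS = [
    ("name", 1.0), ("version", 1.0), ("supplier.name", 1.0), ("licenses", 1.0),
    ("hashes", 1.0), ("externalReferences", 0.5),
    ("modelCard.modelParameters.task", 1.0),
    ("modelCard.modelParameters.architectureFamily", 0.5),
    ("modelCard.modelParameters.datasets", 1.0),
    ("modelCard.considerations.useCases", 1.0),
    ("modelCard.considerations.technicalLimitations", 1.0),
    ("modelCard.considerations.environmentalConsiderations", 0.5),
]


def prune(obj):
    """Recursively drop None values and empty containers so the BOM carries only real data."""
    if isinstance(obj, dict):
        cleaned = {k: prune(v) for k, v in obj.items()}
        return {k: v for k, v in cleaned.items() if v not in (None, [], {})}
    if isinstance(obj, list):
        return [v for v in (prune(i) for i in obj) if v not in (None, [], {})]
    return obj


def get_path(obj, dotted):
    """Walk a dotted key path through nested dicts; None if any segment is absent."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def build_aibom(meta):
    """Assemble a minimal CycloneDX 1.6 AIBOM: one model component plus its datasets."""
    model_ref = f"model:{meta['name']}@{meta['version']}"
    dataset_refs = [f"data:{d}" for d in meta.get("datasets", [])]
    model = {
        "type": "machine-learning-model",
        "bom-ref": model_ref,
        "name": meta["name"],
        "version": meta["version"],
        "supplier": {"name": meta.get("supplier")},
        "licenses": [{"license": {"id": meta["license"]}}] if meta.get("license") else [],
        "hashes": [{"alg": "SHA-256", "content": meta["sha256"]}] if meta.get("sha256") else [],
        "externalReferences": [{"type": "distribution", "url": meta["download_url"]}]
        if meta.get("download_url") else [],
        "modelCard": {
            "modelParameters": {
                "task": meta.get("task"),
                "architectureFamily": meta.get("architecture"),
                "datasets": [{"ref": r} for r in dataset_refs],
            },
            "considerations": {
                "useCases": [meta["intended_use"]] if meta.get("intended_use") else [],
                "technicalLimitations": [meta["limitations"]] if meta.get("limitations") else [],
            },
        },
    }
    datasets = [
        {"type": "data", "bom-ref": r, "name": d, "data": [{"type": "dataset", "name": d}]}
        for d, r in zip(meta.get("datasets", []), dataset_refs)
    ]
    return prune({
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds")},
        "components": [model] + datasets,
        "dependencies": [{"ref": model_ref, "dependsOn": dataset_refs}],
    })


def completeness(component):
    """Weighted share of expected fields present, plus the list of what is missing."""
    total = sum(w for _, w in COMPLETENESS_FIELDS)
    earned, missing = 0.0, []
    for path, weight in COMPLETENESS_FIELDS:
        if get_path(component, path) in (None, "", [], {}):
            missing.append(path)
        else:
            earned += weight
    return {"score": int(round(100 * earned / total)), "missing": missing}


if __name__ == "__main__":
    bom = build_aibom(SAMPLE_MODEL)
    print(json.dumps(bom, indent=2))
    print(completeness(bom["components"][0]))
```

The point of the check is the missing list rather than the number: a model with no documented technical limitations or environmental footprint still scores reasonably, but the gaps are named, which is what a governance or incident-response reviewer needs to act on. Pruning empty fields before serialising keeps the document from claiming coverage it does not have.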
Application security, Third-party code, DevSecOps, AI/ML, Generative AI, AI benefits/risks

AIBOM generator finds new home at OWASP to boost AI transparency

