
G7 Agencies Release AI SBOM Guidance

May 13, 2026 00:05

Introduction to AI SBOM Guidance

A group of international government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), released guidance on Tuesday on what they believe any artificial intelligence 'ingredients list' tool should include to make AI more secure. The idea behind such a list, known as a 'software bill of materials' (SBOM), is to document everything that goes into a particular piece of software so that supply chain risks are easier to identify.

There's been a growing focus from cyber experts on how they interact with AI. The guidance produced by agencies from the G7 group of nations is aimed at setting minimum voluntary standards for what SBOMs for AI should look like. It builds on past efforts to produce other kinds of SBOM guidance.

Key Elements of AI SBOM Guidance

The guidance outlines the following key elements that should be included in an AI SBOM: information about the SBOM for AI itself; about the AI system as a whole; for identifying the models used by the AI system; about the datasets used during the whole life cycle of the model; about the physical and virtual infrastructure needed to operate and support the AI system; about the cybersecurity measures that apply to AI models and systems; and about the AI system's key performance indicators.

Industry Reaction to AI SBOM Guidance

A trio of industry professionals who have worked on the topic of AI SBOMs welcomed the guidance, praising it as a good step that could nonetheless be improved upon. Daniel Bardenstein, CEO of Manifest Cyber, said, 'Pretty much every piece of software out there is now going to have AI incorporated into it, and when a hospital is buying an AI-enabled medical device, or the Department of War is buying an AI-enabled weapon system, or auto manufacturers are putting AI into cars, we need to be able to trust what AI is in those systems.'

Dmitry Raidman, co-founder and chief technology officer at Cybeats, said the G7 guidance was 'amazing' because it covers 80 to 90% of what's needed. However, Bardenstein expressed concerns with how easily organizations can implement the guidance, and Raidman said it doesn't adequately tackle the issue of runtime.

Next Steps and Future Developments

Allan Friedman, sometimes called the 'godfather of SBOMs,' said the guidance was a good document, but probably mislabeled because it states that the elements it identifies are not mandatory. Friedman suggested that the next steps could include mapping the guidance into what is being implemented today, and talking about aligning it with policies in the European Union and G7 governments to make sure there are minimal conflicts.

The release of the AI SBOM guidance marks an important step towards improving the security and transparency of AI systems. As the use of AI continues to grow, it is essential to have a clear understanding of the components and risks involved in AI systems.

'This document is laying out sets of types of data that could be useful,' said Friedman. 'And so it is a great, great piece to advance AI transparency and AI system transparency, but it lists potential elements. These aren’t the minimum elements.'

The guidance is expected to evolve over time to keep pace with the rapid advancement of AI technology. As the AI landscape continues to evolve, it is crucial to have a flexible and adaptive approach to AI SBOMs.


Source: CyberScoop
