AI systems are evolving faster than most security programs can track. Models change, tools multiply, and agent behaviors emerge across codebases and containers. That creates a simple but urgent question: what is an AI system composed of and how is it built?

The answer is Cisco’s AI BOM (AI Bill of Materials), now available as part of Cisco AI Defense and as an open-source tool. It gives security and engineering teams a clear inventory of AI assets and the context needed to understand how those assets are orchestrated in an agentic workflow.

The AI Inventory Gap

Traditional SBOMs (Software Bills of Materials) focus on packages and dependencies. Cloud visibility platforms, on the other hand, show deployed cloud infrastructure, which may include AI assets such as models, MCP tools, agents, and prompts. That is not enough for comprehensive AI visibility. For example, an AI chat app may connect to several agents and use multiple MCP tools, other MCP constructs, and datastores like vector databases to build a cohesive response to user queries. Organizations need deep visibility into AI-specific building blocks like models, agents, tools, and prompts, and into the workflows that connect them. That means shifting left to the source of the AI app: scanning the code in code repositories or container images to produce a comprehensive AI BOM.

Without that deep visibility, teams face AI supply chain risks like:

Unapproved or unexpected models introduced into production
Shadow tools or agent capabilities that expand beyond intended scope
AI workflows that touch sensitive data without clear lineage
Incomplete governance and audit trails for AI systems

Cisco’s AI BOM: A Differentiated Approach

Cisco’s AI BOM is purpose-built to map the AI assets used in an AI application. In its initial release, it scans codebases and container images to identify AI assets like agents, prompts, models, and tools, and produces a structured report of how these assets are used together. This lays the foundation for deeper lineage and dependency analysis.

The Cisco AI BOM approach centers on three principles:

AI asset discovery
This focuses on AI assets that matter to security and governance, not just generic dependencies. Traditional SBOMs have focused on package dependencies used in a software product.
A curated knowledge base
It is powered by a frequently updated knowledge base with a comprehensive categorization of all code constructs, covering more than 10 popular AI and agentic frameworks, such as LangChain, OpenAI, AWS Bedrock, AutoGen, Anthropic SDK, and Google GenAI, to mention a few. This provides valuable grounding information for mapping AI assets discovered in source code.
AI asset dependency graph
AI BOM constructs dependency graphs that show how AI assets are orchestrated within an AI application. This includes relationships between agents, models, MCP tools and prompts, based on code scans.


This combination makes AI BOM uniquely actionable. It shows what assets are there, how they are used by AI applications, and where they sit in your AI ecosystem.

Cisco’s Approach to AI Security

Cisco AI Defense secures the AI application lifecycle through a unified approach spanning Discovery, Detection, and Protection.

Securing the AI application lifecycle with AI Defense starts with discovery, which focuses on identifying AI assets and understanding how they are used. AI Defense provides AI cloud visibility across models, agents, and connected data sources. AI BOM augments this discovery by identifying how AI applications are built from source code and container images, capturing visibility into AI assets such as models, agents, MCP tools, and frameworks.

Detection uses this asset visibility to identify risk before production impact. AI Defense scans model files, agents, prompts, and MCP tools to detect malicious or unsafe AI assets as part of AI supply chain risk management. It also runs algorithmic red teaming through AI Validation, which identifies safety, security, and privacy vulnerabilities in AI assets and applications.

Protection mitigates threats at runtime. With full visibility into AI assets, AI Defense Runtime applies guardrails to production AI applications and agents, blocking harmful responses and attacks in real time to protect deployed AI applications. Together, these capabilities help teams move beyond ad-hoc audits toward consistent, repeatable AI security practices across the AI application lifecycle.

Get Started
Cisco’s AI BOM is an open-source, CLI-based utility available now for early experimentation, extension and integration into developer workflows. Explore the project, review the approach, and contribute to the community at the GitHub repository: https://github.com/cisco-ai-defense/aibom