Playbook

Stand Up an AI Bill of Materials

You cannot govern or attest to an AI system you have not inventoried. An AI-BOM catalogs the models, agents, MCP servers, and dependencies your AI runs on - the map governance and audits depend on.

Talk to usFree to start - no card required.

Why this is hard

An AI system is a supply chain: models, agents, the tools they can call, the identities acting, and upstream dependencies. Most organizations have no single inventory of it, which means they cannot bound what they run, trace a compromised component, or attest to an AI system for an auditor. Building an AI-BOM turns a vague sense of exposure into a concrete, reviewable list.

  • Agents and MCP servers proliferate faster than any manual list
  • A compromised dependency is only traceable if it was inventoried
  • Attesting to an AI system requires enumerating its parts
  • The gap between the inventory and observed actors is your shadow AI

The approach, step by step

From no inventory to a living AI-BOM

  1. 1

    Enumerate the models

    List the models and model integrations in use across the platform, including which systems and agents call them.

  2. 2

    Catalog the agents and tools

    Record each agent, what it is scoped to do, and the MCP servers and tools it can invoke.

  3. 3

    Map non-human identities

    Inventory the service accounts and tokens acting as non-human identities, and note the human owner of each.

  4. 4

    Trace the dependencies

    Capture the upstream dependencies in the AI supply chain so a compromised component can be located later.

  5. 5

    Reconcile with reality

    Compare the inventory against the actors actually observed acting, so the gap - the shadow AI - is explicit and closed.

How SentriAI does the work

SentriAI treats the AI-BOM as living, not a one-time spreadsheet. Because it governs actions, observed non-human actors are reconciled against the inventory automatically, so an agent or MCP server that is acting but not catalogued surfaces as shadow AI. The AI-BOM then feeds control mapping and vendor reviews.

What you get out of the box

  • An inventory of models, agents, MCP servers, and dependencies
  • Non-human identities tied to their human owners
  • Automatic reconciliation of observed actors against the BOM
  • A foundation for control mapping and vendor security reviews

Avoid the common pitfall

Frequently asked questions

What is an AI-BOM?

An AI Bill of Materials is a structured inventory of the components an AI system depends on - models, agents, MCP servers and tools, non-human identities, and upstream dependencies. It is the AI counterpart to a software bill of materials and the prerequisite for governing or attesting to AI.

How do I build an AI-BOM?

Enumerate the models in use, catalog the agents and the tools they can call, map non-human identities to their owners, trace the supply-chain dependencies, and then reconcile the inventory against what is actually acting so shadow AI surfaces.

How does an AI-BOM relate to shadow AI?

The AI-BOM is the list of AI you sanctioned; shadow AI is what is acting but not on the list. Comparing observed non-human actors against the BOM is exactly how ungoverned agents and MCP servers surface.

Why do I need an AI-BOM for compliance?

Because attesting to an AI system, answering a vendor security review, or mapping controls all require knowing the system’s parts. The AI-BOM is the inventory those activities depend on.

Stay in the loop

One practical finance briefing a week - new guides, checklists, and benchmarks.

 

Inventory your AI, then govern it

Build the living AI-BOM governance depends on. Start free, no card required.

Talk to us