AI Bill of Materials and Beyond: Systematizing Security Assurance through the AI Risk Scanning (AIRS) Framework
Samuel Nathanson, Alexander Lee, Catherine Chen Kieffer, Jared Junkin, Jessica Ye, Amir Saeed, Melanie Lockhart, Russ Fink, Elisha Peterson, Lanier Watkins
TL;DR
The AI Risk Scanning (AIRS) framework addresses fragmented AI assurance by introducing a threat-model–driven, evidence-generating approach that extends SBOM practices to AI-specific risks. It evolves through three pilots—AIBOM, OPAL, and AIRS—culminating in a machine-verifiable methodology aligned with MITRE ATLAS threat categories. A PoC on a quantized GPT-OSS-20B model demonstrates enforceable loader policies, per-shard hash integrity, and runtime probes that yield auditable evidence, highlighting gaps in SPDX 3.0 and CycloneDX 1.6 coverage. The work argues for automated, threat-informed assessments as a foundation for trustworthy AI provenance and outlines paths to broader modality support and system-level assurance.
Abstract
Assurance for artificial intelligence (AI) systems remains fragmented across software supply-chain security, adversarial machine learning, and governance documentation. Existing transparency mechanisms - including Model Cards, Datasheets, and Software Bills of Materials (SBOMs) - advance provenance reporting but rarely provide verifiable, machine-readable evidence of model security. This paper introduces the AI Risk Scanning (AIRS) Framework, a threat-model-based, evidence-generating framework designed to operationalize AI assurance. The AIRS Framework evolved through three progressive pilot studies - Smurf (AIBOM schema design), OPAL (operational validation), and Pilot C (AIRS) - that reframed AI documentation from descriptive disclosure toward measurable, evidence-bound verification. The framework aligns its assurance fields to the MITRE ATLAS adversarial ML taxonomy and automatically produces structured artifacts capturing model integrity, packaging and serialization safety, structural adapters, and runtime behaviors. Currently, the AIRS Framework is scoped to provide model-level assurances for LLMs, but it could be expanded to include other modalities and to cover system-level threats (e.g., application-layer abuses, tool-calling). A proof-of-concept on a quantized GPT-OSS-20B model demonstrates enforcement of safe loader policies, per-shard hash verification, and contamination and backdoor probes executed under controlled runtime conditions. Comparative analysis with the SBOM standards SPDX 3.0 and CycloneDX 1.6 reveals alignment on identity and evaluation metadata, but identifies critical gaps in representing AI-specific assurance fields. The AIRS Framework thus extends SBOM practice to the AI domain by coupling threat modeling with automated, auditable evidence generation, providing a principled foundation for standardized, trustworthy, and machine-verifiable AI risk documentation.
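The two checks the proof-of-concept names, a safe loader policy and per-shard hash verification, can be turned into a structured, machine-readable evidence record as sketched below. This is an added illustration, not the AIRS Framework's own code or artifact schema; the shard file names, manifest layout, evidence field names, and the allow/deny lists are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# Loader policy (assumption for illustration): only non-executable formats; pickle-based ones can run code on load.
ALLOWED_FORMATS = {".safetensors"}
DENIED_FORMATS = {".bin", ".pt", ".pkl"}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_loader_policy(model_dir):
    """One finding per weight file: allowed formats pass, denied formats fail."""
    findings = []
    for name in sorted(os.listdir(model_dir)):
        ext = os.path.splitext(name)[1]
        if ext in ALLOWED_FORMATS | DENIED_FORMATS:
            findings.append({"file": name, "check": "loader_policy",
                             "status": "pass" if ext in ALLOWED_FORMATS else "fail"})
    return findings

def check_shard_hashes(model_dir, manifest):
    """One finding per manifest shard: a missing shard or a digest mismatch fails."""
    findings = []
    for shard, expected in manifest["shards"].items():
        path = os.path.join(model_dir, shard)
        observed = sha256_file(path) if os.path.exists(path) else None
        findings.append({"file": shard, "check": "shard_hash", "expected": expected,
                         "observed": observed, "status": "pass" if observed == expected else "fail"})
    return findings

def build_evidence(model_dir, manifest):
    """Machine-readable evidence record: every finding plus one overall verdict."""
    findings = check_loader_policy(model_dir) + check_shard_hashes(model_dir, manifest)
    return {"model": manifest["model"], "findings": findings,
            "verdict": "pass" if all(f["status"] == "pass" for f in findings) else "fail"}

def demo():
    """Constructed model directory: two shards (one tampered) plus a stray pickle-based file."""
    d = tempfile.mkdtemp()
    shards = {"model-00001-of-00002.safetensors": b"\x00" * 64,
              "model-00002-of-00002.safetensors": b"\x01" * 64}
    manifest = {"model": "constructed-demo-model",
                "shards": {n: hashlib.sha256(b).hexdigest() for n, b in shards.items()}}
    for name, data in shards.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data + (b"\xff" if name.startswith("model-00002") else b""))  # tamper shard 2
    open(os.path.join(d, "pytorch_model.bin"), "wb").close()  # denied format present
    return build_evidence(d, manifest)
```

Running `demo()` yields a record whose overall verdict is "fail" with the tampered shard and the pickle-based file each identified in their own finding, while the untouched shard passes both checks.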
