The AI Bill of Materials (AI BoM) is the canonical inventory of every AI system and AI-enabled feature in use by the function. It is the procurement-side counterpart to the Defensibility Posture Statement: the DPS says what governance applies; the AI BoM says what governance is applied to.
The AI BoM answers two operational questions the function must be able to answer instantly: what AI systems are in use, and where. The first regulator inquiry, the first procurement audit, the first M&A diligence request, the first sectoral compliance check all ask variants of these questions. A function without an AI BoM operates with undisclosed inventory at every external touchpoint.
What the AI BoM contains
Per AI system: vendor name, system identifier, model version, deployment locus (SaaS, on-prem, hybrid), data residency, sub-processor count and identity, business purpose, named owner inside the function, Agentic Tier classification, Lifecycle stage, Risk Taxonomy classes exposed, last evaluation date, contract expiration. Each entry refreshes when the underlying system changes.
Per AI-enabled feature inside non-AI tools: the same metadata applied at the feature level. A document management system with AI-enabled clause extraction is an AI BoM entry, distinct from the parent DMS. A matter management system with AI-enabled time capture is an AI BoM entry. The AI BoM does not stop at standalone AI products; it captures every surface where AI processes legal data, regardless of whether the parent tool is marketed as an AI tool.
Why the AI BoM matters
Functions that operate AI without an AI BoM are operating with undisclosed inventory. The first regulator inquiry that asks what AI systems are in use exposes the gap. The first procurement audit that asks what the function is paying for exposes it again. The first incident review that asks which system was responsible for the failed output exposes it a third time. The AI BoM is the canonical answer to all three and the structural prerequisite for vendor consolidation, exit planning, procurement discipline, and AI Lifecycle management.
For executive committee reporting, the AI BoM also enables portfolio-level views: where is the function over-indexed on a single vendor, where is the function exposed to a single model provider through multiple downstream products, where is sub-processor count growing, where is contract expiration concentration creating renegotiation pressure.
Relationship to vendor-side disclosures
The AI BoM is the deployer-side artefact. Vendor-side AI BoMs (sometimes called AI Software Bills of Materials or ML-BoMs) are emerging as a regulatory expectation under the EU AI Act and adjacent frameworks. The deployer’s AI BoM integrates the vendor-side disclosures with the deployer’s own context: which systems are deployed where, by whom, for what purpose, exposing which Risk Taxonomy classes. Vendor-side disclosure is necessary but not sufficient; the deployer’s AI BoM is the institutional answer that closes the gap between provider transparency and deployer accountability.
AI BoM: Definition and Role
The AI BoM is the procurement‑grade inventory of every AI capability the legal function operates, covering models, datasets, tools, APIs, and vendors. It acts as the institutional procurement gate:
- No AI spend is authorised without an AI BoM entry.
- No AI BoM entry is permitted without governance in place, specifically:
- AI Task Force Charter (STR-07) active
- AI Use Policy in force
- AI Risk Register populated for the capability
Relationship to AI Inventory and Other Modules
- AI Inventory (broader concept): Governs what is known to operate in the function, including:
- Approved tools
- Shadow AI detections
- Tools under evaluation
- AI BoM (procurement-grade subset): Governs what is contracted, auditable, and disclosed.
- The Inventory is the institutional awareness substrate.
- The AI BoM is the procurement‑grade evidence substrate.
Operating Modules and Structures
- AI BoM Standard (DAT-06): The Module that operates the AI BoM at corpus scale.
- AI Task Force (STR-07): The standing forum that reviews and approves additions to the AI BoM.
- Capability Portfolio (SUS-10): The lifecycle‑stage view that sits above the AI BoM, providing a portfolio‑level perspective on capabilities.
Naming and Usage Rules
- Use “AI Bill of Materials” on first reference only; use “AI BoM” thereafter.
- Forbidden synonyms:
- “Software inventory”
- “AI catalogue”
image pending
Diagram showing the relationship between AI Inventory, AI BoM, and Capability Portfolio
The AI BoM is not just a list of tools; it is the enforcement point where procurement, governance, and risk management intersect. No AI spend proceeds without a corresponding AI BoM entry backed by active governance machinery.