Shadow AI Rises: Why Enterprises Now Need AI-BOMs

💡 As shadow AI replaces shadow IT, traditional software bills of materials fall short. AI-BOMs emerge as the new security imperative.

Shadow AI Is the New Shadow IT — And Enterprises Aren't Ready

The era of shadow IT — employees spinning up unauthorized cloud instances and SaaS tools — has evolved into something far more dangerous: shadow AI. As AI applications, large language models, and autonomous agents proliferate across enterprise environments, traditional software bills of materials (SBOMs) no longer provide a complete picture of what's running inside an organization. A new framework called the AI-BOM (AI Bill of Materials) is emerging as the critical missing piece in enterprise security posture.

The core problem is deceptively simple. 'If you don't have visibility, you can't understand what to protect,' security leaders warn. And right now, most enterprises have alarmingly little visibility into the AI components embedded across their supply chains, developer workflows, and business operations.

Key Takeaways

  • Shadow AI has surpassed shadow IT as the top governance concern for enterprise security teams in 2025
  • Traditional SBOMs were designed for software dependencies — they cannot adequately catalog AI models, training data, fine-tuning parameters, or agent configurations
  • AI-BOMs extend the bill-of-materials concept to include model provenance, data lineage, API integrations, and behavioral guardrails
  • Gartner estimates that by 2026, over 80% of enterprises will have AI components they cannot fully inventory or audit
  • Regulatory pressure from the EU AI Act, NIST AI Risk Management Framework, and upcoming U.S. executive orders is accelerating AI-BOM adoption
  • Organizations without AI-BOM strategies face compliance gaps, security blind spots, and potential liability exposure

Why SBOMs Fall Short in the Age of AI Agents

SBOMs became an industry standard after the 2021 Log4j vulnerability exposed how little organizations knew about their software supply chains. President Biden's Executive Order 14028 mandated SBOMs for federal software procurement, and the practice spread rapidly across the private sector. For traditional software — libraries, packages, dependencies — SBOMs work well.

But AI components are fundamentally different from conventional software dependencies. A large language model isn't just a package with a version number. It carries training data provenance, fine-tuning history, alignment configurations, prompt templates, retrieval-augmented generation (RAG) pipelines, and increasingly, agentic tool-use permissions. None of these elements fit cleanly into existing SBOM formats like SPDX or CycloneDX.

Consider a typical enterprise scenario: a customer service team deploys an AI chatbot built on a fine-tuned version of Meta's Llama 3, connected to internal knowledge bases via a RAG pipeline, with tool-calling capabilities that let it access CRM systems. An SBOM might capture the Python packages involved, but it tells you nothing about the model's training data, its behavioral boundaries, or what enterprise systems it can autonomously access.

What an AI-BOM Actually Contains

An AI-BOM extends the traditional bill-of-materials concept to capture the unique attributes of AI systems. Unlike an SBOM, which primarily tracks code dependencies, an AI-BOM must document a far richer set of metadata.

Core components of a comprehensive AI-BOM include:

  • Model identity and provenance: Which foundation model is used, its version, who trained it, and what license governs it
  • Training and fine-tuning data lineage: What datasets were used, their sources, potential biases, and data retention policies
  • Behavioral guardrails and alignment: What safety filters, system prompts, and output constraints are in place
  • Integration surface area: Which APIs, databases, tools, and enterprise systems the AI can access
  • Agent permissions and autonomy level: What actions the AI can take independently versus requiring human approval
  • Performance and evaluation benchmarks: How the model was tested, on what metrics, and known failure modes

This level of documentation goes well beyond what any current SBOM standard supports. Several organizations, including the Linux Foundation, OWASP, and MITRE, are working on frameworks to standardize AI-BOM formats, but no single standard has achieved dominance yet.

The Shadow AI Problem Is Bigger Than Most CISOs Realize

Shadow AI manifests in ways that are harder to detect than traditional shadow IT. When an employee spun up an unauthorized AWS instance 5 years ago, network monitoring tools could flag the anomaly. Shadow AI is more insidious.

Developers embed AI API calls — to OpenAI, Anthropic, Google Gemini, or open-source models — directly into applications without going through formal procurement or security review. Business analysts use AI-powered tools like Microsoft Copilot or standalone ChatGPT accounts to process sensitive data. Marketing teams fine-tune models on proprietary customer data using third-party platforms. Each of these activities creates AI dependencies that exist outside the organization's security perimeter.

A 2025 survey by Salesforce found that 49% of employees using generative AI tools at work have never received formal approval to do so. Meanwhile, research from Gartner indicates that the average enterprise now has 3x more AI integrations than their security teams are aware of. The gap between actual AI usage and documented AI usage represents a massive attack surface.

Regulatory Pressure Accelerates AI-BOM Adoption

The compliance landscape is rapidly making AI-BOMs not just a best practice but a legal necessity. The EU AI Act, which entered enforcement phases in 2025, requires organizations deploying high-risk AI systems to maintain detailed documentation of model characteristics, training data, and risk assessments. Without an AI-BOM, meeting these requirements is nearly impossible.

In the United States, the NIST AI Risk Management Framework (AI RMF) provides voluntary guidelines that increasingly influence federal procurement requirements. Several sector-specific regulators — including the SEC for financial services and the FDA for healthcare AI — are developing their own AI documentation mandates.

Key regulatory drivers pushing AI-BOM adoption:

  • EU AI Act Article 11 requires technical documentation for high-risk AI systems
  • NIST AI RMF emphasizes transparency, accountability, and AI system mapping
  • Executive Order 14110 on safe AI development includes supply chain security provisions
  • ISO/IEC 42001 establishes AI management system requirements that implicitly demand component inventories

Organizations operating across jurisdictions face a patchwork of requirements that all point in the same direction: you need to know what AI you're running, where it came from, and what it can do.

How Leading Enterprises Are Building AI-BOM Programs

Early adopters are taking a phased approach to AI-BOM implementation. Rather than attempting to catalog every AI component at once, security teams are starting with high-risk and customer-facing AI systems, then expanding coverage over time.

Microsoft has integrated AI component tracking into its internal security operations, extending its existing SBOM infrastructure to capture model metadata. JPMorgan Chase, which reportedly employs over 2,000 AI and ML models in production, has built proprietary model governance frameworks that function as de facto AI-BOMs. Startups like Protect AI, HiddenLayer, and Robust Intelligence (acquired by Cisco in 2024 for approximately $500 million) offer commercial tools that automate AI-BOM generation and vulnerability scanning.

The practical implementation typically follows 3 phases: discovery (finding all AI components), documentation (creating the AI-BOM entries), and continuous monitoring (detecting changes, new deployments, and emerging vulnerabilities). Compared to SBOM programs that took enterprises 12-18 months to mature, AI-BOM programs are expected to require 18-24 months due to the added complexity of AI-specific metadata.

What This Means for Developers and Security Teams

For developers, the AI-BOM shift means that deploying an AI model or integrating an LLM API will increasingly require the same level of documentation and review as introducing a new software dependency. DevSecOps pipelines will need to incorporate AI-specific checks — verifying model provenance, scanning for known model vulnerabilities, and validating that behavioral guardrails are in place before deployment.
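
The six AI-BOM component groups listed earlier and the pre-deployment checks described above can be combined into a single pipeline gate. The following is an added example, not code from any vendor or standards body named in this article; the schema, the field names and the sample record (modeled on the Llama 3 chatbot scenario) are hypothetical and constructed for illustration.

```python
# Added example: hypothetical AI-BOM schema, not a standard format.
REQUIRED_SECTIONS = ("model", "data_lineage", "guardrails",
                     "integrations", "agent_permissions", "evaluation")

# Constructed record for the Llama 3 support chatbot scenario.
SAMPLE_AIBOM = {
    "model": {"base": "Llama 3", "variant": "fine-tuned", "version": "constructed-v1",
              "trained_by": "internal-ml-team", "license": ""},
    "data_lineage": [
        {"dataset": "support-tickets", "source": "internal CRM export"},
        {"dataset": "scraped-faq", "source": ""},
    ],
    "guardrails": {"system_prompt_sha256": "PLACEHOLDER", "output_filters": ["pii-redaction"]},
    "integrations": [{"name": "kb-rag-index", "access": "read"},
                     {"name": "crm-api", "access": "write"}],
    "agent_permissions": {"kb-rag-index": {"human_approval": False},
                          "crm-api": {"human_approval": False}},
    "evaluation": {"benchmarks": [], "known_failure_modes": ["hallucinated refund policy"]},
}

def audit_aibom(bom):
    """Return a list of findings; an empty list means the record passes the gate."""
    findings = []
    for section in REQUIRED_SECTIONS:
        if not bom.get(section):
            findings.append(f"missing section: {section}")
    model = bom.get("model", {})
    for field in ("base", "version", "trained_by", "license"):
        if not model.get(field):
            findings.append(f"model.{field} is empty")
    for ds in bom.get("data_lineage", []):
        if not ds.get("source"):
            findings.append(f"dataset {ds.get('dataset')!r} has no documented source")
    if not bom.get("guardrails", {}).get("output_filters"):
        findings.append("no output filters declared")
    perms = bom.get("agent_permissions", {})
    for integ in bom.get("integrations", []):
        name, access = integ.get("name"), integ.get("access")
        if name not in perms:
            findings.append(f"integration {name!r} has no permission entry")
        elif access != "read" and not perms[name].get("human_approval"):
            findings.append(f"{name!r} allows {access} without human approval")
    if not bom.get("evaluation", {}).get("benchmarks"):
        findings.append("no evaluation benchmarks recorded")
    return findings

if __name__ == "__main__":
    for finding in audit_aibom(SAMPLE_AIBOM):
        print("FAIL:", finding)
```

The sample record fails on four counts, including the write-capable CRM integration that runs without human approval, which is the kind of gap a package-level SBOM would never surface.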

For CISOs and security leaders, the priority is establishing visibility before enforcement. You cannot secure what you cannot see. The first step is conducting an AI asset discovery across the organization — identifying every model, API integration, fine-tuned variant, and agentic system in production or development. Only after that inventory exists can meaningful risk assessment begin.
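
A minimal sketch of that discovery step, covering the embedded AI API calls described earlier: scan source code for AI SDK imports and provider API hostnames, then subtract what the inventory already documents. This is an added example, not tooling from the article or any vendor it names; the sample repository, the inventory and the signature table are constructed and would need extending for a real environment.

```python
import re

# Signatures of AI usage: Python SDK imports and API hostnames for the
# providers the article names. The table is illustrative, not exhaustive.
SIGNATURES = {
    "openai": [r"^\s*(?:import|from)\s+openai\b", r"api\.openai\.com"],
    "anthropic": [r"^\s*(?:import|from)\s+anthropic\b", r"api\.anthropic\.com"],
    "google-gemini": [r"^\s*(?:import|from)\s+google\.generativeai\b",
                      r"generativelanguage\.googleapis\.com"],
    "local-model": [r"^\s*(?:import|from)\s+transformers\b"],
}
COMPILED = {provider: [re.compile(rx, re.MULTILINE) for rx in rxs]
            for provider, rxs in SIGNATURES.items()}

# Constructed sample repository (path -> contents) so the example runs offline.
SAMPLE_REPO = {
    "billing/summarize.py": "import openai\nclient = openai.OpenAI()\n",
    "support/bot.py": "from transformers import AutoModelForCausalLM\n",
    "marketing/draft.js": "fetch('https://api.anthropic.com/v1/messages', opts)\n",
    "core/utils.py": "import json\n# openai mentioned in a comment only\n",
}
# Constructed inventory: (path, provider) pairs already covered by an AI-BOM entry.
DOCUMENTED = {("support/bot.py", "local-model")}

def discover(repo):
    """Return the set of (path, provider) pairs where an AI signature matches."""
    hits = set()
    for path, text in repo.items():
        for provider, patterns in COMPILED.items():
            if any(p.search(text) for p in patterns):
                hits.add((path, provider))
    return hits

def shadow_ai(repo, documented):
    """AI usage found in code but absent from the inventory, sorted for stable output."""
    return sorted(discover(repo) - documented)

if __name__ == "__main__":
    for path, provider in shadow_ai(SAMPLE_REPO, DOCUMENTED):
        print(f"undocumented AI dependency: {provider} in {path}")
```

A static scan like this only sees what is in the code it is given; calls routed through an internal gateway, browser-based tools and personal accounts need network egress and SaaS usage data to find.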

For business leaders, the message is equally clear: AI governance is no longer optional. The organizations that build robust AI-BOM practices now will have a significant competitive advantage as regulations tighten and enterprise customers begin demanding AI transparency from their vendors.

Looking Ahead: AI-BOMs Become Table Stakes by 2027

The trajectory is unmistakable. Just as SBOMs went from obscure concept to industry mandate in roughly 3 years following Log4j, AI-BOMs are on a similar — and likely faster — adoption curve. The proliferation of AI agents that can autonomously take actions, make API calls, and interact with enterprise systems adds urgency that even Log4j didn't create.

By 2027, industry analysts expect AI-BOMs to be a standard requirement in enterprise procurement processes, government contracts, and cyber insurance underwriting. Organizations that delay adoption risk finding themselves unable to comply with emerging regulations, unable to respond effectively to AI-related security incidents, and unable to answer the fundamental question every board of directors will soon ask: 'What AI is running in our environment, and what can it do?'

The shadow AI era demands a new kind of transparency. AI-BOMs are the answer — and the clock is ticking.