Overview
Severity: MEDIUM | Affected: U.S. Department of Commerce | Category: policy
The U.S. Department of Commerce, through NIST, has issued a final rule requiring providers of AI systems used in critical infrastructure sectors to maintain and provide an AI Bill of Materials (AIBOM). Effective July 1, 2026, the mandate requires companies in energy, finance, and healthcare to disclose key components of their AI systems, including training datasets, open-source libraries, base models, and data provenance information. The goal is to enhance transparency and security within the AI supply chain, enabling faster vulnerability identification and mitigation. This policy follows several high-profile incidents involving tainted training data and vulnerable dependencies in AI models. While industry groups have praised the move for standardizing security practices, some smaller AI vendors have expressed concerns about the administrative overhead and potential for exposing proprietary information.