Every regulated organisation already keeps an inventory of the things it must govern. It knows which systems hold regulated data, who has privileged access, which keys encrypt what, and which vendors sit in the critical path. AI is the newest entry on that list and, in most organisations, the least inventoried. Teams are running models through a dozen tools, calling external providers from inside applications, and pasting sensitive material into assistants, and the governance function frequently cannot produce a current list of what is in use, on what data, for what decision. The principle that has governed every other regulated asset applies here without modification: you cannot govern what you have not inventoried.

The instrument that closes the gap is an AI bill of materials: a maintained, structured record of every AI system, the provider and model behind it, the version in production, the data it touches, its intended use, its risk classification, who approved it, and the audit trail of how all of that changed over time. This is not a novel demand invented for AI. It is the same registration-and-documentation discipline that already exists for systems, suppliers, and cryptographic material, pointed at a new asset class. The frameworks arriving across jurisdictions are converging on exactly this requirement, and the timing matters because the gap between AI adoption and AI governance is currently enormous.

You cannot govern what you have not inventoried

The adoption-governance gap is the strongest evidence that the inventory is the missing primitive. ISACA's 2024 survey of digital-trust professionals reported that roughly seventy percent of organisations had staff using generative AI tools while only fifteen percent had an AI policy in place. Workforce surveys find the same shape from the other side: a majority of white-collar workers report using AI at work, and only a small fraction are aware their employer has any AI policy at all. The result is "shadow AI," the direct successor to shadow IT, with the same root cause. The organisation cannot set a rule, attach a control, or produce evidence for a system it does not know exists.

An inventory is the precondition for everything else. Risk classification, approval workflows, data-handling rules, vendor due diligence, and incident response all assume you have a current list of what you are governing. Without it, every other AI control is applied to a guess.

What an AI bill of materials contains

The idea has a lineage. The "model card," proposed by Mitchell and colleagues in 2019, established that a released model should travel with documentation of its intended use, performance characteristics, and limitations. The AI bill of materials generalises that into a machine-readable inventory of every component that makes up an AI system: the models, the training and reference datasets, software dependencies, frameworks, and the governance metadata around them. It is the AI-specific extension of the software bill of materials that security teams already maintain, and the tooling is maturing to match. The CycloneDX machine-learning bill-of-materials format and the SPDX 3.0 AI profile both exist to carry this data, and OWASP launched a dedicated AIBOM project in 2025 alongside its Top 10 for LLM Applications, where supply-chain risk (LLM03) is a named entry precisely because an unknown model or dependency is an ungoverned one.

In practice the bill of materials answers a fixed set of questions for each AI system: what model and version is running, which provider supplies it, what data flows into it, what decision it informs, how risky that use is, who signed off, and what has changed since. Hold those answers, keep them current, and the governance conversation becomes possible. Skip them, and it does not.
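The fixed question set above, and the change history that belongs with it, can be carried as a structured document rather than a spreadsheet. The following is an added example written for this page, not the page's own code and not Novantra's implementation. It encodes each governed AI system as a CycloneDX-style machine-learning component, refuses to emit a bill of materials for any entry that cannot answer every question, and records each revision of the document in a hash chain so that a later edit to the history is detectable. The JSON layout follows the CycloneDX 1.5 ML-BOM shape as the example's author understands it (a component of type machine-learning-model carrying a modelCard); the gov: property names, the validation rule set, the system names and the e-mail addresses are this example's own assumptions, and the sample inventory is constructed.

```python
"""Minimal AI bill of materials with a hash-chained revision log.

Added example, not the page's or any vendor's code. The document layout
loosely follows the CycloneDX 1.5 ML-BOM shape (bomFormat, specVersion,
components of type "machine-learning-model" with a modelCard). Carrying
the governance answers under "properties" is this example's own
convention, not part of the specification.
"""
import hashlib
import json

# The fixed set of questions every entry must answer (model and version,
# provider, data, intended use, risk class, approver). Assumed field names.
REQUIRED = ("name", "version", "supplier", "datasets", "intended_use",
            "risk_class", "approved_by")
RISK_CLASSES = ("minimal", "limited", "high", "prohibited")
GENESIS = "0" * 64  # previous-digest value for the first revision


def canonical(obj) -> str:
    """Deterministic JSON so that two parties hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def validate_entry(entry: dict) -> list:
    """Return the governance gaps for one entry; an empty list means complete."""
    gaps = [f for f in REQUIRED if not entry.get(f)]
    if entry.get("risk_class") and entry["risk_class"] not in RISK_CLASSES:
        gaps.append("risk_class")
    return gaps


def to_component(entry: dict) -> dict:
    """Render one governed AI system as a CycloneDX-style ML component."""
    return {
        "type": "machine-learning-model",
        "name": entry["name"],
        "version": entry["version"],
        "supplier": {"name": entry["supplier"]},
        "modelCard": {
            "modelParameters": {
                "datasets": [{"type": "dataset", "name": d} for d in entry["datasets"]],
            },
            "considerations": {"useCases": [entry["intended_use"]]},
        },
        # Governance metadata as properties: an assumption of this example.
        "properties": [
            {"name": "gov:risk_class", "value": entry["risk_class"]},
            {"name": "gov:approved_by", "value": entry["approved_by"]},
            {"name": "gov:decision", "value": entry.get("decision", "")},
        ],
    }


def build_bom(entries: list, bom_version: int) -> dict:
    """Build the BOM document; refuse entries that cannot answer every question."""
    gaps = {e.get("name", "?"): validate_entry(e) for e in entries}
    bad = {name: g for name, g in gaps.items() if g}
    if bad:
        raise ValueError(f"ungoverned entries: {bad}")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": bom_version,
        "components": [to_component(e) for e in entries],
    }


def _link_digest(link: dict) -> str:
    """SHA-256 over every field of a link except its own digest."""
    body = {k: v for k, v in link.items() if k != "digest"}
    return hashlib.sha256(canonical(body).encode()).hexdigest()


def append_revision(chain: list, bom: dict, actor: str, reason: str) -> dict:
    """Append a revision whose digest commits to the previous link and the BOM."""
    link = {
        "revision": len(chain) + 1,
        "prev": chain[-1]["digest"] if chain else GENESIS,
        "actor": actor,
        "reason": reason,
        "bom_digest": hashlib.sha256(canonical(bom).encode()).hexdigest(),
    }
    link["digest"] = _link_digest(link)
    chain.append(link)
    return link


def verify_chain(chain: list) -> bool:
    """True only if every link is intact and points at its predecessor."""
    prev = GENESIS
    for i, link in enumerate(chain, 1):
        if link["revision"] != i or link["prev"] != prev or link["digest"] != _link_digest(link):
            return False
        prev = link["digest"]
    return True


# Constructed sample inventory: illustrative systems, not real deployments.
SAMPLE = [
    {"name": "claims-triage-classifier", "version": "2.3.1", "supplier": "in-house",
     "datasets": ["claims-2019-2023-anonymised"],
     "intended_use": "rank incoming claims for manual review",
     "decision": "review queue ordering", "risk_class": "high",
     "approved_by": "cro@example.com"},
    {"name": "support-chat-assistant", "version": "provider-model-2024-08",
     "supplier": "external-provider", "datasets": ["support-kb-2024"],
     "intended_use": "draft replies to customer tickets",
     "risk_class": "limited", "approved_by": ""},  # no sign-off: shadow AI
]

if __name__ == "__main__":
    governed = [e for e in SAMPLE if not validate_entry(e)]
    chain = []
    append_revision(chain, build_bom(governed, 1), "cro@example.com", "initial registration")
    retrained = [dict(governed[0], version="2.4.0")]
    append_revision(chain, build_bom(retrained, 2), "mlops@example.com", "model retrained")
    print(json.dumps(chain, indent=2), "\nchain intact:", verify_chain(chain))
```

The second sample entry has no approver, so build_bom rejects it outright rather than quietly recording a system nobody signed off; that is the inventory enforcing the approval question instead of merely asking it. Each revision link hashes the previous link's digest together with the digest of the BOM it describes, so rewriting an old reason, actor or version after the fact changes that link's digest and breaks every link after it, which verify_chain reports.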

The frameworks now require the inventory

The strongest signal is the EU AI Act (Regulation (EU) 2024/1689), which entered into force on 1 August 2024 and applies in phases: prohibited practices and AI-literacy obligations from 2 February 2025, general-purpose model obligations from 2 August 2025, and most high-risk obligations from 2 August 2026. Its documentation requirements read like a specification for an AI bill of materials. Article 11 requires that technical documentation for a high-risk system "be drawn up before that system is placed on the market or put into service and shall be kept up-to date," covering the elements in Annex IV: the system's intended purpose, the provider, the versions of relevant software, the datasets and their provenance, validation and testing procedures, and the changes made across the lifecycle. Article 9 requires a risk-management system that is "established, implemented, documented and maintained" as "a continuous iterative process planned and run throughout the entire lifecycle." Article 12 requires automatic logging over the system's lifetime, and Articles 49 and 71 require high-risk systems to be registered in a public EU database. The penalties give the requirement teeth: up to thirty-five million euros or seven percent of global annual turnover for the most serious breaches.

ISO/IEC 42001:2023, the first international AI management-system standard, makes the inventory a management discipline rather than a one-off document. It requires organisations to identify and manage their AI systems across the lifecycle, conduct AI impact assessments, and document risk treatment. Adoption is moving quickly enough to signal a baseline forming: AWS achieved accredited certification in November 2024, IBM certified its Granite models, and KPMG announced certification in late 2025. NIST's AI Risk Management Framework (AI RMF 1.0, January 2023) is even more explicit. Its Govern function includes control GOVERN 1.6: "Mechanisms are in place to inventory AI systems and are resourced according to organizational risk priorities." NIST's Generative AI Profile, released in July 2024, extends the Map, Measure, Manage, and Govern functions to generative systems and leans further into documentation across the lifecycle.

In the United States, the picture is a moving target but the direction is consistent. Colorado enacted the first comprehensive state AI law in 2024, imposing documentation and impact-assessment duties on developers and deployers of high-risk systems, though those duties were repeatedly delayed and substantially scaled back through 2025 and 2026. New York City's Local Law 144 has required, since enforcement began in July 2023, an annual independent bias audit of automated employment decision tools and public posting of the results. The EEOC's 2023 technical guidance made clear that an employer can be liable under Title VII for a vendor's AI tool used on its behalf, which means the inventory has to extend to AI you did not build.

The same expectation is forming in the MENA region. The UAE has published a national charter for the development and use of AI, and Saudi Arabia's SDAIA has issued AI ethics principles, both emphasising accountability and documentation of AI systems in use. The vocabulary differs by jurisdiction; the underlying instruction does not.

The architectural answer

An AI bill of materials is only worth as much as its currency and its evidence. A spreadsheet of models maintained by hand is a rung-one artefact in the evidence maturity ladder: stale on contact, unverifiable, and disconnected from the systems it claims to describe. Governing AI the way you govern everything else means the inventory has to live where your other governed assets live, under the same audit chain, with the same proof.

This is what Novantra's AI governance layer is built to do. Novantra registers every AI system, provider, and model as a first-class governed object, binds each to its risk classification, approvals, prompts, and intended use, and holds the documentation, evidence, and audit trail in the same hash-chained record as your access reviews and key rotations. The model-use and decision history is captured as it happens rather than reconstructed for a regulator. Because Novantra supports bringing your own model and runs with no silent fallback to an unapproved provider, the bill of materials reflects what is actually executing, not what someone intended to deploy. And because Novantra's Sovereign deployment runs inside your own infrastructure with customer-controlled keys, the AI inventory, like the data it governs, never leaves your control. The sibling discipline for provider control is covered in customer-controlled encryption keys, and the deployment foundation in sovereign by architecture.

AI is the surface regulators are asking about most loudly and the one most organisations can least account for. The fix is not a new category of governance. It is the oldest discipline there is, applied to the newest asset: know what you have, prove it is current, and keep the record.