AI-BOM for Enterprise AI Governance | Checkmarx

AI-BOM for Enterprise AI Governance

Create a continuously updated AI-BOM for models, agents, MCP servers, and LLM SDKs
to improve visibility, governance, and compliance – so you’re never caught off guard.

Checkmarx AI-BOM Key Benefits

One Inventory for AI Risk and Compliance

Shadow AI is spreading across your SDLC as developers pull in models, MCPs, agents, and frameworks outside of security review – and regulations like the EU AI Act, NIST AI RMF, and ISO 42001 require you to account for every one of them. Checkmarx AI-BOM automatically inventories AI components across your pipeline, giving teams the visibility needed to manage risk, enforce governance, and stay audit-ready.

AI INVENTORY

Know every AI component in use

Track models, agents, MCP servers, and SDKs across every repo with deterministic discovery that stays current on every commit.

COMPLIANCE READY

Generate audit-ready AI documentation

Produce standards-aligned AI-BOMs with origins, licenses, dependencies, and risk metadata for compliance and board reporting.

PLATFORM-NATIVE

Built-In AI Governance, Not Bolted On

Checkmarx AI-BOM runs natively inside Checkmarx One alongside SAST, SCA, DAST, and Malicious Package Detection. One platform, one policy layer, one place to respond to AI supply chain risk.

POLICY CONTROL

Flag risky AI at commit

Enforce policy on approved models, agents, MCP servers, and SDKs in pull requests and CI/CD pipelines. Flag policy violations early, block unapproved AI components, and keep controls inside existing workflows.

SEE IT IN ACTION

The Enterprise AI-BOM Software for Visibility, Policy, and Compliance

See how Checkmarx AI-BOM inventories AI components directly from source code and configuration files, then turns that inventory into usable governance evidence — integrated natively in Checkmarx One.

Compliance Assurance Use Cases

AI-BOM Tool Built for the Regulations Governing AI

Checkmarx One AI-BOM maps directly to the requirements your compliance teams are already being asked to meet.

Checkmarx AI-BOM Delivers

Get EU AI Act-ready with Checkmarx AI-BOM

Article 11 – Technical documentation — Continuously updated AI inventory, auto-generated from source code on every commit.
Article 13 – Transparency — Per-component origins, licence metadata, and dependency chain in every export.
Annex IV – Audit records — On-demand exports in SPDX 3.0 and CycloneDX 1.6.

Get NIST AI RMF-ready with Checkmarx AI-BOM

Map – Identify risks — Deterministic discovery identifies all AI assets and deployment context per repo.
Measure – Assess risks — Risk metadata, licence flags, and policy violation signals provide measurable indicators.
Manage – Respond — Prioritise and respond to risks; maintain records of treatment decisions. Block unapproved components before production; policy action history in Checkmarx One.

Get ISO/IEC 42001:2023-compliant with Checkmarx AI-BOM

Clause 6.1 – Risk planning — Structured scope documentation exported in SPDX 3.0 and CycloneDX 1.6.
Clause 8.4 – Impact assessment — Third-party model, SDK, and agent tracking extends governance to all external dependencies.
Clause 9.1 – Monitoring — Continuous inventory updates provide a real-time audit trail for management review.


See For Yourself

Complete Visibility

Discover AI models, agents, MCP servers, and SDKs across every repo

Compliance Readiness

Generate standards-aligned AI-BOMs for audit and compliance readiness

Centralized Policy Enforcement

Enforce approved AI usage in pull requests and CI/CD pipelines

Robust Governance

Give security and compliance teams one trusted inventory for AI governance

Get Started With Checkmarx AI-BOM Today

Join the leading enterprises that include Checkmarx AI-BOM in their application security toolkit for holistic application security.

Gartner Magic Quadrant Leader
Forrester Wave Leader
SOC 2 Type II Certified