ABOM — Agent Bill of Materials
Complete inventory of your AI agent ecosystem for supply chain security and compliance. Where a traditional SBOM inventories code dependencies, ABOM records the AI-specific components: the agents, the MCP servers they connect to, the capabilities they hold, and how those change over time.
SBOM vs ABOM
SBOM (Software Bill of Materials)
- NPM packages, Maven dependencies
- Library versions
- License information
- CVE vulnerabilities
ABOM (Agent Bill of Materials)
- AI agents and their capabilities
- MCP server connections
- Trust scores and attestations
- Capability drift events
What ABOM Tracks
| Component | What It Tracks | Why It Matters |
|---|---|---|
| Agents | Names, types, capabilities, trust scores, status | Know what AI is running in your organization |
| MCP Servers | Connected servers, tools, confidence scores | Track external service integrations |
| Capabilities | What each agent can do (db:read, api:call, etc.) | Audit permission scope |
| Connections | Agent-to-MCP relationships, attestation history | Understand dependencies |
| Drift Events | When capabilities change unexpectedly | Detect supply chain attacks |
Why ABOM Matters
Compliance Audits
Know exactly what AI components your organization uses. Export comprehensive reports for SOC 2, HIPAA, and GDPR audits.
Incident Response
When an MCP server is compromised, the dependency graph tells you which agents connect to it, so the blast radius is known before you start revoking credentials or isolating agents, and the response can be targeted rather than fleet-wide.
Change Management
Track capability drift and unauthorized tool additions. Get alerts when MCP server configurations change unexpectedly.
Risk Assessment
Understand the blast radius of any single agent or MCP server. Prioritize security efforts based on dependency analysis.
CycloneDX Export Format
ABOM exports in CycloneDX format so the inventory can be loaded into existing SBOM tooling and vulnerability scanners. Scanners match components to advisories by purl, so only components whose purl names a public ecosystem (the pkg:npm/... purl of an MCP server package, for example) receive CVE matching; agent entries under pkg:aim/... carry inventory and policy data (trust score, status, capabilities) and are not scannable packages.
Example CycloneDX Output
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "timestamp": "2025-12-23T12:00:00Z",
    "tools": [{ "name": "AIM", "version": "1.0.0" }],
    "component": {
      "type": "application",
      "name": "my-ai-agent-fleet",
      "version": "1.0.0"
    }
  },
  "components": [
    {
      "type": "application",
      "bom-ref": "agent-customer-support",
      "name": "customer-support-agent",
      "version": "1.2.0",
      "description": "Customer support AI agent",
      "purl": "pkg:aim/customer-support-agent@1.2.0",
      "properties": [
        { "name": "aim:trust-score", "value": "92" },
        { "name": "aim:agent-type", "value": "langchain" },
        { "name": "aim:status", "value": "active" }
      ]
    },
    {
      "type": "application",
      "bom-ref": "mcp-filesystem",
      "name": "filesystem-mcp",
      "version": "1.0.0",
      "description": "MCP server for filesystem access",
      "purl": "pkg:npm/%40modelcontextprotocol/server-filesystem@1.0.0",
      "properties": [
        { "name": "aim:confidence-score", "value": "95" },
        { "name": "aim:attestation-count", "value": "47" },
        { "name": "aim:tools", "value": "read_file,write_file,list_directory" }
      ]
    },
    {
      "type": "application",
      "bom-ref": "mcp-github",
      "name": "github-mcp",
      "version": "1.0.0",
      "description": "MCP server for GitHub access (properties omitted in this excerpt)",
      "purl": "pkg:npm/%40modelcontextprotocol/server-github@1.0.0"
    }
  ],
  "dependencies": [
    {
      "ref": "agent-customer-support",
      "dependsOn": ["mcp-filesystem", "mcp-github"]
    }
  ]
}
```
Three details keep the export loadable by the tools listed later on this page: component types must come from the CycloneDX 1.5 component enumeration (CycloneDX keeps services in a separate top-level element, so an MCP server process is recorded here as an application, not as a "service" component), every ref in dependencies must match a bom-ref in components (a dependsOn entry for "mcp-github" with no matching component fails import into Dependency-Track), and an npm scope is percent-encoded in the purl (%40 for @).
SDK Usage
Python SDK
```python
from aim_sdk import secure

agent = secure("my-agent")

# ABOM is automatically tracked as you:
# - Register agents
# - Connect to MCP servers
# - Declare capabilities
# - Create attestations
#
# Export ABOM via the dashboard or the API:
# GET /api/v1/organizations/{org_id}/abom
```
Java SDK (SupplyChainReporter)
```java
import org.opena2a.aim.security.SupplyChainReporter;

SupplyChainReporter reporter = SupplyChainReporter.getInstance();

// Record MCP servers. `discovery` and `githubDiscovery` are the results of the
// MCP discovery step and `agent` is the registered agent; both come from earlier setup.
reporter.recordMcpServer("filesystem-mcp", "npx @mcp/filesystem", discovery);
reporter.recordMcpServer("github-mcp", "npx @mcp/github", githubDiscovery);

// Generate the ABOM (Agent Bill of Materials); the SDK type is still named SBOM
SupplyChainReporter.SBOM sbom = reporter.generateSBOM(agent.getAgentName());
System.out.println("Format: " + sbom.format); // CycloneDX
System.out.println("Components: " + sbom.componentCount);
System.out.println("Generated: " + sbom.generatedAt);

// Export for compliance audits
for (SupplyChainReporter.SBOMComponent component : sbom.components) {
    System.out.println("- " + component.name + " v" + component.version);
    System.out.println("  PURL: " + component.purl);
}
```
API Export
```bash
# Export ABOM for your organization
# (replace {org_id} and {agent_id} with your own identifiers; $TOKEN is an API bearer token)
curl "https://aim.example.com/api/v1/organizations/{org_id}/abom" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Accept: application/json"

# Filter by agent
curl "https://aim.example.com/api/v1/agents/{agent_id}/abom" \
  -H "Authorization: Bearer $TOKEN"

# Export in CycloneDX format
curl "https://aim.example.com/api/v1/organizations/{org_id}/abom?format=cyclonedx" \
  -H "Authorization: Bearer $TOKEN"
```
Dashboard Access
Access ABOM data through the AIM dashboard:
1. Navigate to MCP Servers → Supply Chain
2. Click "Export ABOM" button
3. Choose format: JSON or CycloneDX
4. Download the complete inventory
Integration with SBOM Tools
Compatible Tools
ABOM's CycloneDX format integrates with existing security tooling. Scanners match the purl of each component against advisory data, so they cover the MCP server packages; SBOM platforms ingest the whole document including the dependency graph; compliance tools consume the export as audit evidence.
Vulnerability Scanners
- Snyk
- Grype
- Trivy
SBOM Platforms
- Anchore
- FOSSA
- Dependency-Track
Compliance Tools
- Vanta
- Drata
- Secureframe
Best Practices
Export ABOM regularly
Set up automated weekly exports for compliance records
Monitor drift events
Configure alerts for unexpected capability changes
Review before incidents
Keep ABOM current so you're prepared for incident response
Include in security reviews
Add ABOM review to your security assessment process
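The incident-response, change-management and tooling-integration uses described on this page can all be driven from the CycloneDX export itself. The script below is an added example, not AIM's own code or SDK: it checks an export for the structural faults that break import into SBOM tools, separates components a scanner can match from inventory-only entries, computes the blast radius of a compromised MCP server from the dependency graph, and diffs two weekly exports for capability drift (new tools, changed package versions, new dependencies). It relies only on the fields visible in the sample export above (components[].bom-ref, purl and properties, dependencies[].ref and dependsOn, and the aim:tools property); the two snapshots are constructed for illustration, and SCANNABLE_PURL_TYPES is this example's own approximation of which purl ecosystems the listed scanners can match.

```python
"""Triage helpers for an ABOM exported as CycloneDX JSON.

Added example, not AIM's own code. It relies only on fields visible in the page's
sample export; the two snapshots at the bottom are constructed, not real AIM output.
"""
from collections import defaultdict

# purl types that Grype, Trivy and Dependency-Track can look up in advisory feeds
# (this example's approximation). "pkg:aim/..." is AIM's own scheme: inventory-only.
SCANNABLE_PURL_TYPES = {"npm", "pypi", "maven", "golang", "cargo", "oci", "deb", "rpm"}


def purl_type(purl):
    """'pkg:npm/%40scope/name@1.0.0' -> 'npm'; None for a missing or malformed purl."""
    if not purl or not purl.startswith("pkg:"):
        return None
    return purl[len("pkg:"):].split("/", 1)[0]


def validate(bom):
    """Structural problems that make the export unusable for SBOM tooling."""
    problems, refs = [], set()
    for c in bom.get("components", []):
        ref = c.get("bom-ref")
        if not ref or ref in refs:
            problems.append(f"missing or duplicate bom-ref on {c.get('name', ref)!r}")
        elif not c.get("purl"):
            problems.append(f"{ref}: no purl, scanners cannot identify it")
        refs.add(ref)
    for d in bom.get("dependencies", []):
        for target in [d.get("ref"), *d.get("dependsOn", [])]:
            if target not in refs:  # a dangling ref breaks Dependency-Track import
                problems.append(f"dependency graph references unknown bom-ref {target!r}")
    return problems


def scannable(bom):
    """Split bom-refs into those a vulnerability scanner can match and those it cannot."""
    yes, no = [], []
    for c in bom.get("components", []):
        (yes if purl_type(c.get("purl")) in SCANNABLE_PURL_TYPES else no).append(c["bom-ref"])
    return yes, no


def blast_radius(bom, compromised_ref):
    """Every component that depends, directly or transitively, on compromised_ref."""
    reverse = defaultdict(set)  # dependency -> set of dependents
    for d in bom.get("dependencies", []):
        for dep in d.get("dependsOn", []):
            reverse[dep].add(d["ref"])
    affected, frontier = set(), {compromised_ref}
    while frontier:
        frontier = {p for ref in frontier for p in reverse[ref] if p not in affected}
        affected |= frontier
    return sorted(affected)


def _tools(component):
    props = {p["name"]: p["value"] for p in component.get("properties", [])}
    return {t for t in props.get("aim:tools", "").split(",") if t}


def drift(old_bom, new_bom):
    """Changes between two exports that a change-management alert should surface."""
    old = {c["bom-ref"]: c for c in old_bom.get("components", [])}
    new = {c["bom-ref"]: c for c in new_bom.get("components", [])}
    events = []
    for ref in sorted(set(old) | set(new)):
        if ref not in old:
            events.append(("added", ref))
        elif ref not in new:
            events.append(("removed", ref))
        else:
            if old[ref].get("purl") != new[ref].get("purl"):
                events.append(("purl-changed", ref, old[ref].get("purl"), new[ref].get("purl")))
            for tool in sorted(_tools(new[ref]) - _tools(old[ref])):
                events.append(("tool-added", ref, tool))  # capability drift
            for tool in sorted(_tools(old[ref]) - _tools(new[ref])):
                events.append(("tool-removed", ref, tool))

    def edges(b):
        return {(d["ref"], x) for d in b.get("dependencies", []) for x in d.get("dependsOn", [])}
    for ref, dep in sorted(edges(new_bom) - edges(old_bom)):
        events.append(("new-dependency", ref, dep))
    return events


def _snapshot(fs_tools, fs_version, billing_deps):
    """Constructed sample export (not real AIM output), shaped like the page's example."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"bom-ref": "agent-customer-support", "purl": "pkg:aim/customer-support-agent@1.2.0"},
        {"bom-ref": "agent-billing", "purl": "pkg:aim/billing-agent@0.9.0"},
        {"bom-ref": "mcp-filesystem",
         "purl": f"pkg:npm/%40modelcontextprotocol/server-filesystem@{fs_version}",
         "properties": [{"name": "aim:tools", "value": fs_tools}]},
        {"bom-ref": "mcp-github", "purl": "pkg:npm/%40modelcontextprotocol/server-github@1.0.0",
         "properties": [{"name": "aim:tools", "value": "create_issue"}]},
    ], "dependencies": [
        {"ref": "agent-customer-support", "dependsOn": ["mcp-filesystem", "mcp-github"]},
        {"ref": "agent-billing", "dependsOn": billing_deps},
    ]}


WEEK1 = _snapshot("read_file,list_directory", "1.0.0", ["mcp-github"])
WEEK2 = _snapshot("read_file,list_directory,write_file", "1.0.1", ["mcp-github", "mcp-filesystem"])

if __name__ == "__main__":
    print("problems:", validate(WEEK2) or "none")
    print("blast radius of mcp-filesystem:", blast_radius(WEEK2, "mcp-filesystem"))
    print("drift since last export:", *drift(WEEK1, WEEK2), sep="\n  ")
```

Between the two constructed snapshots the filesystem server gained a write_file tool, moved to a new package version, and picked up a new dependent agent; each of those is a separate drift event, and the blast radius of that server grows from one agent to two. Run against real exports, validate() is the check to put in front of any Dependency-Track or Grype import, and scannable() tells you which findings those tools can and cannot produce.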