RAI Bill of Materials Registry

Summary: The RAI bill of materials registry keeps a formal machine-readable record of the supply chain details of the components used in building an AI system, such as component name, version, supplier, dependency relationship, author, and timestamp.

Type of pattern: Product pattern

Type of objective: Trust

Target users: Architects, developers

Impacted stakeholders: Development teams, RAI governors, AI users, AI consumers

Relevant AI ethics principles: Privacy protection and security, transparency and explainability, accountability

Mapping to AI regulations/standards: EU AI Act, ISO/IEC 42001:2023 Standard.

Context: From a software supply chain angle, AI product vendors often create AI systems by assembling commercial and/or open-source AI and/or non-AI components from third parties. Development of AI systems involves a complex and dynamic software supply chain.

Problem: The trust that stakeholders place in an AI system is proportional to how trustworthy and transparent the supply chain of the AI system is [1]. Bringing transparency to the AI system supply chains and enabling connections across supply chains are critical to identifying and removing the weak links in the software supply chains. How do we bring transparency to the AI system supply chain to enable the stakeholders of AI systems to track the supply chain information of the AI components?

Solution: The RAI bill of materials registry keeps a formal machine-readable record of the supply chain details of the components used in building a software system [2]. A bill of materials is essentially a nested inventory that covers the ingredients of a software component, such as component name, version, supplier, dependency relationship, author, and timestamp. In addition to supply chain details of the components, context documents (like model cards for reporting AI models [3], and datasheets for the datasets used to train AI models [4]) can also be integrated to the bill of materials. A real-world AI system is composed of a vast and complex infrastructure, where the AI components might be a small fraction of the whole AI system. As shown in the figure, every component, either AI component or non-AI component, could be associated with an RAI bill of materials [5].


The main purpose of the RAI bill of materials is to provide traceability and transparency into the components within AI systems so that ethical issues can be tracked and addressed. An immutable data infrastructure is needed to store the bill of materials. For example, the manufacturers of autonomous vehicles could maintain a material registry contract on blockchain to track their components’ supply chain information, such as the version and supplier of the third-party navigation components.

Fig.1 RAI bill of materials registry of software components within an AI system

Benefits:

  • Increased transparency: Stakeholders can access the supply chain details of each component of interest in AI systems via the RAI bill of materials.
  • Increased accountability: The supply chain details recorded in the RAI bill of materials could be used to identify the acknowledgment and responsibility for the components and decisions of interest.
  • Integrity: The RAI bill of materials helps with continuous verification of the integrity of individual components and the overall AI system.

Drawbacks:

  • Increased management effort: As AI systems evolve over time, the RAI bill of materials may need to be updated frequently. The cost of managing the RAI bill of materials of all the components is proportional to the complexity of the AI system.

Related patterns:

  • Verifiable RAI credential: Verifiable RAI credentials could be applied with RAI bill of materials to provide proof of responsibility at a point of the supply chain.
  • RAI bill of materials: The supply chain information of AI system components can be maintained in an RAI software bill of material registry. 

Known uses:

  • Dependency Track is widely used by practitioners to track components’ supply chain information and identify known vulnerabilities.
  • Software Package Data Exchange (SPDX) and CycloneDX are two standards for exchanging software bill of material information for security analysis.
  • OpenBOM is a digital platform of data management for manufacturing companies. OpenBOM provides solutions to support Bill of Materials across networks of engineers, supply chain managers, and contract manufacturers.
  • Codenotary provide digital solutions to software bill of materials. The company provides community attestation service for the open source software community. 

References

[1] NTIA Multistakeholder Process on Software Component Transparency Framing Working Group, Transparency: Establishing a Common Software Bill of Material (SBOM), 2019.

[2] United States Department of Commerce, The Minimum Elements for a Software Bill of Materials (SBOM), 2021.

[3] Mitchell, M., et al. Model cards for model reporting. in Proceedings of the confer-ence on fairness, accountability, and transparency. 2019.

[4] Gebru, T., et al. Datasheets for datasets. Communications of the ACM, 2021. 64(12): p. 86-92.

[5] Sculley, D., et al. Hidden technical debt in machine learning systems. Advances in neural information processing systems, 2015. 28.