DBOM — Decision Bill of Material

… works!

What is DBOM?

A DBOM (Decision Bill of Materials) is a digital document that traces all the steps that led to a decision made by an AI system. Just like its ancestor, the SBOM (Software Bill of Materials), the DBOM helps to understand the role of individual components in an increasingly complex software world. Every DBOM is cryptographically signed and is meant to be used in combination with Confidential Computing, in order to guarantee its integrity.

Features

  • Thoroughly document high-risk (AI) decisions: A DBOM can enforce documentation requirements. Just as software developers are often required to provide an SBOM, AI service providers can use a DBOM to comply with the strict regulation of high-risk AI use cases.

  • Tamper-proof: Using Confidential Computing, it is possible to generate a DBOM on cloud infrastructure without risking manipulation by the infrastructure provider or an inside attacker.

  • Effective forensics: While the DBOM alone cannot prevent dangerous AI decisions, it can be used to trace back potential causes and to clearly attribute responsibility.

  • Ready for tooling: The DBOM provides a unified interface, which we plan to use for automated analysis. A DBOM is hard for a human to read, but ready for automated reasoning.

  • Traces impact: Just as an SBOM makes it possible to trace the impact of a vulnerable dependency, a DBOM makes it possible to trace manipulated or biased datasets, outdated training tools and more.
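The following is an added example, not code from the DBOM project, illustrating the two properties described above: a signed decision trace that fails verification once any recorded component is altered after the fact, and impact tracing from a flagged component back to the decision steps that relied on it. The document layout, the component and step names, and the digests are all constructed for the example; the integrity tag is an HMAC with a shared key, standing in for the asymmetric signature a real DBOM would carry from inside a Confidential Computing enclave.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sample: components that fed a hypothetical loan-scoring decision.
# Names, versions and digests are made up for this example.
SAMPLE_COMPONENTS = [
    {"type": "dataset", "name": "customer-history-2023", "version": "1.2", "digest": "sha256:aa11"},
    {"type": "model", "name": "credit-scorer", "version": "4.0.1", "digest": "sha256:bb22"},
    {"type": "tool", "name": "feature-pipeline", "version": "0.9", "digest": "sha256:cc33"},
]

# Constructed sample: the ordered steps that produced the decision and the components each used.
SAMPLE_STEPS = [
    {"step": "feature_extraction", "uses": ["customer-history-2023", "feature-pipeline"], "output": "sha256:dd44"},
    {"step": "scoring", "uses": ["credit-scorer", "customer-history-2023"], "output": "score=0.42"},
    {"step": "threshold", "uses": [], "output": "decision=reject"},
]

# Assumed signing key. A real DBOM would be signed with a private key held inside the enclave,
# so that the signature can be tied to a hardware attestation report.
SAMPLE_KEY = b"example-key-not-for-production"


def canonical_bytes(doc: dict) -> bytes:
    """Serialize deterministically so identical content always yields identical bytes."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def build_dbom(decision_id: str, components: list, steps: list) -> dict:
    """Assemble an unsigned DBOM (assumed layout, not the project's schema)."""
    known = {c["name"] for c in components}
    for s in steps:
        missing = set(s["uses"]) - known
        if missing:
            # A step that depends on an undeclared component would leave a gap in the trace.
            raise ValueError(f"step {s['step']} references unlisted components: {sorted(missing)}")
    return {"decision_id": decision_id, "components": components, "steps": steps}


def sign_dbom(dbom: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag over the canonical document (stand-in for a real signature)."""
    signed = deepcopy(dbom)
    signed.pop("signature", None)
    signed["signature"] = hmac.new(key, canonical_bytes(signed), hashlib.sha256).hexdigest()
    return signed


def verify_dbom(signed: dict, key: bytes) -> bool:
    """Return True only if the tag matches the document exactly as it was signed."""
    body = deepcopy(signed)
    tag = body.pop("signature", None)
    if tag is None:
        return False
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def impacted_steps(dbom: dict, component_name: str) -> list:
    """Trace which steps depended on a component later flagged as biased, manipulated or outdated."""
    return [s["step"] for s in dbom["steps"] if component_name in s["uses"]]


def demo():
    dbom = sign_dbom(build_dbom("loan-2024-000123", SAMPLE_COMPONENTS, SAMPLE_STEPS), SAMPLE_KEY)
    ok_before = verify_dbom(dbom, SAMPLE_KEY)
    tampered = deepcopy(dbom)
    tampered["components"][0]["digest"] = "sha256:ee55"  # swap in a different dataset after the fact
    ok_after = verify_dbom(tampered, SAMPLE_KEY)
    return ok_before, ok_after, impacted_steps(dbom, "customer-history-2023")


if __name__ == "__main__":
    print(demo())  # (True, False, ['feature_extraction', 'scoring'])
```

Running `demo()` shows the two checks a forensic reviewer would want: the untouched document verifies, the document with a silently replaced dataset digest does not, and the impact query lists exactly the steps that consumed the flagged dataset. Canonical serialization matters here; without it, two semantically identical documents could produce different bytes and spurious verification failures.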

Glossary

Confidential Computing
is a hardware technology in which the CPU shields and encrypts live memory at runtime, thus protecting against attackers with full system access.
High-Risk AI application
TODO: What is the EU definition again?
SBOM
is the short form of Software Bill of Materials. It is an electronic document that lists all the components of a piece of software: dependencies, build system, etc. Providing an SBOM has become mandatory in some security-critical contexts.