advanta

HomeModule LibraryData

Module DAT-06 sigil: Data pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module DAT-06. The Pillar geometry encodes Data (Pillar 2); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SDAT-06
P2· L-G· Bands OperationalIntegratedOptimisedDefensible

· DAT-06

AI Bill of Materials Standard

A firm that cannot answer 'what AI do you have in production' cannot govern AI. The AI Bill of Materials Standard defines the canonical record of every deployed AI capability — model, vendor, version, data scope, owner, governance state. The Standard specifies required attributes, change-control discipline for version updates, and integration with the Risk Register and Vendor Evaluation. Without an authoritative BoM, Shadow AI detection has no baseline and the regulator's first question has no defensible answer. Methodology v2026.1.

strategic

·

Continuous

·

Initial rollout 4–6 weeks; ongoing maintenance 1–2 days per month plus event-driven reviews.

Methodology v2026.1

Executive Summary

DAT-06 establishes the organisation-wide AI Bill of Materials (AI BoM) as the authoritative, version-controlled register of every AI tool in operation. It defines a mandatory 22-field schema capturing identity, model and data characteristics, scope and approvals, governance controls, and agentic-specific safeguards for autonomous systems. The module prescribes a four-step registration workflow, Agentic Tier classification, lifecycle states from Draft to Retired, and evidence standards that make AI operations auditable and defensible. The AI BoM is the single source of truth for what AI the organisation runs, on whose infrastructure, and over which data. It underpins compliance with the EU AI Act, ISO/IEC 42001, privacy regimes, and client due diligence expectations. DAT-06 also sets monitoring cadences, Shadow AI escalation rules, and cross-walks to the Risk Taxonomy 2026, ensuring that every tool’s risk profile is explicit, current, and linked to the AI Risk Register. Without this module, no governance claim about AI use is verifiable.

Defensibility Evidence Produced

DAT-06 operates at DPS Tier 3 (Defensible) across all three lenses. Adoption lens: the 22-field AI BoM entry schema captures user training records, approval history, stakeholder notifications, and usage analytics for every registered tool — 5-year retention from Active status confirmation date. Sophistication lens: the 4-step registration process (Initiation → Technical Review → Governance Sign-off → Certificate Issuance) with mandatory Technical Review Gate and quantified agentic tier assessment provides an auditable decision trail for every AI adoption decision across all five tiers — 5-year retention. Defensibility lens: Certificate of AI BoM Registration, Governance Sign-off records, agentic tier classification rationale, incident linkage documentation, lifecycle stage audit trail, and deregistration certificates upon retirement constitute the evidentiary backbone for regulatory inquiry, client disclosure, and privilege defence — 7-year retention from retirement date. As the foundational AI governance standard referenced by all other modules via the Metric 0 Gate 2 prerequisite, DAT-06 itself serves as primary evidence that the firm operates a systematic, auditable, and continuously maintained AI oversight regime.

Elements:

Evidence frameworkGovernance posture

Metric 0 Pre-Check

Before registering a new AI tool, two gates must pass:

  • Gate 1 — GOV-02 AI Use Policy Coverage: Confirm an AI Use Policy entry exists or will be created in parallel for the tool.
  • Gate 2 — AI Governance Lead Availability: Confirm the AI Governance Lead (or delegate) can review and sign off within 5 business days.

Both gates must be satisfied before deployment or pilot use.

1. Purpose

DAT-06 defines the organisation’s AI Bill of Materials (AI BoM) Standard: a mandatory, version-controlled register of every AI tool the organisation operates. It specifies the 22 required fields for each entry, the registration workflow, approval authorities, Agentic Tier classification, lifecycle states, and evidence retention rules.

The AI BoM:

  • Makes the AI footprint visible and governable.
  • Provides the evidentiary foundation for risk, compliance, and audit activities.
  • Enforces pre-deployment review and sign-off.
  • Surfaces Shadow AI by exception.
  • Produces Certificates of Registration and Deregistration for regulators, auditors, and clients.

2. Strategic Context

The AI BoM is now a regulatory and commercial expectation. EU AI Act provisions on technical documentation, ISO/IEC 42001 inventory requirements, and client procurement processes all assume a current, accurate AI system register.

Legal functions are particularly exposed: privilege, confidentiality, data residency, and professional liability all depend on knowing which AI tools process which data. Registered, governed tools create manageable incidents; unregistered tools create negligence exposure.

A robust AI BoM also accelerates safe AI adoption, enabling faster approvals and stronger positioning in client due diligence.

Operational Signals

dat-06.bom-coverage

Defensibility Posture Statement

Proportion of deployed AI capabilities with current BoM entry — DE-3 Evidence framework record.

Quarterly

dat-06.entry-currency

Annual Legal AI OS Index

BoM entries refreshed within version-change SLA feeds the Annual Legal AI OS Index governance signal.

monthly

dat-06.attribute-completeness

Console

Required-attribute completeness per entry for Console intelligence substrate.

On change

Recommended Stakeholders

Owner

  • Head of Legal Operations

Approvers

  • General Counsel
  • Risk & Compliance
  • CIO / CISO

Contributors

  • Engineering / IT
  • AI Task Force

Informed

  • Board
  • Audit Committee

Inputs · Outputs

Inputs

  • · Inventory of all AI tools in use or proposed across the organisation
  • · GOV-02 AI Use Policy entries for each tool and use case
  • · GOV-04 vendor security and compliance due diligence outputs
  • · Vendor documentation: product sheets, ToS, privacy policy, DPA, security certifications
  • · GOV-09 or equivalent evaluation results for hallucination, bias, and robustness
  • · Data inventory mapping for all categories processed by each tool
  • · Agentic Tier classification rationale and design for autonomous workflows
  • · AI Governance Lead and Business Owner assignments

Outputs

  • · AI BoM Register with complete 22-field entries for every AI tool
  • · Certificate of AI BoM Registration for each Active tool
  • · Certificate of AI BoM Deregistration for each Retired tool
  • · AI BoM Register extract for audits, regulators, and client due diligence
  • · AI BoM Coverage Report comparing environment tools vs. Active entries
  • · Shadow AI detection and escalation records
  • · Risk Taxonomy 2026 class severity assessments per tool
  • · Tiered monitoring and review logs, including kill-switch and intervention log checks

Framework Crosswalk

EU AI Act

European Union

Supports technical documentation and risk management expectations for providers and deployers, including system identity, training data description, intended purpose, and performance metrics.

ISO/IEC 42001

ISO/IEC

Addresses AI system inventory and governance requirements, aligning the AI BoM with AI management system controls and continual improvement.

NIST AI Risk Management Framework

NIST

Provides a structure for mapping AI BoM data to risk identification, measurement, and monitoring across the AI lifecycle.

Operational Artefacts

  • AI BoM Register Template (22-field schema)

    xlsx · v2026.1

    Gated
  • Certificate of AI BoM Registration Template

    docx · v2026.1

    Gated
  • AI BoM Coverage and Shadow AI Audit Checklist

    checklist · v2026.1

    Gated

Diagnostic Relevance

Running the AI Bill of Materials Standard strengthens the Defensibility lens — expected Band progression: Operational → Integrated.

Confidence: high

Key Takeaways

  • Establish a single, authoritative AI BoM Register for all AI tools across the organisation.

  • Enforce pre-deployment registration and AI Governance Lead sign-off for every AI tool.

  • Capture a complete 22-field record for each tool, including model, data, scope, and risk profile.

  • Classify every tool by Agentic Tier and apply tier-specific governance and monitoring.

  • Detect and escalate Shadow AI by comparing incidents and environment scans to the AI BoM.

  • Maintain lifecycle states, certificates, and version history as DPS-grade defensibility evidence.

  • Align AI BoM data with EU AI Act, ISO/IEC 42001, and Risk Taxonomy 2026 requirements.

Run this Module

Operational artefacts available to Enterprise Partnership members. Methodology v2026.1.

View Membership

Targeting

Audience

General CounselLegal OperationsAI Governance LeadRisk and ComplianceIT Security

Strengthens

Defensibility lensSophistication lens

Module Details

Format
Module
Difficulty
Advanced
Pillar
P2
Owner
Head of Legal Operations
Access
Enterprise Partnership

Maturity Bands

OperationalIntegratedOptimisedDefensible

Where this Module lives

The AI BoM Standard is the inventory backbone underneath every governance Module. It is the source of truth that Shadow AI Discovery (USE-07) compares against, the registry that Vendor Evaluation (VEN-01) writes to, and the scope reference that the Annual Audit (SUS-05) samples from. Without this Module, every governance artefact operates over inconsistent scope and the DPS lacks the inventory that distinguishes governance from documentation.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.