
Deterministic sigil for Module DAT-06: the Pillar geometry encodes Data (Pillar 2); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.


AI Bill of Materials Standard

Defines the mandatory AI Bill of Materials register for all AI tools in the Legal AI OS.

Module, Advanced, Continuous, Protect lens, Comply lens, Grow lens, Transform lens

Audience

General Counsel, Legal Operations, AI Governance Lead, Risk and Compliance, IT Security


Initial rollout 4–6 weeks; ongoing maintenance 1–2 days per month plus event-driven reviews.

Executive Summary

DAT-06 establishes the organisation-wide AI Bill of Materials (AI BoM) as the authoritative, version-controlled register of every AI tool in operation. It defines a mandatory 22-field schema capturing identity, model and data characteristics, scope and approvals, governance controls, and agentic-specific safeguards for autonomous systems. The module prescribes a four-step registration workflow, Agentic Tier classification, lifecycle states from Draft to Retired, and evidence standards that make AI operations auditable and defensible. The AI BoM is the single source of truth for what AI the organisation runs, on whose infrastructure, and over which data. It underpins compliance with the EU AI Act, ISO/IEC 42001, privacy regimes, and client due diligence expectations. DAT-06 also sets monitoring cadences, Shadow AI escalation rules, and cross-walks to the Risk Taxonomy 2026, ensuring that every tool’s risk profile is explicit, current, and linked to the AI Risk Register. Without this module, no governance claim about AI use is verifiable.

Metric 0 Pre-Check

Before registering a new AI tool, two gates must pass:

  • Gate 1 — GOV-02 AI Use Policy Coverage: Confirm an AI Use Policy entry exists or will be created in parallel for the tool.
  • Gate 2 — AI Governance Lead Availability: Confirm the AI Governance Lead (or delegate) can review and sign off within 5 business days.

Both gates must be satisfied before deployment or pilot use.

---

1. Purpose

DAT-06 defines the organisation’s AI Bill of Materials (AI BoM) Standard: a mandatory, version-controlled register of every AI tool the organisation operates. It specifies the 22 required fields for each entry, the registration workflow, approval authorities, Agentic Tier classification, lifecycle states, and evidence retention rules.

The AI BoM:

  • Makes the AI footprint visible and governable.
  • Provides the evidentiary foundation for risk, compliance, and audit activities.
  • Enforces pre-deployment review and sign-off.
  • Surfaces Shadow AI by exception.
  • Produces Certificates of Registration and Deregistration for regulators, auditors, and clients.

---

2. Strategic Context

The AI BoM is now a regulatory and commercial expectation. EU AI Act provisions on technical documentation, ISO/IEC 42001 inventory requirements, and client procurement processes all assume a current, accurate AI system register.

Legal functions are particularly exposed: privilege, confidentiality, data residency, and professional liability all depend on knowing which AI tools process which data. Registered, governed tools create manageable incidents; unregistered tools create negligence exposure.

A robust AI BoM also accelerates safe AI adoption, enabling faster approvals and stronger positioning in client due diligence.

Defensibility Evidence

DAT-06 operates at DPS Tier 3 (Defensible) across all three lenses:

  • Adoption lens: the 22-field AI BoM entry schema captures user training records, approval history, stakeholder notifications, and usage analytics for every registered tool. Retention: 5 years from Active status confirmation date.
  • Sophistication lens: the 4-step registration process (Initiation → Technical Review → Governance Sign-off → Certificate Issuance) with mandatory Technical Review Gate and quantified agentic tier assessment provides an auditable decision trail for every AI adoption decision across all five tiers. Retention: 5 years.
  • Defensibility lens: Certificate of AI BoM Registration, Governance Sign-off records, agentic tier classification rationale, incident linkage documentation, lifecycle stage audit trail, and deregistration certificates upon retirement constitute the evidentiary backbone for regulatory inquiry, client disclosure, and privilege defence. Retention: 7 years from retirement date.

As the foundational AI governance standard referenced by all other modules via the Metric 0 Gate 2 prerequisite, DAT-06 itself serves as primary evidence that the firm operates a systematic, auditable, and continuously maintained AI oversight regime.

Operational Artefacts

  • AI BoM Register Template (22-field schema): xlsx, v2026.1, gated
  • Certificate of AI BoM Registration Template: docx, v2026.1, gated
  • AI BoM Coverage and Shadow AI Audit Checklist: checklist, v2026.1, gated

Framework Crosswalk

EU AI Act

European Union

Supports technical documentation and risk management expectations for providers and deployers, including system identity, training data description, intended purpose, and performance metrics.

ISO/IEC 42001

ISO/IEC

Addresses AI system inventory and governance requirements, aligning the AI BoM with AI management system controls and continual improvement.

NIST AI Risk Management Framework

NIST

Provides a structure for mapping AI BoM data to risk identification, measurement, and monitoring across the AI lifecycle.

Operational Details

Inputs

  • Inventory of all AI tools in use or proposed across the organisation
  • GOV-02 AI Use Policy entries for each tool and use case
  • GOV-04 vendor security and compliance due diligence outputs
  • Vendor documentation: product sheets, ToS, privacy policy, DPA, security certifications
  • GOV-09 or equivalent evaluation results for hallucination, bias, and robustness
  • Data inventory mapping for all categories processed by each tool
  • Agentic Tier classification rationale and design for autonomous workflows
  • AI Governance Lead and Business Owner assignments

Outputs

  • AI BoM Register with complete 22-field entries for every AI tool
  • Certificate of AI BoM Registration for each Active tool
  • Certificate of AI BoM Deregistration for each Retired tool
  • AI BoM Register extract for audits, regulators, and client due diligence
  • AI BoM Coverage Report comparing environment tools vs. Active entries
  • Shadow AI detection and escalation records
  • Risk Taxonomy 2026 class severity assessments per tool
  • Tiered monitoring and review logs, including kill-switch and intervention log checks

Owner

AI Governance Lead + General Counsel

Telemetry & Observability

Telemetry-ready

Key Takeaways

  • Establish a single, authoritative AI BoM Register for all AI tools across the organisation.

  • Enforce pre-deployment registration and AI Governance Lead sign-off for every AI tool.

  • Capture a complete 22-field record for each tool, including model, data, scope, and risk profile.

  • Classify every tool by Agentic Tier and apply tier-specific governance and monitoring.

  • Detect and escalate Shadow AI by comparing incidents and environment scans to the AI BoM.

  • Maintain lifecycle states, certificates, and version history as DPS-grade defensibility evidence.

  • Align AI BoM data with EU AI Act, ISO/IEC 42001, and Risk Taxonomy 2026 requirements.


Module Details

Type

Pillar

P2


Advisory

Yes

Access

enterprise

Maturity Bands

Operational, Integrated, Optimised, Defensible

Governance

Methodology
v2026.1
