47 downloads/week on PyPI

AI Bill of Materials MCP

Your AI supply chain is a black box. Generate audit-grade AI-BOMs in CycloneDX ML-BOM 1.6 + SPDX 3.0 format. Cover model provenance, training data sources, dependency trees, EU AI Act Annex IV compliance, and NIST AI RMF alignment — all from your MCP client.

Get Pro — £149/mo →View on GitHub

Install

pip install ai-bom-mcp

What it does

Model provenance tracking

Document the full lineage of your AI models — base model, fine-tuning runs, quantisation steps, RLHF iterations, and deployment versions.

Training data source inventory

Catalogue all training data sources with licensing status, data cards, consent records, and GDPR Art 30 processing activity alignment.

Dependency tree generation

Map the complete software supply chain — frameworks, libraries, hardware accelerators, cloud services, and third-party API dependencies.

EU AI Act Annex IV compliance

Ensure your technical documentation meets Annex IV requirements: training methodologies, data governance, validation procedures, and performance metrics.

NIST AI RMF alignment

Map your AI-BOM components against NIST AI Risk Management Framework categories — Govern, Map, Measure, Manage.

How it works

Install

pip install ai-bom-mcp — one command, zero config.

Scan

Point it at your model registry, training scripts, or deployment config. It discovers components automatically.

Export

Get a CycloneDX ML-BOM 1.6 or SPDX 3.0 JSON — drop it straight into your compliance pack.

Example BOM output (CycloneDX ML-BOM 1.6)

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:ai-bom-2026-05-c8f2a1",
  "version": 1,
  "metadata": {
    "component": {
      "type": "machine-learning-model",
      "name": "customer-intent-classifier-v2.1",
      "version": "2.1.0"
    }
  },
  "components": [
    {
      "type": "machine-learning-model",
      "name": "bert-base-uncased",
      "version": "1.0",
      "purl": "pkg:huggingface/google-bert/bert-base-uncased"
    },
    {
      "type": "data",
      "name": "intent-training-set-v3",
      "description": "12,847 labelled utterances, CC-BY-4.0"
    }
  ],
  "dependencies": [
    { "ref": "customer-intent-classifier-v2.1", "dependsOn": ["bert-base-uncased", "intent-training-set-v3"] }
  ]
}

Pricing

Free

£0/mo

3 BOMs/month. Community support. No signed attestations.

Pro

£149/mo

Unlimited BOMs + HMAC-signed attestations + SPDX 3.0 export + priority support.

Enterprise

£999/mo

Dedicated signing keys, custom verify domain, CI/CD integration, SLA, onboarding call.

Your AI supply chain transparency starts here

EU AI Act Annex IV requires detailed technical documentation. CycloneDX ML-BOM is the emerging standard. Get ahead now.

Get Pro — £149/mo →

MEOK AI Labs · CSOAI LTD · UK Companies House 16939677 · 3rd Floor, 86-90 Paul Street, London EC2A 4NE · meok.ai

CSOAI

Initializing...

What it does

Model provenance tracking

Document the full lineage of your AI models — base model, fine-tuning runs, quantisation steps, RLHF iterations, and deployment versions.

Training data source inventory

Catalogue all training data sources with licensing status, data cards, consent records, and GDPR Art 30 processing activity alignment.

Dependency tree generation

Map the complete software supply chain — frameworks, libraries, hardware accelerators, cloud services, and third-party API dependencies.

EU AI Act Annex IV compliance

Ensure your technical documentation meets Annex IV requirements: training methodologies, data governance, validation procedures, and performance metrics.

NIST AI RMF alignment

Map your AI-BOM components against NIST AI Risk Management Framework categories — Govern, Map, Measure, Manage.

Example BOM output (CycloneDX ML-BOM 1.6)

{ "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:ai-bom-2026-05-c8f2a1", "version": 1, "metadata": { "component": { "type": "machine-learning-model", "name": "customer-intent-classifier-v2.1", "version": "2.1.0" } }, "components": [ { "type": "machine-learning-model", "name": "bert-base-uncased", "version": "1.0", "purl": "pkg:huggingface/google-bert/bert-base-uncased" }, { "type": "data", "name": "intent-training-set-v3", "description": "12,847 labelled utterances, CC-BY-4.0" } ], "dependencies": [ { "ref": "customer-intent-classifier-v2.1", "dependsOn": ["bert-base-uncased", "intent-training-set-v3"] } ] }

Pricing

Free

£0/mo

3 BOMs/month. Community support. No signed attestations.

Pro

£149/mo

Unlimited BOMs + HMAC-signed attestations + SPDX 3.0 export + priority support.

Enterprise

£999/mo

Dedicated signing keys, custom verify domain, CI/CD integration, SLA, onboarding call.

Your AI supply chain transparency starts here

EU AI Act Annex IV requires detailed technical documentation. CycloneDX ML-BOM is the emerging standard. Get ahead now.

Get Pro — £149/mo →

MEOK AI Labs · CSOAI LTD · UK Companies House 16939677 · 3rd Floor, 86-90 Paul Street, London EC2A 4NE · meok.ai